OpenSSL 0.98-dev provides a system to implement additional ciphers and message digest algorithms using dynamically loadable engines, but doesn't seem to provide an equivalent way for digital signature and key distribution algorithms.
But there are many more digital signature algorithms than DSA and RSA. There are some DSA-like algorithms, for example Russian GOST 34.10-94, which can be easily implemented as a DSA method, but we encounter the following problems:

1. We need to distinguish these algorithms from DSA, and DSA_METHOD in the engine system doesn't allow us to use separate NIDs and OIDs for different DSA_METHODs.
2. Standard ASN1 routines limit the length of a DSA secret key to 160 bits, but GOST requires a 512 or even 1024 bit private key.

It seems that the second problem can be worked around using custom key loading methods in the engine, although it is some duplication of effort already done in core OpenSSL. A similar problem arises implementing the newer GOST 34.10-2001 as a variation of ECDSA.

But the OID problem seems to be fundamental and requires some changes in the OpenSSL core. As far as I know, Russia is not the only country which has its own cryptography standards, so some way to support national algorithms should be added into OpenSSL eventually.

The question is: which architectural decision is better?
