Re: [openssl-users] Re: create certificate request programmatically using OpenSSL API
On Mon, Jul 30, 2012 at 5:15 AM, Erwann Abalea wrote:
> GOST is not a block cipher, it's the acronym for "GOsudarstvennyi STandard",
> which means "State Standard". It's not dedicated to cryptography.

My apologies. I thought you were referring to the GOST block cipher. (I've never used it, but knew it's been part of Crypto++ for some time: http://www.cryptopp.com/docs/ref/class_g_o_s_t.html).

Jeff

> On 28/07/2012 21:31, Jeffrey Walton wrote:
>
> On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo wrote:
>
> Hi all!
>
> The last problem is how to create GOST key pair for certificate.
> It is clear how to create RSA keys.
> Sample is here : http://www.openssl.org/docs/crypto/EVP_PKEY_keygen.html
>
> #include <openssl/evp.h>
> #include <openssl/rsa.h>
> EVP_PKEY_CTX *ctx;
> EVP_PKEY *pkey = NULL;
> ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
> if (!ctx)
>     /* Error occurred */
> if (EVP_PKEY_keygen_init(ctx) <= 0)
>     /* Error */
> if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
>     /* Error */
> /* Generate key */
> if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
>     /* Error */
>
> Unfortunately there is no EVP_PKEY_GOST constant and I can't create EVP_PKEY
> containing GOST key pair.
>
> Does anybody know how to create GOST key pair?
>
> GOST is a block cipher. It uses a symmetric key, not public/private keys.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: create certificate request programmatically using OpenSSL API
Hi Jeff

There are two GOST algorithms. GOST 28147-89 is for symmetric block cyphering and GOST R 34.10-2001 for asymmetric cyphering and digital signing. OpenSSL supports both algorithms. I mean GOST R 34.10-2001 here.

Best Regards
Re: [openssl-users] Re: create certificate request programmatically using OpenSSL API
GOST is not a block cipher, it's the acronym for "GOsudarstvennyi STandard", which means "State Standard". It's not dedicated to cryptography. Speaking of GOST standard is redundant, but clearer for non-Russian locutors.

There's a block cipher (poorly) defined as a GOST standard, referenced "GOST 28147-89". Attempts to be adopted as an ISO standard have failed. The S-Box to use is not defined in the standard, whence 2 compliant implementations can be non interoperable.

There's also a hash algorithm defined as a GOST standard, referenced "GOST R 34.11-94" or "GOST 34.311-95", using GOST 28147-89 inside. "GOST R 34.11-94" in itself is also useless because of the lack of S-Box standard. The RFC 4357 defines 2 S-Boxes.

And finally there's a digital signature defined as a GOST standard, referenced "GOST R 34.10-94" and superseded by "GOST R 34.10-2001" (RFC5832), consider it similar to ECDSA. It uses "GOST R 34.11-94" to hash data (just as {EC}DSA uses SHA{1,2*}).

--
Erwann ABALEA

On 28/07/2012 21:31, Jeffrey Walton wrote:
> On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo wrote:
> > Hi all!
> >
> > The last problem is how to create GOST key pair for certificate.
> > It is clear how to create RSA keys.
> > Sample is here : http://www.openssl.org/docs/crypto/EVP_PKEY_keygen.html
> >
> > #include <openssl/evp.h>
> > #include <openssl/rsa.h>
> > EVP_PKEY_CTX *ctx;
> > EVP_PKEY *pkey = NULL;
> > ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
> > if (!ctx)
> >     /* Error occurred */
> > if (EVP_PKEY_keygen_init(ctx) <= 0)
> >     /* Error */
> > if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
> >     /* Error */
> > /* Generate key */
> > if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
> >     /* Error */
> >
> > Unfortunately there is no EVP_PKEY_GOST constant and I can't create EVP_PKEY
> > containing GOST key pair.
> >
> > Does anybody know how to create GOST key pair?
>
> GOST is a block cipher. It uses a symmetric key, not public/private keys.
>
> Jeff
Re: create certificate request programmatically using OpenSSL API
On Fri, Jul 27, 2012 at 9:00 AM, Abyss Lingvo wrote:
> Hi all!
>
> The last problem is how to create GOST key pair for certificate.
> It is clear how to create RSA keys.
> Sample is here : http://www.openssl.org/docs/crypto/EVP_PKEY_keygen.html
>
> #include <openssl/evp.h>
> #include <openssl/rsa.h>
> EVP_PKEY_CTX *ctx;
> EVP_PKEY *pkey = NULL;
> ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
> if (!ctx)
>     /* Error occurred */
> if (EVP_PKEY_keygen_init(ctx) <= 0)
>     /* Error */
> if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
>     /* Error */
> /* Generate key */
> if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
>     /* Error */
>
> Unfortunately there is no EVP_PKEY_GOST constant and I can't create EVP_PKEY
> containing GOST key pair.
>
> Does anybody know how to create GOST key pair?

GOST is a block cipher. It uses a symmetric key, not public/private keys.

Jeff
Re: create certificate request programmatically using OpenSSL API
Hi all!

The last problem is how to create GOST key pair for certificate.
It is clear how to create RSA keys.
Sample is here : http://www.openssl.org/docs/crypto/EVP_PKEY_keygen.html

    #include <openssl/evp.h>
    #include <openssl/rsa.h>

    EVP_PKEY_CTX *ctx;
    EVP_PKEY *pkey = NULL;
    ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
    if (!ctx)
        /* Error occurred */
    if (EVP_PKEY_keygen_init(ctx) <= 0)
        /* Error */
    if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
        /* Error */
    /* Generate key */
    if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
        /* Error */

Unfortunately there is no EVP_PKEY_GOST constant and I can't create EVP_PKEY containing GOST key pair.

Does anybody know how to create GOST key pair?

Best Regards
Re: create certificate request programmatically using OpenSSL API
I wrote this a while ago, but I think it was trivially modified from something I found online. I added a few comments, which perhaps is helpful.
Re: create certificate request programmatically using OpenSSL API
On Fri, Jul 20, 2012, Abyss Lingvo wrote:
> Hi all!
>
> How to create certificate request programmatically via OpenSSL API?
>
> This is the solution for command line utility:
>
> openssl genrsa -out server_key.pem -passout pass:$passwd -des3 1024
>
> openssl req -new -key server_key.pem -passin pass:$passwd \
>     -passout pass:$passwd -out server_req.pem -days 1095 \
>     -subj /C=US/ST=City/L=City/O=company/OU=SSLServers/CN=localhost/emailAddress=sslser...@company.com
>
> How to do the same but using OpenSSL API?

A simple example is demos/x509/mkreq.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: create certificate request programmatically using OpenSSL API
You can take the code in apps/req.c and extract the pieces you need.

On 07/20/2012 10:17 AM, Abyss Lingvo wrote:

Hi all!

How to create certificate request programmatically via OpenSSL API?

This is the solution for command line utility:

openssl genrsa -out server_key.pem -passout pass:$passwd -des3 1024

openssl req -new -key server_key.pem -passin pass:$passwd \
    -passout pass:$passwd -out server_req.pem -days 1095 \
    -subj /C=US/ST=City/L=City/O=company/OU=SSLServers/CN=localhost/emailAddress=sslser...@company.com

How to do the same but using OpenSSL API?

Best Regards

xidex