Greetings!

On Fri, Sep 9, 2011 at 12:39 PM, Roumen Petrov <[email protected]> wrote:
> Dmitry Belyavsky wrote:
>>
>> Greetings!
>>
>> On Thu, Sep 8, 2011 at 8:43 PM, Roumen Petrov <[email protected]> wrote:
>>>
>>> Dmitry Belyavsky wrote:
>>>>
>>>> Greetings!
>>>>
>>>> It seems to work. It's compatible with example provided before
>>>> (xmlsec1 --verify --trusted-pem tests/keys/gost2001ca.pem
>>>> --verification-time "2006-04-01 00:00:00"
>>>> tests/aleksey-xmldsig-01/enveloped-gost.xml is successful) and
>>>> self-compatible.
>>>>
>>>> On Wed, Sep 7, 2011 at 2:32 AM, Aleksey Sanin <[email protected]> wrote:
>>>>>
>>>>> [SNIP]
>>>>>
>>>
>>> Which openssl version for first time offer GOST support, even as
>>> externally maintained patch?
>>>
>>> If first is 0.9.8 I think that xmlsec regression test could be automated.
>>>
>>
>> Unfortunately, no. You need 1.0 version with gost engine enabled
>> through the openssl.cnf file according to README.gost file.
>>
>
> So I'm not familiar with status of GOST support in OpenSSL. Internet search
> points to page on cryptocom.ru where is listed patch for openssl 0.9.8.
> I cannot find earlier version.

I'm familiar with status of GOST in OpenSSL and was among the authors
of the Cryptocom's patch. I have a little patch making GOST support to
xmlsec with cryptocom-built OpenSSL, but really it's almost not
interesting outside Russia.

>>
>> BTW, does anybody really need the pre-0.9.8 version of the OpenSSL
>> library (and its support)?
>>
>
> Maybe nobody. I ask because openssl engine configuration is different
> between openssl version 0.9.7 and 0.9.8+.
>
> So following the guide README.gost I do this
>
> $ cd [XMLSEC_TOP_BUILD_DIR]
>
> $ cat openssl.cnf
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> gost = gost_section
>
> [ gost_section ]
> #engine_id = gost
> #dynamic_path = /usr/lib/ssl/engines/libgost.so
> default_algorithms = ALL
> CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
>
> $ OPENSSL_CONF=`pwd`/openssl.cnf \
> make check
>
> A result is this (extract from console log):
> ......
> --------- These tests CAN FAIL (extra OS config required) ----------
> aleksey-xmldsig-01/enveloped-gost
> Checking required transforms OK
> Checking required key data OK
> Verify existing signature OK
> .......
>
> With above I confirm that xmlsec test could be fully automated.
> Tested with openssl 1.0.0e, dynamic engine build including GOST engine.

Thank you, it should really work!

--
SY, Dmitry Belyavsky
