An example of using OpenXPKI with alternative cryptography

by Sergei Vyshenski

Since late summer 2006 the 0.9.9 branch of OpenSSL has had built-in support for arbitrary asymmetric cryptography, and it ships an extended set of Russian national algorithms (GOST) as a worked example of non-Western cryptography. Today this OpenSSL-0.9.9 branch is far from stable. As soon as it stabilizes, the OpenXPKI project will support it, so that both the classical RSA/DSA cryptography and GOST cryptography will be supported simultaneously, by default and out of the box.

For those who cannot wait, provided here is a patched version of OpenSSL-0.9.8d equipped with the same set of GOST algorithms as version 0.9.9. This collection is called OpenSSL-0.9.8d-gost. It has full and simultaneous support for both Western and Russian cryptography. The recipes that follow have been tested to work with OpenXPKI on the FreeBSD@Intel-32, FreeBSD@AMD-64 and Debian@Intel-32 platforms. "Tested to work" here means that all built-in tests of OpenXPKI pass, and that no errors related to the cryptographic backend were found while working with OpenXPKI via the web interface.

Roughly, today's procedure to prepare support for GOST in OpenXPKI is as follows:

  • unpack a regular OpenSSL-0.9.8d source tarball,
  • apply the patch which enables support for arbitrary asymmetric cryptography,
  • install the patched OpenSSL into a specially dedicated directory OPENSSL_INSTALLDIR, so that your system's OpenSSL installation is left untouched,
  • configure engine-gost (the set of GOST algorithms, built as an OpenSSL engine) against this OpenSSL and install it.

The details of the above procedure are given in a shell script. For simplicity it knows the download locations on only one of the many SourceForge mirrors. To run this script you need wget installed. You may have to edit the first lines of the script to match your system and preferences:

  • OPENSSL_SOURCEDIR points to the directory into which the tarballs will be unpacked.
  • OPENSSL_INSTALLDIR points to the directory into which the OpenSSL-gost software collection will be installed. Beware: this directory will be cleaned before installing, so never point it at a directory that holds anything else (in particular not at your system's OpenSSL prefix).
  • MAKE points to your gmake (on Linux it is usually just make).

If the script fails at the download stage, you can help it by downloading the three needed tarballs manually from the locations referenced in the script, and placing all of them into OPENSSL_SOURCEDIR. Then re-run the script.

If successful, the above procedure adds support for the following cryptographic algorithms (named here as recognized by the OpenSSL library):

  • md_gost94: message digest algorithm.
  • gost89: symmetric encryption algorithm with a 256-bit key.
  • gost94: public key algorithm with a 1024-bit public key.
  • gost94cp: public key algorithm with a 1024-bit public key (CP mode, see note (1)).
  • gost2001: public key algorithm based on elliptic curves, with a 512-bit public key.
  • gost2001cp: public key algorithm based on elliptic curves, with a 512-bit public key (CP mode, see note (1)).

To test GOST support at the library level try:

    ${OPENSSL_INSTALLDIR}/bin/openssl engine gost -t -c -vvvv

You should see something similar to the following:

    (gost) GOST engine
     [gost89, md_gost94, gost94, gost94cp, gost2001, gost2001cp]
         [ available ]

Do not forget to (re)install OpenXPKI against the just-installed OpenSSL-gost software collection; an OpenXPKI built against the system OpenSSL will not see the GOST engine.

Environment variables:

    OPENSSL_PREFIX=${OPENSSL_INSTALLDIR}
    GOST_OPENSSL_ENGINE=${OPENSSL_INSTALLDIR}/lib/engines/libgost.so

should be defined while running the following commands for the OpenXPKI server:

    perl Makefile.PL
    make
    make test
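The whole procedure above, from the dedicated OPENSSL_INSTALLDIR to the three build commands, hinges on OpenXPKI's build actually finding a working GOST engine; if it does not, the GOST tests are merely skipped (see below) and you end up with an OpenXPKI without GOST. The following preflight script is an added example, not code from the original page, the OpenSSL patch or OpenXPKI. It checks the paths that OPENSSL_PREFIX and GOST_OPENSSL_ENGINE will point at, parses the output of `openssl engine gost -t -c` shown above, and exports the two variables only when everything is in place. The variable names and the expected engine output come from the page; the function names, messages and the exact checks are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original page, the patch or OpenXPKI):
# preflight checks before building OpenXPKI against the OpenSSL-gost
# collection.  OPENSSL_INSTALLDIR, OPENSSL_PREFIX and GOST_OPENSSL_ENGINE
# are the variables the page uses; function names and checks are ours.

# gost_engine_ok TEXT
# Given the output of `openssl engine gost -t -c`, succeed only when the
# engine reports itself "[ available ]" and its algorithm list contains
# every name the page promises.  A plain grep for "gost" would accept an
# engine whose test load failed or which lacks the 2001 curves.
gost_engine_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q '\[ available \]' || return 1
    # The algorithm line looks like " [gost89, md_gost94, ...]".  Require a
    # name right after the bracket so the "[ available ]" line is not taken.
    algs=$(printf '%s\n' "$out" \
        | grep -E '^[[:space:]]*\[[a-z0-9_][a-z0-9_, ]*\][[:space:]]*$' \
        | tr -d '[],')
    for want in gost89 md_gost94 gost94 gost94cp gost2001 gost2001cp; do
        found=0
        for have in $algs; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
}

# gost_env_ok PREFIX ENGINE
# Succeed when the paths that OpenXPKI's Makefile.PL will read from
# OPENSSL_PREFIX and GOST_OPENSSL_ENGINE actually exist, so that a typo
# does not silently build an OpenXPKI without GOST.
gost_env_ok() {
    prefix="$1"
    engine="$2"
    if [ -z "$prefix" ] || [ ! -x "$prefix/bin/openssl" ]; then
        echo "OPENSSL_PREFIX: no executable $prefix/bin/openssl" >&2
        return 1
    fi
    if [ -z "$engine" ] || [ ! -f "$engine" ]; then
        echo "GOST_OPENSSL_ENGINE: $engine does not exist" >&2
        return 1
    fi
    return 0
}

# preflight INSTALLDIR
# Run both checks against a real installation and export the variables
# that `perl Makefile.PL`, `make` and `make test` expect.
preflight() {
    dir="$1"
    engine="$dir/lib/engines/libgost.so"
    gost_env_ok "$dir" "$engine" || return 1
    out=$("$dir/bin/openssl" engine gost -t -c 2>&1) || {
        echo "$out" >&2
        return 1
    }
    gost_engine_ok "$out" || {
        echo "gost engine loads but is not fully available:" >&2
        echo "$out" >&2
        return 1
    }
    export OPENSSL_PREFIX="$dir"
    export GOST_OPENSSL_ENGINE="$engine"
}

# Only touch the real system when the caller has set OPENSSL_INSTALLDIR;
# otherwise the functions above can be sourced and exercised on their own.
if [ -n "${OPENSSL_INSTALLDIR:-}" ]; then
    if preflight "$OPENSSL_INSTALLDIR"; then
        echo "GOST backend usable; now run: perl Makefile.PL && make && make test"
    else
        echo "GOST preflight failed; fix the above before building OpenXPKI" >&2
        exit 1
    fi
fi
```

Source it in the shell in which you will then type `perl Makefile.PL`, for example `OPENSSL_INSTALLDIR=/opt/openssl-gost . ./preflight.sh` (the path is a placeholder for your own OPENSSL_INSTALLDIR), so that the exported OPENSSL_PREFIX and GOST_OPENSSL_ENGINE are still set when the build runs.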

After that, in addition to the usual Western cryptography, users and administrators of OpenXPKI will be able to use the following GOST public key algorithms (listed in the spelling used by OpenXPKI):

  • GOST94 (public key algorithm)
  • GOST2001 (elliptic curves public key algorithm)
  • GOST94CP (public key algorithm in CP mode, see note (1))
  • GOST2001CP (elliptic curves public key algorithm in CP mode, see note (1))

In full accord with the X.509 standard, all these GOST* algorithms, along with all DSA and RSA algorithms, can be used to cross-sign certificates. Thus a certification chain in a given PKI may mix algorithms arbitrarily: each certificate is verified with the algorithm of its issuer's key, which need not be the algorithm of its own key.

If the environment variable:

    GOST_OPENSSL_ENGINE

is undefined during the make procedure for the OpenXPKI server, then the GOST-related tests of OpenXPKI are skipped and support for GOST algorithms in OpenXPKI is disabled. The same applies when cryptographic backend #1 is used (see Cryptography abstraction concept). Thus the presence of GOST-related code inside OpenXPKI does no harm to a user who has no GOST-enabled cryptographic backend, or who knows nothing about GOST.


(1) A digital signature in CP mode has a different byte ordering from the regular mode. Strictly speaking this mode violates the relevant Russian federal standards for digital signatures. Nonetheless it is widely employed in some MS Windows-based applications, and it is supported here for compatibility with them.