OpenSSL with GOST engine
I want to use OpenSSL to generate private/public/(Certificate Signing Request) and to sign some data later. But I want to use the OpenSSL GOST engine.
I downloaded OpenSSL 1.0.0 and modified the openssl.cfg file:
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
dynamic_path = ./gost.dll
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
I can generate a private key and CSR (single-line command string):
openssl req -newkey gost2001 -pkeyopt paramset:A -passout pass:aofvlgzm \
-subj "/C=RU/ST=Moscow/L=Moscow/O=foo_bar/OU=foo_bar/CN=developer/ \
[email protected]" \
-new > certificate_signing_request.csr
I get 2 files:
- certificate_signing_request.csr
- privkey.pem
I know that I can do (prints an (unencrypted) text representation of private and public keys):
openssl genpkey -algorithm gost2001 -pkeyopt paramset:A -text
I use GOST instead of RSA, which is why I cannot just do:
openssl rsa -in privkey.pem -pubout -out pubkey.pem
Enter pass phrase for privkey.pem:
6132:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:.\crypto\evp\p_lib.c:288:
My question is: how can I generate/get the public key (maybe from the private key or from the CSR) using GOST?
I use:
- Windows 7 professional x64;
- OpenSSL 1.0.0;
- Gost engine.
Thanks for any help.
Comments (1)
I resolved my problem.
Step by step guide for everyone who wants an alternative to КРИПТО-ПРО
Certificate Signing Request (CSR) + private key
./openssl req -newkey gost2001 -pkeyopt paramset:A -passout pass:aofvlgzm -subj "/C=RU/ST=Moscow/L=Moscow/O=foo_bar/OU=foo_bar/CN=developer/[email protected]" -keyout private.key.pem -out csr.csr
Sign CSR (csr.csr) with private.key.pem (!!! ADMIN COMMAND PROMPT ONLY !!!)
if not admin: "unable to write 'random state'"
./openssl x509 -req -days 365 -in csr.csr -signkey private.key.pem -out crt.crt
Get public key
./openssl x509 -inform pem -in crt.crt -pubkey -noout > public.key.pem
Get GOST2001-md_gost94 hex
./openssl.exe dgst -hex -sign private.key.pem message.xml
Get MIME application/x-pkcs7-signature
./openssl smime -sign -inkey private.key.pem -signer crt.crt -in message.xml
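
An algorithm-neutral way to get the public key directly from the private key or from the CSR, as an added example that is not part of the original question or answer: `openssl pkey -pubout` and `openssl req -pubkey` accept any key type, where `openssl rsa` accepts only RSA. Assumptions: the function names are illustrative, and the key type defaults to EC so the script runs without the GOST engine; with the engine configured as in the question, set KEY_ALG=gost2001 and KEY_OPT=paramset:A.

```shell
#!/bin/sh
# Added example: extract a public key without the RSA-only `openssl rsa` command.
# Assumption: EC is a stand-in key type so this runs on a stock OpenSSL build.
# With the GOST engine loaded: KEY_ALG=gost2001 KEY_OPT=paramset:A
KEY_ALG=${KEY_ALG:-EC}
KEY_OPT=${KEY_OPT:-ec_paramgen_curve:prime256v1}

# pubkey_from_key <private-key.pem>: print the public half of any private key type.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout
}

# pubkey_from_csr <csr.pem>: print the public key embedded in a CSR.
pubkey_from_csr() {
    openssl req -in "$1" -noout -pubkey
}

# pubkeys_match <private-key.pem> <csr.pem>: succeed only if the CSR carries the
# public half of the given private key (empty output never counts as a match).
pubkeys_match() {
    from_key=$(pubkey_from_key "$1") || return 2
    from_csr=$(pubkey_from_csr "$2") || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# demo: create a throwaway key and CSR (constructed sample data) and compare them.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm "$KEY_ALG" -pkeyopt "$KEY_OPT" \
        -out "$dir/private.key.pem" 2>/dev/null &&
    openssl req -new -key "$dir/private.key.pem" -subj "/CN=developer" \
        -out "$dir/csr.csr" 2>/dev/null &&
    pubkeys_match "$dir/private.key.pem" "$dir/csr.csr"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo && echo "CSR public key matches the private key"
```

For a passphrase-protected key such as the privkey.pem in the question, `openssl pkey` prompts for the passphrase; `-passin file:...` or `-passin env:...` keeps it out of the process list, unlike `pass:` on the command line.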