haskell-tls / hs-certificate

Certificate and Key Reader/Writer in haskell

Add support of cryptopro #77

Open skie opened 7 years ago

skie commented 7 years ago

A general failure happens when starting Haskell with CryptoPro installed.

Getting: unknown public key OID: [1,2,643,2,2,19]

Here is the list of CryptoPro OIDs: ftp://soft.lissi.ru/Utils/GenRequest/openssl/crypto_oid.h

vdukhovni commented 7 years ago

I don't think that GOST should be supported in the default implementation of this package. The best way to get there is likely to make the set of public-key algorithms pluggable, via some sort of table lookup mechanism, which would enable extension via hooks that add more table rows, and then GOST could be provided via an optional module, maintained by a suitably motivated GOST user.

skie commented 7 years ago

The main issue is that users who have CryptoPro installed on Windows can start neither Haskell nor Elm on their machines. So I don't expect GOST to be supported, but there should at least be some way to avoid an app crash in this case.

vdukhovni commented 7 years ago

Is this because some of the certificates in the trust store have GOST signatures? If so, then indeed it should be possible to skip unsupported CA certs without failing to process the rest. You should probably describe the failure scenario in more detail...

skie commented 7 years ago

To be honest, I have the same use case as described in http://stackoverflow.com/questions/39086758/haskell-or-elm-error-unknown-public-key-oid Unfortunately, reinstalling Windows is not an option for me. And to answer your question: yes, I had to install some certificates provided by my bank.

vdukhovni commented 7 years ago

That URL also fails to provide a useful problem description. This is not a sufficiently detailed report. Have you added GOST-based trusted CAs to your system-wide list of trusted CA certificates? Are you able to look more closely and determine the context in which that error happens?

Is there any way to point Elm at a non-default certificate store that contains only CA certs that are understood by Data.X509.PublicKey (RSA or ECDSA with P-256, P-384 or P-521)?

skie commented 7 years ago

Yes, the GOST certificate is installed system-wide. It is an app requirement. Here is the certificate link: http://cpca.cryptopro.ru/cacer.p7b This link has a description (unfortunately only in Russian): http://cpca.cryptopro.ru/center.htm

vdukhovni commented 7 years ago

You've provided a URL for a PKCS#7 file containing a bunch of GOST-based CA certificates. This still does not answer the question of how these are deployed and used on your system.

When I construct a PEM CAfile with all the GOST certs from the PKCS#7 bundle and a CA that's the actual issuer of the certificate for a test site, a TLS connection to the site still verifies its certificate, despite the GOST certs being listed first in the CAfile. When I test with just the GOST CA certificates, the connection fails with

HandshakeFailed (Error_Protocol ("certificate rejected: [SelfSigned]",True,CertificateUnknown))

Now I must admit that I'm testing a TLS client on MacOS/X and not elm on Windows (I am guessing you're using Windows). But to determine whether the problem lies in Data.X509 and what the actual problem is, it is important to have a more precise problem description.

You need to obtain and post a more detailed description of the failure. What program is failing? What version of "hs-certificate" is it using? What is the failing program doing when it fails?

The error message you report happens when public keys are decoded from ASN.1. Is your server certificate using a GOST public key? That's not supported. Is its issuing CA using a GOST public key? That's not supported either. Just having some CAs in the trust store that use GOST public keys seems not to cause any problems on my end...
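
The comment above pins the failure to the point where a SubjectPublicKeyInfo's algorithm OID is decoded from ASN.1. The following is an added example, not hs-certificate code or anything posted in this thread: a small Python DER walker that pulls the key-algorithm OID out of every certificate in a PEM bundle, flags the unsupported ones (such as the reported 1.2.643.2.2.19) and keeps going, which is the "skip unsupported CA certs" behaviour discussed here. It shows how the 643 arc is carried as two base-128 bytes (85 03), and how to locate which certificate in a store is the one carrying the offending OID. The three certificates in `SAMPLE_BUNDLE` are constructed, unsigned, minimal DER structures built by `make_test_cert` just so the example runs offline; the names `read_tlv`, `tlv`, `scan_pem_bundle` and friends are this example's own.

```python
"""Report each certificate's SubjectPublicKeyInfo algorithm OID in a PEM bundle,
flagging (not aborting on) OIDs the verifier does not understand.
Constructed example; not hs-certificate or Elm code."""
import base64
import re

# What Data.X509.PublicKey decodes per the thread (RSA, EC), plus the OID from the report.
SUPPORTED = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
}
REPORTED_GOST_OID = "1.2.643.2.2.19"


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def tlv(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(content):
    """Base-128 OID decoding; the 643 arc of 1.2.643.* is the two bytes 85 03."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                     # first byte packs arcs 1 and 2 as 40*a1 + a2
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted):
    """Inverse of decode_oid, used only to build the constructed test certs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunks = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunks.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunks))
    return bytes(out)


def spki_algorithm_oid(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm -> OID."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, content, pos = read_tlv(tbs, pos)
        fields.append((tag, content))
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    spki = fields[5][1]                      # serial, sigAlg, issuer, validity, subject, SPKI
    _, alg, _ = read_tlv(spki, 0)
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)


def scan_pem_bundle(pem_text):
    """One (index, oid, status) per cert; unsupported or malformed ones are flagged, not fatal."""
    report = []
    pattern = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    for i, b64 in enumerate(re.findall(pattern, pem_text, re.S)):
        der = base64.b64decode("".join(b64.split()))
        try:
            oid = spki_algorithm_oid(der)
        except (IndexError, ValueError) as exc:
            report.append((i, None, "malformed: %s" % exc))
            continue
        report.append((i, oid, SUPPORTED.get(oid, "unsupported public key OID, skip this CA")))
    return report


def make_test_cert(key_oid):
    """Constructed, unsigned, minimal DER Certificate carrying the given SPKI OID."""
    alg_id = tlv(0x30, tlv(0x06, encode_oid(key_oid)) + tlv(0x05, b""))
    tbs = tlv(0x30, b"".join([
        tlv(0xA0, tlv(0x02, b"\x02")),                  # version v3
        tlv(0x02, b"\x01"),                             # serial number
        alg_id,                                         # signature algorithm (dummy)
        tlv(0x30, b""),                                 # issuer Name (empty)
        tlv(0x30, tlv(0x17, b"170101000000Z") + tlv(0x17, b"270101000000Z")),
        tlv(0x30, b""),                                 # subject Name (empty)
        tlv(0x30, alg_id + tlv(0x03, b"\x00" * 17)),    # SPKI: algorithm + dummy key bits
    ]))
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" * 9))   # dummy signature


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


# Constructed bundle: a GOST-keyed CA listed first, then an RSA and an EC CA.
SAMPLE_BUNDLE = "".join(to_pem(make_test_cert(o)) for o in
                        (REPORTED_GOST_OID, "1.2.840.113549.1.1.1", "1.2.840.10045.2.1"))

if __name__ == "__main__":
    for entry in scan_pem_bundle(SAMPLE_BUNDLE):
        print(entry)
```

Running it against a real CAfile (read the PEM text and pass it to `scan_pem_bundle`) tells you which entry carries the GOST OID, which is the information the maintainers are asking for above. Note that it only inspects the SPKI algorithm; a certificate whose key is RSA but whose signature algorithm is GOST would still be reported as supported here.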

vincenthz commented 7 years ago

@skie What happens if you make the GOST OID known in the OID list?

Making sure the whole thing doesn't fall apart if there are unknown certificates is definitely what we want here.

skie commented 7 years ago

I don't write any code; all I have is an empty folder where I'm trying to run elm-make, and I just get "elm-make: unknown public key OID: [1,2,643,2,2,19]". Tracking where the error comes from led to this library. I haven't used Haskell in the past and I'm not doing so right now. That's what I'm trying to explain.

vdukhovni commented 7 years ago

It's probably best to file a bug report with the Elm maintainers. They should be well-positioned to figure out whether the bug is a result of Elm doing the wrong thing, or, if the problem is with Data.X509, they should be able to make a more detailed upstream bug report.