pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

How to enable GOST in cryptography? #3859

Closed RockBomber closed 7 years ago

RockBomber commented 7 years ago

Hello!

I have an X509Req file with Public Key Algorithm: GOST R 34.10-2001. I got an error when getting the public key:

$ openssl req -pubkey -inform DER -in sign_op_pkcs10.req       
Error getting public key
140098225559200:error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm:p_lib.c:239:
140098225559200:error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm:x_pubkey.c:155:

I enabled GOST in OpenSSL by adding these lines to the file /etc/ssl/openssl.cnf:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

openssl_conf=openssl_def

...

# OpenSSL default section
[openssl_def]
engines = engine_section

# Engine section
[engine_section]
gost = gost_section

# Engine gost section
[gost_section]
engine_id = gost
dynamic_path = /usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

Now I can successfully get the public key from the X509Req file:

$ openssl req -pubkey -inform DER -in sign_op_pkcs10.req
-----BEGIN PUBLIC KEY-----
MGMwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEDQwAEQL5wCc4ZAqc8B9I5
L1RdN32O+p3f1RMB9h0j0ygZ5rEJdLEUEr39nlJUspoOuUbaa5kgYqzKXDOEXAKZ
GVw7wJc=
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

But I still get an error when getting the public key with python-cryptography:

Traceback (most recent call last):
  File "test_pkrbp.py", line 71, in <module>
    print 'public_key:', csr.public_key()
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 364, in public_key
    self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 111, in openssl_assert
    return binding._openssl_assert(self._lib, ok)
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 75, in _openssl_assert
    errors_with_text
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=101310620L, lib=6, func=158, reason=156, reason_text='error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm'), _OpenSSLErrorWithText(code=185036911L, lib=11, func=119, reason=111, reason_text='error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm')])

Help please! How to enable GOST in cryptography?

My environment: Ubuntu 14.04, Python 2.7.8, OpenSSL 1.0.1f, cryptography 2.0.3, cffi 1.10.0

reaperhulk commented 7 years ago

Chances are you're seeing this error because cryptography 2.0+ has binary wheels available that include a version of OpenSSL that does not support GOST. You can check this by doing python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())". If it outputs 1.1.0f (and not 1.0.1f) you've got the wheel. Try reinstalling with pip install cryptography --no-binary cryptography.

RockBomber commented 7 years ago

Thank you for the answer!

I checked it:

$ python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())"
OpenSSL 1.0.1f 6 Jan 2014

Likely cryptography uses an external OpenSSL. Right?

But I also tried to reinstall cryptography:

$ pip uninstall cryptography 
Uninstalling cryptography-2.0.3:
  /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages/cryptography
  /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages/cryptography-2.0.3-py2.7.egg-info
Proceed (y/n)? y
  Successfully uninstalled cryptography-2.0.3

$ pip install cryptography --no-binary cryptography
Collecting cryptography
  Downloading cryptography-2.0.3.tar.gz (427kB)
    100% |████████████████████████████████| 430kB 1.5MB/s 
Requirement already satisfied: idna>=2.1 in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: asn1crypto>=0.21.0 in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: six>=1.4.1 in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: enum34 in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: ipaddress in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: cffi>=1.7 in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cryptography)
Requirement already satisfied: pycparser in /home/asdef/.virtualenvs/autotesting/lib/python2.7/site-packages (from cffi>=1.7->cryptography)
Installing collected packages: cryptography
  Running setup.py install for cryptography ... done
Successfully installed cryptography-2.0.3

I checked it again:

$ python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())"
OpenSSL 1.0.1f 6 Jan 2014

But I still have same error:

Traceback (most recent call last):
  File "test_pkrbp.py", line 92, in <module>
    print 'public_key:', csr.public_key()
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 364, in public_key
    self._backend.openssl_assert(pkey != self._backend._ffi.NULL)
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 111, in openssl_assert
    return binding._openssl_assert(self._lib, ok)
  File "/home/asdef/.virtualenvs/autotesting/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 75, in _openssl_assert
    errors_with_text
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=101310620L, lib=6, func=158, reason=156, reason_text='error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm'), _OpenSSLErrorWithText(code=185036911L, lib=11, func=119, reason=111, reason_text='error:0B07706F:x509 certificate routines:X509_PUBKEY_get:unsupported algorithm')])

reaperhulk commented 7 years ago

You probably need to call something to initialize the engine/load the default config, but that's outside of the scope of what we can support since cryptography does not (and will not) test against this type of configuration. Good luck!

vgottardi commented 5 years ago

I successfully loaded my openssl.cnf (including an engine definition similar to @RockBomber's) into my Python app by calling:

from cryptography.hazmat.backends.openssl.backend import backend
backend._lib.OPENSSL_config(backend._ffi.NULL)

Note: OPENSSL_config() is deprecated in OpenSSL 1.1.0+. Not tested, but CONF_modules_load() should work in that case.

[I know it's 2 years late... might still help someone]
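The two practical points in this thread are (a) reading the OpenSSL error stack that cryptography surfaces as InternalError, where both packed codes decode to "unsupported algorithm" because no GOST handler is registered in the libcrypto that cryptography itself linked to (the engine loaded by the standalone openssl binary lives in a different process and does not help), and (b) making that libcrypto read openssl.cnf, and with it the [engine_section], before the CSR is parsed, which is what vgottardi's OPENSSL_config call does. The script below is an added example written for this page; it is not code from the pyca/cryptography project or from anyone in the thread. The function names are the author's own; the constants ERR_LIB_EVP, ERR_LIB_X509, EVP_R_UNSUPPORTED_ALGORITHM and X509_R_UNSUPPORTED_ALGORITHM are real OpenSSL 1.0.x/1.1.x values and match the lib=6/reason=156 and lib=11/reason=111 fields in the tracebacks above. It assumes Python 3, the legacy 8/12/12-bit error-code layout, and a cryptography release whose cffi binding still exposes backend._lib.OPENSSL_config (the 2.x era); on newer releases the loader reports that the symbol is absent rather than guessing. It also separates the two failure modes a GOST CSR can produce: libcrypto rejecting the key OID (engine not loaded), and cryptography having no key class for a type libcrypto did parse, which on the 2.x code base surfaces as UnsupportedAlgorithm from the backend.

```python
"""Diagnose the 'unsupported algorithm' error stack from the thread and load
openssl.cnf through cryptography's own OpenSSL binding before parsing a CSR.

Added example for this page, not project code. Assumes Python 3, the legacy
OpenSSL 1.0.x/1.1.x error-code layout, and a cryptography build whose binding
exposes backend._lib.OPENSSL_config (assumption: true for the 2.x era only).
"""

# Legacy OpenSSL packs one error as: bits 31..24 library, 23..12 function,
# 11..0 reason. The constants are OpenSSL's own values and match the
# lib/reason fields printed in the tracebacks above.
ERR_LIB_EVP = 6                     # "digital envelope routines"
ERR_LIB_X509 = 11                   # "x509 certificate routines"
EVP_R_UNSUPPORTED_ALGORITHM = 156   # low 12 bits of 0x0609E09C
X509_R_UNSUPPORTED_ALGORITHM = 111  # low 12 bits of 0x0B07706F

UNSUPPORTED_ALGORITHM = {
    (ERR_LIB_EVP, EVP_R_UNSUPPORTED_ALGORITHM),
    (ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM),
}


def unpack_openssl_error(code):
    """Split a packed legacy OpenSSL error code into (lib, func, reason).
    101310620 (0x0609E09C) -> (6, 158, 156); 185036911 -> (11, 119, 111)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def is_unsupported_algorithm(code):
    """True when libcrypto reports that it has no handler for the key's OID,
    i.e. the engine providing that algorithm is not loaded in this process."""
    lib, _func, reason = unpack_openssl_error(code)
    return (lib, reason) in UNSUPPORTED_ALGORITHM


def diagnose_error_stack(codes):
    """Reduce the numeric codes of an InternalError.err_code list (or the
    integers copied out of a traceback) to a short verdict."""
    if any(is_unsupported_algorithm(c) for c in codes):
        return "unsupported_algorithm"
    return "other"


def load_engine_config(backend):
    """Make the libcrypto that cryptography linked to read openssl.cnf, and so
    its [engine_section], in this process. A `gost` engine loaded by the
    standalone `openssl` binary does not carry over.

    Returns True if OPENSSL_config was called, False if this cryptography
    build does not expose it (assumption: only 2.x-era cffi bindings do)."""
    lib, ffi = backend._lib, backend._ffi
    if not hasattr(lib, "OPENSSL_config"):
        return False
    lib.OPENSSL_config(ffi.NULL)  # NULL: default application/config section
    return True


def probe_csr_public_key(csr_der):
    """Parse a DER CSR and classify what happens when its public key is read.

    Returns one of:
      "ok"                        key is a type cryptography has a class for
      "libcrypto_unsupported_oid" engine for the key OID is not loaded here
      "cryptography_no_key_class" libcrypto parsed the key, cryptography has
                                  no class for it (the GOST case on 2.x)
    """
    from cryptography import x509
    from cryptography.exceptions import InternalError, UnsupportedAlgorithm
    from cryptography.hazmat.backends import default_backend

    backend = default_backend()
    load_engine_config(backend)            # must run before the parse below
    csr = x509.load_der_x509_csr(csr_der, backend)
    try:
        csr.public_key()
    except InternalError as exc:
        codes = [err.code for err in exc.err_code]
        if diagnose_error_stack(codes) == "unsupported_algorithm":
            return "libcrypto_unsupported_oid"
        raise
    except UnsupportedAlgorithm:
        return "cryptography_no_key_class"
    return "ok"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(probe_csr_public_key(fh.read()))
```

Run it as `python probe_csr.py sign_op_pkcs10.req`. Getting "libcrypto_unsupported_oid" with the config loaded means the dynamic_path in openssl.cnf points at an engine built for a different libcrypto than the one cryptography loaded, which is exactly what the openssl_version_text() check in this thread is for.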