author | Максим Новиков | 2023-08-29 10:40:31 +0300 |
---|---|---|
committer | Максим Новиков | 2023-08-29 10:40:31 +0300 |
commit | 74aca42fc02a9166f8ce8f6a70790697deb7e396 (patch) | |
tree | fa2a6473020643c4c7f15d3dd9b2398dd8526570 | |
download | aur-74aca42fc02a9166f8ce8f6a70790697deb7e396.tar.gz |
v3.0.2
-rw-r--r-- | .SRCINFO | 30 | ||||
-rw-r--r-- | PKGBUILD | 75 | ||||
-rw-r--r-- | example-openssl.cnf | 369 | ||||
-rw-r--r-- | gost.cnf | 15 | ||||
-rwxr-xr-x | openssl-gost-engine.install | 91 |
5 files changed, 580 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..1c9a1d5f9d86
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,30 @@
+pkgbase = openssl-gost-engine
+ pkgdesc = A reference implementation of the Russian GOST crypto algorithms for OpenSSL
+ pkgver = v3.0.2
+ pkgrel = 1
+ url = https://github.com/gost-engine/engine/
+ install = openssl-gost-engine.install
+ arch = i686
+ arch = x86_64
+ license = apache
+ makedepends = git
+ makedepends = cmake
+ depends = perl
+ depends = openssl
+ optdepends = ca-certificates
+ provides = openssl-gost-engine
+ conflicts = openssl-gost-engine
+ conflicts = gost-engine
+ backup = etc/ssl/gost.cnf
+ source = git+https://github.com/gost-engine/engine.git#commit=2a8a5e0
+ source = git+https://github.com/provider-corner/libprov.git#commit=8a126e0
+ source = gost.cnf
+ source = example-openssl.cnf
+ source = openssl-gost-engine.install
+ sha512sums = SKIP
+ sha512sums = SKIP
+ sha512sums = ad43a736c26c36b11a39f9b0831839a8bc033f838ce5bc5d93930e2610fcfa69679799bb1fc413f16fc189449df31bae9690d44b18bd7d7b28fe2eb2bdf9084a
+ sha512sums = b78d96d14edce1be96fab96da0e97e4c94c59e311428e2f84d77864366e7b3bbaaf6a8192d275552bb578075a5aada2200be83bec256ceb9aa057f0a892d6f8b
+ sha512sums = 1083718c4aad31c1b41743c77bae202f2746e0610e2f7c7891f70b97cff52b9ffd5afdd82edf41a991492425ac823d14949a35d9fff375a9963fbc2e645461ad
+
+pkgname = openssl-gost-engine
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..a0605ba56615
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,75 @@
+# Maintainer: Maxim Novikov <the.mlex@gmail.com>
+
+pkgname=openssl-gost-engine
+pkgver=v3.0.2
+pkgrel=1
+pkgdesc="A reference implementation of the Russian GOST crypto algorithms for OpenSSL"
+arch=('i686' 'x86_64')
+url="https://github.com/gost-engine/engine/"
+license=('apache')
+depends=('perl' 'openssl')
+makedepends=('git' 'cmake')
+optdepends=('ca-certificates')
+provides=('openssl-gost-engine')
+conflicts=(
+ 'openssl-gost-engine'
+ 'gost-engine'
+)
+source=(
+ "git+https://github.com/gost-engine/engine.git#commit=2a8a5e0"
+ "git+https://github.com/provider-corner/libprov.git#commit=8a126e0"
+ "gost.cnf"
+ "example-openssl.cnf"
+ "openssl-gost-engine.install"
+)
+sha512sums=(
+ SKIP
+ SKIP
+ 'ad43a736c26c36b11a39f9b0831839a8bc033f838ce5bc5d93930e2610fcfa69679799bb1fc413f16fc189449df31bae9690d44b18bd7d7b28fe2eb2bdf9084a'
+ 'b78d96d14edce1be96fab96da0e97e4c94c59e311428e2f84d77864366e7b3bbaaf6a8192d275552bb578075a5aada2200be83bec256ceb9aa057f0a892d6f8b'
+ '1083718c4aad31c1b41743c77bae202f2746e0610e2f7c7891f70b97cff52b9ffd5afdd82edf41a991492425ac823d14949a35d9fff375a9963fbc2e645461ad'
+)
+install='openssl-gost-engine.install'
+backup=(
+ 'etc/ssl/gost.cnf'
+)
+
+pkgver(){
+ cd "$srcdir/engine"
+ printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+}
+prepare() {
+ cd "$srcdir/engine"
+
+ git submodule init
+ git config submodule.libs/libprov.url "${srcdir}/libprov"
+ git -c protocol.file.allow=always submodule update
+
+ mkdir -p build
+}
+
+build() {
+ cd "$srcdir/engine/build"
+ cmake .. \
+ -DCMAKE_BUILD_TYPE=Release \
+ -DCMAKE_INSTALL_PREFIX=/usr
+ cmake --build . --config Release
+}
+
+check() {
+ cd "$srcdir/engine/build"
+ make test
+}
+
+package() {
+ cd "$srcdir/engine/build"
+
+ DESTDIR="$pkgdir" cmake --build . --target install --config Release
+ install -Dm0644 "$srcdir/gost.cnf" -t "$pkgdir/etc/ssl"
+
+ mkdir -p -m0644 "$pkgdir/usr/share/doc/openssl-gost-engine"
+ install -m0644 "$srcdir/engine/INSTALL.md" \
+ "$srcdir/engine/README.gost" \
+ "$srcdir/engine/README.md" \
+ "$pkgdir/usr/share/doc/openssl-gost-engine"
+}
diff --git a/example-openssl.cnf b/example-openssl.cnf
new file mode 100644
index 000000000000..81c33d1d34a6
--- /dev/null
+++ b/example-openssl.cnf
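Review bot: `mkdir -p -m0644 "$pkgdir/usr/share/doc/openssl-gost-engine"` in package() creates the documentation directory without the execute bit, so unprivileged users cannot enter it to read the README files installed right after; use `install -dm0755 "$pkgdir/usr/share/doc/openssl-gost-engine"` instead. The pkgver() function returns `r<count>.<hash>` while pkgver is pinned to `v3.0.2` and both git sources are pinned to fixed commits, so makepkg will rewrite the version on every build and it will stop matching .SRCINFO; for a pinned release drop pkgver() (and the `v` prefix, which Arch version conventions leave out). `example-openssl.cnf` is fetched and checksummed in source= but never referenced in package(), so it is not shipped; either install it into the doc directory or remove it from source=. The `-c protocol.file.allow=always` in prepare() is scoped to the one submodule update and points at the already-fetched, commit-pinned `${srcdir}/libprov`, which is the usual way to satisfy Git's file-protocol hardening under makepkg; no change needed there.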
@@ -0,0 +1,369 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Set GOST Configuration
+openssl_conf=openssl_gost
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = /etc/ssl # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = /etc/ssl # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
+
+# GOST Engine Configuration
+[openssl_gost]
+engines = engine_section
+
+[engine_section]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib/engines-1.1/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+init = 0
+
+# GOST Engine Configuration End
diff --git a/gost.cnf b/gost.cnf
new file mode 100644
index 000000000000..11aec5c22a28
--- /dev/null
+++ b/gost.cnf
@@ -0,0 +1,15 @@
+# GOST Engine Configuration
+[openssl_gost]
+engines = engine_section
+
+[engine_section]
+gost = gost_section
+
+[gost_section]
+engine_id = gost
+dynamic_path = /usr/lib/engines-3/gost.so
+default_algorithms = ALL
+CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
+init = 0
+
+# GOST Engine Configuration End
diff --git a/openssl-gost-engine.install b/openssl-gost-engine.install
new file mode 100755
index 000000000000..d4c8f1f8d020
--- /dev/null
+++ b/openssl-gost-engine.install
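Review bot: The `[gost_section]` at the end of example-openssl.cnf sets `dynamic_path = /usr/lib/engines-1.1/gost.so`, while gost.cnf in the same commit (the file actually installed to /etc/ssl) uses `/usr/lib/engines-3/gost.so`; a user who pastes the example into openssl.cnf, as the install message tells them to, points the engine loader at a path that does not exist on an OpenSSL 3 system and the engine cannot be loaded. Make the two files agree, `dynamic_path = /usr/lib/engines-3/gost.so`, or omit the hard-coded path so OpenSSL resolves `gost` from its ENGINESDIR. The inherited TSA sample keeps `sha1` in `digests` and `ess_cert_id_alg = sha1`; if this file is meant as a user template, a comment marking those as legacy defaults kept for compatibility would help readers who copy it.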
@@ -0,0 +1,91 @@
+_helpline(){
+echo "
+
+Attention! Внимание!
+----
+
+ You have to insert that line into your /etc/ssl/openssl.cnf
+ before any [section]
+
+# ---
+# Set GOST Configuration
+openssl_conf=openssl_gost
+# ---
+
+ And the content of gost.cnf at the very end of the openssl.cnf.
+ Do not .include it.
+
+How to check:
+____
+
+listings:
+ openssl dgst -list|grep gost
+ openssl engine gost -c
+ openssl ciphers|tr ':' '\n'|grep GOST
+
+hashsum: openssl dgst -engine gost -md_gost12_256 testfile
+keygen: openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:TCB -out ca.key
+
+TroubleShout
+____
+
+а) export OPENSSLDIR=/etc/ssl
+б) s/openssl_gost/openssl_def/g
+в) https://www.altlinux.org/%D0%93%D0%9E%D0%A1%D0%A2_%D0%B2_OpenSSL
+ http://wiki.rosalab.ru/ru/index.php/OpenSSL_%D0%B8_%D0%93%D0%9E%D0%A1%D0%A2
+
+"
+
+}
+
+## arg 1: the new package version
+#pre_install() {
+ # do something here
+#}
+
+## arg 1: the new package version
+post_install() {
+ if [ ! "`grep -s openssl_gost /etc/ssl/openssl.cnf`" ]; then
+ _helpline
+ fi
+ enginesdir=`openssl version -e|perl -ne '/^ENGINESDIR: "(.+)"$/; print $1'`
+ echo "
+ Checks after installation:
+ $enginesdir should contains the file "gost.so"
+ "
+}
+
+## arg 1: the new package version
+## arg 2: the old package version
+#pre_upgrade() {
+ # do something here
+#}
+
+## arg 1: the new package version
+## arg 2: the old package version
+post_upgrade() {
+ if [ ! "`grep -s openssl_gost /etc/ssl/openssl.cnf`" ]; then
+ _helpline
+ fi
+ enginesdir=`openssl version -e|perl -ne '/^ENGINESDIR: "(.+)"$/; print $1'`
+ echo "
+ Checks after installation:
+ $enginesdir should contains the file "gost.so"
+ "
+}
+
+## arg 1: the old package version
+#pre_remove() {
+ # do something here
+#}
+
+## arg 1: the old package version
+post_remove() {
+ if [ "`grep openssl_gost /etc/ssl/openssl.cnf`" ]; then
+ echo "
+
+ Do not forget to modify your /etc/ssl/openssl.cnf
+
+ "
+ fi
+}
|
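Review bot: post_install and post_upgrade have byte-identical bodies; define the logic once and let the upgrade hook delegate, `post_upgrade() { post_install "$@"; }`. In the `echo` of both functions the inner quotes around gost.so close and reopen the double-quoted string, so the printed line reads `... the file gost.so` without the quotes the author intended; escape them as `\"gost.so\"` or put the message in single quotes. The presence check `[ ! "`grep -s openssl_gost /etc/ssl/openssl.cnf`" ]` is clearer and avoids the backtick capture as `if ! grep -qs openssl_gost /etc/ssl/openssl.cnf; then`, and post_remove should use the same `-s` so a missing openssl.cnf does not print a grep error during removal. The helper text has two typos in user-facing strings: `should contains` should read `should contain`, and `TroubleShout` should read `Troubleshooting`.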