Working with Russian (GOST) cryptography

An example of using OpenXPKI with alternative cryptography

by Sergei Vyshenski

Since late summer of 2006 a production branch of OpenSSL version 0.9.9 has built-in support for arbitrary asymmetric cryptography, and provides an extended set of Russian national algorithms (GOST) as an example of foreign cryptography. Today this OpenSSL-0.9.9 branch is far from a stable state. As soon as it stabilizes, the OpenXPKI project will surely support it. That is, both classical RSA/DSA cryptography and GOST cryptography will be supported simultaneously, by default and out of the box.

For those who cannot wait, provided here is a patched version of OpenSSL-0.9.8d equipped with the same set of GOST algorithms as in version 0.9.9. This collection is called OpenSSL-0.9.8d-gost. It has full and simultaneous support of both western and Russian cryptography. The recipes that follow have been tested to work with OpenXPKI on the FreeBSD@Intel-32, FreeBSD@AMD-64 and Debian@Intel-32 platforms. "Tested to work" here means that all built-in tests of OpenXPKI pass, and that no cryptographic-backend-related errors were found while working with OpenXPKI via the web interface.

Roughly, today's procedure to prepare support for GOST in OpenXPKI is as follows:

The details of the above procedure are given in a shell script. For simplicity it knows the download URLs of only one of the many SourceForge mirrors to fetch tarballs from. To run this script you need to have wget installed. You may have to edit the first lines of the script to match your system and preferences:

If the script fails at the download stage, you can help it by downloading the three needed tarballs manually from the references above and placing all of them into OPENSSL_SOURCEDIR. After that, re-run the script.

If successful, the above procedure adds support for the following cryptographic algorithms (named here as recognized by the OpenSSL library):

To test GOST support at the library level try:

    ${OPENSSL_INSTALLDIR}/bin/openssl engine gost -t -c -vvvv

You should see something similar to the following:

    (gost) GOST engine
     [gost89, md_gost94, gost94, gost94cp, gost2001, gost2001cp]
         [ available ]
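
As an added example (not part of the OpenXPKI documentation or project), a POSIX shell function that checks the captured output of the engine test above for the engine name, the six algorithms and the `[ available ]` marker, so the check can be scripted before (re)installing OpenXPKI. The sample output is the one shown above; the function and variable names are my own.

```sh
#!/bin/sh
# Added example: validate the output of
#   ${OPENSSL_INSTALLDIR}/bin/openssl engine gost -t -c -vvvv
# Usage: check_gost_engine "$(${OPENSSL_INSTALLDIR}/bin/openssl engine gost -t -c -vvvv)"

# Algorithm names the GOST engine is expected to list (as on the page).
GOST_EXPECTED="gost89 md_gost94 gost94 gost94cp gost2001 gost2001cp"

# Returns 0 when the engine loaded, lists every expected algorithm and
# passed its self-test (-t); otherwise prints the reason and returns 1.
check_gost_engine() {
    out="$1"
    case "$out" in
        *"(gost) GOST engine"*) ;;
        *) echo "gost engine not loaded (is OpenSSL-gost first in PATH?)"; return 1 ;;
    esac
    # Turn "[a, b, c]" into whitespace-separated tokens and compare whole
    # tokens, so "gost94" is not satisfied by "md_gost94" alone.
    tokens=$(printf '%s\n' "$out" | tr '[],' '   ')
    for alg in $GOST_EXPECTED; do
        found=0
        for tok in $tokens; do
            [ "$tok" = "$alg" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "algorithm missing from engine: $alg"; return 1
        fi
    done
    # The -t self-test reports "[ available ]" on success.
    case "$out" in
        *"[ available ]"*) return 0 ;;
        *) echo "engine loaded but self-test did not report it available"; return 1 ;;
    esac
}

# Constructed sample: the healthy output shown on the page.
SAMPLE_OUTPUT='(gost) GOST engine
 [gost89, md_gost94, gost94, gost94cp, gost2001, gost2001cp]
     [ available ]'

check_gost_engine "$SAMPLE_OUTPUT" && echo "GOST engine OK"
```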

And do not forget to (re)install OpenXPKI against the just-installed OpenSSL-gost software collection.

Environment variables:


should be defined while running the following commands for the OpenXPKI server:

    perl Makefile.PL
    make test

After that, in addition to the usual western cryptography, users and administrators of OpenXPKI will be able to enjoy the following GOST public key algorithms (listed in the spelling of OpenXPKI):

In full accord with the X.509 standard, all these GOST* algorithms, along with all DSA and RSA algorithms, can be used to cross-sign certificates. Thus a certification chain of a given PKI may contain an arbitrary mix of these algorithms.

If environment variable:


is UNDEFINED during the make procedure for the OpenXPKI server, then the GOST-related tests of OpenXPKI are skipped and support of GOST algorithms in OpenXPKI is suspended. This also applies to the case when cryptographic backend #1 is used (see Cryptography abstraction concept). Thus the presence of GOST-related code inside OpenXPKI does no harm to a customer who does not have a GOST-enabled cryptographic backend, or knows nothing about GOST.

(1) Digital signature in CP mode has a different byte ordering with respect to the regular mode. Strictly speaking, this mode explicitly violates the related Russian federal standards for digital signature. Nonetheless, it is widely employed in some MS Windows-based applications. It is supported here for compatibility.