Add PKCS#12 RFC 9337 / RFC 9548 GOST-native support #527
Open
ilya-maltsev wants to merge 1 commit into gost-engine:master from
Pull request overview
This PR adds end-to-end PKCS#12 (PFX) support for GOST algorithms, covering both RFC 9337/9548 (TK-26 PBES2/PBKDF2 + CTR-ACPKM) and CryptoPro’s proprietary keybag PBE OID 1.2.840.113549.1.12.1.80, with parity tests across engine/provider modes and a Docker dev stack to reproduce validation matrices (including CryptoPro CSP).
Changes:
- Introduces RFC 9337/9548 PKCS#12 conformance + CLI smoke tests, plus an engine-vs-provider structural parity check.
- Adds provider-side plumbing for CryptoPro proprietary keybag decode (OID binding + provider cipher dispatch).
- Ships per-OpenSSL-version libcrypto patch files (3.4/3.6/4.0) plus extensive documentation and a multi-version Docker dev environment.
Reviewed changes
Copilot reviewed 41 out of 42 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test/pkcs12_rfc9337.sh | CLI-level smoke test for openssl pkcs12 -export/-in using RFC 9337/9548 ciphers/digests. |
| test/pkcs12_cross_mode_parity.sh | Runs the RFC9337 test binary under engine/provider configs and diffs structural fingerprints. |
| test_pkcs12_rfc9337.c | Core RFC 9337/9548 matrix test using libcrypto APIs + structural fingerprint output mode. |
| README.pkcs12.ru.md | Russian PKCS#12 documentation: modes, OIDs, env knobs, provider patch requirement, CryptoPro decode notes. |
| README.pkcs12.md | English PKCS#12 documentation mirroring the RU version. |
| README.md | Links the repository root README to the new PKCS#12 docs. |
| patches/pkcs12/README.ru.md | Russian documentation for the per-version OpenSSL libcrypto PKCS#12 provider-mode patches. |
| patches/pkcs12/README.md | English documentation for the per-version OpenSSL libcrypto PKCS#12 provider-mode patches. |
| patches/pkcs12/openssl-pkcs12-provider-pbe-4.0.patch | OpenSSL 4.0 libcrypto patch enabling provider-mode PKCS#12 PBE paths for GOST. |
| patches/pkcs12/openssl-pkcs12-provider-pbe-3.6.patch | OpenSSL 3.6 libcrypto patch enabling provider-mode PKCS#12 PBE paths for GOST. |
| patches/pkcs12/openssl-pkcs12-provider-pbe-3.4.patch | OpenSSL 3.4 libcrypto patch enabling provider-mode PKCS#12 PBE paths for GOST. |
| gost_prov.c | Provider init/teardown wiring for CryptoPro keybag OID/PBE registration lifecycle. |
| gost_prov_digest.c | Adds LN aliases to provider digest names to satisfy PKCS#12 internal lookups via long name. |
| gost_prov_cipher.c | Provider cipher enhancements: custom alg-id params emission, PRF NID exposure, (inactive) OMAC ads. |
| gost_grasshopper_cipher.c | Engine-side cipher fixes: deterministic UKM seed lifecycle + PRF ctrl + AEAD ctrl trio for OMAC. |
| gost_gost2015.c | Fixes ACPKM+OMAC seed generation to avoid post-AI re-randomization (round-trip correctness). |
| gost_cryptopro_keybag.h | Declares CryptoPro proprietary keybag OID/NID/PBE registration API and unwrap cipher dispatch. |
| gost_cryptopro_keybag_asn1.h | ASN.1 schema declarations for CryptoPro keybag decode pipeline. |
| gost_cryptopro_keybag_asn1.c | ASN.1 template implementations for CryptoPro keybag decode pipeline. |
| gost_crypt.c | Engine-side updates for Magma: PRF ctrl + OMAC AEAD ctrl trio + deterministic UKM seed serialization. |
| docker/dev_pkcs12/scripts/run-full-check.sh | Dev helper: strict rebuild + ctest + cppcheck + valgrind sweep of test binaries. |
| docker/dev_pkcs12/scripts/fetch-openssl.sh | Fetches OpenSSL source tarballs used by the multi-version dev stack. |
| docker/dev_pkcs12/scripts/entrypoint.sh | Dev container bootstrap: patch+build OpenSSL in-volume and build/install engine/provider. |
| docker/dev_pkcs12/scripts/engine_to_csp_matrix.sh | Provider-mode matrix: generate PFX in dev stacks and import into CryptoPro CSP (Tier-1 validation). |
| docker/dev_pkcs12/scripts/cryptopro_keybag_decode.sh | CSP→OpenSSL decode matrix for proprietary keybag .80 across 3.4/3.6/4.0 stacks. |
| docker/dev_pkcs12/README.ru.md | Russian docs for dev stack layout, bootstrap, and test invocation. |
| docker/dev_pkcs12/README.md | English docs for dev stack layout, bootstrap, and test invocation. |
| docker/dev_pkcs12/Dockerfile.test | Minimal test runner image for ctest against the dev-built OpenSSL prefix. |
| docker/dev_pkcs12/Dockerfile.dev | Dev image for building OpenSSL + engine/provider with debugging tools. |
| docker/dev_pkcs12/docker-compose.yml | Orchestrates 3 OpenSSL-version dev containers plus CryptoPro CSP sibling container. |
| docker/dev_pkcs12/cryptopro/test_gamma/kpim | Seed material for CSP RNG (dev/test-only). |
| docker/dev_pkcs12/cryptopro/test_gamma/db1/kis_1 | Baked CPSD gamma seed file for headless CryptoPro CSP keygen (dev/test-only). |
| docker/dev_pkcs12/cryptopro/readme.keygen.md | Verified CSP key+cert+PFX export flow documentation for the test container. |
| docker/dev_pkcs12/cryptopro/readme.dockerfile.md | Describes the CryptoPro container build and runtime quirks. |
| docker/dev_pkcs12/cryptopro/readme.certmgr.md | Reference for certmgr CLI surface used by matrix scripts. |
| docker/dev_pkcs12/cryptopro/entrypoint.cryptopro.sh | CryptoPro container init: seed RNG gamma, drop interactive RNG, log license. |
| docker/dev_pkcs12/cryptopro/Dockerfile.cryptopro | Builds the CryptoPro CSP image from a user-provided proprietary archive. |
| docker/dev_pkcs12/cryptopro/data/.gitkeep | Keeps the PFX swap directory in git. |
| docker/dev_pkcs12/.gitignore | Ignores some local dev artifacts under docker/dev_pkcs12/. |
| cmake/tests.cmake | Registers the new RFC9337 test(s) and engine/provider parity/CLI tests with ctest. |
| cmake/provider.cmake | Adds CryptoPro keybag source files to the provider build. |
Comment on lines 134 to 139
| static void gost_teardown(void *vprovctx) | ||
| { | ||
| GOST_prov_deinit_digests(); | ||
| GOST_prov_deinit_macs(); | ||
| unregister_cryptopro_keybag_pbe(); | ||
| provider_ctx_free(vprovctx); |
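Review bot: unregister_cryptopro_keybag_pbe() in gost_teardown() takes no provider-context argument, so it appears to undo a process-wide registration from a per-context teardown. If the provider can be loaded into more than one library context, the first teardown would remove the CryptoPro keybag PBE binding while another instance still relies on it. Consider reference-counting the register/unregister pair, or documenting why a single registration per process is guaranteed. A short comment stating that the unregister call is safe when registration failed or never ran during init would also help.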
Comment on lines +259 to +265
| /* PBKDF2.prf is X509_ALGOR. */ | ||
| { | ||
| const ASN1_OBJECT *prf_oid; | ||
| X509_ALGOR_get0(&prf_oid, NULL, NULL, pbkdf2->prf); | ||
| if (OBJ_obj2txt(out->prf_oid, sizeof(out->prf_oid), | ||
| prf_oid, 1) <= 0) goto out; | ||
| } |
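Review bot: pbkdf2->prf is passed to X509_ALGOR_get0() without a NULL check in these lines. The prf field of PBKDF2-params is optional in the ASN.1 (it has a DEFAULT), so a PFX that omits it can leave the pointer NULL, and X509_ALGOR_get0() dereferences its algor argument when an output pointer is supplied; on untrusted input that is a crash in the parser. Unless a check outside this excerpt already rejects a missing prf, add one before the call, for example "if (pbkdf2->prf == NULL) goto out;". As a style point, put "goto out;" on its own line so the error path is easy to spot.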
| @@ -0,0 +1,3 @@ | |||
| .docker-build-cache | |||
| *.local.yml | |||
| *.local.env | |||
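Review bot: the three patterns cover only the build cache and local compose/env overrides. The same tree is described as holding a PFX swap directory (docker/dev_pkcs12/cryptopro/data/, kept via .gitkeep) and an image built from a user-provided proprietary CryptoPro archive, and neither generated PFX files nor that archive is ignored here. Unless another ignore file covers them, consider adding patterns for the contents of cryptopro/data/ (keeping .gitkeep) and for the archive, so test key material and the licensed archive cannot be committed by accident.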
Comment on lines 163 to 166
| * Described in RFC 6986, first name from | ||
| * https://www.ietf.org/archive/id/draft-deremin-rfc4491-bis-06.txt | ||
| * (is there not an RFC namming these?) | ||
| */ |
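Review bot: the comment has a typo ("namming" should be "naming") and leaves an open question in the source. Resolve the parenthetical before merge: either cite the document that assigns these names or drop the question. Prefer a stable reference over a numbered Internet-Draft URL (draft-deremin-rfc4491-bis-06), since drafts expire and are replaced.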
Based on #128
PKCS#12 (PFX) support with GOST algorithms
Export and import of PFX containers via the standard openssl pkcs12:
- gost89 under the RFC 7292 wrapping; the outer MAC is HMAC with a GOST hash.
- 1.2.840.113549.1.12.1.80.
Implementations
- gost.so): OpenSSL 3.x without libcrypto patches.
- gostprov.so): OpenSSL 3.4 / 3.6 / 4.0; requires the libcrypto patch patches/pkcs12/openssl-pkcs12-provider-pbe-${MAJOR}.${MINOR}.patch (shipped separately for each version).
The OMAC variants (kuznyechik-ctr-acpkm-omac, magma-ctr-acpkm-omac) work in engine mode on 3.x. In provider mode they are blocked on gost2015_acpkm_omac_init (a separate refactoring of the engine sources to EVP_MAC_fetch is needed).
Contents
- gost_cryptopro_keybag*.c, gost_prov_*.c, etc.).
- patches/pkcs12/.
- docker/dev_pkcs12/: containers for three OpenSSL versions + a sibling CryptoPro CSP.
- engine_to_csp_matrix.sh, cryptopro_keybag_decode.sh.
Documentation
- README.pkcs12.md / README.pkcs12.ru.md: overview + CLI examples + environment variables.
- patches/pkcs12/README.md / README.ru.md: description of the patches and reproduction of the validation matrices.
- docker/dev_pkcs12/README.md / README.ru.md: bringing up the dev stack.