2
votes

I have my certificate, the source document and a detached signature in Base64 format. The signature was created by UEC (Universal Electronic Card, a Russian smart card project) on Windows in the CryptoARM program (I think a GOST hash function is used).

I'm using Ubuntu 13.10 and have installed OpenSSL 1.0.1e (GOST support is included by default, AFAIK).

I've installed the UEC CA certificate in the Ubuntu CA store:

sudo cp ~/uec/uec.cer /usr/local/share/ca-certificates/uec.crt
sudo update-ca-certificates

And console verification succeeds (provided the file wasn't changed, of course):

$ openssl smime -verify -engine gost -inform DER -in ~/uec/to_be.txt.sig -content ~/uec/to_be.txt 
engine "gost" set.
Verification successful
Original file contents goes here

So I'm trying to do the validation in Ruby (2.0.0 and 2.1.0), as described in this question: Digital signature verification with OpenSSL

require 'openssl'
OpenSSL::Engine.load
engine = OpenSSL::Engine.by_id('gost')

cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths
# PKCS7#verify expects OpenSSL::X509::Certificate objects, not the raw file contents
my_cert = OpenSSL::X509::Certificate.new(File.read('/home/envek/uec/envek-b64.cer'))
data = File.read('/home/envek/uec/to_be.txt')
signature = OpenSSL::PKCS7.new(File.read('/home/envek/uec/to_be.txt.der.sig'))

# flags are combined with bitwise |; `||` is boolean OR and would pass only DETACHED
signature.verify([my_cert], cert_store, data, OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::NOVERIFY)
# => false
signature
# => #<OpenSSL::PKCS7:0x00000002168918 @data="\xEF\xBB\xBF\xD0\xAD\xD1\x82\xD0\xBE \xD1\x84\xD0\xB0\xD0\xB9\xD0\xBB, \xD0\xBA\xD0\xBE\xD1\x82\xD0\xBE\xD1\x80\xD1\x8B\xD0\xB9 \xD1\x8F \xD0\xBF\xD0\xBE\xD0\xB4\xD0\xBF\xD0\xB8\xD1\x88\xD1\x83", @error_string="unsupported algorithm">

So I really don't know why it just returns false, or whether my engine loading affects anything at all. How do I tell PKCS7#verify to use the correct algorithm provided by the GOST engine?

Any ideas?

Files:

P.S. To make OpenSSL work properly, the following steps are required (found here):

This line should be added at the very top of /etc/ssl/openssl.cnf:

openssl_conf = openssl_def

These lines should be added at the very bottom of /etc/ssl/openssl.cnf:

[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
default_algorithms = ALL
engine_id = gost

After that, the following command should show this output:

$ openssl ciphers | tr ":" "\n" | grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

1 Answer

1
votes

Weird thing: I've just tried to call the OpenSSL::Engine#set_default method with the value 0xFFFF. Just:

engine.set_default(0xFFFF)

And it works!!!

The documentation is absolutely unclear about it. What does it do, and what flags does it accept as values? Can anyone explain it to me, please?
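As an added example that is not part of the question or the answer: the script below puts the answer's set_default call and the question's PKCS7#verify call into one complete, runnable shape. It assumes nothing from the original files. The signer is a constructed self-signed RSA certificate and the signed data is a constructed string, so it runs without the UEC certificate, the gost engine or any GOST algorithm; load_engine_as_default, make_selfsigned_signer, sign_detached, verify_detached and round_trip are names chosen here. OpenSSL::Engine::METHOD_ALL is the Ruby constant for the 0xFFFF value the answer used (ENGINE_METHOD_ALL in OpenSSL's engine.h); the per-method flags named in the comments exist under the same naming.

```ruby
require 'openssl'

# Added example, not code from the question or the answer. The UEC certificate,
# the gost engine and the GOST algorithms are replaced by a constructed RSA
# self-signed certificate so that the whole round trip runs offline.

# Register engine +id+ as OpenSSL's default implementation for every method type
# it provides. OpenSSL::Engine::METHOD_ALL is ENGINE_METHOD_ALL (0xFFFF). Narrower
# flags exist as well: METHOD_RSA (0x1), METHOD_DSA (0x2), METHOD_DH (0x4),
# METHOD_RAND (0x8), METHOD_CIPHERS (0x40), METHOD_DIGESTS (0x80). Loading an
# engine with by_id alone does not make its digests/signatures the ones looked
# up by name; set_default does. Returns nil when this OpenSSL has no such engine
# or was built without engine support.
def load_engine_as_default(id, flags = nil)
  return nil unless defined?(OpenSSL::Engine)
  OpenSSL::Engine.load                      # make built-in/dynamic engines visible
  engine = OpenSSL::Engine.by_id(id)        # raises EngineError if unknown
  engine.set_default(flags || OpenSSL::Engine::METHOD_ALL)
  engine
rescue OpenSSL::OpenSSLError, NameError
  nil
end

# Constructed self-signed signing certificate (stands in for the UEC one).
def make_selfsigned_signer(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyCertSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Detached DER PKCS#7 signature over +data+ (content not embedded), the same
# shape as the .sig file in the question. Flags combine with bitwise |.
def sign_detached(cert, key, data)
  flags = OpenSSL::PKCS7::BINARY | OpenSSL::PKCS7::DETACHED
  OpenSSL::PKCS7.sign(cert, key, data, [], flags).to_der
end

# Verify +signature_der+ over +data+, checking the signer chain against +store+.
# The detached content goes in as the third argument; DETACHED is a signing
# flag and is not needed here. Returns [ok, reason] where reason is nil on success.
def verify_detached(signature_der, data, store, extra_certs: [])
  p7 = OpenSSL::PKCS7.new(signature_der)
  ok = p7.verify(extra_certs, store, data)
  [ok, ok ? nil : p7.error_string]
end

# Full round trip: sign, verify genuine data, verify tampered data, verify
# against a store that does not trust the signer. Returns the outcomes.
def round_trip(data)
  key, cert = make_selfsigned_signer('constructed example signer')
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)            # trust our own root, as update-ca-certificates did for uec.crt
  sig = sign_detached(cert, key, data)
  genuine,   = verify_detached(sig, data, store)
  tampered, tampered_reason   = verify_detached(sig, data + ' ', store)
  untrusted, untrusted_reason = verify_detached(sig, data, OpenSSL::X509::Store.new)
  { genuine: genuine, tampered: tampered, tampered_reason: tampered_reason,
    untrusted: untrusted, untrusted_reason: untrusted_reason }
end

if __FILE__ == $0
  puts "gost engine as default: #{load_engine_as_default('gost') ? 'yes' : 'not available here'}"
  puts round_trip("constructed sample content\n").inspect
end
```

Two things this shows beyond the answer: flags for both sign and verify are combined with `|` (in the question's call, `DETACHED || NOVERIFY` evaluates to `DETACHED` alone), and leaving NOVERIFY out means the store is actually consulted, so the third verification fails on the chain rather than only on the digest.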