Add derive on GOSTR-3410-2012 #3577
AktivCoAndreyTimofeev wants to merge 1 commit into OpenSC:master from
41e9339 to 0e4f40a
One comprehensive note, not just for this PR. I would not like to use deprecated functions in OpenSC code anymore. Sooner or later the "openssl engine" will become unusable and everything will need to be rewritten to the provider API. Given that openssl 4.0 will no longer support "engine", I recommend not using any patches that depend on the openssl engine anymore. (Please note that openssl has already deprecated the engine API in version 3.0)
0e4f40a to f5e21d7
We are currently developing a provider with support for GOST algorithms.
f5e21d7 to be5b826
| } | ||
| } | ||
|
|
||
| read_binary_file(opt_input, &file_buf, &file_len); |
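Review bot: at the `read_binary_file(opt_input, &file_buf, &file_len);` call, nothing visible in this hunk checks the outcome before `file_buf` and `file_len` are used. If the helper can return without filling the buffer, or the input file is empty, the code that follows would work on an unset pointer or a zero length. Unless this is already handled above the hunk, check right after the call that `opt_input` was supplied, that `file_buf` is non-NULL and that `file_len` matches the length expected for this input, and fail with a clear error message otherwise.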
There are already options --salt-file and --input-file for pkcs11-tool.
Thanks for the note — I understand the concern about adding yet another file option when pkcs11-tool already provides --input-file and --salt-file.
Just to confirm I got your point right: you’re suggesting we should reuse the existing --input-file for the peer public key and reuse --salt-file for the UKM/salt, instead of introducing any new dedicated options for this feature.
In the current version of the patch that’s exactly what I did: GOSTR3410-12 derive reads the peer key from --input-file and requires UKM via --salt-file, and I updated the help text to reflect the dual use of --salt-file (HKDF salt / GOST UKM). If you’d prefer different semantics or naming (e.g., stricter validation or a different help wording), I’m happy to adjust.
src/tools/pkcs11-tool.c
Outdated
|
|
||
| #if defined(__clang__) || defined(__GNUC__) | ||
| #pragma GCC diagnostic push | ||
| #pragma GCC diagnostic ignored "-Wdeprecated-declarations" |
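Review bot: the `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` that follows the push has no matching `#pragma GCC diagnostic pop` in the visible lines, and while it is in effect it hides every deprecation warning in the code after it, not only the one this change needs. If the suppression stays, close it with a pop under the same `#if defined(__clang__) || defined(__GNUC__)` guard directly after the specific calls, and add a comment naming the deprecated API being used. Dropping the pragma and avoiding the deprecated calls is preferable.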
I don't think we want to disable the deprecation warnings just to support a temporary solution. Please have a look at sc_pkcs11_register_openssl_mechanisms() from src/libopensc/openssl.c if you can reuse the gost initialization.
Thanks, I'll pay attention to that.
Thanks for the review. Your comments have been taken into account, and the corresponding changes have been incorporated into the codebase.
fbdb2d9 to 14408ce
14408ce to 59367c4
Checklist