Add support of cryptopro #77
I don't think that GOST should be supported in the default implementation of this package. The best way to get there is likely to make the set of public-key algorithms pluggable, via some sort of table lookup mechanism, which would enable extension via hooks that add more table rows, and then GOST could be provided via an optional module, maintained by a suitably motivated GOST user.
The main issue is that users who have CryptoPro installed on Windows can't start either Haskell or Elm on their machines. So I don't expect to have GOST supported, but at least to have some way to avoid the app crash in this case.
Is this because some of the certificates in the trust store have GOST signatures?
To be honest, I have the same use case as described in http://stackoverflow.com/questions/39086758/haskell-or-elm-error-unknown-public-key-oid
That URL also fails to provide a useful problem description. This is not a sufficiently detailed report. Have you added GOST-based trusted CAs to your system-wide list of trusted CA certificates? Are you able to look more closely and determine the context in which that error happens? Is there any way to point Elm at a non-default certificate store that contains only CA certs that are understood by Data.X509.PublicKey (RSA or ECDSA with P-256, P-384 or P-521)?
Yes, the GOST certificate is installed system-wide. It is an app requirement.
You've provided a URL for a PKCS#7 file containing a bunch of GOST-based CA certificates. This still does not answer the question of how these are deployed and used on your system. When I construct a PEM CAfile, with all the GOST certs from the PKCS#7 bundle and a CA that's the actual issuer of the certificate for a test site, with a TLS connection to the site its certificate is still verified, despite the GOST certs listed first in the CAfile. When I test with just the GOST CA certificates, the connection fails with
Now I must admit that I'm testing a TLS client on MacOS/X and not You need to obtain and post a more detailed description of the failure. What program is failing? What version of "hs-certificate" is it using? What is the failing program doing when it fails? The error message you report happens when public keys are decoded from ASN1. Is your server certificate using a GOST public key? That's not supported. Is its issuing CA using a GOST public key? That's not supported either. Just having some CAs in the trust store that use GOST public keys seems to not cause any problems on my end...
@skie What happens if you make the GOST OID known in the OID list? Making sure the whole thing doesn't fall apart if there are unknown certificates is definitely what we want here.
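One way to combine the table lookup proposed in the first comment with the tolerance for unknown OIDs asked for in the comment above. This is an added example, not code from hs-certificate or Data.X509: every type and function name in it is hypothetical, and the key bytes are constructed placeholders. Only the OID encodings are real.

```haskell
import qualified Data.Map.Strict as M
import Data.Bits (shiftL, testBit, (.&.), (.|.))
import Data.Word (Word8)

type OID = [Integer]

-- Hypothetical key type: an unknown algorithm is a value, not an exception.
data PubKey = PubKeyRSA [Word8] | PubKeyExt String [Word8] | PubKeyUnknown OID [Word8]
  deriving (Show, Eq)

-- Decode the content octets of a DER OBJECT IDENTIFIER (base-128 arcs).
decodeOID :: [Word8] -> Maybe OID
decodeOID bs = arcs bs >>= split
  where
    arcs [] = Just []
    arcs xs = case span (`testBit` 7) xs of
      (_, [])       -> Nothing                       -- truncated arc
      (hi, lo:rest) -> (foldl step 0 (hi ++ [lo]) :) <$> arcs rest
    step acc b = (acc `shiftL` 7) .|. fromIntegral (b .&. 0x7f)
    split []     = Nothing
    split (f:as) | f < 80    = Just (f `div` 40 : f `mod` 40 : as)
                 | otherwise = Just (2 : f - 80 : as)

-- The lookup table: one row per algorithm, extensible by optional modules.
type Registry = M.Map OID ([Word8] -> Either String PubKey)

defaultRegistry :: Registry
defaultRegistry = M.fromList [([1,2,840,113549,1,1,1], Right . PubKeyRSA)]

-- Hook an optional GOST module could use to add its row (no real parsing here).
withGost :: Registry -> Registry
withGost = M.insert [1,2,643,2,2,19] (Right . PubKeyExt "GOST R 34.10-2001")

-- Malformed input is an error; a well-formed but unlisted OID is not.
decodePubKey :: Registry -> [Word8] -> [Word8] -> Either String PubKey
decodePubKey reg oidBytes key = case decodeOID oidBytes of
  Nothing  -> Left "malformed algorithm OID"
  Just oid -> maybe (Right (PubKeyUnknown oid key)) ($ key) (M.lookup oid reg)

-- Trust anchors a verifier can actually use; unknown ones are skipped, never fatal.
usable :: [Either String PubKey] -> [PubKey]
usable ks = [k | Right k <- ks, case k of { PubKeyUnknown _ _ -> False; _ -> True }]

main :: IO ()
main = do
  let rsaOID  = [0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01]  -- 1.2.840.113549.1.1.1
      gostOID = [0x2a,0x85,0x03,0x02,0x02,0x13]                  -- 1.2.643.2.2.19
      store   = [(rsaOID, [0x01]), (gostOID, [0x02])]            -- constructed sample
      load r  = [decodePubKey r o k | (o, k) <- store]
  mapM_ print (load defaultRegistry)                  -- every entry decodes; GOST is PubKeyUnknown
  print (usable (load defaultRegistry))               -- only the RSA anchor is usable
  print (usable (load (withGost defaultRegistry)))    -- both, once the GOST row is registered
```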
I don't write any code; all I have is an empty folder where I am trying to run elm-make and just getting "elm-make: unknown public key OID: [1,2,643,2,2,19]". Tracking where the error comes from led to this library. I haven't used Haskell in the past and am not doing so right now. That's what I am trying to explain.
It's probably best to file a bug report with the Elm maintainers. They should be well-positioned to figure out whether the bug is a result of Elm doing the wrong thing, or if the problem is with Data.X509, they should be able to make a more detailed upstream bug report.
A general failure happens when starting Haskell when CryptoPro is installed.
Getting unknown public key OID: [1,2,643,2,2,19]
Here is the list of CryptoPro OIDs: ftp://soft.lissi.ru/Utils/GenRequest/openssl/crypto_oid.h