EldoS | Feel safer!

Software components for data protection, secure storage and transfer

gost algorithms support

#24055
Posted: 03/13/2013 05:48:32
by Dmitry Sokolov (Basic support level)
Joined: 03/13/2013
Posts: 7

Hello!

I need a solution for supporting Russian crypto algorithms and CSPs in my applications. The documentation on your website does not describe the usage of the specific GOST properties of the components (such as TElMessageEncryptor's GOSTParamSet) and constants. I could not get the sample applications working using the certificates and private keys obtained through the Russian CSPs CryptoPro 3.6 and VipNet 3.2:
- when using the TElMessageEncryptor component according to the “How To”, I get the error «invalid property value»
- when using the TElXMLSigner component in the sample application “AdvancedSigner”, I get the error «unsupported hash algorithm».

Sorry for my poor English. With best regards,
Dmitry Sokolov
#24056
Posted: 03/13/2013 06:24:18
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Hi. Thank you for contacting us.
Which paramset are you trying to use with ElMessageEncryptor?
We support the paramsets defined in RFC 4357.

And, which key/certificate are you trying to use with XML signer?
#24090
Posted: 03/14/2013 05:08:16
by Dmitry Sokolov (Basic support level)
Joined: 03/13/2013
Posts: 7

Hi, Mykola!

Thanks for the quick reply! I tried to use the TElMessageEncryptor component without specifying additional parameters of the algorithms (using the default parameters, as I had hoped). I used an X.509 certificate similar to this one: http://q.cryptopro.ru/qcacer.p7b. It was issued by means of the most common CSP in Russia, CryptoPro CSP 3.6, with its default parameters (according to the mentioned RFC 4357, as I hope).

Mykola! I have the following questions:

1. Is it right that SecureBlackbox by default implements the GOST algorithms independently, without external CSPs, as is usual in Windows CryptoAPI? What settings should I use in this case for the TElMessageEncryptor and TElXMLSigner components to use them with certificates like this: http://q.cryptopro.ru/qcacer.p7b?

2. How can I use the capabilities of TElWin32CryptoProvider for working with the TElMessageEncryptor and TElXMLSigner components? Is it possible? If so, it would be nice to get some sample code. In some cases it is necessary for me to use the implementation of the GOST algorithms by external CSPs like Infotecs VipNet CSP 2.3 and CryptoPro CSP 3.6. I need it to legitimize my programs according to the ancient Russian laws :)

Regards, Dmitry
#24092
Posted: 03/14/2013 06:04:29
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

I checked the certificate - we support such certificates; they use the parameter set defined in the RFC.
Most likely you didn't set ElMessageEncryptor.Algorithm to SB_ALGORITHM_CNT_GOST_28147_1989

1. Yes, we have implemented all GOST algorithms natively, so our implementation doesn't depend on any third-party libraries or crypto providers. To use them, you should use algorithms from the GOST set.
2. I cannot answer for sure right now; we need to recheck support for CryptoPro CP within ElWin32CryptoProvider, and this will take some time.
#24096
Posted: 03/14/2013 06:40:37
by Dmitry Sokolov (Basic support level)
Joined: 03/13/2013
Posts: 7

Hi.
0. Quote: «Most likely you didn't set ElMessageEncryptor.Algorithm to SB_ALGORITHM_CNT_GOST_28147_1989»

Unfortunately, that is not the case; here is my test code, which generates the 'Invalid property value' error:

Code
procedure TForm1.Button1Click(Sender: TObject);
var
  Err : integer;
  lCertStorage: TElMemoryCertStorage;
  lEncryptor: TElMessageEncryptor;
  lInFile, lOutFile: TFileStream;
begin
  if Length(cbCert.Text) = 0 then begin
    ShowMessage('Choose certificate to validate!');
    Exit;
  end;
  if FileExists(cbCert.Text) then begin
    Err := ElX509Certificate.LoadFromFileAuto(OpenDialog1.Filename, '');
    if Err <> 0 then begin
      ShowMessage('Error loading certificate [' + IntToStr(Err) + ']');
      Exit;
    end;
  end else
    ElX509Certificate.Assign(WinCertStorage[cbCert.ItemIndex]);
  // Locals are not initialised by Delphi; set them to nil so that FreeAndNil in
  // the finally block is safe if a constructor raises before the assignment.
  lCertStorage := nil;
  lEncryptor := nil;
  lInFile := nil;
  lOutFile := nil;
  try
    lCertStorage := TElMemoryCertStorage.Create(Self);
    try
      lInFile := TFileStream.Create('1.txt', fmOpenRead);
      lOutFile := TFileStream.Create('1.enc', fmCreate);

      lEncryptor := TElMessageEncryptor.Create(Self);
      with lEncryptor do begin
        CertStorage := lCertStorage;
        lCertStorage.Add(ElX509Certificate);
        Algorithm := SB_ALGORITHM_CNT_GOST_28147_1989;
        //BitsInKey := 256;
        Encrypt(lInFile, lOutFile);
      end;
    finally
      FreeAndNil(lEncryptor);
      FreeAndNil(lInFile);
      FreeAndNil(lOutFile);
      FreeAndNil(lCertStorage);
    end;
  except
    on Ex: Exception do
      mmLog.Lines.Add('ERROR:'#13#10 + Ex.Message + #13#10);
  end;
end;


1. Quote: «To use them you should use algorithms from Gost set.»
How exactly?
2. I will wait with hope :)

Thank you, Mykola!
#24098
Posted: 03/14/2013 07:04:25
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Strange. Are you using a certificate loaded from a file? Please try with the CryptoPro certificate from the link you specified (it is a PKCS#7 file, so you should extract the certificate from it).

Also, please try to do the same with MessagesDemo (there you should manually set .Algorithm to GOST before calling .Encrypt); it works for me.

With TElMessageEncryptor you should just set the GOST .Algorithm and add a valid GOST certificate to CertStorage.
With ElXMLSigner, please check the XML SimpleSigner demo. You should just change SignatureMethod to xsmGOST2001 and load the correct GOST certificate with its private key.

Also, I assume that you use the latest SBB build (10.0.233), downloaded from our site.
#24107
Posted: 03/14/2013 16:16:01
by Dmitry Sokolov (Basic support level)
Joined: 03/13/2013
Posts: 7

Hi again!

1. I can encrypt a file with no errors by loading the certificate from the file - wonderful! Loading the same certificate from WinCertStorage still results in the same error.

2. Which version of the TElMessageEncryptor.Encrypt method should I use: buffer or stream? Unfortunately, they produce results of different lengths.

3. I was not able to decrypt the encrypted file - sad... I exported the private key from the CryptoPro container into a p12 (pfx) file together with the certificate, but I was not able to load the private key into the TElX509Certificate component. I used the code from MessagesDemo to load the private key, but it didn't work (Cert.SaveKeyToBuffer(nil, Sz) returns Sz = 0). Also, PrivateKeyExtractable returns false, but CryptoPro itself says that the key is extractable for this certificate! Maybe you know the recommended way of exporting private keys from CryptoPro for SecureBlackbox?

Thank you for your cooperation.
#24108
Posted: 03/14/2013 16:32:11
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

1. We will also check the work with WinCertStorage.
2. Do you check the result length of the buffer version of Encrypt after the second call? The first call is just the estimation.
3. When we implemented GOST algorithm support (some years ago), the CryptoPro crypto provider didn't support exporting private keys to a file in any readable way (as far as I remember, they exported keys to PFX, but there was no documentation on how to decrypt and read the private key).
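The two-call buffer pattern referred to in item 2, as an added Delphi example (not code from this thread, from MessagesDemo or from EldoS); the unit names and the Encrypt(InBuffer, InSize, OutBuffer, var OutSize) signature are assumed from SecureBlackbox 10's API, and InData is assumed non-empty:

```delphi
uses
  SysUtils, SBX509, SBCustomCertStorage, SBMessages, SBConstants;

// Encrypts InData for the recipient certificate in CertFile with GOST 28147-89
// via the buffer overload of TElMessageEncryptor.Encrypt (signature assumed).
// The first call, with a nil output buffer, only returns a size estimate in
// OutSize; the second call encrypts and sets OutSize to the real length of the
// PKCS#7 message, which is the value to compare with the stream overload's
// output. Returns 0 on success, otherwise the SecureBlackbox error code.
function EncryptGostBuffer(const CertFile: string; const InData: TBytes;
  out OutData: TBytes): Integer;
var
  Cert: TElX509Certificate;
  Storage: TElMemoryCertStorage;
  Encryptor: TElMessageEncryptor;
  OutSize: Integer;
begin
  SetLength(OutData, 0);
  Cert := TElX509Certificate.Create(nil);
  Storage := TElMemoryCertStorage.Create(nil);
  Encryptor := TElMessageEncryptor.Create(nil);
  try
    Result := Cert.LoadFromFileAuto(CertFile, '');
    if Result <> 0 then
      Exit;
    Storage.Add(Cert);
    Encryptor.CertStorage := Storage;
    Encryptor.Algorithm := SB_ALGORITHM_CNT_GOST_28147_1989;

    // Pass 1: size estimation only. OutSize receives an upper bound, usually
    // larger than the final message, so it must not be used as the length.
    OutSize := 0;
    Encryptor.Encrypt(@InData[0], Length(InData), nil, OutSize);

    // Pass 2: real encryption. OutSize is updated to the bytes actually written.
    SetLength(OutData, OutSize);
    Result := Encryptor.Encrypt(@InData[0], Length(InData), @OutData[0], OutSize);
    if Result = 0 then
      SetLength(OutData, OutSize)   // trim the estimate down to the real length
    else
      SetLength(OutData, 0);
  finally
    Encryptor.Free;
    Storage.Free;
    Cert.Free;
  end;
end;
```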
#24118
Posted: 03/15/2013 04:14:53
by Dmitry Sokolov (Basic support level)
Joined: 03/13/2013
Posts: 7

1. Ok, thank You.

2. Yes, I used the test code for the buffer version of TElMessageEncryptor.Encrypt from MessagesDemo (with two iterations), and the length of the result differs from the stream-version result.
Moreover, I am sorry, but I was not able to decrypt the result of TElMessageEncryptor in any way (with the help of utilities that use external CSPs such as CryptoPro or Infotecs). At the same time, I can easily decrypt the results of a test program that calls the CryptEncryptMessage function from the Windows Crypto API.

3. What you have said means that the GOST algorithm is not yet implemented properly (at least, not tested). I don't see how to use it without private keys. Or am I wrong?
#24119
Posted: 03/15/2013 04:18:52
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Hi. GOST is completely implemented in native code.
You can generate private keys, certificates and certificate requests and use them with PKI/XML or whatever other methods.
However, the Windows/CryptoAPI side needs some more work/testing.

Anyway, you should decide what to do: use native code or use the CryptoPro crypto provider, since their private keys are not exportable or importable in any way; that's how they designed their crypto provider.