
I need to extract a private key from a .p12 file encrypted using GOST algorithms. I'm using the command below:

```
openssl pkcs12 -engine gost -in GOSTKCNA_file.p12 -nodes -nocerts
```

I have already set up several environments (using docker) with different versions of openssl and gost engines, but whenever I type in the command, there is an error:

```
140221432510272:error:0609E09C:digital envelope routines:pkey_set_type:unsupported algorithm:crypto/evp/p_lib.c:210:
140221432510272:error:0606F076:digital envelope routines:EVP_PKCS82PKEY:unsupported private key algorithm:crypto/evp/evp_pkey.c:36:TYPE=1.2.398.3.10.1.1.1.1
```

I'm sure I installed everything correctly and configured the `/etc/ssl/openssl.cnf` file. Typing `openssl ciphers | tr ':' '\n' | grep GOST` in the terminal shows:

```
GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89
```

The PKCS#12 is also correct, since we are using it in other services. What might be wrong?

Ersain
  • Do you have the gost engine installed? You can check it by running `openssl engine gost`; it should print `(gost) Reference implementation of GOST engine`. – Lucas Martins Jan 24 '22 at 21:03
  • @LucasMartins yes, the engine is installed. I have also overridden /etc/ssl/openssl.cnf as suggested [here](https://gist.github.com/nook-ru/e697d4748085ab6d2a76b2ac037a76c0) – Ersain Jan 25 '22 at 04:54
  • I'm not familiar with the GOST algorithms, but the OID printed in the error, 1.2.398.3.10.1.1.1.1, is related to the algorithm GOST2004-34310, and it looks like the engine supports only GOST2001 and 2012. – Lucas Martins Jan 25 '22 at 11:32
  • In https://forum-nag-ru.translate.goog/index.php?/topic/146668-openssl-i-gost-r-3411-94/&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc , someone suggested: "that in openssl-1.1.* support for gost has been cut. I had to install separately from here: https://github.com/gost-engine/engine" – auspicious99 Feb 12 '22 at 14:28
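
The `TYPE=` value in the error is the `privateKeyAlgorithm` OID that `EVP_PKCS82PKEY` reads from the PKCS#8 `PrivateKeyInfo` once the key bag has been decrypted. The sketch below is an added example, not code from the question or from the gost-engine project: it walks such a structure and compares the OID with the GOST R 34.10-2001 and 2012 key OIDs. The helper names, `ENGINE_KEY_OIDS` and the sample key are constructed for illustration.

```python
# Added example; SAMPLE is constructed, not data from the asker's .p12 file.
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OID content bytes (base-128 sub-identifiers) to dotted form."""
    subids, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of a sub-identifier
            subids.append(acc)
            acc = 0
    first = subids[0]  # the first sub-identifier packs two arcs as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))

def expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what}, got tag 0x{tag:02x}")

def pkcs8_algorithm_oid(der):
    """Return the privateKeyAlgorithm OID of an unencrypted PrivateKeyInfo."""
    tag, body, _ = read_tlv(der)
    expect(tag, 0x30, "PrivateKeyInfo SEQUENCE")
    tag, _, pos = read_tlv(body)
    expect(tag, 0x02, "version INTEGER")
    tag, alg, _ = read_tlv(body, pos)
    expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = read_tlv(alg)
    expect(tag, 0x06, "algorithm OID")
    return decode_oid(oid)

# Key-type OIDs under the 1.2.643 arc; the error's OID is under 1.2.398.
ENGINE_KEY_OIDS = {"1.2.643.2.2.19": "GOST R 34.10-2001",
                   "1.2.643.7.1.1.1.1": "GOST R 34.10-2012 (256 bit)",
                   "1.2.643.7.1.1.1.2": "GOST R 34.10-2012 (512 bit)"}

def diagnose(der):
    """Return (oid, algorithm name or None if no listed key type matches)."""
    oid = pkcs8_algorithm_oid(der)
    return oid, ENGINE_KEY_OIDS.get(oid)

def tlv(tag, value):  # short-form DER encoder, only used to build the sample
    return bytes([tag, len(value)]) + value

SAMPLE = tlv(0x30, tlv(0x02, b"\x00")
             + tlv(0x30, tlv(0x06, bytes.fromhex("2a830e030a01010101")))
             + tlv(0x04, b"\x00" * 32))  # dummy all-zero key bytes
```

`diagnose(SAMPLE)` returns the OID from the error message with `None` as the name, which is the condition that OpenSSL reports as "unsupported private key algorithm".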

0 Answers