Hello.
I am currently in the process of adding support for GOST algorithms (RFC
4357, 4490, 4491) to NSS.
At this moment I have implemented GOST hashing and GOST signature verification
algorithms in NSS. This works throughout the whole stack of Mozilla code,
from adding a GOST X.509 certificate in the PSM GUI to the freebl backend.
I'd like to contribute my work to Mozilla, and would like to communicate with
one of the NSS project owners/developers for code review and guidelines.
Best regards,
--
Konstantin Andreev, software engineer.
Nelson Bolyard wrote:
On 2009-09-10 23:14, nsk yatree wrote:
Hi.
Most likely I will not be the first person who asks such questions.
I think you might well be the first to ask how to add GOST. Others have asked
the NSS team to do it. You've asked how to do it yourself. That's a much
better question. :)
More recently, support for GOST algorithms was added in OpenSSL-1.0.0. (in
vers. 1.0.0 http://openssl.org/news/ )
How can I implement support for these algorithms in Mozilla/NSS? I found a
patch for Camellia. ( https://bugzilla.mozilla.org/show_bug.cgi?id=361025 ) Is
it possible to integrate the GOST in the NSS, by analogy with the Camellia?
Yes. The Camellia team did an EXCELLENT job of integrating their work, and you
would do well to follow their example very closely.
The necessary steps include (but may not be limited to):
1. There must be a freely available public definition of GOST. (I suppose this
is already done if the code is in OpenSSL)
2. TLS cipher suite(s) must be defined in RFC or internet Draft (I suppose this
is already done if the code is in OpenSSL)
3. The PKCS#11 crypto API standard must be amended to have one or more "mechanisms"
defined for doing GOST encryption and decryption in CBC mode. This definition must be proposed to
the PKCS#11 ("cryptoki") working group as a proposed amendment to the standard.
4. Then implementation of the GOST code is added to libfreebl.
test program for libfreebl is enhanced to test GOST.
test script for freebl is enhanced to test GOST.
implementation of the new PKCS#11 mechanism(s) is added to libsoftokn,
implementation of the new cipher suites is added to libSSL.
SSL test programs are enhanced to test the new cipher suites.
SSL test scripts are enhanced to test the new cipher suites.
The Camellia folks did all those steps, and very well.
The South Korean SEED algorithm was similarly added, but that work was
delayed when it came to the PKCS#11 mechanism proposal.
[ ... SKIP ... ]
Regards,
/Nelson
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto