]>
Using GOST R 34.102012 and GOST R 34.112012 Algorithms with the Internet X.509 Public Key Infrastructure
Linaro Ltd.
Harston Mill Royston Rd
Harston, Cambridge
CB22 7GG
United Kingdom
dbaryshkov@gmail.com
CryptoPro
18, Suschevsky val
Moscow
127018
Russian Federation
+7 (495) 9954820
nikolaev@cryptopro.ru
InfoTeCS JSC
Aleksandr.Chelpanov@infotecs.ru
GOST
PKI
This document describes encoding
formats, identifiers, and parameter formats for the GOST R
34.102012 and GOST R 34.112012 algorithms for use in the Internet X.509 Public Key
Infrastructure (PKI).
This specification is developed to facilitate implementations that
wish to support the GOST algorithms. This document does not imply
IETF endorsement of the cryptographic algorithms used in this
document.
Introduction
This document describes the
conventions for using the GOST R
34.102012 signature algorithm and the GOST R 34.112012 hash function
in the Internet
X.509 Public Key Infrastructure (PKI) .
This specification defines the contents of the signatureAlgorithm,
signatureValue, signature, and subjectPublicKeyInfo fields within X.509
Certificates and Certificate Revocation Lists (CRLs). For each algorithm, the appropriate
alternatives for the keyUsage certificate extension are provided.
This specification is developed to facilitate implementations that
wish to support the GOST algorithms. This document does not imply
IETF endorsement of the cryptographic algorithms used in this
document.
Requirements Language
The key words "MUST", "MUST NOT",
"REQUIRED", "SHALL",
"SHALL NOT", "SHOULD",
"SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document
are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.
Signature Algorithm Support
Conforming Certificate Authorities (CAs) MAY use the GOST R 34.102012 signature algorithm to sign
certificates and CRLs. This signature algorithm MUST always be used
with the GOST R 34.112012 hash function. It may use a key length of either
256 bits or 512 bits.
The ASN.1 object identifier (OID) used to identify the GOST R 34.102012
signature algorithm with a 256bit key length and the GOST R 34.112012 hash
function with a 256bit hash code is:
The GOST R 34.102012 signature algorithm with a 256bit key length generates a digital
signature in the form of two 256bit integers: r and s. Its octet
string representation consists of 64 octets, where the first 32
octets contain the bigendian representation of s and the second 32
octets contain the bigendian representation of r.
The ASN.1 OID used to identify the GOST R 34.102012
signature algorithm with a 512bit key length and the GOST R 34.112012 hash
function with a 512bit hash code is:
The GOST R 34.102012 signature algorithm with a 512bit key length generates a digital
signature in the form of two 512bit integers: r and s. Its octet
string representation consists of 128 octets, where the first 64
octets contain the bigendian representation of s and the second 64
octets contain the bigendian representation of r.
When either of these OIDs is used as the algorithm field in an
AlgorithmIdentifier structure, the encoding MUST omit the parameters
field.
The described definition of a signature value is directly usable in the Cryptographic Message Syntax (CMS) ,
where such values are represented as octet strings. However,
signature values in certificates and CRLs are represented
as bit strings, and thus the octet string representation must be
converted.
To convert an octet string signature value to a bit string, the most
significant bit of the first octet of the signature value SHALL
become the first bit of the bit string, and so on through the least
significant bit of the last octet of the signature value, which SHALL
become the last bit of the bit string.
Hash Function Support
The ASN.1 OID used to identify the GOST R 34.112012 hash
function with a 256bit hash code is:
The ASN.1 OID used to identify the GOST R 34.112012 hash
function with a 512bit hash code is:
When either of these OIDs is used as the algorithm field in an
AlgorithmIdentifier structure, the encoding MUST omit the parameters
field.
Subject Public Keys Information Fields
Public Key Identifiers
GOST R 34.102012 public keys with a 256bit private key length are
identified by the following OID:
GOST R 34.102012 public keys with a 512bit private key length are
identified by the following OID:
Public Key Parameters
When either of these identifiers appears as the algorithm field in the
SubjectPublicKeyInfo.algorithm.algorithm field, the parameters field MUST
have the following structure:
where:

publicKeyParamSet is the public key parameters identifier
for GOST R 34.102012 parameters (see Sections and of or ) or GOST R 34.102001 parameters (see ).

digestParamSet is the parameters identifier for the corresponding GOST R 34.112012 parameters (see ).
The following values, when used as publicKeyParamSet, define
test public key parameter sets and MUST NOT be used outside of testing scenarios:

idGostR34102001TestParamSet

idtc26gost34102012512paramSetTest
The digestParamSet field:
 SHOULD be omitted if the GOST R 34.102012 signature algorithm is used with a 512bit key length

MUST be present and must be equal to idtc26digestgost341112256 if one of the following values is used as publicKeyParamSet:

idGostR34102001TestParamSet

idGostR34102001CryptoProAParamSet

idGostR34102001CryptoProBParamSet

idGostR34102001CryptoProCParamSet

idGostR34102001CryptoProXchAParamSet

idGostR34102001CryptoProXchBParamSet

SHOULD be omitted if publicKeyParamSet is equal to:

idtc26gost34102012256paramSetA

MUST be omitted if one of the following values is used as publicKeyParamSet:

idtc26gost34102012256paramSetB

idtc26gost34102012256paramSetC

idtc26gost34102012256paramSetD
Public Key Encoding
The GOST R 34.102012 public key MUST be ASN.1 DER encoded as an
OCTET STRING. This encoding SHALL be used as the content (i.e., the
value) of the subjectPublicKey field (a BIT STRING) of the
SubjectPublicKeyInfo structure.
GostR34102012256PublicKey MUST
contain 64 octets, where the first 32 octets contain the
littleendian representation of the x coordinate of the public key and the
second 32 octets contain the littleendian representation of the y coordinate of the public key.
GostR34102012512PublicKey MUST
contain 128 octets, where the first 64 octets contain the
littleendian representation of the x coordinate of the public key and the
second 64 octets contain the littleendian representation of the y coordinate of the public key.
Key Usage Extension
If the KeyUsage extension is present in a certificate with the GOST R 34.102012 public key, the following values MAY be present:

digitalSignature (0)

contentCommitment (1)

keyEncipherment (2)

dataEncipherment (3)

keyAgreement (4)

keyCertSign (5)

cRLSign (6)

encipherOnly (7)

decipherOnly (8)
Note that contentCommitment was named nonRepudiation in previous versions of X.509.
If the key is going to be used for key agreement, the keyAgreement flag MUST be present in the KeyUsage extension, with the encipherOnly and decipherOnly flags being optional. However,
the encipherOnly and decipherOnly flags MUST NOT be present
simultaneously.
Qualified Certificate Extensions
This section defines additional OIDs for use in
qualified certificates for checking digital signatures.
Distinguished Name Additions
OGRN is the main state registration number of juridical entities.
The corresponding OID is 1.2.643.100.1.
SNILS is the individual insurance account number.
The corresponding OID is 1.2.643.100.3.
INNLE is the individual taxpayer number (ITN) of the legal entity.
The corresponding OID is 1.2.643.100.4.
OGRNIP is the main state registration number of individual entrepreneurs (sole traders).
The corresponding OID is 1.2.643.100.5.
IdentificationKind represents the way the receiver of the certificate was identified by the CA.
The corresponding OID is 1.2.643.100.114.
INN is the individual taxpayer number (ITN).
The corresponding OID is 1.2.643.3.131.1.1.
Certificate Policies
The Russian national regulation body for cryptography defines several security
levels of cryptographic tools. Depending on
the class of cryptographic token used by the certificate owner, the
following OIDs must be included in certificate policies.
Certificates should include OIDs, starting from the lowest (KC1) up
to the strongest applicable.

1.2.643.100.113.1  class KC1

1.2.643.100.113.2  class KC2

1.2.643.100.113.3  class KC3

1.2.643.100.113.4  class KB1

1.2.643.100.113.5  class KB2

1.2.643.100.113.6  class KA1
Subject Sign Tool
To denote the token or software type used by the certificate owner, the following noncritical SubjectSignTool extension with OID 1.2.643.100.111 should be included. It is defined as
Issuer Sign Tool
To denote the tools used to generate key pairs and tools used by the CA to sign certificates, the following noncritical IssuerSignTool extension with OID 1.2.643.100.112 should be included. It is defined as
where:

signTool identifies tools used to
create key pairs.

cATool identifies tools used by the CA.

signToolCert and cAToolCert contain the notice of
the conformance of respective tools to Russian federal law on
digital signatures.
Historical Considerations
Note that, for a significant period of time, there were no documents describing GostR34102012PublicKeyParameters.
Several old implementations have used GostR34102001PublicKeyParameters instead.
These implementations will return an error if the digestParamSet field is not included in public key parameters.
Thus, an implementation wishing to collaborate with old implementations might want to include digestParamSet equal to idtc26digestgost341112512 if one of the following values is used as publicKeyParamSet:

idtc26gost341012512paramSetA

idtc26gost341012512paramSetB
Note that the usage of keyEncipherment and dataEncipherment values for the
KeyUsage extension is not fully defined for the GOST R 34.102012 public
keys, so they SHOULD be used with additional care.
IANA Considerations
This document has no IANA actions.
Security Considerations
It is RECOMMENDED that applications verify signature values and subject
public keys to conform to the GOST R 34.102012 standard prior to their use.
It is RECOMMENDED that CAs and applications make sure that the private key
for creating signatures is not used for more than its allowed validity period
(typically 15 months for the GOST R 34.102012 algorithm).
Test parameter sets (idGostR34102001TestParamSet
and idtc26gost34102012512paramSetTest) MUST NOT
be used outside of testing scenarios.
The use of parameter sets not described herein
is NOT RECOMMENDED. When different parameters are used, it is
RECOMMENDED that they be subjected to examination by an authorized
agency with approved methods of cryptographic analysis.
For security discussions concerning the use of algorithm parameters, see
and the Security Considerations sections in and .
References
Normative References
Informative References
Information technology. Cryptographic data security. Signature and verification
processes of [electronic] digital signature
GOST R 34.102012, Federal Agency on Technical Regulating and Metrology
Information technology. Cryptographic Data Security. Hashing function
GOST R 34.112012, Federal Agency on Technical Regulating and Metrology
On the security properties of Russian standardized elliptic curves
Mathematical Aspects of Cryptography, 9:3, P. 532
GostR34102012RuStrongCertsSyntax
Public Key Parameters
Here we define three new OIDs for three existing public key parameter sets
defined in . These OIDs MUST be used with
GOST R 34.102012 public keys only.
The elliptic curve of this parameter set is the same as that of
idGostR34102001CryptoProAParamSet (and idGostR34102001CryptoProXchAParamSet),
which can be found in .
The elliptic curve of this parameter set is the same as that of
idGostR34102001CryptoProBParamSet, which can be found in .
The elliptic curve of this parameter set is the same as that of
idGostR34102001CryptoProCParamSet (and idGostR34102001CryptoProXchBParamSet),
which can be found in .
Test Examples
GOST R 34.102001 Test Parameters (256Bit Private Key Length)
This example uses the curve defined in .
The private key is
The public key is
Certificate Revocation List
GOST R 34.102012 TC26256A Parameters (256Bit Private Key Length)
This example uses the curve defined in .
The private key is
The public key is
Certificate Revocation List
GOST R 34.102012 Test Parameters (512Bit Private Key Length)
This example uses the curve defined in .
The private key is
The public key is
Certificate Revocation List
GOST R 34.102012 Test Parameters (Curve Definition)
The following parameters must be used for digital signature generation
and verification.
Elliptic Curve Modulus
The following value is assigned to parameter p in this example:
Elliptic Curve Coefficients
Parameters a and b take the following values in this example:
Elliptic Curve Points Group Order
Parameter m takes the following value in this example:
Order of Cyclic Subgroup of Elliptic Curve Points Group
Parameter q takes the following value in this example:
Elliptic Curve Point Coordinates
Point P coordinates take the following values in this example:
Contributors
InfoTeCS JSC
Semen.Pianov@infotecs.ru
InfoTeCS JSC
Ekaterina.Karelina@infotecs.ru
Cryptocom
beldmit@gmail.com