<div dir="ltr">On Tue, Aug 27, 2013 at 12:41 PM, Rickard Bellgrim <span dir="ltr">&lt;<a href="mailto:rickard@opendnssec.org" target="_blank">rickard@opendnssec.org</a>&gt;</span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div>SoftHSMv2 now supports GOST. This is after patches from Francis Dupont and some fixes to the PKCS#11 interface and the Botan implementation.<br>
</div><div><br></div><div>The code in libhsm has been tweaked in order to be compliant with PKCS#11. The DNSSEC signatures from OpenDNSSEC have been validated using ldns-verify-zone and BIND. So all combinations of crypto library and mechanisms for GOST are now working as required.</div>
<div><br></div><div>Only the Enforcer needs to be updated (algorithm number and key generation) before we can say that OpenDNSSEC supports GOST. The Signer Engine works as it is.</div><span class=""><font color="#888888"><div>
</div></font></span></div></blockquote></div><br></div><div class="gmail_extra">This also applies to ECDSA (P-256 and P-384), except that the code for libhsm has not been committed to trunk. Will do that once Enforcer NG has been migrated.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra"><a href="https://issues.opendnssec.org/browse/OPENDNSSEC-450">https://issues.opendnssec.org/browse/OPENDNSSEC-450</a><br></div><div class="gmail_extra"><br></div>
<div class="gmail_extra">// Rickard</div></div>