This is a fork of Go 1.23.4 with:
  crypto/x509 supporting GOST 34.10-2012 X.509 certificates and PKCS#8 private keys
  crypto/tls supporting GOST TLS 1.3
You can build it with the following steps:
$ git clone https://go.googlesource.com/go
$ cd go
$ git remote add gostls13 git://git.cypherpunks.su/gostls13.git
$ git fetch gostls13
$ git checkout go1.23.4-gost
pub   rsa2048/0x6D3CFF7C76DADF42 2020-09-03
      ADC9 BE5B 198E 8B56 90A8 EC50 6D3C FF7C 76DA DF42
uid   Go GOST TLS 1.3 <gostls13 at cypherpunks dot su>
$ gpg --auto-key-locate dane --locate-keys gostls13 at cypherpunks dot su
$ gpg --auto-key-locate wkd --locate-keys gostls13 at cypherpunks dot su
It is signed with the author's key.
$ gpg --verify PUBKEY-SSH.pub.asc
$ git config gpg.ssh.allowedSignersFile `realpath PUBKEY-SSH.pub`
$ git tag --verify go1.23.4-gost
$ ./gogost-install
# $ ./debash # can help on adequate systems without GNU Bash
$ cd src ; GOROOT_BOOTSTRAP=$HOME/go1.20 ./all.bash
Dependency-related unit tests will fail.
GOST-related crypto/tls.SignatureSchemes are not enabled by default, simply because enabling them would make the native unit tests fail. crypto/tls also does not provide a way to control the TLS 1.3 CipherSuite choice, and GOST-related suites are not enabled by default either. You can use the tls.GOSTInstall*() functions to enable all of that.
Pay attention that:
gogost/gost3410
output) during signing, so you should use
gogost/gost3410.PrivateKeyReverseDigest
crypto.Signer
gogost/gost3410.PrivateKeyReverseDigestAndSignature
in that case
Look at src/crypto/x509/x509_test.go and src/crypto/tls/gost_test.go for example usage.
If you want to always enable GOST TLS 1.3 support, you can simply:
$ cat >>src/crypto/tls/gost.go <<EOF
func init() {
	GOSTInstall()
}
EOF
GOST preferred client connection:
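// Trust only the GOST server certificate (serverCertGOST is a parsed *x509.Certificate).
serverCAs := x509.NewCertPool()
serverCAs.AddCert(serverCertGOST)
// Pin the handshake to TLS 1.3 and offer only the GOST curve.
clientConfig := &tls.Config{
	MinVersion:       tls.VersionTLS13,
	MaxVersion:       tls.VersionTLS13,
	CurvePreferences: []tls.CurveID{tls.GOSTCurve256A},
	RootCAs:          serverCAs,
	ServerName:       "server.com",
}
conn, err := tls.Dial("tcp", "...", clientConfig)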
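A client that prefers GOST can also confirm after the handshake that GOST was actually negotiated. The following is an added example, not code from the fork: CheckGOST and sampleState are hypothetical names, only the standard library is used, and the cipher suite range (RFC 9367) and public key OIDs (RFC 9215) are taken from those RFCs, not from this page.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// GOST R 34.10-2012 public key OIDs from RFC 9215 (256-bit and 512-bit keys).
var gost256, gost512 = asn1.ObjectIdentifier{1, 2, 643, 7, 1, 1, 1, 1}, asn1.ObjectIdentifier{1, 2, 643, 7, 1, 1, 1, 2}

// spki is the outer SubjectPublicKeyInfo structure; the key bits stay opaque.
type spki struct {
	Algorithm pkix.AlgorithmIdentifier
	PublicKey asn1.BitString
}

// CheckGOST (hypothetical) accepts only TLS 1.3 with a GOST suite and a GOST leaf key.
func CheckGOST(cs tls.ConnectionState) error {
	if cs.Version != tls.VersionTLS13 {
		return fmt.Errorf("negotiated version 0x%04X is not TLS 1.3", cs.Version)
	}
	// RFC 9367 assigns 0xC103..0xC106 to the GOST TLS 1.3 cipher suites.
	if cs.CipherSuite < 0xC103 || cs.CipherSuite > 0xC106 {
		return fmt.Errorf("non-GOST cipher suite 0x%04X", cs.CipherSuite)
	}
	if len(cs.PeerCertificates) == 0 {
		return fmt.Errorf("no peer certificate")
	}
	var info spki
	rest, err := asn1.Unmarshal(cs.PeerCertificates[0].RawSubjectPublicKeyInfo, &info)
	if err != nil || len(rest) != 0 {
		return fmt.Errorf("malformed SubjectPublicKeyInfo")
	}
	if a := info.Algorithm.Algorithm; !a.Equal(gost256) && !a.Equal(gost512) {
		return fmt.Errorf("leaf key algorithm %v is not GOST R 34.10-2012", a)
	}
	return nil
}

// sampleState builds a constructed ConnectionState (no network, dummy key bits).
func sampleState(suite uint16, keyOID asn1.ObjectIdentifier) tls.ConnectionState {
	der, _ := asn1.Marshal(spki{pkix.AlgorithmIdentifier{Algorithm: keyOID}, asn1.BitString{Bytes: make([]byte, 64), BitLength: 512}})
	return tls.ConnectionState{Version: tls.VersionTLS13, CipherSuite: suite, PeerCertificates: []*x509.Certificate{{RawSubjectPublicKeyInfo: der}}}
}

func main() { fmt.Println(CheckGOST(sampleState(0xC103, gost256))) }
```

With the fork, call CheckGOST(conn.ConnectionState()) once tls.Dial has returned without error and close the connection if it returns an error.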