In the first part, we discussed what a qualified electronic signature of an individual is, how to obtain the keys used to generate such a signature, and the certificate used to verify it. In this article I will present a tool that generates a signature and describe the problems I ran into. If you are not interested in the technology, skip to the very end, where the project files are posted.
As I have already said, the third pig the state slipped me was that, although it provided me with the means to create an electronic signature, it gave me no way to use those means at my own discretion.
Once again, a brief digression into the legal side. The regulatory acts of the Russian Federation contain two remarkable points: first, certified information security tools must be used (Presidential Decree No. 334 of April 3, 1995, "On Measures to Observe the Rule of Law in the Design, Production, Sale and Operation of Encryption Tools, and the Provision of Encryption Services"), and secondly, such certification can be obtained only by domestically developed tools that use algorithms recommended by the FSB (the Regulation on Certification of Information Protection Tools, approved by the Government of the Russian Federation on June 26, 1995, No. 608).
Therefore my key is necessarily of domestic manufacture, and its manufacturer can be found if one only wants to. The marking on the key itself is minimal, but I still managed to find the developer: Aladdin RD. After reviewing their page, I noted with regret that the SDK for the key can be obtained only by contacting technical support. On other sites it was even better: the developer kit was offered for sale.
I decided to go the other way: I found the plugin installed from the public services website in the folder
%APPDATA%\NVisionGroup\CSuser\
The plugin consisted of three files:
eTPKCS11g.dll, eTPKCS11gx.dll, npCSuser.dll
Investigating these files, I concluded that eTPKCS11g and eTPKCS11gx are PKCS#11 interfaces for the key, PKCS#11 being the standard for interacting with hardware keys. All the algorithms needed to create a signature are implemented inside the device, which means I only have to attach to the interface and, of course, I will not need to certify my program with the FSB, which is nice. So I had the means; it remained to choose a goal.
Verification
In order for public authorities to recognize my signature, they must have a tool to verify that signature, which means I must use this verification tool to check my research. I found such a tool directly on the public services website:
- Confirmation of the authenticity of the ES certificate
- Confirmation of the authenticity of the electronic signature of an electronic document
- Confirmation of the authenticity of the electronic signature within an electronic document
- Confirmation of the authenticity of the electronic signature of an electronic document using the value of the hash function
I decided to focus on the first two items: checking my own certificate and checking my own electronic signature.
On to the code
Being an old bearded Windows admin, I count myself among the fans of .NET in general and PowerShell in particular, but I was wary of using PS as the tool for writing a program that creates an electronic signature. No, it is possible and probably even interesting, but for a start I chose C#.
Once upon a time, long ago, my university teacher said, rubbing yet another student's nose in it: "What is this? Bubble sort again? And who was STL written for?" (Upd. A friend recalled the exact quotation: "A stupid programmer will sort with a bubble, a clever programmer with quicksort, and a good programmer will look in STL.") Of course, you shouldn't reinvent what has already been invented. Skipping the paid libraries, I adopted free ones that are published under the MIT license (Massachusetts Institute of Technology), which allows me to use them in my project without hindrance.
I myself publish my project under the GPL license; in my understanding, the means of electronic interaction with the state should be free and open.
The first step is to extract the certificate from the container on the device and verify it. The interface of my application is quite ascetic:

We extract the certificate in DER encoding and look at its fields. We clearly see that the signature algorithm has the value 1.2.643.2.2.3, which is nothing other than GOST R 34.11/34.10-2001, the very hash and signature algorithms recommended by the FSB. The subject is interesting:
SERIALNUMBER = 11028310690
CN =
C = RU
E = thunderquack@mail.ru
It's me. Here they put my e-mail address and pension insurance number. According to the law, they had to indicate the number and the name, and the e-mail only at my request, but something, as you can see, did not come together. In addition, I found pig 4.
Pig 4. The certificate is valid for only one year.
I don't know who is to blame: the law does not define the validity period, it only requires that the period be indicated. It would be very good if a year later other data could be written for free onto the same medium; it has 72 kilobytes of memory, which is enough, but I am afraid that, with our clumsiness, they will again demand 660 rubles.
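The certificate inspection described above, as an added example that is not the project's code: a minimal DER walker in Python (standard library only) that reports the signature-algorithm OID, the subject attributes and the validity period in days. The sample certificate is constructed inline with the shape seen above (GOST OID, empty CN, one-year validity); its signature and key bits are dummy zeros.

```python
from datetime import datetime
# OIDs from the post: the GOST signature algorithm and the subject attributes seen.
OID_NAMES = {"1.2.643.2.2.3": "GOST R 34.11/34.10-2001", "2.5.4.5": "SERIALNUMBER",
             "2.5.4.3": "CN", "2.5.4.6": "C", "1.2.840.113549.1.9.1": "E"}

def der_tlv(buf, pos=0):                       # one DER TLV -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                       # constructed value -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos); out.append((tag, val))
    return out

def decode_oid(raw):                           # first byte packs two arcs, rest are base-128
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def decode_name(value):                        # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value}
    pairs = [der_children(atv) for _, rdn in der_children(value) for _, atv in der_children(rdn)]
    return {OID_NAMES.get(decode_oid(t), decode_oid(t)): v.decode() for (_, t), (_, v) in pairs}

def inspect_certificate(der_bytes):            # -> (algorithm name, subject dict, validity days)
    (_, tbs), (_, sig_alg), _ = der_children(der_tlv(der_bytes)[1])
    f = der_children(tbs)
    if f[0][0] == 0xA0:                        # drop optional [0] version; then the fields are
        f = f[1:]                              # serial, signature, issuer, validity, subject, ...
    alg = decode_oid(der_children(sig_alg)[0][1])
    start, end = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ") for _, v in der_children(f[3][1]))
    return OID_NAMES.get(alg, alg), decode_name(f[4][1]), (end - start).days

# Constructed sample shaped like the post's certificate; signature/key bits are dummy zeros.
def der(tag, payload):                         # DER TLV with minimal short/long-form length
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload
def attr(oid_hex, text):                       # one RDN: SET { SEQUENCE { OID, UTF8String } }
    return der(0x31, der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x0C, text.encode())))
GOST_ALG = der(0x30, der(0x06, bytes.fromhex("2a8503020203")))  # 1.2.643.2.2.3
NAME = der(0x30, attr("550405", "11028310690") + attr("550403", "") + attr("550406", "RU")
           + attr("2a864886f70d010901", "thunderquack@mail.ru"))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + GOST_ALG + NAME
          + der(0x30, der(0x17, b"130101000000Z") + der(0x17, b"140101000000Z")) + NAME
          + der(0x30, GOST_ALG + der(0x03, b"\x00" * 9)))
SAMPLE_CERT = der(0x30, TBS + GOST_ALG + der(0x03, b"\x00" * 9))
```

Run `inspect_certificate` on a real DER export from the token to confirm the GOST OID and see the one-year validity the post complains about.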
I uploaded the certificate to the public services website, and this is what I received:

Very good. Now I try the second button: sign a file and upload it to the site:

Charming. Well, the tool is ready.
The project is on GitHub; everything is there: the source code, the binaries, and examples (my certificate and the signed document).