UPDATE. A ready-made solution for electronic signature in the browser - Rutoken Plugin.

As you know, OpenSSL version 1.0.0 and later supports the Russian GOST cryptographic algorithms, and the support is fully functional: signing and encryption in the PKCS #7, CMS and S/MIME formats are implemented in accordance with the Russian standards and the RFCs, the TLS protocol works with Russian cipher suites, and so on.
Thus, OpenSSL is fully compatible with the proprietary cryptographic protection tools (SKZI) of Russian manufacturers.
GOST support is provided by a special "plugin" - the gost engine, which implements the algorithms in software. There are, however, cryptographic USB tokens with a hardware implementation of the Russian algorithms on board. One example is Rutoken EDS, which, incidentally, is certified as an SKZI of class KS2. Rutoken EDS can be hooked into OpenSSL so that the cryptographic operations are performed on board the token: the private key is generated inside the token and is used there for signing.
For Rutoken EDS there is a dedicated cross-platform OpenSSL plugin - the pkcs11_gost engine - which makes the hardware implementation of the GOST algorithms available through the standard OpenSSL interface.
Here I describe how this is done on win32.
1. OpenSSL can be downloaded from
www.slproweb.com/products/Win32OpenSSL.html . During installation, in the "Select Additional Tasks" dialog, choose to copy the DLLs to "The OpenSSL binaries (/bin) directory".
2. The plugin and the libraries it needs can be downloaded at
www.rutoken.ru/download/software/forum/pkcs11-gost-win32-4.2.0.zip .
3. Copy the contents of the archive into the OpenSSL\bin installation folder. The openssl.cfg there should be overwritten, since the archive contains a configuration file tailored to the pkcs11_gost engine.
4. Then start cmd.exe (or another shell of your choice) and point OpenSSL at this config through an environment variable: SET OPENSSL_CONF=<full path to openssl.cfg>, with no spaces around the equals sign (otherwise cmd.exe creates a variable with a trailing space in its name and OpenSSL keeps using the default config).
5. Now install the Rutoken driver, plug the Rutoken EDS into the computer and format it via Control Panel -> Rutoken Control Panel. Formatting wipes everything stored on the token, so do this only on a new or disposable device.
Using the openssl.exe utility, we will now walk through the steps needed to sign a file. The cryptographic operations involved (here key generation and signing) are carried out on board the Rutoken EDS.
1. Generate a GOST R 34.10-2001 signing key:
openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:50 -pkeyopt paramset:A -pkeyopt pin:12345678
2. Create a certificate request (PKCS #10) for the generated key:
openssl req -engine pkcs11_gost -new -key 50 -keyform engine -out req.csr
3. Create a self-signed root certificate with which to issue the user certificate for the request. First generate the CA key inside the token:
openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:100 -pkeyopt paramset:A -pkeyopt pin:12345678
Then issue ourselves a root certificate for this key:
openssl req -engine pkcs11_gost -x509 -new -key 100 -keyform engine -out ca.crt
4. Issue the certificate for the request obtained in step 2. For this, create a demoCA folder in the OpenSSL\bin installation folder and a newcerts folder inside it. In demoCA, create an empty index.txt file and a serial file containing 01; this is how openssl ca keeps track of the issued certificates. The certificate issuing command:
openssl ca -engine pkcs11_gost -keyfile 100 -keyform engine -cert ca.crt -in req.csr -out tester.crt
5. Sign an arbitrary file with an "attached" signature in S/MIME format:
openssl smime -engine pkcs11_gost -sign -in [ ] -out [ ] -nodetach -binary -signer tester.crt -inkey 50 -keyform engine
in PKCS #7 format:
openssl smime -engine pkcs11_gost -sign -in [ ] -out [ ] -nodetach -binary -signer tester.crt -inkey 50 -keyform engine -outform PEM
in CMS format:
openssl cms -engine pkcs11_gost -sign -in [ ] -out [ ] -nodetach -binary -signer tester.crt -inkey 50 -keyform engine -outform PEM
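The whole procedure above, collected into one cmd.exe batch file that also verifies the resulting signature against the freshly created root certificate. This is an added example, not a script from the original post or from Rutoken. It assumes OpenSSL is installed in C:\OpenSSL-Win32 with the archive from the page unpacked into its bin folder, that a formatted Rutoken EDS is plugged in, and that the pkcs11_gost engine can also verify GOST signatures (the page only shows signing). The key IDs 50 and 100, paramset A and the PIN 12345678 are taken from the page; the certificate subjects and file names are made up.

```batch
@echo off
setlocal
rem Added example (not from the original post): the page's procedure as one script.
rem Assumed install path and config location; adjust to your installation.
set "OPENSSL_HOME=C:\OpenSSL-Win32"
set "OPENSSL_CONF=%OPENSSL_HOME%\bin\openssl.cfg"
rem PIN and key IDs as used on the page; 12345678 is the token's default user PIN.
set "PIN=12345678"
set "USER_KEY=50"
set "CA_KEY=100"
rem File to sign: first argument, or a made-up default name.
set "INPUT=%~1"
if "%INPUT%"=="" set "INPUT=document.bin"

rem openssl ca resolves ./demoCA relative to the current directory, so work in bin.
cd /d "%OPENSSL_HOME%\bin" || exit /b 1

rem Check that the engine loads before touching the token; expect "[ available ]".
openssl engine -t -c pkcs11_gost

rem demoCA layout expected by "openssl ca": empty index.txt and serial = 01.
rem ">file echo 01" writes "01" with no trailing space; "echo 01 > file" would not.
if not exist demoCA\newcerts mkdir demoCA\newcerts
if not exist demoCA\index.txt type nul > demoCA\index.txt
if not exist demoCA\serial (>demoCA\serial echo 01)

rem Steps 1-2: user signing key generated on the token, then a PKCS#10 request.
rem -subj avoids the interactive prompts; the subject is made up.
openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:%USER_KEY% -pkeyopt paramset:A -pkeyopt pin:%PIN% || exit /b 1
openssl req -engine pkcs11_gost -new -key %USER_KEY% -keyform engine -subj "/C=RU/O=Example/CN=tester" -out req.csr || exit /b 1

rem Step 3: CA key on the token and a self-signed root certificate for it.
openssl genpkey -engine pkcs11_gost -algorithm GOST2001 -pkeyopt slot_key_id:%CA_KEY% -pkeyopt paramset:A -pkeyopt pin:%PIN% || exit /b 1
openssl req -engine pkcs11_gost -x509 -new -key %CA_KEY% -keyform engine -subj "/C=RU/O=Example/CN=Example Root CA" -days 365 -out ca.crt || exit /b 1

rem Step 4: issue the user certificate. -batch skips the "Sign the certificate?" prompt.
openssl ca -engine pkcs11_gost -batch -keyfile %CA_KEY% -keyform engine -cert ca.crt -in req.csr -out tester.crt || exit /b 1

rem Step 5: attached signature as PEM-encoded CMS (the last variant on the page).
openssl cms -engine pkcs11_gost -sign -in "%INPUT%" -out "%INPUT%.p7s" -nodetach -binary -signer tester.crt -inkey %USER_KEY% -keyform engine -outform PEM || exit /b 1

rem The check the page stops short of: verify the signature with our own root as
rem the only trust anchor and make sure the recovered content equals the original.
openssl cms -engine pkcs11_gost -verify -inform PEM -in "%INPUT%.p7s" -CAfile ca.crt -out "%INPUT%.verified" || exit /b 1
fc /b "%INPUT%" "%INPUT%.verified" >nul && echo Signature OK, content matches "%INPUT%".
endlocal
```

Run it from cmd.exe as `sign_with_rutoken.cmd document.bin`. Two practical caveats: the PIN passed through -pkeyopt pin: is visible in the command history and, while openssl runs, in the process list, so change the default user PIN in the Rutoken Control Panel before using the token for real signatures and do not leave it in scripts; and since both the CA key and the user key live on the same token here, this setup only demonstrates the mechanics, in production the CA key belongs on a separate device.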
A more detailed description of using OpenSSL with Rutoken EDS can be found at forum.rutoken.ru/topic/1639 .