Signerbox - authentication via DSTU 4145
Signerbox is a web application that allows you to sign data and authenticate in the browser through a digital certificate that associates the person with the public key of the standard DSTU 4145-2002 (sheeting on elliptic curves). Such certificates are issued free of charge by the Ministry of Revenue and Fees, as well as Commercial CA.
A server daemon is attached to the client signature box, which verifies the signatures and issues the result. The demon is called dstud.
The finished build is in ppa: ilya-muromec / dstud.
')
The signbox box itself is hosted on the eusign.org domain and works using the custom OAuth-like protocol — it receives a request when going to the page, shows the user a request to authorize the request, and flips it back with the finished result.
To add identity verification using signerbox / dstud to the site, you need:
Now I have a ready-made plug-in for the wizard, it lives at github.com/themao/dstu-login . When registering the application, you need to specify auth_url in the form https: //: domain / wp-login.php. Only addresses with the https scheme are accepted.
After the plugin is configured, the “Sign with eU” link should appear on the login page.
A live demo is available at dstu.enodev.org .
The user of twitter, hiding under the nickname @niggaslife, took part in the development of the plugin.
The user will redirect to the form that requests his key and certificate, signs a string from NONCE and your domain, then uploads the public key (certificate) to the server and sends the signature as a get parameter back to the site that initiated the authentication.
Creating a signature occurs on the client using the JS-library, so the private key does not leave the machine.
The integrating site does not need to trust the signerbox, since the signature is verified by the means of the “dstud” daemon.
According to the law of Ukraine on electronic signature, the signature made certified or passed the expertise of software is legally significant. Signerbox and the libraries used have not been certified or reviewed, therefore, in the event of a trial, you may have glimpses to prove the connection between the user and the individual. If this is important to you, help the project get certified or consult with lawyers.
Write your integration plugin is quite simple. To do this, do the following things:
The field 1.2.804.2.1.1.1.11.1.4.1.1 will contain the tax user identifier (TIN). Since this field contains certain private information about the user, and is not a synthetic identifier, it is recommended to use it not in its pure form, but as a hash with salt from it.
The content of the state parameter specified during authentication can be arbitrary and is returned back to auth_url unchanged. It is recommended to indicate in it a one-time token to protect against CSRF.
For ease of development, a test certificate and key (user.cer and user.key) are distributed along with the dstud daemon. To allow entry under a test certificate, you must stop the dstud daemon and start it from the testCA directory.
The test certificate does not contain the field 1.2.804.2.1.1.1.11.1.4.1.1.
A server daemon is attached to the client signature box, which verifies the signatures and issues the result. The demon is called dstud.
The finished build is in ppa: ilya-muromec / dstud.
')
The signbox box itself is hosted on the eusign.org domain and works using the custom OAuth-like protocol — it receives a request when going to the page, shows the user a request to authorize the request, and flips it back with the finished result.
Integration
To add identity verification using signerbox / dstud to the site, you need:
- Install dstud-static from ppa on your host:
add-apt-repository ppa: ilya-muromec / dstud apt-get update apt-get install dstud-static
- register your application at eusign.org/register_app and get app_id.
- install an integration plugin for your site or write a new one
- specify the app_id in the plugin settings
WordPress
Now I have a ready-made plug-in for the wizard, it lives at github.com/themao/dstu-login . When registering the application, you need to specify auth_url in the form https: //: domain / wp-login.php. Only addresses with the https scheme are accepted.
After the plugin is configured, the “Sign with eU” link should appear on the login page.
A live demo is available at dstu.enodev.org .
The user of twitter, hiding under the nickname @niggaslife, took part in the development of the plugin.
How it works
The user will redirect to the form that requests his key and certificate, signs a string from NONCE and your domain, then uploads the public key (certificate) to the server and sends the signature as a get parameter back to the site that initiated the authentication.
Creating a signature occurs on the client using the JS-library, so the private key does not leave the machine.
The integrating site does not need to trust the signerbox, since the signature is verified by the means of the “dstud” daemon.
Certification
According to the law of Ukraine on electronic signature, the signature made certified or passed the expertise of software is legally significant. Signerbox and the libraries used have not been certified or reviewed, therefore, in the event of a trial, you may have glimpses to prove the connection between the user and the individual. If this is important to you, help the project get certified or consult with lawyers.
Plugin development
Write your integration plugin is quite simple. To do this, do the following things:
- in the login form show link to eusign.org/auth : app_id? state =: app_state
- add an auth url handler that reads GET parameters sign, nonce, cert_id
- Download the certificate at eusign.org/api/1/certificates : cert_id
- create data parameter of the format: nonce |: auth_url
- send a POST request to the address localhost : 8013 / api / 0 / check with three parameters: c (received certificate), d (data parameter) and s (sign parameter).
- when the answer is 200 OK, parse the result, as a set of lines key = value and create a user, or find an existing
The field 1.2.804.2.1.1.1.11.1.4.1.1 will contain the tax user identifier (TIN). Since this field contains certain private information about the user, and is not a synthetic identifier, it is recommended to use it not in its pure form, but as a hash with salt from it.
The content of the state parameter specified during authentication can be arbitrary and is returned back to auth_url unchanged. It is recommended to indicate in it a one-time token to protect against CSRF.
Test certificates
For ease of development, a test certificate and key (user.cer and user.key) are distributed along with the dstud daemon. To allow entry under a test certificate, you must stop the dstud daemon and start it from the testCA directory.
The test certificate does not contain the field 1.2.804.2.1.1.1.11.1.4.1.1.
Source: https://habr.com/ru/post/229631/
All Articles