Public Key Infrastructure: utility for generating requests for a qualified certificate

Public Key Infrastructure: utility for generating requests for a qualified certificate One of the central objects of the public key infrastructure (PKI /PKI) along with the key pair is the certificate, which today is actually an analog of a civil passport.
State service , pay taxes, defend your e-mail , sign and encrypt documents and much more.
Certificate, as well as passport , is issued on the basis of the application and the provision of a number of documents. The list of documents for obtaining a certificate is on any certification center that has accreditation of the Ministry of Communications (the new name is the Ministry of Digital Development, Communication and Mass Communications). The application for a passport has the applicant's own signature. At the time of receipt of the passport, the applicant will put his signature on the passport, which will be certified by the passport officer and stamped. Photography and the ability of the owner to reproduce his signature and allow him to identify him as the owner of a particular passport.
In the same way, the key of the electronic signature verification key (CEPEP) is obtained. First, a citizen who wants to get a certificate must acquire a "skill" in putting his own handwritten signature. This "skill" is realized through the receipt by the applicant of a key pair that contains a public key or an electronic signature verification key (CEP) and a private key or an electronic signature key that actually allows the generation of an electronic signature and the signing of an electronic document. The identification of the electronic signature under the document is carried out according to the following algorithm. From the certificate is determined by what key (GOST R ???-200? GOST R ???-2012 with a key length of 64 or 128 bytes) a document was signed. By the type of key, a hash algorithm is defined that was used when signing the document. This can be GOST R ???-94 or GOST R ???-2012 with a hash length of 256 or 512 bits. The selected algorithm is a hash from the source document. And according to the value of the calculated hash from the source document, public key (CEP) and its parameters (all this is taken from the SCPEP certificate) and the reliability of the electronic signature under the document is checked.
To create a key pair, various means of cryptographic information protection (CJSI) are used that support cryptographic algorithms GOST R ???-2001 and GOST R ???-2012. It should be remembered that the use of the signature scheme of GOST R ???-2001 to form a signature after December 3? 2018 is not allowed! CICs that implement various cryptographic algorithms and protocols can be either software or hardware. Access to CIPI is carried out through cryptographic interfaces. The vast majority of certified CIP with Russian cryptography supports either the universal cryptographic interface PKCS # 11 , which is supported on all platforms, or the CSP and CryptoAPI interface from Microsoft on MS Windows platforms (MS CSP). It is these two cryptographic interfaces that are supported, for example, by the portal State service . It is these two types of CPSI that will be considered below:

It should be noted that if there is a desire or the need to work with an electronic signature, not only on the Windows platform, but on other platforms (Linux, macOS, etc.), you should choose PKCS # 11 tokens with support for Russian cryptography.
In addition to the main function associated with query generation, the utility provides functions for working with tokens and certificates:

The combobox "Select token:" on the main window contains a list of available CIPs for generating the key pair. If the query generation utility is running on the Windows platform and CSP crypto-providers with Russian cryptography support are installed, the virtual token "MS_CSP" will be defined in the list of available CIPs ("Select Token:"). So, if there is a desire to use the MS CSP crypto provider, then it must be installed in the system before the utility starts.
To add support for the new PKCS # 11 token, just select the "Token Management-> Add Token" menu item. Adding support for a new token consists in selecting the PKCS # 11 library for the plug-in token /smartcard type and setting a convenient name (nickname). When adding support for a new type of token (and also when the utility is started, if the token support was previously added), when a token is attached (inserted), a PIN-code will be requested to access it:

But this will happen only if the token is not only connected, but also is in working order, i.e. is initialized. Check the token and, if necessary, initialize it, change the PIN code to access it, etc. utility utility p11conf :

Having selected the item "Token Management-> Token Mechanisms" you can see the cryptographic mechanisms of this or that token, for example, whether there is support for the GOST R ???-2012 algorithm. For the virtual token MS_CSP, all CSP providers supporting GOST algorithms and the mechanisms supported by them are listed:

If the selected token does not support the selected key pair type, a corresponding message will be issued:

Before you go directly to filling in the fields of the request, you need to decide for what purposes you need a certificate, i.e. specify "Certificate role". Today, not a single dozen of such roles have accumulated:

And each role is associated with a number of different OIDs included in the certificate. So, for example, to access the portal of the State Service, the following oid-s are needed:
{State services} {clientAuth, emailProtection, ???.???.???.? ???.100.2.?
???.???.? ???.???.7.3.? ???.???.7.3.? ???.???.2.1.?
???.6.1? ???.???.? ???.???.? ???.???.? ???.???.?
???.???.? ???.???.? ???.???? ???.???? ???.???? ???.???.???.? ???.???.1.? 1.2. ???.???? ???.6.3.?
???.???.2.4? ???.???.1.? ???.???.2.3? ???.???.?
???.???.? ???.???.8}

OIDs for other roles (for example, "Gazprombank" site, "Alcohol consumer", etc.) can be found in the source code of the utility (variable oid_roles_bad, operator

    set oid_roses_bad {. . .}    

The presence of so many oid-s is difficult to understand. We are talking about qualified certificates, in which there are oid-s of TIN, OGRN, SNILS, etc., which uniquely identify both the individual and the legal entity and it seems that this would be sufficient for access to the portal of the State Service, and to other also. But, Dura lex, sed lex - The law is harsh, but it's the law.

In the field "Name of CIP" it is necessary to indicate the name of CIP (token /smart card, CSP), which is prescribed in the certificate of compliance (not to be confused with the X509 certificate) of the FSB of Russia or another similar document, a copy of which should be provided at the time of acquisition of CPS. Later, the value of this field will be included in the certificate.

And so, having determined the CIP and the key pair, you can start filling out the electronic application /request for the certificate of the electronic signature verification key (CCPEP):


First, the "Common Name" field is filled in, in which the full name of the future owner of the certificate is entered. For an individual, this is the same as in the passport. For a legal entity, this is the name of the company from the Unified State Register of Legal Entities. This information for the legal entity will automatically be duplicated in the field "Organization name" ("O"):


When filling out the form, the correctness of filling in the fields of TIN, OGRN, SUNLS (when entering no numbers the field turns red, the correctly filled fields become greenish), e-mail addresses:


After filling in all the fields of the request and pressing the "Finish" button, you will eventually receive a certificate request:


During the creation of the request, a key pair on the selected token will be generated. In this case, if the virtual token "MS_CSP" is selected as the token, which in turn supports different media for storing the key pair, it will be suggested to select a specific medium:


Recall that the key pair contains two keys: closed and open. The public key, which is also called the electronic signature verification key, is sent to the certificate request. To view the generated request, which contains the public key, use the menu "Certificates-> View query":


The private key remains with the applicant for his token, the PIN-code (password) from which it is necessary to store as the apple of his eye. And since there is single-valued correspondence between the public and private keys, you can always check who owns the certificate request, and then the certificate itself, the signature under the document, etc.

Now with all the necessary documents, with the generated request on the flash drive, you can go to the nearest certifying center and get a certificate. And so the request comes in order to issue a certificate to one of the CAs created with the Federal Law of April ? 2011. №63-ФЗ "On electronic signature":


The request to the CA will pass the stage of import, examination, approval and issue of the certificate for this request:


The issued certificate will be published on one of the services of the CA, where it can be downloaded. And now it is enough that the issued certificate was exported to the applicant's flash drive:


And now, when the certificate is received, it remains to put it on the CIP (PKCS # 1? MS CSP) (Certificates-> Import x509):


To verify that the certificate is on a token, you can view the contents of the token /smart card (Certificates-> View x509 on the token):


Well, that it was an "armor" (Give me such a PAPER! Final Paper, Armor. (Dog Heart k /f)), connect the token to the browser Firefox with the support of Russian cryptography, and find the released certificate in personal certificates (among such certificates, for which the private key is on the token):


The CreateCSRCAFL63 utility is designed for Tcl /Tk . To access the cryptographic functions of MS CSP and PKCS # 11 tokens, a cwapi package has been developed that implements the requirements for T libraries from C. Implement these requirements not difficult , but sometimes it takes a lot of time because of its routine. And then the public utility comes to the rescue. SWIG. , which allows you to create interface modules between C /C ++ libraries and other languages. This is not only Tcl, but Java and others. The project is very well documented and has excellent examples. Use it is not difficult. In our case, to get the interface module, we wrote a simple source file cwapi.i for the swig utility:

    % module cwapi
% inline% {
#include "cwapi.h"
% include "cwapi_SWIG.h"

The cwapi.h file contains function descriptions from the main cwapi project:
    #ifdef __cplusplus
extern "C" {
int CW_Initialize (char * configdir);
int CW_Finalize ();
int addp11mod (char * nickname, char * library);
int remp11mod (char * nickname);
char * lmod ();
char * ltok ();
char * lcert (char * token, int priv_cert);
char * createreq (char * token, char * subject, char * keyusage, int keyparams, int pem, char * skzi, char * role);
char * viewx509 (char * nickname, int CertOrReq);
char * x509pem (char * nickname);
char * x509fromfile (char * token, char * infile, char * trusts);
int delcert (char * nickname, int priv_cert);
int p12tofile (char * token, char * nickname, char * outfile);
char * p12fromfile (char * token, char * infile);
char * lmech (char * token);
char * tinfo (char * token);
#ifdef __cplusplus

Having executed the command:

    $ export SWIG_LIB = /usr /local /swig-??? /Lib
$ /usr /local /swig-??? /swig -tcl8 -o cwapi_wrap.c cwapi_.i

in the file cwapi_wrap.c we get a ready-made interface module. We add it to the cwapi project, recompile it and get a new package, which is used in this utility.
It's very convenient to use the utility to get the distribution. freewrap , while the cwapi library is also included in the distribution itself. Source code utilities and distributions are available for Windows and Linux platforms.

I would like to mention one more utility, namely tcl2c . This utility wraps the tcl /tk-code into the C-code.

To get the executable code, simply run the command:

    $ cc -o create_csr_C create_csr.c -ltcl -ltk

The composition of dLinux distributions are also included in the C distribution package with the static connection of the cwapi package.
+ 0 -

Add comment