Gaining experience with Rutoken technology for user registration and authorization in a system (part 2)

Good day. Let us continue this topic (the previous part can be found at the link).

Today we move on to the practical part. We start by setting up our own CA based on the fully open cryptographic library OpenSSL. This procedure was tested on Windows 7.

With OpenSSL we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The sequence of steps is as follows:

  1. Download the openssl-1.1.1g installation package.
    OpenSSL comes in different versions. The Rutoken documentation says that OpenSSL 1.1.0 or newer is required. I used openssl-1.1.1g. You can download OpenSSL from the official site, but for a simple installation you need to find a Windows installer on the web. I did this for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download the Win64 OpenSSL v1.1.1g EXE 63MB installer.
  2. Install openssl-1.1.1g on the computer.
    The installation should follow the standard procedure, which by default targets the C:\Program Files folder. The program will be installed in the OpenSSL-Win64 folder.
  3. To configure OpenSSL the way you need, there is the openssl.cfg file. It is located in C:\Program Files\OpenSSL-Win64\bin if you installed OpenSSL as described in the previous step. Go to the folder where openssl.cfg is stored and open it with, for example, Notepad++.
  4. You probably guessed that the certification authority is configured by changing the contents of openssl.cfg, and you are right. This requires editing the [ ca ] directive. In openssl.cfg, the beginning of the text we will change can be found by searching for: [ ca ].
  5. Now I will give an example configuration with an explanation:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert


    Now we need to create the demoCA directory and the subdirectories shown in the example above, and place it at the path specified in dir (in my case /Users/username/bin/openSSLca/demoCA).

    It is very important to write dir correctly: this is the path to the directory where the certification authority will live. This directory must be under /Users (that is, inside some user's account). If you put this directory, for example, in C:\Program Files, the system will not see the file with the openssl.cfg settings (at least that is how it was for me).

    $dir is replaced with the path specified in dir.

    Another important point is to create an empty index.txt file; without this file the "openssl ca ..." command will not work.

    You also need the serial file, the root private key (ca.key) and the root certificate (ca.crt). How to obtain these files is described below.

  6. Connect the cryptographic algorithms provided by Rutoken.
    This is done in the openssl.cfg file.

    • First you need to download the Rutoken cryptographic algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
      To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is intended for developers who want to try out Rutoken. It contains various examples of working with Rutoken in different programming languages, and some libraries are provided. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK at, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      An important point: the rtengine.dll and rtpkcs11ecp.dll libraries do not work without the Rutoken driver installed. The Rutoken must also be connected to the computer. (To install everything needed for Rutoken, see the previous part of the article: habr.com/ha/post/506450.)

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere within the user's account.
    • We write the paths to these libraries in openssl.cfg. To do this, open openssl.cfg and put the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file you need to add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND

      dynamic_path - your own path to the rtengine.dll library must be entered here.
      MODULE_PATH - your own path to the rtpkcs11ecp.dll library must be entered here.
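      A wrong dynamic_path or MODULE_PATH is the usual reason the engine quietly fails to load, so it is worth checking the two paths before asking OpenSSL to use them. The following POSIX shell helper is an added example, not code from the article or from the Rutoken SDK: it reads both keys from openssl.cfg, verifies that the files exist, and can then ask OpenSSL itself to load and test the engine. It assumes a POSIX-style shell (for example Git Bash on Windows), that openssl is on PATH for the optional self-test, and that the token, its driver and OPENSSL_CONF (step 7) are in place for that self-test; the function names and the usage path are my own.

```shell
#!/bin/sh
# Added example: verify the rtengine library paths in openssl.cfg before loading the engine.
# Assumptions (not from the article): POSIX-style shell such as Git Bash on Windows,
# openssl on PATH for the optional self-test. Function names are my own.

# Print the value of the first `key = value` line matching $1 in config file $2.
cfg_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check that dynamic_path (rtengine.dll) and MODULE_PATH (rtpkcs11ecp.dll) both
# name existing files. Returns 0 when both are present, 1 otherwise, reporting
# each problem on stderr.
check_engine_paths() {
  cfg="$1"
  status=0
  for key in dynamic_path MODULE_PATH; do
    path=$(cfg_value "$key" "$cfg")
    if [ -z "$path" ]; then
      echo "$key is not set in $cfg" >&2
      status=1
    elif [ ! -f "$path" ]; then
      echo "$key points to a missing file: $path" >&2
      status=1
    fi
  done
  return $status
}

# Ask OpenSSL itself to load and test the engine and list its capabilities;
# needs the driver, the connected token and OPENSSL_CONF from step 7 in place.
engine_selftest() {
  openssl engine -t -c rtengine
}

# Usage: sh check_rtengine.sh "/c/Program Files/OpenSSL-Win64/bin/openssl.cfg"
if [ "$#" -eq 1 ]; then
  check_engine_paths "$1" && engine_selftest
fi
```

      Run it with the path to your openssl.cfg; the path check runs without a token, and only the self-test needs the hardware.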

  7. Add environment variables.

    Be sure to add an environment variable that specifies the path to the openssl.cfg configuration file. In my case, the variable OPENSSL_CONF was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable, you must add the path to the folder containing openssl.exe, in my case: C:\Program Files\OpenSSL-Win64\bin.

  8. Now you can go back to step 5 and create the files missing from the demoCA directory.
    1. The first important file, without which nothing will work, is serial. This is a file without an extension whose content should be 01. You can create this file yourself and write 01 in it. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/.
      The demoCA directory contains this file, which is exactly what we need.
    2. Create the root private key.
      To do this, we use an OpenSSL command that must be run directly from the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Create the root certificate.
      To do this, use the following OpenSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the root private key created in the previous step is required to generate the root certificate, so the command must be run in the same directory.

    Now we have all the missing files for the complete demoCA structure. Place the created files in the directories indicated in step 5.
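    Steps 5 and 8 together amount to one small procedure, so here it is as one script. This is an added example, not code from the article or from the Rutoken SDK: it builds the demoCA layout that the [ CA_default ] section above refers to (certs, crl, newcerts, private, an empty index.txt, serial containing 01, crlnumber), checks that the layout is complete, confirms that OPENSSL_CONF from step 7 is set, and only then runs the two openssl commands from step 8, writing ca.key and ca.crt to the paths the config expects. It assumes a POSIX-style shell (for example Git Bash on Windows), openssl on PATH, and a connected token with its driver for the key-generation part; the function names and the -subj value (which makes the request non-interactive instead of prompting) are my own.

```shell
#!/bin/sh
# Added example: build the demoCA layout from step 5 and create the files from step 8.
# Assumptions (not from the article): POSIX-style shell such as Git Bash on Windows,
# openssl on PATH, OPENSSL_CONF set as in step 7, token and driver present for
# generate_root_ca. Function names and the -subj value are my own.

# Create the directories and bookkeeping files that [ CA_default ] refers to.
# Safe to re-run: an existing index.txt, serial or crlnumber is left untouched.
prepare_demo_ca() {
  ca="$1"
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  chmod 700 "$ca/private"                                          # the CA private key lives here
  [ -f "$ca/index.txt" ] || : > "$ca/index.txt"                    # must exist and start empty for `openssl ca`
  [ -f "$ca/private/serial" ] || echo 01 > "$ca/private/serial"    # next certificate serial (step 8.1)
  [ -f "$ca/crlnumber" ] || echo 01 > "$ca/crlnumber"              # next CRL number
}

# Return 0 when every path named in [ CA_default ] exists, 1 (with a message) otherwise.
demo_ca_ready() {
  ca="$1"
  for p in certs crl newcerts private index.txt private/serial crlnumber; do
    [ -e "$ca/$p" ] || { echo "missing: $ca/$p" >&2; return 1; }
  done
  return 0
}

# Steps 8.2 and 8.3: GOST R 34.10-2012 (256-bit) root key through the token engine,
# then a self-signed root certificate. Output paths match the config:
# private_key = $dir/private/ca.key and certificate = $dir/ca.crt.
generate_root_ca() {
  ca="$1"
  [ -n "$OPENSSL_CONF" ] || { echo "OPENSSL_CONF is not set (see step 7)" >&2; return 1; }
  openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out "$ca/private/ca.key" || return 1
  openssl req -utf8 -x509 -key "$ca/private/ca.key" -out "$ca/ca.crt" -subj "/CN=Demo Root CA" || return 1
  echo "root CA ready: $ca/ca.crt"
}

# Usage: sh bootstrap_demo_ca.sh /Users/username/bin/openSSLca/demoCA
if [ "$#" -eq 1 ]; then
  prepare_demo_ca "$1" && demo_ca_ready "$1" && generate_root_ca "$1"
fi
```

    Pass the same directory you wrote into dir in step 5; the layout and readiness checks run without a token, and generate_root_ca refuses to start until OPENSSL_CONF points at the edited openssl.cfg, which is the most common thing to forget between steps 7 and 8.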

We will assume that after completing all 8 steps the certification authority is fully set up.

In the next part I will describe how to work with the certification authority in order to implement what was described in the previous part of the article.

source: www.habr.com
