How it all began
At the beginning of the self-isolation period, I received the following letter by mail.
The first reaction was the natural one: either go and pick up the token, or have it brought over. But since Monday we had all been sitting at home, movement was restricted, and by whom, exactly? So the answer was even more natural.
And, as you all know, on Monday, January 11, a fairly strict self-isolation period began. Since all of us switched to remote work, a VPN became necessary. Our VPN is based on OpenVPN, modified to support Russian cryptography and to work with PKCS#11 tokens and PKCS#12 containers. Naturally, it turned out that we ourselves were not ready to work over the VPN: many simply had no certificate, and some had certificates that had already expired.
How did the process go?
This is where the utility came in handy.
With the cryptoarmpkcs utility, employees who had a token on their home computer could generate a certificate request themselves while in self-isolation.
The employees e-mailed me the saved request. Someone may ask what happens to the personal data. Look closely: it is inside the request, and the request itself is protected by its signature.
Once received, the certificate request is imported into the CAFL63 CA database.
Next, the request has to be either rejected or approved. To review a request, select it, right-click, and choose [Decision] from the drop-down menu.
The decision-making procedure itself is completely transparent.
A certificate is issued in the same way; the only difference is that the menu item is called "Issue certificate".
To view an issued certificate, use the context menu or double-click the corresponding row.
The contents can now be viewed both through openssl (the "OpenSSL text" tab) and through the CAFL63 application's built-in viewer (the "Certificate text" tab). In the latter case, the context menu lets you copy the certificate in text form, first to the clipboard and then to a file.
Now note what has changed in CAFL63 compared with the first version. Viewing certificates has already been mentioned. It is also possible to select a group of objects (certificates, requests, CRLs) and display them in paging mode (the "Show selected items" button).
But the most important thing is that the project is available free of charge.
Compared with the previous version of the CAFL63 application, not only has the interface itself changed, but, as already mentioned, new functions have been added. For example, the page with the application's description has been redesigned, and direct links for downloading the distribution have been added.
Many people asked, and still ask, where to get GOST openssl. Traditionally I have given an answer to that. But now the distribution package itself includes a test build of openssl with Russian cryptography.
So, when setting up a CA, you can specify /tmp/lirssl_static (on Linux) or $::env(TEMP)/lirssl_static.exe (on Windows) as the openssl to use.
In that case, you need to create an empty lirssl.cnf file and put the path to it in the LIRSSL_CONF environment variable.
An "Authority Information Access" field has been added to the "Extensions" tab of the certificate settings, where the access points for the CA root certificate and the OCSP server can be configured.
I have heard stories of a CA refusing to accept a request (PKCS#10) generated by the applicant or, worse, forcing the request to be formed through some CSP with the key pair generated on the carrier; it also refused to generate a request for a token with a non-extractable key through the PKCS#11 interface (on that same RuToken EDS 2.0). It was therefore decided to add request generation using the cryptographic mechanisms of PKCS#11 tokens to the CAFL63 application. A package is used to enable the token mechanisms.
The library needed to work with the token is specified in the certificate settings.
But we have strayed from the main task: providing employees with certificates for working in the corporate VPN network in self-isolation mode. It turned out that some employees had no token at all. Since the CAFL63 application allows it, it was decided to give them PKCS#12-protected containers. For such employees, a PKCS#10 request indicating the CIPF type "OpenSSL" is created, the certificate is issued and packaged into PKCS#12. To do this, select the desired certificate on the "Certificates" page, right-click, and choose "Export to PKCS#12".
To make sure everything in the container is in order, let's use the cryptoarmpkcs utility.
The issued certificates could now be sent to the employees. Some were sent a file with the certificate (token holders, the ones who had sent a request); others were simply sent a PKCS#12 container. In the second case, each employee was given the container password by phone. These employees only had to fix the VPN configuration file by specifying the correct path to the container.
As for the token holders, they had to import the certificate into the token, using the same cryptoarmpkcs utility.
Now make a minimal change to the VPN configuration (the certificate label on the token may have changed), and that is all: the corporate VPN network is up and running.
Happy ending
And then I wondered: why should people bring their tokens to me, or why should I send a courier to them? So I sent a letter along the following lines.
The answer came the next day.
I also sent a link to the cryptoarmpkcs utility.
Before creating a certificate request, it was recommended to clear the token.
After that, a certificate request in PKCS#10 format arrived by e-mail, the certificate was issued and sent to the following address.
And then came the pleasant moment.
And there was this letter.
And after that, this article was born.
The distributions of the CAFL63 application for the Linux and MS Windows platforms can be found here.
Distributions of the cryptoarmpkcs utility, including one for the Android platform, are available here.
Source: habr.com