Experience of using Rutoken technology for user registration and authorization in a system (part 2)

Good afternoon! Let's continue with the topic (the previous part can be found at the link).

Today we move on to the practical part. Let's start by setting up our own CA on top of the open cryptographic library openSSL. This sequence of steps was tested on Windows 7.

With openSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The sequence of actions is as follows:

  1. Download the openssl-1.1.1g distribution.
    OpenSSL comes in many versions. The Rutoken documentation states that OpenSSL 1.1.0 or newer is required; I used version 1.1.1g. You can download openSSL from the official site, but for a painless installation you need a Windows installer, which has to be found elsewhere on the web. I did that for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download "Win64 OpenSSL v1.1.1g EXE 63MB Installer".
  2. Install openssl-1.1.1g on the computer.
    Follow the standard installation procedure, which simply installs into C:\Program Files. The program ends up in the OpenSSL-Win64 folder.
  3. OpenSSL is configured through the openssl.cfg file. If you installed openSSL as described in the previous step, it is located at C:\Program Files\OpenSSL-Win64\bin. Go to that folder and open openssl.cfg in an editor, for example Notepad++.
  4. You have probably guessed that the certification authority is configured by editing the contents of openssl.cfg, and you are right. What needs changing is the [ ca ] section. In openssl.cfg, the start of the text we are going to edit can be found by searching for: [ ca ].
  5. Here is an example configuration with an explanation:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert

    Now we need to create the demoCA directory with the subdirectories shown in the example above, and place it at the path given in dir (mine is /Users/username/bin/openSSLca/demoCA).

    It is important to set dir correctly: this is the path to the directory where our certification authority will live. The directory should be under /Users (that is, inside the user's account). If you put it in C:\Program Files, for example, the system will not see the openssl.cfg settings file (at least that was the case for me).

    $dir is replaced by the path specified in dir.

    Another important point: create an empty index.txt file. Without it, the "openssl ca ..." commands will not work.

    You also need the serial file, the private key (ca.key) and the root certificate (ca.crt). How to obtain these files is described below.

  6. Connect the cryptographic algorithms provided by Rutoken.
    This is done in the openssl.cfg file.

    • First you need to obtain the Rutoken algorithm libraries, rtengine.dll and rtpkcs11ecp.dll.
      To do that, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is everything available to developers who want to try Rutoken: separate examples of working with Rutoken in various programming languages, plus a number of libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are in the Rutoken SDK at, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the rtengine.dll and rtpkcs11ecp.dll libraries do not work without the Rutoken driver installed, and the Rutoken must be plugged into the computer. (For setting up everything Rutoken needs, see the previous part of the article: habr.com/ru/post/506450.)

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere inside the user's account.
    • We write the paths to these libraries into openssl.cfg. To do that, open openssl.cfg and put this line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file, add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND

      dynamic_path - the path to your copy of the rtengine.dll library.
      MODULE_PATH - the path to your copy of the rtpkcs11ecp.dll library.

  7. Add environment variables.

    Be sure to add an environment variable holding the path to the openssl.cfg file. In my case the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable, specify the folder containing openssl.exe; for me that is C:\Program Files\OpenSSL-Win64\bin.

  8. Now we can go back to step 5 and create the files missing from the demoCA directory.
    1. The first required file, without which nothing works, is serial. It is a file with no extension whose content should be 01. You can create the file yourself and write 01 into it, or copy it from the Rutoken SDK at sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains a serial file, which is exactly what we need.
    2. Create the private key.
      For this we use an openSSL command, which must be run directly from the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Create the root certificate.
      For this, use the following openSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the root private key created in the previous step is needed to create the root certificate, so the command line must be opened in the same directory.

    That gives us all the files needed to pre-populate the demoCA directory. Place the created files in the directories indicated in step 5.
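As an added example (not code from the article or the Rutoken SDK), here is a small Python 3.8+ script that checks steps 5, 6 and 8 for you. It reads openssl.cfg the way OpenSSL resolves it (the [ ca ] default_ca reference, $dir expansion, and the openssl_conf -> engines -> rtengine chain), creates the empty index.txt and the serial file containing 01, and then lists every path that is still missing: the CA directories, ca.key and ca.crt, and the two DLLs named in gost_section. The section and key names are the ones from the configuration above; the paths inside sample_cfg() are constructed placeholders, and the temporary directory it uses exists only for the demo.

```python
# Added example, not code from the article or the Rutoken SDK: it reads openssl.cfg the way
# OpenSSL resolves it ([ca] default_ca -> section, $dir expansion, openssl_conf -> engines),
# creates the empty index.txt and the "01" serial file from steps 5 and 8, and lists every
# file or library path still missing before "openssl ca" is attempted. All paths are examples.
import os, re, tempfile
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")
KV_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*)$")
# [CA_default] entries that must point at existing paths before 'openssl ca' can work
REQUIRED = ("certs", "crl_dir", "new_certs_dir", "database", "serial", "certificate", "private_key")

def parse_openssl_cfg(text):
    """Return {section: {key: value}}; keys above the first header land in section ""."""
    sections, current = {"": {}}, ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()             # drop comments and whitespace
        if m := SECTION_RE.match(line):
            sections.setdefault(current := m.group(1), {})
        elif m := KV_RE.match(line):
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def expand(value, section):
    """Replace $name / ${name} with a value from the same section (this is how $dir works)."""
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))",
                  lambda m: section.get(m.group(1) or m.group(2), m.group(0)), value)

def resolve_ca_paths(cfg):
    """Follow [ca] default_ca to its section and expand every REQUIRED entry to a Path."""
    section = cfg[cfg["ca"]["default_ca"]]
    return {k: Path(expand(section[k], section)) for k in REQUIRED if k in section}

def init_demo_ca(paths):
    """Create directories, the empty index.txt and serial=01; existing files are never touched."""
    for key in ("certs", "crl_dir", "new_certs_dir"):
        paths[key].mkdir(parents=True, exist_ok=True)
    for key, content in (("database", ""), ("serial", "01\n"), ("private_key", None)):
        paths[key].parent.mkdir(parents=True, exist_ok=True)
        if content is not None and not paths[key].exists():
            paths[key].write_text(content)

def preflight(cfg, paths):
    """Return a list of problems; empty means the CA layout and the engine wiring are complete."""
    problems = [f"{k}: {p} is missing" for k, p in paths.items() if not p.exists()]
    if paths["serial"].exists():
        text = paths["serial"].read_text().strip()
        if not re.fullmatch(r"[0-9A-Fa-f]+", text) or len(text) % 2:
            problems.append(f"serial: '{text}' is not an even-length hex number")
    try:  # openssl_conf -> [openssl_def] engines -> [engine_section] rtengine -> [gost_section]
        gost = cfg[cfg[cfg[cfg[""]["openssl_conf"]]["engines"]]["rtengine"]]
        for key in ("dynamic_path", "MODULE_PATH"):
            if not Path(gost[key]).is_file():
                problems.append(f"{key}: {gost[key]} not found (copy it from the Rutoken SDK)")
    except KeyError as missing:
        problems.append(f"engine wiring incomplete: no entry {missing}")
    return problems

def sample_cfg(root):
    """Constructed openssl.cfg fragment with the article's sections, rooted under `root`."""
    root = root.replace("\\", "/")                        # OpenSSL accepts '/' on Windows too
    return f"""openssl_conf = openssl_def
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = {root}/demoCA       # where everything is kept
certs         = $dir/certs
crl_dir       = $dir/crl
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/ca.crt
serial        = $dir/private/serial
private_key   = $dir/private/ca.key
[ openssl_def ]
engines = engine_section
[ engine_section ]
rtengine = gost_section
[ gost_section ]
dynamic_path = {root}/sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
MODULE_PATH = {root}/sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
"""

def demo():
    """Whole flow in a temporary directory; returns (problems before init, problems after)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = parse_openssl_cfg(sample_cfg(tmp))
        paths = resolve_ca_paths(cfg)
        before = preflight(cfg, paths)
        init_demo_ca(paths)
        for key in ("dynamic_path", "MODULE_PATH"):      # empty stand-ins for the two DLLs
            Path(cfg["gost_section"][key]).parent.mkdir(parents=True, exist_ok=True)
            Path(cfg["gost_section"][key]).touch()
        return before, preflight(cfg, paths)

if __name__ == "__main__":                                # real run: OPENSSL_CONF from step 7
    cfg = parse_openssl_cfg(Path(os.environ["OPENSSL_CONF"]).read_text(encoding="utf-8"))
    paths = resolve_ca_paths(cfg)
    init_demo_ca(paths)
    print("\n".join(preflight(cfg, paths)) or "demoCA is complete")
```

Run it with OPENSSL_CONF set as in step 7 and it checks your real installation; it never overwrites an existing serial or index.txt, so it is safe to run again after the CA has started issuing certificates. The serial check covers a mistake that the "its value should be 01" instruction hides: openssl ca reads that file as a hex integer and rejects an odd number of digits, so the content must be 01, not 1.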

We will assume that after completing all 8 steps, our certification authority is properly configured.

In the next part, I will describe how we work with the certification authority to implement what was described in the previous part of the article.

Source: www.habr.com
