Two-factor authentication on a website using a USB token. Now also for Linux

In one of our previous articles we talked about the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication on the IIS web server.

In the comments we were asked to write instructions for the popular Linux web servers, nginx and Apache.

You asked, so we wrote them.

What do you need to get started?

  • Any modern Linux distribution. I tested the setup on MX Linux 18.2_x64. This is not a server distribution, but it is unlikely to differ from Debian. On other distributions the paths to the libraries may differ slightly.
  • A token. We continue to use Rutoken EDS PKI as the example; in terms of speed it is well suited to corporate use.
  • To work with the token on Linux, you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc

Issuing certificates

In the previous article we relied on the server and client certificates being issued with Microsoft CA. But since we are setting everything up on Linux, we will also describe an alternative way to issue these certificates, without leaving Linux.
We will use XCA as the CA (https://hohnstaedt.de/xca/); it is available in any modern Linux distribution. Everything we do in XCA can also be done from the command line with the OpenSSL and pkcs11-tool utilities, but for simplicity and clarity we will not show that in this article.

Getting started

  1. Install:
    $ apt-get install xca
  2. And run:
    $ xca
  3. Create our CA database: /root/CA.xdb
    We recommend storing the Certificate Authority database in a folder that only the administrator can access. This is important to protect the private keys of the root certificates, which are used to sign all the other certificates.

Creating the keys and the root CA certificate

A public key infrastructure (PKI) is built as a hierarchy. The central element of this system is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and select the appropriate type.
  2. Set a name for the new key pair. I named it CA Key.
  3. Issue the CA certificate itself using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
  4. Be sure to select SHA-256, because using SHA-1 is no longer considered secure.
  5. Be sure to select [default] CA as the template. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab select our key pair. There you can also fill in all the main fields of the certificate.

Creating the keys and certificate for the HTTPS server

  1. In the same way, create an RSA-2048 private key for the server; I called it Server Key.
  2. When creating the certificate, choose that the server certificate is to be signed with the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select [default] HTTPS_server as the template. Click Apply all.
  5. Then on the Subject tab select our key and fill in the required fields.

Creating the keys and certificate for the user

  1. The user's private key will be stored on our token. To work with it, you need to install the PKCS#11 library from our website. For popular distributions we provide ready-made packages, available here: https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be taken from our SDK: https://www.rutoken.ru/developers/sdk/. Besides the Linux builds, there are builds for MacOS, FreeBSD and Android.
  2. Add the PKCS#11 provider to XCA. To do this, open the Options menu and go to the PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We need a formatted Rutoken EDS PKI token. Download the rtAdmin utility: https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run:
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key for Rutoken EDS PKI as the key type. I named this key Client Key.

  7. Enter the PIN code and wait for the hardware generation of the key pair to finish.

  8. Create the user certificate in the same way as the server certificate. This time select the [default] HTTPS_client template and don't forget to click Apply all.
  9. On the Subject tab enter the user's details. Answer yes to the prompt asking whether to store the certificate on the token.

As a result, on the Certificates tab in XCA you should see something like this.

This minimal set of keys and certificates is enough to start setting up the servers themselves.

For the setup we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the required entry on the corresponding tab in XCA and click Export.

Nginx

I will not describe installing and running the nginx server; there is plenty of material on this topic on the Internet, not to mention the official documentation. Let's go straight to setting up HTTPS and two-factor authentication with the token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all parameters related to configuring SSL in nginx can be found here: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I will briefly describe only the ones I set myself:

  • ssl_verify_client - specifies that the certificate's chain of trust must be verified.
  • ssl_verify_depth - specifies how deep to search the chain for the trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user certificate is signed by an intermediate CA, then 2 must be specified in this parameter, and so on.
  • ssl_client_certificate - specifies the path to the trusted root certificate, which is used when checking the trust of the user certificate.
  • ssl_certificate/ssl_certificate_key - specify the paths to the server certificate and private key.

Don't forget to run nginx -t to check that there are no typos in the config, that all the files are in the right place, and so on.

And that's it! As you can see, the setup is very simple.
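The same minimal PKI, built with openssl instead of XCA, together with the trust check nginx applies to a presented client certificate, as an added shell example that is not part of the original article. The client key is generated in software only so the script runs offline (the article keeps it on the token); the host name, subject names and scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the PKI the article builds in XCA,
# done with openssl, plus the trust check that ssl_verify_client / SSLVerifyClient
# perform on a presented client certificate. The client key is generated in
# software here only so the script runs offline; in the article it is generated on
# the Rutoken and never leaves it. File names follow the article (CA.crt, Server.crt).
set -eu
WORK=${WORK:-$(mktemp -d)}   # scratch directory (assumed; override with WORK=...)

# Self-signed root CA: RSA-2048, SHA-256, as the XCA [default] CA template produces.
make_ca() {   # $1 = directory, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/CAKey.pem" -out "$1/CA.crt" 2>/dev/null
}

# Leaf certificate signed directly by the CA in $1: $2 = base name, $3 = common name.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/${2}Key.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/CA.crt" -CAkey "$1/CAKey.pem" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# The check the web server does at the TLS handshake: chain the client certificate
# to the trusted root from ssl_client_certificate, no deeper than the configured
# depth (1, as in the article's nginx config). Returns 0 only if the chain is trusted.
verify_client() {   # $1 = trusted CA file, $2 = client certificate
    openssl verify -CAfile "$1" -verify_depth 1 -purpose sslclient "$2" >/dev/null 2>&1
}

build_pki() {
    mkdir -p "$WORK/good" "$WORK/rogue"
    make_ca "$WORK/good" "Corporate CA"                 # the CA we export to the server
    issue_leaf "$WORK/good" Server portal.example.test  # constructed host name
    issue_leaf "$WORK/good" Client "Alice"              # stands in for the token key
    # An unrelated CA: certificates it issues must be rejected by our server.
    make_ca "$WORK/rogue" "Some Other CA"
    issue_leaf "$WORK/rogue" Client "Mallory"
}

build_pki
verify_client "$WORK/good/CA.crt" "$WORK/good/Client.crt" && echo "Alice: accepted"
verify_client "$WORK/good/CA.crt" "$WORK/rogue/Client.crt" || echo "Mallory: rejected"
```

The files under "$WORK/good" can be dropped straight into the nginx or Apache configuration shown in the article (CA.crt, Server.crt, ServerKey.pem).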

Checking that it works in Firefox

Since we are doing everything entirely on Linux, we will assume that our users also work on Linux (if they have Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First, let's try to log in without the token. We get this picture:

  3. Go to about:preferences#privacy and open Security Devices...
  4. Click Load to add a new PKCS#11 device driver and specify the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, you can open Certificate Manager. You will be asked to enter your PIN. After entering the correct one, on the Your Certificates tab you can see our certificate, found on the token.
  6. Now let's log in with the token. Firefox will prompt you to choose the certificate to present to the server. Select our certificate.

  7. Profit!

The setup is done only once, and as you can see in the certificate request window, we can remember our choice. After that, every time we log in to the portal we only need to insert the token and enter the user PIN code that was set during formatting. After such authentication the server already knows which user has logged in, and there is no need to show any further verification windows: the user can be let straight into their personal account.

Apache

Just as with nginx, nobody should have trouble installing Apache. If you don't know how to install this web server, just use the official documentation.

And we start setting up our HTTPS and two-factor authentication:

  1. First you need to enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the site with the default HTTPS configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv2
    
        SSLCertificateFile	/etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
    
        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
    
        SSLVerifyClient require
        SSLVerifyDepth  10

    As you can see, the parameter names correspond to the nginx parameter names, so I will not explain them. Again, anyone interested in the details is welcome to consult the documentation.
    Now restart our server:

    $ service apache2 reload
    $ service apache2 restart

  4. As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes just one hour. And setting up the browsers takes about five minutes. Many people think that setting up and working with two-factor authentication is complicated and obscure. I hope our article dispels this myth, at least a little.

Source: www.habr.com