An example of using Rutoken technology for user registration and authorization in a system (part 2)

Good afternoon! Let's continue the story (the previous part can be found at this link).

Today we move on to the practical part. Let's start by setting up our CA on top of the full-featured open source cryptographic library openSSL. This procedure was tested on Windows 7.

With openSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The sequence of steps is as follows:

  1. Download the openssl-1.1.1g installation package.
    openSSL comes in different versions. The Rutoken documentation states that openSSL version 1.1.0 or newer is required. I used version openssl-1.1.1g. You can download openSSL from the official site, but for an easier installation you need to find a Windows installer on the web. I did this for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download "Win64 OpenSSL v1.1.1g EXE 63MB Installer".
  2. Install openssl-1.1.1g on the computer.
    Install it in the standard way, into the C:\Program Files folder. The program will be placed in the OpenSSL-Win64 folder.
  3. openSSL is configured through the openssl.cfg file. If you installed openSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file with, for example, Notepad++.
  4. You have probably guessed that the certificate authority is set up by changing the contents of the openssl.cfg file, and you are absolutely right. This requires configuring the [ ca ] section. In openssl.cfg, the beginning of the text we will change can be found by searching for: [ ca ].
  5. Here is an example of the configuration with an explanation:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert
    

    Now we need to create the demoCA directory and its subdirectories as shown in the example above, at the path given in dir (mine is /Users/username/bin/openSSLca/demoCA).

    It is important to spell dir correctly: this is the path to the directory where our certificate authority will live. This directory must be inside /Users (that is, inside some user's account). If you put it, for example, in C:\Program Files, the system will not pick up the openssl.cfg settings (at least that is what happened to me).

    $dir - the path specified in dir is substituted here.

    Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands do not work.

    You also need a serial file, a root private key (ca.key) and a root certificate (ca.crt). How to obtain these files is described below.

  6. Connect the cryptographic algorithms provided by Rutoken.
    This is done in the openssl.cfg file.

    • First of all, you need to load the required Rutoken algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
      To do this, get the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is everything available to developers who want to try Rutoken: it contains both standalone examples of working with Rutoken in various programming languages and a number of libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK at the following paths, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the rtengine.dll and rtpkcs11ecp.dll libraries do not work without the Rutoken driver installed. The Rutoken must also be connected to the computer. (For installing everything Rutoken needs, see the previous part of the article: habr.com/en/post/506450.)

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere inside the user's account.
    • We write the paths to these libraries into openssl.cfg. To do this, open the openssl.cfg file and insert the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file you need to add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND
      

      dynamic_path - specify your own path to the rtengine.dll library.
      MODULE_PATH - specify your own path to the rtpkcs11ecp.dll library.

  7. Add environment variables.

    Be sure to add an environment variable that points to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable, you must add the folder where openssl.exe is located; in my case it is C:\Program Files\OpenSSL-Win64\bin.

  8. Now you can return to step 5 and create the missing files of the demoCA directory.
    1. The first required file, without which nothing will work, is serial. This is a file with no extension, and its contents must be 01. You can create this file yourself and write 01 into it. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains a serial file, which is exactly what we need.
    2. Generate the root private key.
      To do this, we use the following openSSL command, which must be run directly from the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Generate the root certificate.
      To do this, use the following openSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the private key generated in the previous step is required to create the root certificate. The command must therefore be run from the same directory.

    Now all the files that were missing for a complete demoCA setup exist. Put the generated files into the directories indicated in step 5.

We will assume that after completing all 8 steps, our certificate authority is fully configured.

In the next part, I will describe how we will work with the certificate authority in order to do what was described in the previous part of the article.
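    As an added example that is not part of the original article, the following POSIX shell script creates the demoCA layout that the [ CA_default ] section in step 5 expects and checks the files that "openssl ca" depends on (index.txt and serial) before you run the commands from step 8. The function names and the directory argument are my own; the script assumes the article's paths, in particular serial under private/.

```shell
#!/bin/sh
# Added example, not from the original article: create the demoCA layout
# that the [ CA_default ] section in step 5 expects, then verify it before
# any "openssl ca" command is run. The CA root is passed as the argument.

make_demo_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private" || return 1
    # ca.key will live in private/; restrict it to the CA operator
    chmod 700 "$dir/private"
    # index.txt must exist (empty is fine); without it "openssl ca" refuses to run
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
    # serial is the next certificate serial number; the article starts at 01
    # and keeps the file under private/, so we follow that path
    [ -f "$dir/private/serial" ] || printf '01\n' > "$dir/private/serial"
    # crlnumber is the CRL counter named in [ CA_default ]; start it at 01 too
    [ -f "$dir/crlnumber" ] || printf '01\n' > "$dir/crlnumber"
}

# Returns 0 when every directory and file named in [ CA_default ] is present
# and the serial file is usable; otherwise prints the first problem, returns 1.
check_demo_ca() {
    dir="$1"
    for d in certs crl newcerts private; do
        [ -d "$dir/$d" ] || { echo "missing directory $dir/$d"; return 1; }
    done
    [ -f "$dir/index.txt" ] || { echo "missing $dir/index.txt"; return 1; }
    serial=$(cat "$dir/private/serial" 2>/dev/null) || { echo "missing $dir/private/serial"; return 1; }
    # OpenSSL parses serial as hex and rejects an odd number of digits,
    # so "1" fails where "01" works
    case "$serial" in
        ''|*[!0-9A-Fa-f]*) echo "serial is not a hex number: '$serial'"; return 1 ;;
    esac
    [ $(( ${#serial} % 2 )) -eq 0 ] || { echo "serial needs an even digit count"; return 1; }
    for f in ca.crt private/ca.key; do
        # produced by the genpkey / req commands in step 8; warn, don't fail,
        # because the layout is built before those commands are run
        [ -f "$dir/$f" ] || echo "note: $dir/$f not yet present"
    done
    return 0
}

# Usage: make_demo_ca /Users/username/bin/openSSLca/demoCA
#        check_demo_ca /Users/username/bin/openSSLca/demoCA
```

    After running the two openSSL commands from step 8, copy ca.crt into the CA root and ca.key into private/ so that the certificate and private_key paths in [ CA_default ] resolve.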

Source: www.habr.com
