Experience using Rutoken technology for registration and authorization of system users (part 2)

Good afternoon. Let's continue this topic (the first part can be found at the link).

Today we move on to the practical part. Let's start by creating our CA based on the open-source cryptographic library OpenSSL. This procedure was tested on Windows 7.

With OpenSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The sequence of actions is as follows:

  1. Download the openssl-1.1.1g installation distribution.
    OpenSSL has different versions. The Rutoken documentation states that OpenSSL version 1.1.0 or newer is required. I used the openssl-1.1.1g version. You can download OpenSSL from the official site, but for easier installation you need to get a Windows installer file from the web. I have done that for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download Win64 OpenSSL v1.1.1g EXE 63MB Installer.
  2. Install openssl-1.1.1g on the computer.
    The installation should follow the standard path, which defaults to the C:\Program Files folder. The program will be installed in the OpenSSL-Win64 folder.
  3. To configure OpenSSL the way you need it, there is the openssl.cfg file. If you installed OpenSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file using, for example, Notepad++.
  4. You have probably guessed that the certificate authority will be configured by changing the contents of openssl.cfg, and you are right. This requires configuring the [ca] section. In openssl.cfg, the start of the text we will change can be found by searching for: [ ca ].
  5. Here is an example of a configured section:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert


    Now we need to create the demoCA directory and its subdirectories as shown in the example above, and place this directory at the path specified in dir (in my case /Users/username/bin/openSSLca/demoCA).

    It is very important to spell dir correctly: this is the path to the directory where our certificate authority lives. This directory must be under /Users (that is, inside some user's account). If you put this directory, for example, in C:\Program Files, the system will not see the file with the openssl.cfg settings (at least that is how it was for me).

    $dir is replaced with the path specified in dir.

    Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands will not work.

    You also need a serial file, a root private key (ca.key) and a root certificate (ca.crt). How to obtain those files is described below.

  6. Connecting the cryptographic algorithms provided by Rutoken.
    This is done in the openssl.cfg file.

    • First, you need to download the required Rutoken algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
      To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK contains everything a developer needs to try out Rutoken. It includes various examples of working with Rutoken written in different programming languages, as well as several libraries. The libraries we need, rtengine.dll and rtpkcs11ecp.dll, are located in the Rutoken SDK at, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the rtengine.dll and rtpkcs11ecp.dll libraries do not work without the Rutoken driver, and the Rutoken itself must be connected to the computer. (To install everything you need for Rutoken, see the first part of the article: habr.com/en/post/506450)

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere inside the user account.
    • We write the paths to these libraries into openssl.cfg. To do this, open openssl.cfg and put the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file you need to add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND


      dynamic_path - here you must specify the path to your rtengine.dll library.
      MODULE_PATH - here you must specify the path to your rtpkcs11ecp.dll library.

  7. Adding environment variables.

    Be sure to add an environment variable holding the path to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable you must add the path to the folder containing openssl.exe; in my case that is C:\Program Files\OpenSSL-Win64\bin.

  8. Now you can go back to step 5 and create the files that are still missing from the demoCA directory.
    1. The first important file, without which nothing will work, is serial. This is a file without an extension whose content must be 01. You can create this file yourself and write 01 into it. You can also take it from the Rutoken SDK at the path sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains the serial file, which is exactly what we need.
    2. Create the root private key.
      To do this, we use an OpenSSL command, which must be run directly from the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Create the root certificate.
      To do this, use the following OpenSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the root private key generated in the previous step is needed to produce the root certificate, so the command line must be started in the same directory.

    Now we have all the files that were missing from the full configuration of the demoCA directory. Put the created files into the directories specified in step 5.
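A preflight check for steps 5 to 8, added here as an example (not code from the original article or from Rutoken): it parses an openssl.cfg the way OpenSSL resolves $dir, then reports every CA path, DLL path and environment variable that the text above says must be in place before "openssl ca" will work. build_demo_ca is a constructed sample that lays out demoCA in a scratch directory; the hypothetical engine paths and file names follow the configuration shown above.

```python
import os
import re
import tempfile

def parse_openssl_cfg(text):
    """{section: {key: value}}; $name is expanded from the current section, then from the default one."""
    sections, cur = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.match(r"^\[\s*(\S+)\s*\]$", line):
            cur = m.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sec = sections[cur]
            sec[key] = re.sub(r"\$(\w+)", lambda v: sec.get(v[1], sections["default"].get(v[1], v[0])), val)
    return sections

def preflight(cfg, environ=os.environ):
    """List what 'openssl ca' and the rtengine would trip over: missing CA paths, DLLs, OPENSSL_CONF."""
    ca, problems = cfg.get(cfg.get("ca", {}).get("default_ca", ""), {}), []
    for key in ("dir", "certs", "crl_dir", "new_certs_dir"):
        if not os.path.isdir(ca.get(key, "")):
            problems.append(f"{key}: missing directory {ca.get(key)!r}")
    for key in ("database", "serial", "certificate", "private_key"):  # index.txt, serial, ca.crt, ca.key
        if not os.path.isfile(ca.get(key, "")):
            problems.append(f"{key}: missing file {ca.get(key)!r}")
    # Follow openssl_conf -> engines -> rtengine to the section that holds the DLL paths (step 6).
    eng = cfg.get(cfg.get(cfg["default"].get("openssl_conf", ""), {}).get("engines", ""), {})
    gost = cfg.get(eng.get("rtengine", ""), {})
    for key in ("dynamic_path", "MODULE_PATH"):
        if not os.path.isfile(gost.get(key, "")):
            problems.append(f"{key}: library not found {gost.get(key)!r}")
    if not environ.get("OPENSSL_CONF"):  # step 7: without it openssl never reads this file
        problems.append("OPENSSL_CONF: not set, so openssl will not read this configuration")
    return problems

def build_demo_ca(root=None):
    """Constructed sample: demoCA as in step 5 (subdirs, empty index.txt, serial=01) plus a matching cfg."""
    root = root or tempfile.mkdtemp()
    for sub in ("certs", "crl", "newcerts", "private"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    open(os.path.join(root, "index.txt"), "w").close()
    with open(os.path.join(root, "private", "serial"), "w") as f:
        f.write("01\n")
    return (f"openssl_conf = openssl_def\n[ ca ]\ndefault_ca = CA_default\n[ CA_default ]\ndir = {root}\n"
            "certs = $dir/certs\ncrl_dir = $dir/crl\ndatabase = $dir/index.txt\nnew_certs_dir = $dir/newcerts\n"
            "certificate = $dir/ca.crt\nserial = $dir/private/serial\nprivate_key = $dir/private/ca.key\n"
            "[ openssl_def ]\nengines = engine_section\n[ engine_section ]\nrtengine = gost_section\n"
            f"[ gost_section ]\ndynamic_path = {root}/rtengine.dll\nMODULE_PATH = {root}/rtpkcs11ecp.dll\n")
```

Running preflight on a freshly built demoCA lists exactly the items step 8 still has to produce (ca.key, ca.crt) plus the engine DLLs and OPENSSL_CONF; an empty list means the layout is ready for the openssl commands above.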

We will assume that after completing all 8 steps, our certificate authority is fully configured.

In the next part, we will describe how to work with the certificate authority in order to implement what was described in the first part of the article.

Source: www.habr.com
