Experience of using Rutoken technology for registering and authorizing users in a system (part 2)

Hello! Let's continue the topic (the previous part can be found at the link).

Today we move on to the practical part. Let's start by building our own CA on top of the fully open-source cryptographic library OpenSSL. This procedure was tested on Windows 7.

With OpenSSL installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The procedure is as follows:

  1. Download the openssl-1.1.1g installation distribution.
    OpenSSL comes in many versions. The Rutoken documentation states that OpenSSL version 1.1.0 or newer is required. I used openssl-1.1.1g. You can download OpenSSL from the official site, but for an easier installation you need to find a Windows installer file online. I have done this for you: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download Win64 OpenSSL v1.1.1g EXE 63MB Installer.
  2. Install openssl-1.1.1g on the computer.
    The installation should follow the standard path, which is shown by default in the C:\Program Files folder. The program will be installed into the OpenSSL-Win64 folder.
  3. OpenSSL is configured the way you need it through the openssl.cfg file. If you installed OpenSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open it with, for example, Notepad++.
  4. You may have guessed that the certificate authority is configured by changing the contents of the openssl.cfg file, and you are right. This requires customizing the [ ca ] section. In openssl.cfg, the beginning of the text where we will make changes can be found as: [ ca ].
  5. Here is an example of the configuration, with an explanation:
    [ ca ]
    default_ca      = CA_default

    [ CA_default ]
    dir             = /Users/username/bin/openSSLca/demoCA
    certs           = $dir/certs
    crl_dir         = $dir/crl
    database        = $dir/index.txt
    new_certs_dir   = $dir/newcerts
    certificate     = $dir/ca.crt
    serial          = $dir/private/serial
    crlnumber       = $dir/crlnumber

    crl             = $dir/crl.pem
    private_key     = $dir/private/ca.key
    x509_extensions = usr_cert
    

    Now we need to create the demoCA directory and its subdirectories as shown in the example above, and place this directory at the path specified in dir (for me it is /Users/username/bin/openSSLca/demoCA).

    It is very important to spell dir correctly: this is the path to the directory where our certificate authority will live. This directory must be under /Users (that is, inside some user's account). If you place it, for example, in C:\Program Files, the system will not see the file with the openssl.cfg settings (at least that was the case for me).

    $dir is replaced with the path specified in dir.

    Another important point is to create an empty index.txt file; without this file the "openssl ca ..." commands will not work.

    You also need a serial file, a private key (ca.key) and a root certificate (ca.crt). How to obtain these files is described below.

  6. Connect the encryption algorithms provided by Rutoken.
    This is done in the openssl.cfg file.

    • First of all, you need to obtain the required Rutoken algorithms. These are the files rtengine.dll and rtpkcs11ecp.dll.
      To do this, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is everything a developer who wants to try Rutoken could need. It contains standalone examples of working with Rutoken in various programming languages, and it also ships several libraries. Our libraries rtengine.dll and rtpkcs11ecp.dll are located in the Rutoken SDK, respectively, at:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the libraries rtengine.dll and rtpkcs11ecp.dll do not work without the Rutoken driver installed. The Rutoken must also be connected to the computer. (To install everything needed for Rutoken, see the previous part of the article: habr.com/en/post/506450)

    • The libraries rtengine.dll and rtpkcs11ecp.dll can be stored anywhere in the user's account.
    • We write the paths to these libraries into openssl.cfg. To do this, open openssl.cfg and put the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file you need to add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND

      dynamic_path: specify your own path to the rtengine.dll library.
      MODULE_PATH: specify your own path to the rtpkcs11ecp.dll library.

  7. Add environment variables.

    Make sure to add an environment variable that points to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was set to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable, you must add the folder where openssl.exe is located; in my case it is C:\Program Files\OpenSSL-Win64\bin.

  8. Now you can return to step 5 and create the files still missing from the demoCA directory.
    1. The first important file, without which nothing will work, is serial. This is a file without an extension whose contents should be 01. You can create this file yourself and write 01 inside. You can also copy it from the Rutoken SDK, from the path sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains the serial file, which is exactly what we need.
    2. Create the root private key.
      To do this, we use an OpenSSL command, which must be run directly from the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Create the root certificate.
      To do this, use the following OpenSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the root private key generated in the previous step is required to generate the root certificate, so the command must be run in the same directory where ca.key was created.

    Now all the files missing for a complete demoCA configuration are in place. Put the created files into the directories indicated in step 5.
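To make steps 5, 6 and 8 less error-prone, here is an added example (mine, not code from the article, from Rutoken or from OpenSSL) that parses an openssl.cfg in the INI-like format shown above, follows the [ca] -> default_ca and openssl_conf -> engines -> rtengine chains, expands $dir, creates the demoCA skeleton with an empty index.txt and a serial file containing 01, and lists which files still have to be produced by hand (ca.key, ca.crt) or copied from the SDK (the two DLLs). It assumes only the simple $name substitution form the article uses; its paths are constructed placeholders rooted in a temporary directory rather than the author's /Users/username/... paths, and the RAND_TOKEN and default_algorithms lines are copied so that the engine section parses as it does on the page.

```python
"""Lay out and sanity-check the demoCA tree from an openssl.cfg like the one above."""
import os, re, tempfile

# Constructed sample: the article's [ca] and engine sections, with the absolute
# paths replaced by a {dir} placeholder that run() points at a temporary directory.
SAMPLE_CFG = """
openssl_conf = openssl_def
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = {dir}
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
serial = $dir/private/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/ca.key
x509_extensions = usr_cert
[ openssl_def ]
engines = engine_section
[ engine_section ]
rtengine = gost_section
[ gost_section ]
dynamic_path = {dir}/sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
MODULE_PATH = {dir}/sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
default_algorithms = CIPHERS, DIGEST, PKEY, RAND
"""

def parse_cfg(text):
    """Parse openssl.cfg text into {section: {key: value}}; keys before the first
    header (such as openssl_conf) go into the "" default section."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def expand(section, value):
    """Substitute $name with the same section's value (the $dir form the article uses)."""
    return re.sub(r"\$(\w+)", lambda m: section.get(m.group(1), m.group(0)), value)

def ca_paths(cfg):
    """Resolve [ca] default_ca -> [CA_default] and expand every $dir reference."""
    section = cfg[cfg["ca"]["default_ca"]]
    return {k: expand(section, v) for k, v in section.items()}

def engine_paths(cfg):
    """Follow openssl_conf -> engines -> rtengine to the two Rutoken DLL paths."""
    engine = cfg[cfg[cfg[cfg[""]["openssl_conf"]]["engines"]]["rtengine"]]
    return {k: engine[k] for k in ("dynamic_path", "MODULE_PATH")}

def prepare_demo_ca(ca):
    """Create the subdirectories plus the two files 'openssl ca' needs from the start:
    an empty index.txt (database) and a serial file containing 01."""
    for key in ("certs", "crl_dir", "new_certs_dir"):
        os.makedirs(ca[key], exist_ok=True)
    os.makedirs(os.path.dirname(ca["serial"]), exist_ok=True)  # private/
    open(ca["database"], "a").close()
    if not os.path.exists(ca["serial"]):
        with open(ca["serial"], "w") as f:
            f.write("01\n")

def missing_files(ca, engine):
    """Names whose files must still be produced (genpkey/req) or copied from the SDK."""
    wanted = {k: ca[k] for k in ("database", "serial", "private_key", "certificate")}
    wanted.update(engine)
    return sorted(k for k, p in wanted.items() if not os.path.isfile(p))

def run(base_dir):
    """Parse the sample config rooted at base_dir, build the tree, report what is left."""
    cfg = parse_cfg(SAMPLE_CFG.format(dir=base_dir.replace("\\", "/")))
    ca = ca_paths(cfg)
    prepare_demo_ca(ca)
    return {"serial_text": open(ca["serial"]).read(),
            "missing": missing_files(ca, engine_paths(cfg)),
            # the pitfall the article reports: a CA dir under Program Files was not picked up
            "dir_ok": "program files" not in ca["dir"].lower()}

def demo():
    """Run the whole flow inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return run(tmp)

if __name__ == "__main__":
    print(demo())
```

Run it against your real openssl.cfg by replacing SAMPLE_CFG with the file's contents and calling run() with the dir value you chose; the "missing" list is the checklist for step 8, and an entry for dynamic_path or MODULE_PATH means the engine section still points at a DLL path that does not exist on this machine.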

We will assume that after completing all 8 steps, our certificate authority is fully configured.

In the next part, I will describe how we work with the certificate authority to achieve what was described in the previous part of the article.

Source: www.habr.com
