Implementing Rutoken technology for user registration and authentication in a system (part 2)

Hello! Let's continue with this topic (the previous part is available at the link).

Today we move on to the practical part. Let's start by setting up our own CA on top of OpenSSL, a full-featured open-source cryptographic library. The procedure was tested on Windows 7.

Once OpenSSL is installed, we can perform various cryptographic operations (such as creating keys and certificates) from the command line.

The sequence of actions is as follows:

  1. Download the openssl-1.1.1g installer.
    OpenSSL comes in several versions. The Rutoken documentation states that OpenSSL 1.1.0 or newer is required. I used openssl-1.1.1g. OpenSSL can be downloaded from the official site, but for a simple installation you need a Windows installer, which has to be found elsewhere. I used this one: slproweb.com/products/Win32OpenSSL.html
    Scroll down the page and download the Win64 OpenSSL v1.1.1g EXE 63MB Installer.
  2. Install openssl-1.1.1g on the computer.
    Use the standard installation path, which defaults to the C:\Program Files folder. The program will be installed in the OpenSSL-Win64 folder.
  3. OpenSSL is configured through the openssl.cfg file. If you installed OpenSSL as described in the previous step, this file is located at C:\Program Files\OpenSSL-Win64\bin. Go to the folder where openssl.cfg is stored and open the file with, for example, Notepad++.
  4. You have probably guessed that the certificate authority will be configured by changing the contents of openssl.cfg, and you are right. What needs to be configured is the [ ca ] section. In openssl.cfg, the start of the text we will be changing can be found by searching for: [ ca ].
  5. Here is an example of the configuration, followed by its explanation:
    [ ca ]
    default_ca	= CA_default

    [ CA_default ]
    dir		= /Users/username/bin/openSSLca/demoCA
    certs		= $dir/certs
    crl_dir		= $dir/crl
    database	= $dir/index.txt
    new_certs_dir	= $dir/newcerts
    certificate	= $dir/ca.crt
    serial		= $dir/private/serial
    crlnumber	= $dir/crlnumber

    crl		= $dir/crl.pem
    private_key	= $dir/private/ca.key
    x509_extensions	= usr_cert


    Now we need to create the demoCA directory and its subdirectories as shown in the example above, and place that directory at the path given in dir (mine is /Users/username/bin/openSSLca/demoCA).

    It is very important to spell dir correctly: this is the path to the directory where our certificate authority will live. This directory should be under /Users (that is, inside a user account). If you put the directory in, for example, C:\Program Files, the system will not see the settings from openssl.cfg (at least that was the case for me).

    $dir - the path specified in dir is substituted here.

    Another important point is to create an empty index.txt file; without it the "openSSL ca …" commands will not work.

    You also need a serial file, a root private key (ca.key) and a root certificate (ca.crt). The procedure for obtaining these files is described below.

  6. Connect the cryptographic algorithms provided by Rutoken.
    This is also done in the openssl.cfg file.

    • First, you need to download the required Rutoken algorithm libraries. These are the files rtengine.dll and rtpkcs11ecp.dll.
      To get them, download the Rutoken SDK: www.rutoken.ru/developers/sdk.

      The Rutoken SDK is a complete kit for developers who want to try out Rutoken. It contains examples of working with Rutoken in various programming languages, as well as a number of libraries. The libraries we need, rtengine.dll and rtpkcs11ecp.dll, are located in the Rutoken SDK at, respectively:

      sdk/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      sdk/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll

      A very important point: the libraries rtengine.dll and rtpkcs11ecp.dll do not work without the Rutoken driver installed. The Rutoken itself must also be plugged into the computer. (For installing everything Rutoken needs, see the previous part of the article: habr.com/zu/post/506450)

    • The rtengine.dll and rtpkcs11ecp.dll libraries can be stored anywhere inside the user account.
    • We write the paths to these libraries into openssl.cfg. To do this, open openssl.cfg and put the following line at the very beginning of the file:
      openssl_conf = openssl_def

      At the end of the file, add:

      [ openssl_def ]
      engines = engine_section
      [ engine_section ]
      rtengine = gost_section
      [ gost_section ]
      dynamic_path = /Users/username/bin/sdk-rutoken/openssl/rtengine/bin/windows-x86_64/lib/rtengine.dll
      MODULE_PATH = /Users/username/bin/sdk-rutoken/pkcs11/lib/windows-x86_64/rtpkcs11ecp.dll
      RAND_TOKEN = pkcs11:manufacturer=Aktiv%20Co.;model=Rutoken%20ECP
      default_algorithms = CIPHERS, DIGEST, PKEY, RAND


      dynamic_path - specify your own path to the rtengine.dll library.
      MODULE_PATH - specify your own path to the rtpkcs11ecp.dll library.

  7. Add environment variables.

    Make sure you add an environment variable that points to the openssl.cfg configuration file. In my case, the OPENSSL_CONF variable was created with the value C:\Program Files\OpenSSL-Win64\bin\openssl.cfg.

    In the Path variable, add the folder where openssl.exe is located; for me that is C:\Program Files\OpenSSL-Win64\bin.

  8. Now go back to step 5 and create the files that are still missing from the demoCA directory.
    1. The first essential file, without which nothing will work, is serial. This is a file without an extension whose content must be 01. You can create this file yourself and write 01 into it. You can also take it from the Rutoken SDK at sdk/openssl/rtengine/samples/tool/demoCA/.
      That demoCA directory contains a serial file, which is exactly what we need.
    2. Create the root private key.
      To do this, we use the following OpenSSL command, which must be run directly on the command line:

      openssl genpkey -algorithm gost2012_256 -pkeyopt paramset:A -out ca.key

    3. Create the root certificate.
      To do this, use the following OpenSSL command:

      openssl req -utf8 -x509 -key ca.key -out ca.crt

      Note that the root private key generated in the previous step is required to produce the root certificate, so this command must be run from the same directory.

    Now we have all the files that were missing for a complete demoCA directory layout. Place the created files in the directory specified in step 5.
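As an added example (not part of the original article), the following Python script applies steps 5 and 8 to the [ CA_default ] section: it expands $dir the way OpenSSL does, creates the demoCA skeleton with an empty index.txt and a serial file containing 01, and reports which configured paths are still missing (ca.key and ca.crt must come from the openssl commands above). The sample configuration embedded below is constructed from the article's example; the dir_override parameter is my own addition so the check can be run against any directory.

```python
import os
import re

# Constructed sample: the [ CA_default ] section from step 5 (the article's placeholder path).
SAMPLE_CFG = """
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /Users/username/bin/openSSLca/demoCA
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
serial = $dir/private/serial
private_key = $dir/private/ca.key
"""
DIR_KEYS = ("certs", "crl_dir", "new_certs_dir")
FILE_KEYS = ("database", "serial", "certificate", "private_key")

def parse_ca_default(text, dir_override=None):
    """Return the keys of the section named by default_ca, with $dir expanded as OpenSSL does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    ca = sections.get(sections.get("ca", {}).get("default_ca", "CA_default"), {})
    base = dir_override or ca.get("dir", "")  # dir_override is this example's own option
    return {k: (base if k == "dir" else v.replace("$dir", base)) for k, v in ca.items()}

def scaffold(ca):
    """Create the demoCA skeleton of step 5: subdirectories, empty index.txt, serial = 01."""
    for key in DIR_KEYS:
        os.makedirs(ca[key], exist_ok=True)
    os.makedirs(os.path.dirname(ca["serial"]), exist_ok=True)
    open(ca["database"], "a").close()  # index.txt must exist, even if empty
    if not os.path.isfile(ca["serial"]):  # never reset an existing serial counter
        with open(ca["serial"], "w") as f:
            f.write("01\n")

def missing(ca):
    """Configured paths that do not exist yet (ca.key and ca.crt are produced in step 8)."""
    absent = [k for k in DIR_KEYS if not os.path.isdir(ca[k])]
    absent += [k for k in FILE_KEYS if not os.path.isfile(ca[k])]
    return absent
```

Run parse_ca_default on your real openssl.cfg and call missing() before the first "openssl ca" command; an empty list means the layout from step 5 is complete.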

We will assume that after completing all 8 steps, our certificate authority is fully configured.

In the next part, I will describe how we will interact with the certificate authority to accomplish what was described in the previous part of the article.

Source: www.habr.com
