Signing files through a browser / Active Blog / Sudo Null IT News

In a number of projects, files of arbitrary format (for example, tender documentation in PDF format) must be signed when they are uploaded to the server.
Typically, a signature according to GOST R 34.10-2001 is required, using X.509 digital certificates. The signature itself is then conveniently stored on the server in the CMS detached format.
I want to note right away that this problem has been solved for a long time (CryptoPro CSP, CAPICOM, etc.). But there are nuances that make such a solution not always accessible. For one of the projects, we proposed a solution for signing files that really made life easier for end users and technical support. More about it below.

The general scheme of the solution is shown in the picture.
Components on the client.

  1. Rutoken EDS as a hardware cryptographic information protection tool
  2. Rutoken Plugin for working with Rutoken EDS in the browser + support for digital certificates

On the server we use a modified openssl + a wrapper for ASP.NET. Using openssl makes it possible to upgrade to the certified SKZI MagPro CryptoPacket 2.1 without major changes to the server side.

Description of the protocol used for signing.

  1. Uploading a document to the server using standard browser tools (or generating a document on the server, as often happens)
  2. Calculation of the hash sum of the document on the server according to GOST R 34.11-94 using openssl
  3. Sending the calculated hash sum to the client
  4. Signing the hash sum on the client in accordance with GOST R 34.10-2001 with the private key associated with the certificate
  5. Sending the signature and certificate to the server
  6. Signature verification
  7. Packaging the signature and certificate in the CMS detached format

Now about the technical details.
The server wrapper library over openssl has the following API:

  1. Hash sum function
    unsigned char * HashData (unsigned char * buffer, size_t size);
  2. CMS detached generation function
    char * CreateSignedCMSDetached (unsigned char * signature, const char * cert);
  3. The signature verification function is not universal and is implemented only for this project, so I will not describe it here

As you can see, these functions are easy enough to call from ASP.NET (and not only from there).

On the client, the hash is signed by the following sequence of Rutoken Plugin calls:

  1. User selects certificate
  2. Get the private key by certificate
    getKeyByCertificate (deviceId, certId, resultCallback, errorCallback) → {string}
  3. Get the "body" of the certificate to send to the server
    getCertificate (deviceId, certId, resultCallback, errorCallback) → {string}
  4. Sign the hash with the private key
    rawSign (deviceId, keyId, data, options, resultCallback, errorCallback) → {string}
    Returns the GOST R 34.10-2001 signature in hex for the transmitted hash

The hash and certificate are sent to the server.
The solution is simple for both the developer and the end user.
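
The client sequence above, written out as an added example (not the article's or the plugin vendor's code). It assumes the plugin object exposes the three methods with the signatures listed, that `rawSign` accepts the hash as a hex string with an empty options object, and it uses a constructed `fakePlugin` in place of the token; the length checks follow from the 256-bit GOST R 34.11-94 digest and the 512-bit GOST R 34.10-2001 signature.

```javascript
// Added example: client-side signing flow over the three plugin calls listed above.
const HASH_HEX_LEN = 64;  // GOST R 34.11-94 digest: 256 bits
const SIG_HEX_LEN = 128;  // GOST R 34.10-2001 signature: 512 bits

// Reject anything that is not exactly `len` hex characters.
function requireHex(value, len, what) {
  if (typeof value !== "string" || value.length !== len || !/^[0-9a-fA-F]+$/.test(value)) {
    throw new Error(what + " must be " + len + " hex characters");
  }
  return value.toLowerCase();
}

// Wrap a callback-style plugin method (..., resultCallback, errorCallback) in a Promise.
function call(plugin, method, ...args) {
  return new Promise((resolve, reject) => plugin[method](...args, resolve, reject));
}

// Steps 2-4 of the client sequence; resolves to what protocol step 5 sends to the server.
async function signServerHash(plugin, deviceId, certId, hashHex) {
  // Validate the server-supplied value before the token is asked to sign it.
  const hash = requireHex(hashHex, HASH_HEX_LEN, "hash");
  const keyId = await call(plugin, "getKeyByCertificate", deviceId, certId);
  const certificate = await call(plugin, "getCertificate", deviceId, certId);
  // Assumption: empty options object; the page does not describe the options.
  const raw = await call(plugin, "rawSign", deviceId, keyId, hash, {});
  return { signature: requireHex(raw, SIG_HEX_LEN, "signature"), certificate };
}

// Constructed stand-in for the plugin so the flow runs offline; no real cryptography.
const fakePlugin = {
  getKeyByCertificate: (dev, cert, ok, fail) =>
    cert === "cert-1" ? ok("key-1") : fail(new Error("no key for certificate")),
  getCertificate: (dev, cert, ok) => ok("-----BEGIN CERTIFICATE-----(constructed)"),
  rawSign: (dev, key, data, opts, ok) => ok("5A".repeat(64)),
};
```

The length check only confirms that the value has the shape of a digest; the token still signs whatever hash the server supplies.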


Posted by: phillipsolkill.blogspot.com
