Status: Newbie
Groups: Members
Registered: 26.01.2018(UTC) Posts: 2 From: Orel
Hello. I have been given the task of moving our exchange of encrypted/signed files over to Unix systems. On the test system (Linux - Debian 9 - CryptoPro CSP 4.0 KC2 - OpenSSL 1.1):
Code:
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.3 (stretch)
Release: 9.3
Codename: stretch
Code:
/opt/cprocsp/bin/amd64/csptest -keyset -verifycontext
CSP (Type:80) v4.0.9014 KC2 Release Ver:4.0.9842 OS:Linux CPU:AMD64 FastCode:READY:AVX.
AcquireContext: OK. HCRYPTPROV: 18518739
GetProvParam(PP_NAME): Crypto-Pro GOST R 34.10-2012 KC2 CSP
Total: SYS: 0,000 sec USR: 0,000 sec UTC: 0,010 sec
[ErrorCode: 0x00000000]
/opt/cprocsp/sbin/amd64/cpconfig -license -view
License validity:
4040E-...-HCXQG
Expires: 2 month(s) 19 day(s)
License type: Server.
/opt/cprocsp/sbin/amd64/cpconfig -defprov -view_type
Listing Available Provider Types:
Provider type Provider Type Name
_____________ _____________________________________
75 GOST R 34.10-2001 Signature with Diffie-Hellman Key Exchange
80 GOST R 34.10-2012 (256) Signature with Diffie-Hellman Key Exchange
81 GOST R 34.10-2012 (512) Signature with Diffie-Hellman Key Exchange
Code:
openssl version
OpenSSL 1.1.0f 25 May 2017
openssl engine
(dynamic) Dynamic engine loading support
(gost) Reference implementation of GOST engine
openssl ciphers | tr ":" "\n" | grep -i gost
GOST2012-GOST8912-GOST8912
GOST2001-GOST89-GOST89
Certificates with private keys are installed in containers:
Code:
/opt/cprocsp/bin/amd64/certmgr -list -dn 'E=...' |egrep 'PrivateKey|Signature|PublicKey|PrivateKey|Issuer|Container|Provider'
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
PrivateKey Link : Yes
Container : HDIMAGE\\134a2d65.000\1F79
Provider Name : Crypto-Pro GOST R 34.10-2012 KC2 CSP
Provider Info : ProvType: 80, KeySpec: 1, Flags: 0x0
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
PrivateKey Link : Yes
Container : HDIMAGE\\2599581c.000\04ED
Provider Name : Crypto-Pro GOST R 34.10-2012 KC2 CSP
Provider Info : ProvType: 80, KeySpec: 1, Flags: 0x0
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
PrivateKey Link : Yes
Container : HDIMAGE\\le-69731.000\91C9
Provider Name : Crypto-Pro GOST R 34.10-2012 KC2 CSP
Provider Info : ProvType: 80, KeySpec: 1, Flags: 0x0
The CA root certificates are installed:
Code:
/opt/cprocsp/bin/amd64/certmgr -list -store uRoot
Certmgr 1.0 (c) "CryptoPro", 2007-2010.
program for managing certificates, CRLs and stores
=============================================================================
1-------
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Subject : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Serial : 0x4AAD6F10E49BBBB14BCEA513D2C81E0B
SHA1 Hash : 0x86ebc03e3b3b14ee4ca70ca5ccd7db30eb80e258
SubjKeyID : 551b514c6edf5065d849e41d9da16ce9d75e6d26
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
Not valid before : 12/05/2014 13:33:42 UTC
Not valid after : 12/05/2029 13:33:42 UTC
PrivateKey Link : No
2-------
Issuer : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Subject : E=cpca@cryptopro.ru, C=RU, L=Москва, O=ООО КРИПТО-ПРО, CN=УЦ KPИПTO-ПPO
Serial : 0x6A7C887538F2CD8B4126FF8E40C3DDBA
SHA1 Hash : 0x3b41b9931b7d8bb4fa54850686aabfef0aff7b6f
SubjKeyID : 2f8d57cc878349b0819a7afd46ac1f2704a92558
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
Not valid before : 09/09/2015 15:01:35 UTC
Not valid after : 09/09/2030 15:01:35 UTC
PrivateKey Link : No
Locally, files are encrypted and decrypted correctly:
Code:
echo 'test' > ./test.txt
/opt/cprocsp/bin/amd64/cryptcp -encr -thumbprint '8b8fbabd8740b936f42c5a60fd7baab4d8221c58' ./test.txt test.txt.enc
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Certificate chains are checked.
Encrypting the data...
Encrypted message is created.
[ReturnCode: 0]
ls -la ./test.txt*
-rw-r--r-- 1 root root 5 янв 26 15:56 ./test.txt
-rw-r--r-- 1 root root 622 янв 26 15:57 ./test.txt.enc
head -n2 ./test.txt.enc && tail -n2 ./test.txt.enc
MIAGCSqGSIb3DQEHA6CAMIACAQAxggFzMIIBbwIBADCBoTCBkjEgMB4GCSqGSIb3
DQEJARYRY3BjYUBjcnlwdG9wcm8ucnUxCzAJBgNVBAYTAlJVMRUwEwYDVQQHHgwE
tQQIzq7juXDYodswgAYJKoZIhvcNAQcBMB0GBiqFAwICFTATBAjf72OREHL+YwYH
KoUDAgIfAaCABAWEY8V9mAAAAAAAAAAAAAA=
/opt/cprocsp/bin/amd64/cryptcp -decr -thumbprint '8b8fbabd8740b936f42c5a60fd7baab4d8221c58' ./test.txt.enc test.txt.dec
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Certificate chains are checked.
Decrypting the data...
Message is decrypted.
[ReturnCode: 0]
diff -s ./test.txt.dec ./test.txt
Файлы ./test.txt.dec и ./test.txt идентичны
But decryption of the files we receive does not work (as a reminder, on the Windows systems everything currently works with the same certificates and the same files):
Code:
/opt/cprocsp/bin/amd64/cryptcp -decr -thumbprint '4bbe47626fb7da2b3b8d1dfeab64312de3c26794' ./20180112134058.txt.sgn.enc 20180112134058.txt.sgn
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Certificate chains are checked.
Decrypting the data...
Error: The parameter is incorrect./dailybuildsbranches/CSP_4_0/CSPbuild/CSP/samples/CPCrypt/Encr.cpp:558: 0x57
[ErrorCode: 0x00000057]
With signatures I get an "Access denied" problem, and that is for the superuser (the test setup, for now):
Code:
/opt/cprocsp/bin/amd64/cryptcp -sign -dn 'E=...' -nochain /root/test.txt /tmp/test.txt.sig
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Folder '/root/':
/root/test.txt... Signing the data...
Error: Access denied./dailybuildsbranches/CSP_4_0/CSPbuild/CSP/samples/CPCrypt/DSign.cpp:319: 0x80090010
[ErrorCode: 0x80090010]
/opt/cprocsp/bin/amd64/cryptcp -sign -thumbprint '4bbe47626fb7da2b3b8d1dfeab64312de3c26794' -nochain /root/test.txt test.txt.sig
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Folder '/root/':
/root/test.txt... Signing the data...
Error: Access denied./dailybuildsbranches/CSP_4_0/CSPbuild/CSP/samples/CPCrypt/DSign.cpp:319: 0x80090010
[ErrorCode: 0x80090010]
Moreover, while only one user certificate had been imported and GOST had not yet been set up in OpenSSL, signing worked:
Code:
/opt/cprocsp/bin/amd64/cryptcp -sign -dn 'E=...' -nochain /root/test.txt test.txt.sig
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
...
Folder '/root/':
/root/test.txt... Signing the data...
Signed message is created.
[ReturnCode: 0]
head -n2 ./test.txt.sig && tail -n2 ./test.txt.sig
MIAGCSqGSIb3DQEHAqCAMIACAQExDDAKBgYqhQMCAgkFADCABgkqhkiG9w0BBwGg
gCSABAV0ZXN0CgAAAAAAAKCCBXkwggV1MIIFJKADAgECAgpQ1D6QAA4AAg+oMAgG
EwUABEDVrcsa3mzP39CusnKfa72p9yBzlMYgxylyXWQ3vWixubY9QEk97uBMNe8S
9vKwpI5Cs0TRB2RsynxhyprJ+gTsAAAAAAAA
/opt/cprocsp/bin/amd64/cryptcp -verify test.txt.sig
CryptCP 4.0 (c) "Crypto-Pro", 2002-2015.
Command prompt Utility for file signature and encryption.
Certificates found: 3
Certificate chains are checked.
Folder './':
test.txt.sig... Signature verifying...
...
Signatures verified.
[ReturnCode: 0]
Could you suggest what the problem might be? Where should I look? And one more thing: is there a command that shows which certificate a file was encrypted with? The same way as below for signatures:
Code:
/opt/cprocsp/bin/amd64/certmgr -list -file ./20180125100539.txt.sgn
Certmgr 1.0 (c) "CryptoPro", 2007-2010.
program for managing certificates, CRLs and stores
=============================================================================
1-------
...
Serial : 0x11355135C718CF6D
SHA1 Hash : 0xbc624244f2b3020e73bd960dab927e16664c4e70
SubjKeyID : 5dae3ca7f8a3734e1ead3f682709e8744d0600058802c5b886f62b36cf1ac741
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
Not valid before : 25/09/2017 09:52:14 UTC
Not valid after : 22/10/2019 09:52:14 UTC
PrivateKey Link : No
=============================================================================
[ErrorCode: 0x00000000]
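Added example, not from this thread and not a CryptoPro tool: a small BER walker that answers the last question (which certificate a file was encrypted for) without any private key. A CMS EnvelopedData carries each recipient's identifier in the clear, and the base64 that cryptcp wrote for test.txt.enc above (MIAGCSqGSIb3DQEHA6CA...) decodes to exactly the layout handled here: ContentInfo with indefinite lengths, then a KeyTransRecipientInfo whose RecipientIdentifier is an IssuerAndSerialNumber. Function names, the constructed sample envelope (made-up issuer, serial and dummy key bytes) and the single-byte-tag assumption are mine; the GOST algorithm OIDs in the sample are only there to make the structure realistic.

```python
import base64

OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O",
              "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "E"}

def parse(buf, pos=0):
    """Parse one BER TLV at buf[pos] (single-byte tags, enough for CMS).
    Returns ((tag, payload), end): payload is a list of child nodes for a
    constructed element, raw bytes for a primitive one. Definite and
    indefinite (0x80) lengths are both handled, because cryptcp writes the
    outer layers of its output with indefinite lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:                   # indefinite: children run until the 00 00 marker
        children = []
        while buf[pos:pos + 2] != b"\x00\x00":
            child, pos = parse(buf, pos)
            children.append(child)
        return (tag, children), pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if not tag & 0x20:                   # primitive element: keep the raw bytes
        return (tag, bytes(buf[pos:end])), end
    children = []
    while pos < end:
        child, pos = parse(buf, pos)
        children.append(child)
    return (tag, children), end

def decode_oid(raw):
    """Turn OID content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def format_name(name):
    """Render an X.501 Name (SEQUENCE of SET of SEQUENCE{OID, value}) the way certmgr prints it."""
    parts = []
    for rdn in name[1]:
        for atv in rdn[1]:
            oid = decode_oid(atv[1][0][1])
            tag, value = atv[1][1]
            text = value.decode("utf-16-be" if tag == 0x1E else "utf-8")  # BMPString vs the rest
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={text}")
    return ", ".join(parts)

def recipients(cms):
    """Return (issuer, serial) for every KeyTransRecipientInfo in an EnvelopedData.
    Needs no private key: recipient identifiers are plaintext in the envelope."""
    (_, fields), _ = parse(cms)
    if decode_oid(fields[0][1]) != OID_ENVELOPED_DATA:
        raise ValueError("not a CMS EnvelopedData")
    enveloped = fields[1][1][0]                       # [0] EXPLICIT EnvelopedData
    recipient_set = next(f for f in enveloped[1] if f[0] == 0x31)  # SET OF RecipientInfo
    out = []
    for ri in recipient_set[1]:
        if ri[0] != 0x30:                             # only ktri (a SEQUENCE) is handled here
            continue
        rid = ri[1][1]                                # fields: version, rid, kea, encryptedKey
        if rid[0] == 0x30:                            # IssuerAndSerialNumber
            issuer, serial = rid[1]
            out.append((format_name(issuer), "0x%X" % int.from_bytes(serial[1], "big", signed=True)))
        elif rid[0] == 0x80:                          # [0] SubjectKeyIdentifier
            out.append(("subjectKeyIdentifier", "0x" + rid[1].hex().upper()))
    return out

def load_cms(data):
    """cryptcp writes base64 text; accept that or raw DER/BER."""
    return data if data[:1] == b"\x30" else base64.b64decode(b"".join(data.split()))

def der(tag, content):
    """Definite-length TLV encoder, used only to build the constructed sample."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])   # sample elements stay under 256 bytes
    return bytes([tag]) + ln + content

def build_sample():
    """Constructed sample (not real traffic): one ktri recipient with a made-up
    issuer and serial, dummy key bytes and indefinite-length outer layers."""
    atv = lambda oid, tag, s: der(0x31, der(0x30, der(0x06, oid) + der(tag, s)))
    issuer = der(0x30, atv(b"\x55\x04\x06", 0x13, b"RU") +
                 atv(b"\x55\x04\x0a", 0x0C, "ООО Тест".encode()) +
                 atv(b"\x55\x04\x03", 0x0C, b"Test CA"))
    ias = der(0x30, issuer + der(0x02, bytes.fromhex("00AB12CD34")))
    ktri = der(0x30, der(0x02, b"\x00") + ias + der(0x30, der(0x06, b"\x2a\x85\x03\x02\x02\x13"))
               + der(0x04, b"\x11" * 16))
    eci = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")
              + der(0x30, der(0x06, b"\x2a\x85\x03\x02\x02\x15")) + der(0x80, b"\x00" * 8))
    enveloped = b"\x30\x80" + der(0x02, b"\x00") + der(0x31, ktri) + eci + b"\x00\x00"
    return base64.encodebytes(b"\x30\x80" + der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x03")
                              + b"\xa0\x80" + enveloped + b"\x00\x00\x00\x00")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for issuer, serial in recipients(load_cms(data)):
        print(f"recipient: Issuer: {issuer}  Serial: {serial}")
```

Run it as `python3 cms_recipients.py ./20180112134058.txt.sgn.enc` and compare the printed Serial with the "Serial :" lines of `certmgr -list`: the file is only decryptable on this host if a certificate with that issuer and serial is present with "PrivateKey Link : Yes". Without an argument it walks the constructed sample. The same structure can be cross-checked with OpenSSL after `base64 -d` into a DER file via `openssl cms -inform DER -in file.der -cmsout -print`, which needs no GOST engine just to print the recipient identifiers.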