v. 1.2, April 2010
The purpose of this guide is to describe the steps needed to install and
configure an electronic signature under Linux operating systems, as well as
the use of OpenSSL for signing files.
Ubuntu 9.10 Karmic Koala 64bit was used while writing the guide, but the
steps apply analogously to the other distributions. The example uses a
StampIt electronic signature on a Siemens CardOS V4.3B smart card through
a CCID-compatible USB reader, ACS ACR 38U-CCID. Only open-source software
libraries and applications are used.
1. Base packages
You probably already have most of the required base packages installed.
Run the following command to make sure they are present:
alex@volatile:~$ sudo apt-get install openct opensc libccid mozilla-opensc libengine-pkcs11-openssl pcsc-tools
After a successful installation you can use the following command to check
the state of a connected reader holding an electronic signature
certificate:
alex@volatile:~$ pcsc_scan
PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau
Compiled with PC/SC lite version: 1.4.102
Scanning present readers...
0: ACS ACR 38U-CCID 00 00

Thu Mar 18 15:29:43 2010
Reader 0: ACS ACR 38U-CCID 00 00
  Card state: Card inserted, Shared Mode,
  ...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B F2 18 00 02 C1 0A 31 FE 58 C8 08 74
        Siemens CardOS V4.3B
2. Configuring Firefox/Thunderbird/OpenOffice
First install the base (root) certificates of your Certification Service
Provider. The whole chain must be installed (Root CA, Intermediate CA and
so on). In the case of StampIt these are StampIt Domestic Root CA and
StampIt Domestic CA NGL, which you can download from the provider's page.
Before importing a downloaded root certificate, compare its fingerprint with
the one the provider publishes; a root you import here is trusted for
everything it vouches for. The installation is done through the menu
Edit -> Preferences -> Advanced -> Encryption, where you press the
View Certificates button, select Authorities and then Import. When you
select the given base certificate, tick all three boxes relating to the
purposes for which the certificates are used: Trust this CA to identify
web pages, Trust this CA to identify email users and Trust this CA to
identify software developers.
To access the electronic signature you will use the PKCS#11 interface. To
configure it, choose Edit -> Preferences -> Advanced -> Encryption, where
for convenience you select "Select one automatically" and press the
Security Devices button. From there press Load and give the path to the
PKCS#11 library. For OpenSC under Ubuntu 9.10 the library is located at
/usr/lib/onepin-opensc-pkcs11.so . For distributions that have not updated
their version of OpenSC, use the base library /usr/lib/opensc-pkcs11.so
If you have installed a different PKCS#11 library, consult the user manual
of the provider you have chosen.
For the device to be attached correctly you may need to unplug and
reconnect the reader, and to restart Firefox/Thunderbird.
OpenOffice uses the Security Devices configured in the Firefox profile, and
with a correct installation you will also be able to digitally sign
documents there through the menu File -> Digital Signatures -> Add, from
where you choose your certificate.
3. Configuring the drivers
If you use /usr/lib/onepin-opensc-pkcs11.so, the settings in this section are not needed.
If you use a smart card with a single certificate (the common case) and
have problems with the PIN dialog being shown several times, you can adjust
the following parameters in the file /etc/opensc/opensc.conf , section
app opensc-pkcs11 :
max_virtual_slots=1;
slots_per_card=1;
num_slots=1;
4. Signing a file with OpenSSL using a certificate on a smart card, in a
detached PKCS#7 structure
Before generating a signature you need to have the following files
available in PEM format: the public part, i.e. your signing certificate
(Alex_Stanev.pem in the example), and the intermediate CA certificate of
the chain (StampIT_Domestic_CA_NGL_base64.crt in the example). One way to
export the signing certificate from the card is
pkcs15-tool --read-certificate <ID> -o Alex_Stanev.pem, using the ID
listed below.
You also need to extract the identifier of the certificate on the smart
card, as follows. The card holds two certificates; the one you want is the
one labelled "Certificate", not the one labelled "CA Certificate" (both are
listed with Authority: no, so go by the label):
alex@volatile:~$ pkcs15-tool --list-certificates
Using reader with a card: ACS ACR 38U-CCID 00 00
X.509 Certificate [X.509V3 Certificate 0]
        Flags    : 2
        Authority: no
        Path     : 3f00501543044303
        ID       : ac89c641d155029139df57d70c71a706
X.509 Certificate [X.509V3 CA Certificate 0]
        Flags    : 2
        Authority: no
        Path     : 3f00501543044302
        ID       : 4fa93c2efb44e05b6e1c89f0fecb6a10
alex@volatile:~$ pkcs11-tool --list-slots
Available slots:
Slot 0 (empty)
Slot 1 (empty)
Slot 2 ACS ACR 38U-CCID 00 00
token label: CardOS V4.3B PKCS15 profile (PIN
token manuf: Siemens AG (C)
token model: PKCS#15
token flags: login required, PIN initialized, token initialized
serial num : 3030383037383834
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
Slot 8 (empty)
Slot 9 (empty)
Slot 10 (empty)
Slot 11 (empty)
Slot 12 (empty)
Slot 13 (empty)
Slot 14 (empty)
Slot 15 (empty)
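The slot number and certificate ID above are normally copied by hand into the OpenSSL command. The following script, an added example that is not part of the original guide, derives the "slot:id" value for -inkey from the two listings instead, so that signing can be scripted. It assumes the output format shown above (OpenSC 0.11 era: one "X.509 Certificate [label]" block per object, "Slot N (empty)" for empty slots); the sample output it parses is a constructed copy of the listings on this page, so it runs without a card. On a real machine pipe "pkcs15-tool --list-certificates" and "pkcs11-tool --list-slots" into the two functions.

```sh
#!/bin/sh
# Added example (not from the original guide): build the "-inkey <slot>:<id>"
# argument for the OpenSSL pkcs11 engine from the output of pkcs15-tool and
# pkcs11-tool.  Format assumption: OpenSC 0.11-style output as on this page.
set -eu

# Print the ID of the first non-CA certificate (the signing certificate).
# pkcs15-tool prints one "X.509 Certificate [<label>]" block per object; the
# end-entity certificate is the block whose label lacks "CA Certificate".
# Both blocks show "Authority: no" on this card, so the label is what counts.
signing_cert_id() {
    awk '
        /^X\.509 Certificate \[/ { in_ca = ($0 ~ /CA Certificate/) }
        /^[[:space:]]*ID[[:space:]]*:/ && !in_ca && !found { id = $NF; found = 1 }
        END { if (found) print id; else exit 1 }
    '
}

# Print the number of the first slot that holds a token, i.e. the first
# "Slot N ..." line that is not marked "(empty)".  Fails if there is none.
token_slot() {
    awk '
        /^Slot [0-9]+/ && $0 !~ /\(empty\)/ { print $2; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# engine_key_arg CERTS-FILE SLOTS-FILE : print "<slot>:<id>"
engine_key_arg() {
    printf '%s:%s\n' "$(token_slot < "$2")" "$(signing_cert_id < "$1")"
}

# Constructed sample input: the listings quoted on this page, saved to files.
WORK=$(mktemp -d)
cat > "$WORK/certs.txt" <<'EOF'
Using reader with a card: ACS ACR 38U-CCID 00 00
X.509 Certificate [X.509V3 Certificate 0]
        Flags    : 2
        Authority: no
        Path     : 3f00501543044303
        ID       : ac89c641d155029139df57d70c71a706
X.509 Certificate [X.509V3 CA Certificate 0]
        Flags    : 2
        Authority: no
        Path     : 3f00501543044302
        ID       : 4fa93c2efb44e05b6e1c89f0fecb6a10
EOF
cat > "$WORK/slots.txt" <<'EOF'
Available slots:
Slot 0 (empty)
Slot 1 (empty)
Slot 2 ACS ACR 38U-CCID 00 00
  token label:   CardOS V4.3B PKCS15 profile (PIN
  token manuf:   Siemens AG (C)
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num :   3030383037383834
Slot 3 (empty)
EOF

KEYARG=$(engine_key_arg "$WORK/certs.txt" "$WORK/slots.txt")
echo "use: -engine pkcs11 -keyform engine -inkey $KEYARG"
```

Both helpers exit non-zero when nothing matches (no token inserted, or only a CA certificate on the card), so a calling script stops instead of running openssl with an empty -inkey value.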
Signing is done by first initialising the OpenSSL PKCS#11 engine and then
passing the required files and parameters. In the example below, replace
the following values with your own: the signer certificate
(Alex_Stanev.pem), the -inkey value, which has the form slot:id with the
slot number taken from pkcs11-tool and the certificate ID from pkcs15-tool,
the intermediate CA certificate (StampIT_Domestic_CA_NGL_base64.crt) and
the input and output file names:
alex@volatile:~$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/onepin-opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/onepin-opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> smime -pk7out -outform der -binary -sign -signer Alex_Stanev.pem -engine pkcs11 -keyform engine -in data.txt -out data.p7s -inkey 2:ac89c641d155029139df57d70c71a706 -certfile StampIT_Domestic_CA_NGL_base64.crt
engine "pkcs11" set.
PKCS#11 token PIN:
OpenSSL>
The above example generates a PKCS#7 detached signature in DER format for
the file data.txt in data.p7s, with the intermediate CA certificate
included (the -pk7out option is overridden by the later -sign and can be
left out). Because the signature is detached, data.p7s is useless without
the original data.txt; keep and distribute both, and verify the pair
before relying on it.
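The guide stops at producing data.p7s. The following script, an added example that is not part of the original guide, shows the check a relying party (or you, before sending the file) performs: verify the detached signature against the data with openssl smime -verify, trusting only the root and relying on the intermediate embedded via -certfile. So that it runs without a card, it builds a throw-away root -> intermediate -> signer test PKI in a temporary directory and signs with a software key; the certificate names, extensions and sample data are constructed for the test, not StampIt's. With the card, the only change to the signing step is replacing -inkey signer.key by the engine options used in the guide (-engine pkcs11 -keyform engine -inkey slot:id).

```sh
#!/bin/sh
# Added example (not from the original guide): detached DER PKCS#7 signature
# with a software key standing in for the smart-card key, then verification
# against the trusted root, plus a tamper check.  Everything below is a
# constructed test PKI; no StampIt material is involved.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# issue_cert NAME EXTFILE SIGNING-OPTIONS... : key + CSR + certificate for NAME
issue_cert() {
    name=$1; ext=$2; shift 2
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test $name" -keyout "$name.key" -out "$name.csr" 2>/dev/null
    openssl x509 -req -in "$name.csr" -days 1 -sha256 -extfile "$ext" \
        -out "$name.crt" "$@" 2>/dev/null
}

make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # extensions a signature certificate typically carries
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\nextendedKeyUsage=emailProtection\n' > ee.ext
    issue_cert root ca.ext -signkey root.key
    issue_cert intermediate ca.ext -CA root.crt -CAkey root.key -CAcreateserial
    issue_cert signer ee.ext -CA intermediate.crt -CAkey intermediate.key -CAcreateserial
}

# sign_detached DATA OUT.p7s : detached PKCS#7 signature, DER encoded, as in
# the guide.  -certfile embeds the intermediate so a verifier needs only the root.
sign_detached() {
    openssl smime -sign -binary -outform der -signer signer.crt -inkey signer.key \
        -certfile intermediate.crt -in "$1" -out "$2"
}

# verify_detached DATA SIG.p7s : exit 0 only if the signature matches DATA and
# the signer chains to root.crt (the default purpose check is "smimesign").
verify_detached() {
    openssl smime -verify -inform der -in "$2" -content "$1" -CAfile root.crt \
        -out /dev/null
}

make_test_pki
printf 'Invoice 42: pay 1000 BGN\n' > data.txt           # constructed sample data
sign_detached data.txt data.p7s
echo "certificates carried in data.p7s:"
openssl pkcs7 -inform der -in data.p7s -print_certs -noout

verify_detached data.txt data.p7s
echo "OK: valid signature, chain built to the root"

printf 'Invoice 42: pay 9000 BGN\n' > tampered.txt        # one digit changed
if verify_detached tampered.txt data.p7s 2>/dev/null; then
    echo "BUG: modified content accepted"; exit 1
fi
echo "OK: modified content rejected"
```

openssl smime -verify reports "Verification successful" on stderr and exits 0 only when both the content hash and the certificate chain check out; a changed byte in the data, a missing intermediate, or an untrusted root all give a non-zero exit, which is what a script should key on.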
The guide in PDF format can be downloaded from: https://inetdec.nra.bg/docs/DigSig_linux_howto.pdf