by RealEnder (9-04-2010)


v. 1.2, April 2010

The purpose of this guide is to describe the steps needed to install and configure an electronic signature under Linux operating systems, as well as the use of OpenSSL for signing files.

The guide was developed on Ubuntu 9.10 Karmic Koala 64-bit, but the steps are applicable and analogous for the other distributions. The example uses a StampIt electronic signature on a Siemens CardOS V4.3B smart card through a CCID-compatible USB reader, ACS ACR 38U-CCID. Only open-source software libraries and applications are used.


1. Base packages
You probably already have most of the required base packages installed. Run the following command to make sure they are present:

alex@volatile:~$ sudo apt-get install openct opensc libccid mozilla-opensc libengine-pkcs11-openssl pcsc-tools


After a successful installation you can use the following command to check the status with the reader plugged in and a card carrying a certificate for electronic signature inserted:

alex@volatile:~$ pcsc_scan
PC/SC device scanner
V 1.4.15 (c) 2001-2009, Ludovic Rousseau
Compiled with PC/SC lite version: 1.4.102
Scanning present readers...
0: ACS ACR 38U-CCID 00 00

Thu Mar 18 15:29:43 2010
Reader 0: ACS ACR 38U-CCID 00 00
Card state: Card inserted, Shared Mode,
...

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B F2 18 00 02 C1 0A 31 FE 58 C8 08 74
Siemens CardOS V4.3B


2. Configuring Firefox/Thunderbird/OpenOffice
First install the root certificates of your Certification Service Provider. The whole chain must be installed (Root CA, Intermediate CA, etc.). In the case of StampIt these are StampIt Domestic Root CA and StampIt Domestic CA NGL, which you can download from the provider's site. Installation is done via the menu Edit -> Preferences -> Advanced -> Encryption, where you press the View Certificates button, select Authorities and then Import. When you select the given root certificate, tick all three boxes relating to the purposes for which the certificates are used: Trust this CA to identify web pages, Trust this CA to identify email users and Trust this CA to identify software developers.
To access the electronic signature you will use the PKCS#11 interface. To configure it, choose Edit -> Preferences -> Advanced -> Encryption, where for convenience you choose Select one automatically and press the Security Devices button. From there press Load and give the path to the PKCS#11 library. For OpenSC under Ubuntu 9.10 the library is located at /usr/lib/onepin-opensc-pkcs11.so. For distributions that have not updated their OpenSC version, use the base library /usr/lib/opensc-pkcs11.so
If you have installed a different PKCS#11 library, consult the user manual of your chosen provider.
For the device to be attached correctly you may need to unplug and reconnect the reader, as well as restart Firefox/Thunderbird.
OpenOffice works with the Security devices configured in the Firefox profile, and with a correct installation you will also be able to digitally sign documents there via the menu File -> Digital signatures -> Add, from where you select your certificate.


3. Configuring the drivers
If you use /usr/lib/onepin-opensc-pkcs11.so, the settings in this section are not needed.
If you use a smart card with a single certificate (the common case) and have problems with the PIN dialog being shown several times, you can adjust the following parameters in the file /etc/opensc/opensc.conf, section app opensc-pkcs11:

max_virtual_slots=1;
slots_per_card=1;
num_slots=1;


4. Signing a file with OpenSSL using a smart-card certificate in a detached PKCS#7 structure
Before generating a signature you need to have the following files available in PEM format: the public part (in the example Alex_Stanev.pem) and the intermediate root certificate from the chain (in the example StampIT_Domestic_CA_NGL_base64.crt).
You also need to extract the identifier of the certificate on the smart card, as follows:

alex@volatile:~$ pkcs15-tool --list-certificates
Using reader with a card: ACS ACR 38U-CCID 00 00
X.509 Certificate [X.509V3 Certificate 0]
Flags : 2
Authority: no
Path : 3f00501543044303
ID : ac89c641d155029139df57d70c71a706

X.509 Certificate [X.509V3 CA Certificate 0]
Flags : 2
Authority: no
Path : 3f00501543044302
ID : 4fa93c2efb44e05b6e1c89f0fecb6a10

alex@volatile:~$ pkcs11-tool --list-slots
Available slots:
Slot 0 (empty)
Slot 1 (empty)
Slot 2 ACS ACR 38U-CCID 00 00
token label: CardOS V4.3B PKCS15 profile (PIN
token manuf: Siemens AG (C)
token model: PKCS#15
token flags: login required, PIN initialized, token initialized
serial num : 3030383037383834
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
Slot 8 (empty)
Slot 9 (empty)
Slot 10 (empty)
Slot 11 (empty)
Slot 12 (empty)
Slot 13 (empty)
Slot 14 (empty)
Slot 15 (empty)


Signing is done by first initialising the OpenSSL PKCS#11 engine and then passing the required files and parameters. The -inkey value has the form slot:ID, where the slot number comes from the pkcs11-tool output (Slot 2 above) and the ID is the certificate identifier from pkcs15-tool. In the example below replace the highlighted fields (the signer certificate, the slot:ID and the intermediate certificate file) with your own values:

alex@volatile:~$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/onepin-opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/onepin-opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> smime -pk7out -outform der -binary -sign -signer Alex_Stanev.pem -engine pkcs11 -keyform engine -in data.txt -out data.p7s -inkey 2:ac89c641d155029139df57d70c71a706 -certfile StampIT_Domestic_CA_NGL_base64.crt
engine "pkcs11" set.
PKCS#11 token PIN:
OpenSSL>


The example above generates a PKCS#7 detached signature in DER format of the file data.txt into data.p7s, with the intermediate root certificate included.
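As an added example that is not part of the original guide: the script below reproduces the signing command from this section with a key file standing in for the smart card (so no PKCS#11 engine is loaded), then verifies the detached DER signature against its content, shows that a changed content byte is rejected, and lists the certificates embedded through -certfile. The test CA, signer certificate and sample document are all constructed inside the script; the verify step is what a recipient of data.p7s would run.

```shell
#!/bin/sh
# Added example, not from the original guide: detached DER PKCS#7 round trip
# with the same openssl smime options, using a file key instead of the card.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one signer certificate issued by it.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signer" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/signer.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signer.pem" 2>/dev/null
}

# Detached PKCS#7 signature (DER) over $1, written to $2. Mirrors the guide's
# command: -inkey names a key file here instead of the PKCS#11 slot:ID, and
# -certfile embeds the issuing CA the way the guide embeds the intermediate.
sign_detached() {
    openssl smime -sign -binary -outform der -signer "$WORK/signer.pem" \
        -inkey "$WORK/signer.key" -certfile "$WORK/ca.pem" -in "$1" -out "$2"
}

# Verify signature $2 against content $1, trusting only the test CA.
# Exit status 0 means the signature and the certificate chain check out.
verify_detached() {
    openssl smime -verify -binary -inform der -in "$2" -content "$1" \
        -CAfile "$WORK/ca.pem" -out /dev/null
}

# Full round trip; returns 0 only if the genuine signature verifies and a
# one-byte change to the content is rejected.
demo() {
    make_test_pki
    printf 'Constructed sample document.\n' > "$WORK/data.txt"
    sign_detached "$WORK/data.txt" "$WORK/data.p7s"
    verify_detached "$WORK/data.txt" "$WORK/data.p7s" 2>/dev/null || return 1
    printf 'Constructed sample document!\n' > "$WORK/tampered.txt"
    if verify_detached "$WORK/tampered.txt" "$WORK/data.p7s" 2>/dev/null; then
        return 1
    fi
    # Certificates carried inside the signature: the signer plus the embedded CA.
    openssl pkcs7 -inform der -in "$WORK/data.p7s" -print_certs -noout
}
demo
```

Requires the openssl command-line tool; the same verify_detached call, pointed at the provider's chain instead of the test CA, checks a signature produced with the smart card.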

The guide in PDF format can be downloaded from here: https://inetdec.nra.bg/docs/DigSig_linux_howto.pdf


