CryptoPro is a set of cryptographic utilities and helper programs, used mostly in software from Russian developers to generate digital signatures (ЭЦП), work with certificates and encrypt transmitted data.
For a long time the software was used mainly on Windows, but for some time now it has also become popular on other platforms, Linux in particular, because the state has introduced various laws that require prompt data exchange and make it easy to automate.
For example, ISPs have to react promptly to the «Runet blacklists», so it is logical that the solution should be autonomous and as convenient as possible; Linux handles this nicely.
In my case CryptoPro will work together with an eToken.
Installation
1. The software archive
CryptoPro is available at http://www.altlinux.org/КриптоПро (registration required)
We also need the eToken PKI Client 5.0 SP1 driver for Linux
2. Installation is straightforward.
In the first case there is an installer script; in the second you install an RPM package (the token must be unplugged from the server before the drivers are installed).
When installing on CentOS 6.5 I also needed the eToken support module (cprocsp-rdr-jacarta-3.6.1-3.6.219-1.x86_64), which ships with CryptoPro 3.6.
rpm -i cprocsp-rdr-jacarta-3.6.1-3.6.346-1.x86_64.rpm
3. After installation, set the environment variables, or change into the /opt/cprocsp/ directory
export PATH="$PATH:$(ls -d /opt/cprocsp/{s,}bin/*|tr '\n' ':')"
4. Check the license.
The CryptoPro site issues a three-month license.
# cpconfig -license -view
Server license:
36360-U0030-01C97-HQ92Y-#####
Expires: 3 month(s) 0 day(s)
Client license:
36360-U0030-01C97-HQ92Y-#####
Expires: 3 month(s) 0 day(s)
5. Insert the eToken and check the output of list_pcsc:
# ./list_pcsc
available reader: AKS ifdh 00 00
The utility becomes available after installing the package
# rpm -i cprocsp-rdr-pcsc-64-3.9.0-4.x86_64.rpm
Alternatively, with the standard system tools:
# lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 203a:fff9
Bus 002 Device 039: ID ####:#### Aladdin Knowledge Systems eToken Pro 64k (4.2)
6. Add the reader:
# ./cpconfig -hardware reader -add "AKS ifdh 00 00"
Adding new reader:
Nick name: AKS ifdh 00 00
Succeeded, code:0x0
7. View the list of configured readers:
Nick name: AKS ifdh 00 00
Connect name:
Reader name: AKS ifdh 00 00
Nick name: FLASH
Connect name:
Reader name: FLASH
Nick name: HDIMAGE
Connect name:
Reader name: [Cyrillic reader name, mis-encoded by the terminal locale]
The first reader, «AKS ifdh 00 00», is our token; the last one is the local store. HDIMAGE containers live under «/var/opt/cprocsp/keys/<user name>/»
Creating a container.
1. Create the key container:
# ./csptest -keyset -newkeyset -cont '\\.\HDIMAGE\Bank'
2. Create a certificate request:
# ./cryptcp -creatrqst -dn "E=test@test.ru,CN=Ivan,L=Moscow,O=Bank" -nokeygen -both -ku -cont Bank cert_request.req
3. You can (and should) request the certificate from your own certification authority.
Alternatively, open http://www.cryptopro.ru/certsrv/certrqxt.asp in a browser (CryptoPro's test CA), paste the contents of cert_request.req into the «Base-64-encoded certificate request» field and press «Issue». Then save the file from the «Download certificate» link (the default name offered is certnew.cer).
4. Install the certificate received from the CA into the specified key container:
# ./certmgr -inst -store uMy -file certnew.cer -cont '\\.\HDIMAGE\Bank'
5. Check the installed certificate
# ./certmgr -lis
Certmgr 1.0 (c) "CryptoPro", 2007-2010.
program for managing certificates, CRLs and stores
=============================================================================
1-------
Issuer : E=support@cryptopro.ru, C=RU, L=Moscow, O=CRYPTO-PRO LLC, CN=CRYPTO-PRO Test Center 2
Subject : E=test@test.ru, CN=Ivan, L=Moscow, O=Bank
Serial : 0x12000065ECE1AF809C191F54300000000065EC
SHA1 Hash : 0x1a11194ef7fe628fe371ba0cf1d0421b7bd23448
Not valid before : 14/10/2014 14:52:55 UTC
Not valid after : 14/10/2015 15:02:55 UTC
PrivateKey Link : Yes. Container : HDIMAGE\\Bank.000\2829
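A check the post does not include: once certificates are in the store their expiry needs watching, because a signing job whose certificate has lapsed fails only at the moment it is needed. The script below is an added example, not code from the post or from CryptoPro. It parses the record format of `certmgr -list` shown above (the listing embedded in it is constructed from that output plus a hypothetical second record) to pull a certificate's SHA1 thumbprint and the number of days left before its «Not valid after» date, and warns below a threshold. It uses only sh and awk; the live run at the bottom assumes certmgr is on PATH and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not part of the original post or of CryptoPro.
# Parses the record format of `certmgr -list` (as shown in the post) to find a
# certificate's SHA1 thumbprint and the days left before "Not valid after".

# Constructed sample of `certmgr -list` output: record 1 is the post's
# certificate, record 2 is a hypothetical second certificate.
SAMPLE_LIST='Certmgr 1.0 (c) "CryptoPro", 2007-2010.
program for managing certificates, CRLs and stores
=============================================================================
1-------
Issuer : E=support@cryptopro.ru, C=RU, L=Moscow, O=CRYPTO-PRO LLC, CN=CRYPTO-PRO Test Center 2
Subject : E=test@test.ru, CN=Ivan, L=Moscow, O=Bank
Serial : 0x12000065ECE1AF809C191F54300000000065EC
SHA1 Hash : 0x1a11194ef7fe628fe371ba0cf1d0421b7bd23448
Not valid before : 14/10/2014 14:52:55 UTC
Not valid after : 14/10/2015 15:02:55 UTC
PrivateKey Link : Yes. Container : HDIMAGE\\Bank.000\2829
2-------
Issuer : E=support@cryptopro.ru, C=RU, L=Moscow, O=CRYPTO-PRO LLC, CN=CRYPTO-PRO Test Center 2
Subject : CN=webserver
Serial : 0x0000000000000000000000000000000000000000
SHA1 Hash : 0x0000000000000000000000000000000000000000
Not valid before : 14/10/2014 08:39:19 UTC
Not valid after : 14/10/2015 08:49:19 UTC
PrivateKey Link : Yes. Container : HDIMAGE\\webserver.000\0000'

# thumbprint_for_subject LISTING SUBJECT -> prints the SHA1 hash without the 0x prefix.
# A record starts with "N-------"; "Subject :" precedes "SHA1 Hash :" inside it.
thumbprint_for_subject() {
  printf '%s\n' "$1" | awk -v subj="$2" '
    /^[0-9]+-------/ { hit = 0 }
    /^Subject : /    { hit = (substr($0, 11) == subj) }
    hit && /^SHA1 Hash : 0x/ { sub(/^SHA1 Hash : 0x/, ""); print; exit }'
}

# days_left LISTING SUBJECT YYYY-MM-DD -> days from the given date to "Not valid after".
# Dates are turned into day numbers inside awk (days-from-civil arithmetic), so there
# is no dependency on GNU date; the time of day is ignored.
days_left() {
  printf '%s\n' "$1" | awk -v subj="$2" -v now="$3" '
    function civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    /^[0-9]+-------/ { hit = 0 }
    /^Subject : /    { hit = (substr($0, 11) == subj) }
    hit && /^Not valid after : / {
      split($5, e, "/")      # certmgr prints dd/mm/yyyy
      split(now, n, "-")
      print civil(e[3] + 0, e[2] + 0, e[1] + 0) - civil(n[1] + 0, n[2] + 0, n[3] + 0)
      exit
    }'
}

# check_expiry LISTING SUBJECT YYYY-MM-DD THRESHOLD_DAYS
# exit 0 = fine, 1 = expires within the threshold (or already expired), 2 = not found.
check_expiry() {
  left=$(days_left "$1" "$2" "$3")
  [ -n "$left" ] || { echo "no certificate with subject '$2'" >&2; return 2; }
  if [ "$left" -le "$4" ]; then
    echo "WARNING: '$2' (thumbprint $(thumbprint_for_subject "$1" "$2")) expires in $left day(s)" >&2
    return 1
  fi
  echo "OK: '$2' valid for $left more day(s)"
}

# Live run against the installed CSP; skipped when certmgr is not on PATH.
if command -v certmgr >/dev/null 2>&1; then
  check_expiry "$(certmgr -list -store uMy)" "E=test@test.ru, CN=Ivan, L=Moscow, O=Bank" \
               "$(date +%Y-%m-%d)" 30
fi
```

Run from cron with a threshold of 30 days and the exit status drives the alert; matching on the full Subject string rather than a substring avoids picking up a second certificate with a similar name.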
Signing and encrypting a file
1. Signing a file
# ./cryptcp -sign -dn "E=test@test.ru,CN=Ivan,L=Moscow,O=Bank" -nocert -der test.txt test.sig
CryptCP 3.41 (c) "Crypto-Pro", 2002-2013.
Command prompt Utility for file signature and encryption.
The following certificate will be used:
RDN:Bank, Moscow, Ivan, test@test.ru
Valid from 14.10.2014 14:52:55 to 14.10.2015 15:02:55
Certificate chain is not checked for this certificate:
RDN:Bank, Moscow, Ivan, test@test.ru
Valid from 14.10.2014 14:52:55 to 14.10.2015 15:02:55
Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?y
Certificate chains are checked.
Folder './':
test.txt... CryptoPro CSP: Type password for container "Bank"
Password:
Signing the data...
Signed message is created.
[ReturnCode: 0]
2. Verifying the signature
# ./cryptcp -verify -dn "E=test@test.ru,CN=Ivan,L=Moscow,O=Bank" -nocert -der test.sig test1.txt
CryptCP 3.41 (c) "Crypto-Pro", 2002-2013.
Command prompt Utility for file signature and encryption.
The following certificate will be used:
RDN:Bank, Moscow, Ivan, test@test.ru
Valid from 14.10.2014 14:52:55 to 14.10.2015 15:02:55
Certificate chain is not checked for this certificate:
RDN:Bank, Moscow, Ivan, test@test.ru
Valid from 14.10.2014 14:52:55 to 14.10.2015 15:02:55
Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?y
Certificate chains are checked.
Folder './':
test.sig... Signature verifying...
Signer: Bank, Moscow, Ivan, test@test.ru
Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?y
Signature's verified.
[ReturnCode: 0]
3. Comparing the original file with the one recovered from the signed message
# diff test.txt test1.txt
# ll | grep test| grep txt
-rw-r--r--. 1 root root 12 Окт 14 19:12 test1.txt
-rw-r--r--. 1 root root 12 Окт 14 12:51 test.txt
4. Encrypt the file:
# ./cryptcp -encr -der -dn "CN=webserver" test.txt test.msg
CryptCP 3.41 (c) "Crypto-Pro", 2002-2013.
Command prompt Utility for file signature and encryption.
The following certificate will be used:
RDN:webserver
Valid from 14.10.2014 08:39:19 to 14.10.2015 08:49:19
Certificate chain is not checked for this certificate:
RDN:webserver
Valid from 14.10.2014 08:39:19 to 14.10.2015 08:49:19
Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?y
Certificate chains are checked.
Encrypting the data...
Encrypted message is created.
[ReturnCode: 0]
5. Decrypt the file
# ./cryptcp -decr -dn "CN=webserver" test.msg test.out
CryptCP 3.41 (c) "Crypto-Pro", 2002-2013.
Command prompt Utility for file signature and encryption.
The following certificate will be used:
RDN:webserver
Valid from 14.10.2014 08:39:19 to 14.10.2015 08:49:19
Certificate chain is not checked for this certificate:
RDN:webserver
Valid from 14.10.2014 08:39:19 to 14.10.2015 08:49:19
Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?y
Certificate chains are checked.
Decrypting the data... 0%CryptoPro CSP: Type password for container "webserver"
Password:
Message is decrypted.
[ReturnCode: 0]
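The sign and verify steps (1 to 3 above) stop twice for a keyboard answer: at «Do you want to use this certificate», because the chain could not be checked (error code 10000: the issuing CA is not in the trusted store), and at the container password. A cron job cannot answer either, and answering «y» blindly would also accept a certificate whose chain really is broken. The script below is an added example, not from the post or from CryptoPro, and it rests on assumptions not shown in the post: that cryptcp accepts -thumbprint to pick the certificate by its SHA1 hash (instead of the substring match of -dn) and -pin for the container password; that the CA certificate has been imported into the trusted root store (certmgr -inst -store uRoot -file ca.cer) so the chain check passes on its own; and that the password sits in a root-only file at a hypothetical path. Stdin is closed so cryptcp can never block on a prompt, the result is taken from the trailing [ReturnCode: N] line, and a «chain is not checked» message is treated as a failure rather than something to click through.

```shell
#!/bin/sh
# Added example, not part of the original post or of CryptoPro.
# Unattended sign/verify with cryptcp: no interactive prompts, explicit checks.
# Assumed (not shown in the post): cryptcp options -thumbprint and -pin, and a
# CA certificate already in the trusted root store (certmgr -inst -store uRoot).

CRYPTCP=${CRYPTCP:-/opt/cprocsp/bin/amd64/cryptcp}   # hypothetical path; adjust to your install
PIN_FILE=${PIN_FILE:-/etc/cryptopro/bank.pin}         # hypothetical root-only file with the container password

# Constructed samples of cryptcp output, taken from the post's transcripts,
# for the self-checks of the parsing functions.
SAMPLE_OK='Signing the data...
Signed message is created.
[ReturnCode: 0]'
SAMPLE_UNTRUSTED='Certificate chain is not checked for this certificate (error code 10000):
/dailybuildsbranches/CSP_3_9/CSPbuild/CSP/samples/CPCrypt/Certs.cpp:416: 0x20000133
Do you want to use this certificate ([Y]es, [N]o, [C]ancel)?
[ReturnCode: 1]'

# cryptcp_rc OUTPUT -> the N of the last "[ReturnCode: N]" line (empty if absent).
cryptcp_rc() {
  printf '%s\n' "$1" | sed -n 's/^\[ReturnCode: \([0-9][0-9]*\)]$/\1/p' | tail -n 1
}

# chain_unchecked OUTPUT -> 0 if cryptcp could not validate the chain, 1 otherwise.
chain_unchecked() {
  printf '%s\n' "$1" | grep -q 'Certificate chain is not checked'
}

# pin_file_ok FILE -> 0 only for a regular file with no group/other permission bits.
pin_file_ok() {
  [ -f "$1" ] || return 1
  case $(ls -l "$1" | cut -c5-10) in ------) return 0 ;; *) return 1 ;; esac
}

# run_cryptcp ARGS... -> cryptcp output; stdin is closed so a prompt gets EOF instead of hanging.
run_cryptcp() {
  "$CRYPTCP" "$@" </dev/null 2>&1
}

# check_output OUTPUT -> 0 if the run succeeded; prints the reason to stderr otherwise.
check_output() {
  if chain_unchecked "$1"; then
    echo "certificate chain not trusted; import the issuing CA with: certmgr -inst -store uRoot -file ca.cer" >&2
    return 3
  fi
  [ "$(cryptcp_rc "$1")" = 0 ] && return 0
  echo "cryptcp failed:" >&2; printf '%s\n' "$1" >&2; return 1
}

# sign_file INPUT SIGNATURE THUMBPRINT
sign_file() {
  pin_file_ok "$PIN_FILE" || { echo "refusing to sign: $PIN_FILE missing or readable by others" >&2; return 2; }
  check_output "$(run_cryptcp -sign -thumbprint "$3" -pin "$(cat "$PIN_FILE")" -nocert -der "$1" "$2")"
}

# verify_file SIGNATURE RECOVERED THUMBPRINT -> also writes the signed data to RECOVERED
verify_file() {
  check_output "$(run_cryptcp -verify -thumbprint "$3" -nocert -der "$1" "$2")"
}

# Usage (live, needs the CSP installed):
#   sh thisscript.sh sign   test.txt test.sig 1a11194ef7fe628fe371ba0cf1d0421b7bd23448
#   sh thisscript.sh verify test.sig test1.txt 1a11194ef7fe628fe371ba0cf1d0421b7bd23448
if [ "${1:-}" = "sign" ]; then
  sign_file "$2" "$3" "$4"
elif [ "${1:-}" = "verify" ]; then
  verify_file "$2" "$3" "$4"
fi
```

The residual weakness is that -pin puts the password on the command line, where it is visible in the process list for the duration of the call; keeping the file root-only and the job running as root limits who can see it, and the exit codes (1 failed, 2 pin file exposed, 3 chain untrusted) let the caller tell the three cases apart in logs.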
Working with the token.
No different from what is described above, except that as the certificate store we use «\\.\AKS ifdh 00 00\<container name>»
# ./csptestf -keyset -newkeyset -makecert -cont '\\.\AKS ifdh 00 00\test' -keytype exchange
CSP (Type:75) v3.9.8000 KC1 Release Ver:3.9.8171 OS:Linux CPU:AMD64 FastCode:READY:AVX.
AcquireContext: OK. HCRYPTPROV: 36484147
GetProvParam(PP_NAME): Crypto-Pro GOST R 34.10-2001 KC1 CSP
Container name: "test"
Exchange key is not available.
Attempting to create an exchange key...
Press keys...
[........................................]
CryptoPro CSP: Set pin-code on produced container "test".
Pin-code:
an exchange key created.
Self signed certificate created: E=test@cryptopro.ru, CN=test
Certificate stored in container.
Keys in container:
exchange key
Total:
[ErrorCode: 0x00000000]
Open questions
For testing you can create a self-signed certificate with a private key, but for some reason this certificate does not show up among the installed ones in «./certmgr -list». Why that happens I am still figuring out.
# ./csptestf -keyset -newkeyset -makecert -cont '\\.\hdimage\webserver2' -keytype exchange
CSP (Type:75) v3.9.8000 KC1 Release Ver:3.9.8171 OS:Linux CPU:AMD64 FastCode:READY:AVX.
AcquireContext: OK. HCRYPTPROV: 16950323
GetProvParam(PP_NAME): Crypto-Pro GOST R 34.10-2001 KC1 CSP
Container name: "webserver2"
Exchange key is not available.
Attempting to create an exchange key...
Press keys...
[........................................]
CryptoPro CSP: Set password on produced container "webserver2".
Password:
Retype password:
an exchange key created.
Self signed certificate created: E=test@cryptopro.ru, CN=webserver2
Certificate stored in container.
Keys in container:
exchange key
Total:
[ErrorCode: 0x00000000]
Sources used when writing this post:
https://support.cryptopro.ru/index.php?/Knowledgebase/Article/View/82/10/ustnovk-kriptopro-csp-ubuntu—etoken
http://www.altlinux.org/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%9F%D1%80%D0%BE