
Signerbox - authentication through DSTU 4145
Signerbox is a web application that lets you sign data and authenticate in a browser using a digital certificate that binds a person to a public key under the DSTU 4145-2002 standard (elliptic curve cryptography). Such certificates are issued free of charge by the Ministry of Revenue and Duties, as well as by commercial CAs.
A client-side daemon accompanies Signerbox; it verifies the signatures and reports the result. The daemon is called dstud.
A ready-made build is available in the PPA ppa:ilya-muromec/dstud.
Signerbox itself is hosted on the eusign.org domain and works over a custom OAuth-like protocol: it receives a request when the user lands on its page, shows the user a prompt to authorize that request, and sends the user back with the finished result.
Integration
To add identity verification using signerbox / dstud to the site, you need:
- install dstud-static from the PPA on your host:
add-apt-repository ppa:ilya-muromec/dstud
apt-get update
apt-get install dstud-static
- register your application at eusign.org/register_app and get app_id.
- install an integration plugin for your site or write a new one
- specify the received app_id in the plugin settings
WordPress
There is already a ready-made plugin for WordPress; it lives at github.com/themao/dstu-login. When registering the application, specify auth_url in the form https://:domain/wp-login.php. Only addresses with the https scheme are accepted.
After the plugin is configured, the link "Sign with eU" should appear on the login page.
A live demo is available at dstu.enodev.org.
Twitter user @niggaslife took part in developing the plugin.
How it works
The user is redirected to a form that asks for their key and certificate, signs a string built from the nonce and your domain, after which the form uploads the public key (certificate) to the server and sends the signature as a GET parameter back to the site that initiated the authentication.
The signature is created on the client using a JS library, so the private key never leaves the user's machine.
The integrating site does not need to trust Signerbox, since the signature is verified locally by the dstud daemon.
Certification
According to the law of Ukraine on electronic signatures, a signature made by certified or expertly reviewed software is legally significant. Signerbox and the libraries it uses have not passed certification or examination, so in the event of litigation you may have difficulty proving the link between the user and the natural person. If this matters to you, help the project get certified or consult with lawyers.
Plugin development
Writing your own integration plugin is quite simple. You need to do the following:
- in the login form, show a link to eusign.org/auth/:app_id?state=:app_state
- add an auth_url handler that reads the GET parameters sign, nonce and cert_id
- download the certificate from eusign.org/api/1/certificates/:cert_id
- build the data parameter in the format :nonce|:auth_url
- send a POST request to localhost:8013/api/0/check with three parameters: c (the downloaded certificate), d (the data parameter) and s (the sign parameter)
- on a 200 OK response, parse the result as a set of key=value lines and create a user, or find an existing one
Field 1.2.804.2.1.1.1.11.1.4.1.1 will contain the user's tax identifier (TIN). Since this field holds private information about the user rather than a synthetic identifier, it is recommended not to use it in its raw form but a salted hash of it.
The content of the state parameter supplied during authentication can be arbitrary and is returned unchanged to auth_url. It is recommended that you put a one-time token in it to protect against CSRF.
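The plugin steps above, with the salted TIN hash and the one-time state token, as an added example in Python (not the WordPress plugin's own code). AUTH_URL, APP_ID, the salt and the injected fetch_cert/dstud_check callables are assumptions, and the dstud response is assumed to use the certificate field OIDs as keys.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed values for the integrating site (placeholders, not from the page).
AUTH_URL = "https://example.com/wp-login.php"  # must use the https scheme
APP_ID = "APP_ID_PLACEHOLDER"                   # obtained from eusign.org/register_app
TIN_OID = "1.2.804.2.1.1.1.11.1.4.1.1"         # certificate field holding the TIN

def new_state(session):
    """Mint a one-time anti-CSRF token and remember it server-side."""
    session["dstu_state"] = secrets.token_urlsafe(16)
    return session["dstu_state"]

def login_link(state):
    """Link shown on the login form: eusign.org/auth/:app_id?state=:app_state."""
    return f"https://eusign.org/auth/{APP_ID}?" + urlencode({"state": state})

def parse_check_result(body):
    """dstud answers with one key=value pair per line (assumed: keys are the OIDs)."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def pseudonymous_id(tin, salt):
    """Keyed hash of the TIN so the raw identifier is never stored."""
    return hmac.new(salt, tin.encode(), hashlib.sha256).hexdigest()

def handle_auth_url(params, session, fetch_cert, dstud_check, salt):
    """auth_url handler. fetch_cert(cert_id) downloads the certificate from
    eusign.org/api/1/certificates/:cert_id; dstud_check(fields) POSTs to
    localhost:8013/api/0/check and returns (status, body). Both are injected
    (assumed interface) so the flow can be exercised without network access."""
    expected = session.pop("dstu_state", "")
    given = params.get("state", "")
    if not expected or not hmac.compare_digest(given.encode(), expected.encode()):
        return None  # missing, stale or replayed state: reject
    for name in ("sign", "nonce", "cert_id"):
        if not params.get(name):
            return None
    cert = fetch_cert(params["cert_id"])
    data = f"{params['nonce']}|{AUTH_URL}"  # :nonce|:auth_url, the string the client signed
    status, body = dstud_check({"c": cert, "d": data, "s": params["sign"]})
    if status != 200:
        return None  # dstud did not accept the signature
    fields = parse_check_result(body)
    tin = fields.get(TIN_OID)
    return {"user_id": pseudonymous_id(tin, salt) if tin else None, "fields": fields}
```

Look the user up by user_id; the test certificate shipped with dstud has no TIN field, so user_id is None for it and the plugin needs another key in that case.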
Test certificates
For ease of development, a test certificate and a key (user.cer and user.key) are distributed with the dstud daemon. To enable logon with a test certificate, you need to stop the dstud daemon and run it from the testCA directory.
The test certificate does not contain the TIN field 1.2.804.2.1.1.1.11.1.4.1.1.