Web services with digital signature support based on GOST cryptography

Starting with version 2008.2, Caché and Ensemble have built-in support for WS-Security, including mechanisms for verifying and generating digital signatures of SOAP messages. Out of the box, however, only signatures based on the RSA family of algorithms are supported.

Systems built for Russian customers are often required to use certified cryptographic information protection tools that implement the GOST algorithms. Below is one approach to developing Caché web services protected by digital signatures based on GOST cryptography.

As the certified cryptographic tool we will use CryptoPro JCP, a set of Java libraries that implement the GOST R 34.10-2001 signature algorithm and the GOST R 34.11-94 hash algorithm.

Installing CryptoPro JCP on Windows


First, install a Java Runtime Environment (JRE) version 1.6 or later on the server.

Download the CryptoPro JCP distribution from the vendor's website, unzip it into a folder on the server and run the install.bat installation script, which is located in the lib folder of the distribution. When running it, specify the path to the JRE:

install.bat "C:\Program Files\Java\jdk1.6.0_20\jre"

If you have a license, pass the serial number and company name as well:

install.bat "C:\Program Files\Java\jdk1.6.0_20\jre" "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX" "Your Company"

Under Windows 7 the installation script must be run with administrator privileges. After the script completes, make sure the following libraries have appeared in the jre\lib\ext folder:

  asn1rt.jar, AsnLite.jar, forms_rt.jar, Jcp.jar, JCPinst.jar, JCPRequest.jar,
  JCPRevCheck.jar, JCPRevTools.jar, JCPxml.jar, JCP_ASN.jar, JCryptoP.jar

Additional Java Libraries


We will need the iscjcp.jar library (its source code is available), which contains a number of helper classes for working with JCP from Caché. In addition, three open-source libraries are required: Commons Logging, Santuario (aka Apache XML Security) and WSS4J. Their use is governed by the Apache Software License 2.0.

Download the jars.zip archive with the four libraries listed above and unzip it into the jre\lib\ext folder.

If you are using Windows 7, grant the Everyone group read and execute permissions on all libraries in the jre\lib\ext folder. Grant nothing beyond that: every JVM started from this JRE loads whatever sits in jre\lib\ext, so a folder that ordinary users can write to is a code-execution path into the Java Gateway process.

Configure and run Java Gateway, create class projections


To call Java classes from Caché/Ensemble you need to configure and start the Java Gateway and create projections of the Java classes that will be used.

Add a new entry to the Java Gateway configuration table in the %SYS namespace:

insert into %Net_Remote.ObjectGateway (Name, Type, Server, Port, JavaHome) values ('JCPGate', '1', '127.0.0.1', '55555', 'C:\Program Files\Java\jdk1.6.0_20\jre')

Here the Name field, "JCPGate", is the name of the new Java Gateway. The JavaHome field must point to the JRE into which JCP was installed. The Port field is the TCP port Caché uses to communicate with this Java Gateway. Keep the Server field on the loopback address as shown unless you have a specific reason to do otherwise: the gateway is reachable by anything that can open that port.

Now you can start the new Java Gateway by running the following command in the Caché terminal:

write ##class(%Net.Remote.Service).StartGateway("JCPGate")

To stop it, call the StopGateway method:

write ##class(%Net.Remote.Service).StopGateway("JCPGate")

The Java Gateway can be started and stopped from any namespace.

Switch to the namespace in which the web services are developed and create a projection of the Java class isc.jcp.JcpFacade by running the following command in the Caché terminal:

do ##class(%Net.Remote.Java.JavaGateway).%ExpressImport("isc.jcp.JcpFacade", "55555")

Here 55555 is the TCP port used to communicate with the Java Gateway, the one we specified earlier when adding the entry to the %Net_Remote.ObjectGateway table.

Verifying the digital signature of incoming SOAP messages


Download and unzip the iscjcp-cos-sources2012.zip archive containing the source code of the smev.JcpUtils and smev.JcpSignature classes. Switch to the namespace in which the web services are developed and import the smev.JcpUtils class into Caché using Studio. Open the imported class in Studio and edit the values of the JAVAGATEWAYPORT and JAVAGATEWAYSERVER parameters, setting them to the TCP port and IP address of the Java Gateway being used. Compile the class.

Now, to add signature verification to an existing web service, it is enough to add the following method to the web service class:

Method OnPreSOAP(mode As %String, action As %String, request)
{
  do ##super(mode, action, request)
  // the raw incoming message as a stream (empty when it arrived as MIME multipart)
  #dim stream As %Stream.Object = request
  if '$isObject(stream)
  {
    // in case of MIME attachments: take the first MIME part
    #dim index As %Integer = %request.NextMimeData("")
    set stream = $select(index = "": "", 1: %request.GetMimeData(index))
  }
  if $isObject(stream)
  {
    // a returned %SOAP.Fault means verification failed; hand it to the
    // framework so that the caller gets the fault instead of a result
    #dim fault As %SOAP.Fault = ##class(smev.JcpUtils).verifySignatureOnPreSoap(stream)
    if $isObject(fault) set ..SoapFault = fault
  }
}

This has been working on Caché/Ensemble versions since 2009.1. Below is an example of a web service that verifies the signature of every incoming SOAP message.

Class test.TestService Extends %SOAP.WebService
{
  Parameter SERVICENAME = "TestService";
  Parameter NAMESPACE = "http://test/wsdl";

  Method echo(request As %String) As %String [ ProcedureBlock = 1, SoapAction = "urn:echo", SoapBindingStyle = document, SoapBodyUse = literal, WebMethod ]
  {
    quit request
  }

  Method OnPreSOAP(mode As %String, action As %String, request)
  {
    do ##super(mode, action, request)
    #dim stream As %Stream.Object = request
    if '$isObject(stream)
    {
      // in case of MIME attachments
      #dim index As %Integer = %request.NextMimeData("")
      set stream = $select(index = "": "", 1: %request.GetMimeData(index))
    }
    if $isObject(stream)
    {
      #dim fault As %SOAP.Fault = ##class(smev.JcpUtils).verifySignatureOnPreSoap(stream)
      if $isObject(fault) set ..SoapFault = fault
    }
  }
}

Generating digital signatures for outgoing SOAP messages of a web service


Next we consider the case in which every response of the web service must carry the organization's digital signature. In this situation the server hosts a keystore containing the private key used to generate the signature, and a certificate matching that key must also be available. The iscjcp.jar library works with keystores of the FloppyStore type, so to generate a signature we need a virtual floppy disk holding the keystore.

Placing the private key and certificate on a virtual floppy disk on the server


To create such a floppy disk, follow these steps:
  1. Install a driver that emulates a floppy drive, for example ImDisk.
  2. From the Windows Control Panel, run the ImDisk Virtual Disk Driver applet and configure a disk with the following parameters:
    • Drive letter: A,
    • Size of virtual disk: 1 Megabyte,
    • Device type: Floppy.
  3. Format the virtual floppy with the FAT file system.
  4. Unzip the contents of the FDD.zip archive to drive A:\.

As a result of these steps, drive A:\ on the server holds a keystore containing a test private key. The file A:\SelfSigned.cer is a test certificate matching that private key. Because this key ships in a public archive, it is suitable for testing only; a production key must be generated on the server and never leave it. Note also that FAT has no access control lists, so protecting the keystore comes down to controlling who can log on to the server at all.

You can generate keys and certificates yourself using CryptoPro JCP. These procedures are described in the product documentation.

Generating the signature


The iscjcp-cos-sources2012.zip archive of Caché ObjectScript sources downloaded earlier also contains the smev.JcpSignature class. Import this class into Caché using Studio.

Open the smev.JcpUtils class in Studio and set the CERTFILENAME parameter to the full path of the certificate file, "A:\SelfSigned.cer". This certificate corresponds to the private key that will be used to generate the signature. Compile the class.

Now, to have the message returned by a web method signed, insert the following line into the code of that web method:

do ..SecurityOut.AddElement(##class(smev.JcpSignature).%New())

This works on Caché/Ensemble versions from 2009.1 through 2012.1 inclusive. Below is an example of a web service in which response signing has been added to the echo() method.

Class test.TestService Extends %SOAP.WebService
{
  Parameter SERVICENAME = "TestService";
  Parameter NAMESPACE = "http://test/wsdl";

  Method echo(request As %String) As %String [ ProcedureBlock = 1, SoapAction = "urn:echo", SoapBindingStyle = document, SoapBodyUse = literal, WebMethod ]
  {
    // sign the response: the signature element is added to the outgoing Security header
    do ..SecurityOut.AddElement(##class(smev.JcpSignature).%New())
    quit request
  }

  Method OnPreSOAP(mode As %String, action As %String, request)
  {
    do ##super(mode, action, request)
    #dim stream As %Stream.Object = request
    if '$isObject(stream)
    {
      // in case of MIME attachments
      #dim index As %Integer = %request.NextMimeData("")
      set stream = $select(index = "": "", 1: %request.GetMimeData(index))
    }
    if $isObject(stream)
    {
      #dim fault As %SOAP.Fault = ##class(smev.JcpUtils).verifySignatureOnPreSoap(stream)
      if $isObject(fault) set ..SoapFault = fault
    }
  }
}

Web Service Testing


To test signature verification and generation by the test.TestService web service whose source code is given above, perform the following steps.

  1. Using Studio, create the test.TestService class in the same namespace into which the smev.* classes were imported. Copy the source code of the class from the listing above.

  2. Using Notepad, create a file C:\Temp\input.xml containing the body of the incoming SOAP message for the test.TestService service:

    Hello world!

    The file must be saved in UTF-8 encoding. Note the wsu:Id attribute on the root element of the Body: it is what the signature's Reference will point at.

    The finished input.xml file is available in the xmls.zip archive.

  3. In the Caché terminal, run the signFile() method of the smev.JcpUtils class:
    write ##class(smev.JcpUtils).signFile("id1", "C:\Temp\input.xml", "C:\Temp\output.xml")

    Make sure the method has created the file C:\Temp\output.xml containing a signed SOAP message (Envelope): the Header carries the digital signature in WS-Security format, and the Body is the XML document taken from input.xml.

    The finished output.xml file is available in the xmls.zip archive.

  4. Send the resulting signed SOAP message to the test.TestService service. To do this, execute the following commands in the Caché terminal (if necessary, replace the web server port "57772" with the correct one, and the "user" namespace in the penultimate command):

    set httprequest = ##class(%Net.HttpRequest).%New()
    set httprequest.Server = "localhost"
    set httprequest.Port = "57772"
    set httprequest.WriteRawMode = 1
    set httprequest.ContentType = "text/xml"
    do httprequest.SetHeader("SOAPAction", "urn:echo")
    set fileStream = ##class(%Library.FileBinaryStream).%New()
    set fileStream.Filename = "C:\Temp\output.xml"
    do httprequest.EntityBody.CopyFrom(fileStream)
    do httprequest.Post("/csp/user/test.TestService.cls")
    do httprequest.HttpResponse.OutputToDevice()

    If the signature of the incoming message was verified successfully and the signature of the outgoing message was then generated, the web service's response will look like this:

    HTTP/1.1 200 OK
    CACHE-CONTROL: no-cache
    CONNECTION: close
    CONTENT-LENGTH: 2352
    CONTENT-TYPE: text/xml; charset=UTF-8
    DATE: Thu, 01 Dec 2011 20:08:40 GMT
    EXPIRES: Thu, 29 Oct 1998 17:04:19 GMT
    PRAGMA: no-cache
    SERVER: Apache
    SET-COOKIE: CSPSESSIONID-SP-57774-UP-csp-user-=0000000100001odLLhtp000000igxIuSVnd12z6BtrSIFFJA--; path=/csp/user/;

    [The XML markup of the response envelope did not survive extraction; only the base64 values from its WS-Security header and the echoed Body remain. Judging by position and length they are, in order: the DigestValue of the signed Body (32 bytes, the GOST R 34.11-94 hash size), the SignatureValue (64 bytes, the GOST R 34.10-2001 signature size), the signer's X.509 certificate (one of its lines came through a character too long and cannot be restored exactly), and the Body content.]

    vs42sfoxCX8naSV2NnBSoIoCvUb1ydvvyNnp5XC7nKQ=

    ES4aVXFSkHr1cnXUcdZYJTPTa+e5//ASQRYhrRMy46pWSwRW93VxgrW+GhATD2xwK3l+8T1Dfsi2
    beVfrkQS0g==

    MIIB9TCCAaSgAwIBAgIIRdAY3dqebKUwCAYGKoUDAgIEMCkxJzAlBgNVBAMeHgB0AC4AZQAuAG0A
    LgBwAEAAbQBhAGkAbAAuAHIAdTAeFw0xMTExMjkxMzQwMTFaFw0xMjExMjkxMzQwMTFaMCkxJzAl
    BgNVBAMeHgB0AC4AZQAuAG0ALgBwAEAAbQBhAGkAbAAuAHIAdTBjMBwGBiqFAwICEzASBgcqhQMC
    AiMBBgcqhQMCAh4BA0MABECebxtl5EDpwaWKy2MeJQ7vNCiIRHiXBeqaqJnNi5AS4aW++14FKKHH
    Llu7jjggB06d+/+4U29OtDbjfIkPqRUcio4GtMIGqMB0GA1UdDgQWBBTz0qujqn+CC0O9L1aSv39a
    ga3EhDALBgNVHQ8EBAMCAcYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDwYDVR0TBAgwBgEB/wIBATBW
    BgNVHQEETzBNgBTz0qujqn+CC0O9L1aSv39aga3EhKErMCkxJzAlBgNVBAMeHgB0AC4AZQAuAG0A
    LgBwAEAAbQBhAGkAbAAuAHIAdYIIRdAY3dqebKUwCAYGKoUDAgIEA0EANUalM3ag0xYJ7MqzmCzh
    w8ejPqUds37UXKadbyqogZ2yJBMbhWUCsQFyZZZzfc6gXQbRThBTAftfdXxjW8Yusg==

    Hello world!

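
The OnPreSOAP method above hands the whole incoming message to smev.JcpUtils, and the signed response just shown is what such a message carries in its header. The following Python is an added example, not code from the article, from iscjcp.jar or from WSS4J. It shows the part of verifying a WS-Security envelope that is independent of which library checks the signature bytes and that any verifier has to establish before trusting the Body: the ds:Reference must resolve to the very soap:Body the service will act on (not a signed copy parked elsewhere in the message, the classic signature-wrapping trick), wsu:Id values must be unique, and the algorithm URIs and value sizes must be the GOST ones, 32-byte digests and 64-byte signatures, exactly the lengths visible in the response above. The envelopes, their placeholder digest and signature values and the two wrapping variants are constructed for this example; no cryptographic verification is performed here, since in the article's setup that is CryptoPro JCP's job.

```python
"""Structural checks on a WS-Security signed SOAP envelope (added example,
not code from the article, iscjcp.jar or WSS4J). Sample envelopes are
constructed; digest and signature values are placeholders of the right size,
so nothing cryptographic is verified here."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# XML-DSig algorithm URIs for GOST R 34.10-2001 / GOST R 34.11-94 (RFC 4051).
GOST_SIGN = "http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411"
GOST_HASH = "http://www.w3.org/2001/04/xmldsig-more#gostr3411"


def check_envelope(xml_text):
    """Return (ok, reason); ok is True only when every structural check passes."""
    root = ET.fromstring(xml_text)
    bodies = root.findall("soap:Body", NS)
    if len(bodies) != 1:
        return False, "envelope must contain exactly one soap:Body"
    body = bodies[0]

    # wsu:Id -> element. A duplicate Id is the classic signature-wrapping setup:
    # the signed copy is parked in the Header and an unsigned Body takes its place.
    ids = {}
    for el in root.iter():
        ident = el.get(WSU_ID)
        if ident is None:
            continue
        if ident in ids:
            return False, "duplicate wsu:Id %r" % ident
        ids[ident] = el

    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return False, "no ds:Signature in wsse:Security"
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") != GOST_SIGN:
        return False, "unexpected SignatureMethod"

    body_signed = False
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        # Same-document references only; anything else lets the sender pick what was hashed.
        if not uri.startswith("#") or uri[1:] not in ids:
            return False, "Reference %r does not resolve to a wsu:Id in this message" % uri
        digest_method = ref.find("ds:DigestMethod", NS)
        if digest_method is None or digest_method.get("Algorithm") != GOST_HASH:
            return False, "unexpected DigestMethod for %r" % uri
        digest = base64.b64decode(ref.findtext("ds:DigestValue", "", NS))
        if len(digest) != 32:  # GOST R 34.11-94 is a 256-bit hash
            return False, "DigestValue for %r is %d bytes, expected 32" % (uri, len(digest))
        # Object identity, not Id string comparison: the element the reference
        # resolves to must be the very Body the service is about to process.
        if ids[uri[1:]] is body:
            body_signed = True
    if not body_signed:
        return False, "soap:Body is not covered by the signature"

    signature = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    if len(signature) != 64:  # GOST R 34.10-2001 signatures are 512 bits
        return False, "SignatureValue is %d bytes, expected 64" % len(signature)
    return True, "structure ok; the signature bytes still have to be verified"


# --- constructed sample messages: placeholder values of the right sizes ---
_DIGEST = base64.b64encode(bytes(32)).decode()
_SIGNATURE = base64.b64encode(bytes(64)).decode()


def build_envelope(extra_header, body_id, body_xml):
    """SOAP 1.1 envelope whose Security header signs the element with wsu:Id 'id1'."""
    return (
        "<soap:Envelope xmlns:soap='%s' xmlns:wsse='%s' xmlns:wsu='%s' xmlns:ds='%s'>"
        "<soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>"
        "<ds:SignatureMethod Algorithm='%s'/>"
        "<ds:Reference URI='#id1'><ds:DigestMethod Algorithm='%s'/>"
        "<ds:DigestValue>%s</ds:DigestValue></ds:Reference></ds:SignedInfo>"
        "<ds:SignatureValue>%s</ds:SignatureValue></ds:Signature></wsse:Security>"
        "%s</soap:Header><soap:Body wsu:Id='%s'>%s</soap:Body></soap:Envelope>"
        % (NS["soap"], NS["wsse"], NS["wsu"], NS["ds"], GOST_SIGN, GOST_HASH,
           _DIGEST, _SIGNATURE, extra_header, body_id, body_xml)
    )


GOOD = build_envelope("", "id1", "<echo>Hello world!</echo>")
# Signature wrapping: the signed Body is moved into the Header and an attacker's
# Body takes its place, either reusing the Id (caught as a duplicate) or with a
# fresh one (caught because #id1 no longer resolves to the real Body).
_SIGNED_COPY = "<soap:Body wsu:Id='id1'><echo>Hello world!</echo></soap:Body>"
WRAPPED_SAME_ID = build_envelope(_SIGNED_COPY, "id1", "<echo>not what was signed</echo>")
WRAPPED_NEW_ID = build_envelope(_SIGNED_COPY, "id2", "<echo>not what was signed</echo>")
```

Run check_envelope() on a message before the cryptographic verification: it returns (True, ...) for GOOD and a (False, reason) pair for both wrapped variants. A passing result means only that the reference, Ids and algorithm metadata are sound; the digest over the canonicalised Body and the signature over SignedInfo still have to be checked with the GOST implementation, and the signer's certificate still has to be chained to a trusted root.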

All the actions described in the article can be seen in the following video:
