Electronic signature of an individual (part 2)

    In the first part, we examined what a qualified electronic signature of an individual is, how to obtain the keys for generating this signature, and the certificate for verifying it. In this part, I will offer a tool for generating signatures and describe the problems that I encountered. If you are not interested in the technology, skip to the very end of the post, where the project files are posted.

    As I already said, the third pig from the state was that, although it provided me with the means to create an electronic signature, it gave me no way to use those means as I see fit.

    Once again, a small digression into the legal side. In the regulatory acts of the Russian Federation there are two noteworthy points: first, certified information protection tools must be used (Decree of the President of April 3, 1995 No. 334 "On measures to comply with the law in the field of development, production, sale and operation of encryption tools, as well as the provision of services in the field of information encryption"), and second, only domestic tools that use the algorithms recommended by the FSB can receive such a certificate (Regulation on the certification of information protection tools, approved by Decree of the Government of the Russian Federation of June 26, 1995 No. 608).

    Therefore, my key must be of domestic production and its manufacturer can be found, you just need to look closely. In fact, the small token carries minimal labeling, but I still managed to find the developer: ZAO "Aladdin R.D.". After reviewing their page, I regretted that the key SDK can be obtained only by contacting the technical support service. On other sites the developer kit was, even better, offered for sale.
    I decided to go another way: on the public services website I found the plug-in folder. The plug-in consists of three files:

    eTPKCS11g.dll, eTPKCS11gx.dll, npCSuser.dll.

    Examining these files, I concluded that eTPKCS11g and eTPKCS11gx are interfaces to the key under the PKCS#11 standard, that is, the standard for interacting with hardware tokens. All the algorithms needed to create a signature are built into the device, which means I only have to hook up the interface and, of course, I don't need to certify my program with the FSB, which is nice. So I got a tool; it remains to choose the goal.


    In order for public authorities to recognize my signature, they must have a verification tool for it, which means that I must use that same verification tool to check my results. I found such a tool directly on the public services website:
    • ES Certificate Authentication
    • Electronic authentication of electronic document
    • Authentication of the electronic signature of an electronic document as part of a document
    • Electronic document authentication using a hash value
    I decided to focus on the first two points: verify my own certificate and verify my own electronic signature.

    On to the code

    As an old bearded win-admin, I am on the list of admirers of .NET in general and PowerShell in particular, but I was wary of using PS as the tool for writing a program that creates an electronic signature. No, it is possible and probably even interesting, but to start with I chose C#.

    Once upon a time, my teacher at the university said, poking another student's nose into the screen: "What is this? Bubble sort again? And for whom was STL written?" (Upd. A friend recalled the exact quote for me: "A stupid programmer will sort with a bubble, a smart programmer will use quicksort, and a good programmer will look into STL.") Of course, you should not reinvent what has already been invented. Having skipped the paid libraries, I adopted free ones, which are published under the MIT license (Massachusetts Institute of Technology), which allows me to use them freely in my project. My own project I publish under the GPL; in my understanding, electronic means of interaction with the state should be free and open.
    The first step is to extract the certificate from the container on the device and verify it. The interface of my application is quite ascetic.

    We pull out the certificate in DER encoding and look into its fields. We clearly see that the signature algorithm has the value 1.2.643.2.2.3, which is none other than GOST R 34.11/34.10-2001, the very hashing and signature algorithms recommended by the FSB. The subject is interesting:

    SERIALNUMBER = 11028310690
    CN = Иванов Егор Игоревич
    C = RU
    E = thunderquack@mail.ru

    It's me. Here they put my e-mail address and pension insurance number (SNILS). According to the law, they had to indicate the number and the name, and the e-mail only at my request, but apparently something didn't work out. In addition, I discovered pig 4.
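    To show what "pulling out the certificate in DER encoding and looking into the fields" amounts to, here is an added example (not code from the original post or its GitHub project) that walks the DER structure of an X.509 certificate with a minimal hand-written TLV reader, decodes the signature-algorithm OID and the subject, and checks that the OID is the 1.2.643.2.2.3 value seen above. Because a real token is not available offline, the certificate bytes are constructed inline with a tiny DER encoder: the subject values, the issuer "Test CA", the validity dates and the zero-filled key and signature are all placeholders, and the public-key OID 1.2.643.2.2.19 is the GOST R 34.10-2001 key identifier from RFC 4491. The parser only handles the tag forms a typical certificate uses (single-byte tags, OID arcs below 2.40), which is enough for this walk-through.

```python
# Added example: minimal DER walk over an X.509 certificate to read the
# signature algorithm OID and the subject. Not code from the post's project.

GOST_R_3411_94_WITH_3410_2001 = "1.2.643.2.2.3"   # signature OID seen in the post
GOST_R_3410_2001_KEY = "1.2.643.2.2.19"           # public-key OID (RFC 4491)
ATTR_NAMES = {                                    # subject attribute OIDs
    "2.5.4.5": "SERIALNUMBER", "2.5.4.3": "CN", "2.5.4.6": "C",
    "1.2.840.113549.1.9.1": "E",
}

# ---- tiny DER encoder, only what the constructed certificate needs -------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid_enc(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit = "more bytes"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def name_enc(rdns):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }
    sets = b"".join(tlv(0x31, tlv(0x30, oid_enc(o) + tlv(t, v.encode("utf-8"))))
                    for o, t, v in rdns)
    return tlv(0x30, sets)

def build_sample_certificate():
    """CONSTRUCTED certificate: placeholder subject, zero key, zero signature."""
    alg = tlv(0x30, oid_enc(GOST_R_3411_94_WITH_3410_2001))
    subject = name_enc([
        ("2.5.4.5", 0x13, "00000000000"),            # placeholder SNILS
        ("2.5.4.3", 0x0C, "Иванов Иван Иванович"),    # UTF8String CN
        ("2.5.4.6", 0x13, "RU"),
        ("1.2.840.113549.1.9.1", 0x16, "user@example.com"),
    ])
    issuer = name_enc([("2.5.4.3", 0x0C, "Test CA")])
    validity = tlv(0x30, tlv(0x17, b"130101000000Z") + tlv(0x17, b"140101000000Z"))
    spki = tlv(0x30, tlv(0x30, oid_enc(GOST_R_3410_2001_KEY)) + tlv(0x03, bytes(65)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg + issuer + validity + subject + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(65)))

# ---- DER reader ---------------------------------------------------------
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_dec(raw):
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def name_dec(body):
    rdns = []
    for _, rdn_set in children(body):
        for _, atv in children(rdn_set):
            (_, oid_raw), (_, val) = children(atv)
            oid = oid_dec(oid_raw)
            rdns.append((ATTR_NAMES.get(oid, oid), val.decode("utf-8")))
    return rdns

def parse_certificate(der):
    """Return signature OID, subject RDNs and validity from a DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), (_, sig_alg), _ = children(cert)   # tbs, algorithm, signature
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki
    not_before, not_after = [v.decode() for _, v in children(fields[3][1])]
    return {"signature_oid": oid_dec(children(sig_alg)[0][1]),
            "subject": name_dec(fields[4][1]),
            "not_before": not_before, "not_after": not_after}

def uses_gost_2001_signature(info):
    return info["signature_oid"] == GOST_R_3411_94_WITH_3410_2001

if __name__ == "__main__":
    info = parse_certificate(build_sample_certificate())
    print(info["signature_oid"], "GOST R 34.11/34.10-2001:", uses_gost_2001_signature(info))
    for name, value in info["subject"]:
        print(f"{name} = {value}")
```

    The same `parse_certificate` call works on the bytes returned by a PKCS#11 `C_GetAttributeValue` of `CKA_VALUE` on the token's certificate object, which is how the DER blob would be read from a real device; the validity dates it returns are what make the one-year term noted below visible directly from the certificate rather than from the portal.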

    Pig 4. The certificate is valid for only one year.

    I don't know who is to blame; the law doesn't define the validity period, it only requires that the period be indicated. It would be very good if a year later they would write new data onto the same medium for free (it has 72 kilobytes of memory, which is enough), but I'm afraid that, with our clumsiness, they will again demand 660 rubles.
    I uploaded the certificate to the public services website, and this is what I got:

    Very good. Now I try the second button, sign the file and upload it to the site:

    Charming. Well, the tool is ready.

    The project is on GitHub; there you will find the source code, binaries and examples: my certificate and a signed document.
