PKI
Warning
The PKI methods can be used only with GOST cryptography.
The digital signature formats listed in the table below are used in PKI. The number in the table corresponds to the value of the sigType field.
# | Digital signature format
---|---
1 | CAdES-BES
2 | CAdES-X Long Type 1
3 | CAdES-T
POST /pki/sign
Hint
The rules for generating queries to the node are given in the How to use REST API module.
This method creates a detached digital signature. inputData is the data to be signed, passed as an array of bytes in Base64 encoding; keystoreAlias is the name of the key container holding the private key used for signing. You also need to specify the key container password in the password string.
Request example
{
  "inputData" : "SGVsbG8gd29ybGQh",
  "keystoreAlias" : "key1",
  "password" : "password",
  "sigType" : "CAdES_X_Long_Type_1"
}
Answer example
{
  "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQjsndjfvnksdnjfn="
}
GET /pki/keystoreAliases
This method returns all keystore aliases that are based on GOST cryptography.
Answer example
[
  "3Mq9crNkTFf8oRPyisgtf4TjBvZxo4BL2ax",
  "e19a135e-11f7-4f0c-9109-a3d1c09812e3"
]
POST /pki/verify
This method verifies the detached digital signature for the submitted data. The extendedKeyUsageList field is optional and may contain an array of object identifiers (OIDs); it is used to check the scope the certificate is intended for. Any node that is given these query parameters can check the certificate.
Request example
{
  "inputData" : "SGVsbG8gd29ybGQh",
  "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQ=",
  "sigType" : "CAdES_X_Long_Type_1",
  "extendedKeyUsageList": [
    "1.2.643.7.1.1.1.1",
    "1.2.643.2.2.35.2"
  ]
}
Answer example
{
  "sigStatus" : "true"
}
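As an added example that is not part of the node documentation, the following Python client builds the POST /pki/sign and POST /pki/verify request bodies described above (Base64-encoding the input, validating the OID list) and interprets the sigStatus answer, which the node returns as a string. It assumes the node accepts plain JSON over HTTP at the given base URL; only CAdES_X_Long_Type_1 is confirmed by the page, the sigType spellings for table rows 1 and 3 are an assumption.

```python
import base64
import json
import re
import urllib.request

# Only "CAdES_X_Long_Type_1" appears in the page's examples; the other two are
# assumed to follow the same naming pattern for table rows 1 and 3.
SIG_TYPES = {"CAdES_BES", "CAdES_X_Long_Type_1", "CAdES_T"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")  # dotted-decimal object identifier

def build_sign_request(data: bytes, keystore_alias: str, password: str,
                       sig_type: str = "CAdES_X_Long_Type_1") -> dict:
    """Body for POST /pki/sign: inputData carries the raw bytes, Base64-encoded."""
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unsupported sigType: {sig_type}")
    return {"inputData": base64.b64encode(data).decode("ascii"),
            "keystoreAlias": keystore_alias, "password": password,
            "sigType": sig_type}

def build_verify_request(data: bytes, signature_b64: str, sig_type: str,
                         eku_oids=None) -> dict:
    """Body for POST /pki/verify; extendedKeyUsageList is sent only when given."""
    if sig_type not in SIG_TYPES:
        raise ValueError(f"unsupported sigType: {sig_type}")
    body = {"inputData": base64.b64encode(data).decode("ascii"),
            "signature": signature_b64, "sigType": sig_type}
    if eku_oids:
        bad = [o for o in eku_oids if not OID_RE.match(o)]
        if bad:
            raise ValueError(f"malformed OID(s): {bad}")
        body["extendedKeyUsageList"] = list(eku_oids)
    return body

def verification_passed(response: dict) -> bool:
    """The node answers with sigStatus as the string "true"; a bool is accepted
    too, and anything else (including a missing field) counts as a failed check."""
    status = response.get("sigStatus")
    if isinstance(status, bool):
        return status
    return isinstance(status, str) and status.lower() == "true"

def post_json(node_url: str, path: str, body: dict) -> dict:
    """POST a JSON body to the node and decode the JSON answer (needs a live node)."""
    req = urllib.request.Request(node_url.rstrip("/") + path,
                                 data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

A full round trip is `post_json(url, "/pki/sign", build_sign_request(...))` followed by `verification_passed(post_json(url, "/pki/verify", build_verify_request(...)))`, treating anything other than "true" as a failed signature check.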
Working with the POST /pki/verify method
Using the POST /pki/verify method you can verify a qualified digital signature. For POST /pki/verify to work correctly, the root certificate must be installed on the node. The CA root certificate uniquely identifies the certification authority and is the basis of the chain of trust.
How to install a root certificate on a node
The root certificate is installed into the following Java keystore:
-keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_191.jdk/Contents/Home/jre/lib/security/cacerts
The default password for the Java cacerts certificate store is changeit. You can change the password if you wish. Install certificates using the following command:
sudo keytool -import -alias testAliasCA_cryptopro -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_191.jdk/Contents/Home/jre/lib/security/cacerts -file ~/Downloads/cert.cer