Installation and usage of the platform
REST API: generation and checking of data digital signatures (PKI)¶
A group of pki
methods is provided for generating and verifying digital signatures.
The principle of POST /pki/sign
and POST /pki/verify
methods is similar to the gRPC methods packaged into the contract_pki_service.proto protobuf-file.
All methods of the group are available only for networks with GOST cryptography.
GET /pki/keystoreAliases¶
The method returns a list with the names of all available signature private key storages.
Response example:
POST /pki/sign¶
The method generates a disconnected DS for the data transmitted in the request. The request consists of the following fields:
inputData
– data for which a DS is required (as an array of bytes in base64 encoding);keystoreAlias
– name of the storage for the DS private key;password
– a password for the private key storage;sigType
– DS format. Supported formats:1
– CAdES-BES;2
– CAdES-X Long Type 1;3
– CAdES-T.
Query example:
The method returns the signature
field containing the generated disconnected DS.
Response example:
POST /pki/verify¶
The method is designed to verify the disconnected DS for the data transmitted in the request. The request consists of the following fields:
inputData
– data signed by a DS (as an array of bytes in base64 encoding);signature
– digital signature in the form of an array of bytes in base64 encoding;sigType
- DS format. Supported formats:1
– CAdES-BES;2
– CAdES-X Long Type 1;3
– CAdES-T;
extended_key_usage_list
– list of object identifiers (OIDs) of cryptographic algorithms that are used in DS generation (optional field).
Query example:
Method’s response contains a sigStatus
field with boolean data type: true
– signature is valid, false
– signature is compromised.
Response example:
Verifying an advanced qualified digital signature¶
The POST /pki/verify
method has the ability to verify an advanced qualified digital signature. To verify the AQDS correctly, install the root AQDS certificate of the certification authority (CA) on your node, which will be used to validate the signature.
The root certificate is installed in the cacerts certificate storage of the Java virtual machine (JVM) you are using the keytool utility:
sudo keytool -import -alias certificate_alias -keystore path_to_your_JVM/lib/security/cacerts -file path_to_the_certificate/cert.cer
After the -alias
flag, specify your preferred certificate name in the repository.
The cacerts certificate storage is located in the /lib/security/
subdirectory of your Java virtual machine. To find out the path to the virtual machine on Linux, use the following command:
readlink -f /usr/bin/java | sed "s:bin/java::"
Then add /lib/security/cacerts
to the resulting path and paste the resulting absolute path to cacerts after the `
-keystore` flag.
After the -file
flag, specify the absolute or relative path to the received EDS certificate of the Certification Authority.
The default password for cacerts is changeit
. If necessary, you can change it using the keytool utility:
sudo keytool -keystore cacerts -storepasswd