Installation and usage of the platform

REST API: generation and checking of data digital signatures (PKI)

https://img.shields.io/badge/auth-required-orange.svg

A group of pki methods is provided for generating and verifying digital signatures.

The principle of POST /pki/sign and POST /pki/verify methods is similar to the gRPC methods packaged into the contract_pki_service.proto protobuf-file.

All methods of the group are available only for networks with GOST cryptography.

GET ​/pki​/keystoreAliases

The method returns a list with the names of all available signature private key storages.

Response example:

GET ​/pki​/keystoreAliases:
{
   [
    "3Mq9crNkTFf8oRPyisgtf4TjBvZxo4BL2ax",
    "e19a135e-11f7-4f0c-9109-a3d1c09812e3"
   ]
 }

POST /pki/sign

The method generates a disconnected DS for the data transmitted in the request. The request consists of the following fields:

  • inputData – data for which a DS is required (as an array of bytes in base64 encoding);

  • keystoreAlias – name of the storage for the DS private key;

  • password – a password for the private key storage;

  • sigType – DS format. Supported formats:

    • 1 – CAdES-BES;

    • 2 – CAdES-X Long Type 1;

    • 3 – CAdES-T.

    Query example:

    POST /pki/sign:
    {
      "inputData" : "SGVsbG8gd29ybGQh",
      "keystoreAlias" : "key1",
      "password" : "password",
      "sigType" : 1,
    }
    

The method returns the signature field containing the generated disconnected DS.

Response example:

POST /pki/sign:
{
  "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQjsndjfvnksdnjfn="
}

POST /pki/verify

The method is designed to verify the disconnected DS for the data transmitted in the request. The request consists of the following fields:

  • inputData – data signed by a DS (as an array of bytes in base64 encoding);

  • signature – digital signature in the form of an array of bytes in base64 encoding;

  • sigType - DS format. Supported formats:

    • 1 – CAdES-BES;

    • 2 – CAdES-X Long Type 1;

    • 3 – CAdES-T;

  • extended_key_usage_list – list of object identifiers (OIDs) of cryptographic algorithms that are used in DS generation (optional field).

Query example:

POST /pki/verify:
{
 "inputData" : "SGVsbG8gd29ybGQh",
 "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQ=",
 "sigType" : "CAdES_X_Long_Type_1",
 "extendedKeyUsageList": [
 "1.2.643.7.1.1.1.1",
 "1.2.643.2.2.35.2"
 ]
 }

Method’s response contains a sigStatus field with boolean data type: true – signature is valid, false – signature is compromised.

Response example:

POST /pki/verify:
{
  "sigStatus" : "true"
}

Verifying an advanced qualified digital signature

The POST /pki/verify method has the ability to verify an advanced qualified digital signature. To verify the AQDS correctly, install the root AQDS certificate of the certification authority (CA) on your node, which will be used to validate the signature.

The root certificate is installed in the cacerts certificate storage of the Java virtual machine (JVM) you are using the keytool utility:

sudo keytool -import -alias certificate_alias -keystore path_to_your_JVM/lib/security/cacerts -file path_to_the_certificate/cert.cer

After the -alias flag, specify your preferred certificate name in the repository.

The cacerts certificate storage is located in the /lib/security/ subdirectory of your Java virtual machine. To find out the path to the virtual machine on Linux, use the following command:

readlink -f /usr/bin/java | sed "s:bin/java::"

Then add /lib/security/cacerts to the resulting path and paste the resulting absolute path to cacerts after the ` -keystore` flag.

After the -file flag, specify the absolute or relative path to the received EDS certificate of the Certification Authority.

The default password for cacerts is changeit. If necessary, you can change it using the keytool utility:

sudo keytool -keystore cacerts -storepasswd
See also