Installation and usage of the platform

gRPC: verification of data digital signature (PKI)

On the networks using GOST cryptography, you can use the gRPC interface to verify a disconnected digital signature for transmitted data.

For this purpose, the Verify method described in the protobuf file contract_pki_service.proto is provided.

Important

The Verify method is not available when PKI is used, that is, when the node configuration file parameter node.crypto.pki.mode is set to ON. The method can be used in PKI test mode (node.crypto.pki.mode = TEST) or with PKI disabled (node.crypto.pki.mode = OFF).

Important

The field data types for the request and response are specified in the protobuf file.

Verifying a disconnected digital signature

The Verify method requires following parameters:

  • input_data – data signed by a DS (as an array of bytes in base64 encoding);

  • signature – digital signature in the form of an array of bytes in base64 encoding;

  • sig_type – DS format. Supported values:

    • 1 – CAdES-BES;

    • 2 – CAdES-X Long Type 1;

    • 3 – CAdES-T.

  • extended_key_usage_list – the list of object identifiers (OIDs) of cryptographic algorithms that are used in DS generation; optional field.

Method response contains a status field with boolean data type:

  • true – the signature is valid,

  • false – the signature is compromised.

Verifying an advanced qualified digital signature

The verify method provides the ability to verify an advanced qualified digital signature. To verify the AQDS correctly, install the root AQDS certificate of the certification authority (CA) on your node, which will be used to validate the signature.

The root certificate is installed in the cacerts certificate storage of the Java virtual machine (JVM) you are using the keytool utility:

sudo keytool -import -alias certificate_alias -keystore path_to_your_JVM/lib/security/cacerts -file path_to_the_certificate/cert.cer

After the -alias flag, specify your preferred certificate name in the repository.

The cacerts certificate storage is located in the /lib/security/ subdirectory of your Java virtual machine. To find out the path to the virtual machine on Linux, use the following command:

readlink -f /usr/bin/java | sed "s:bin/java::"

Then add /lib/security/cacerts to the resulting path and paste the resulting absolute path to cacerts after the -keystore flag.

After the -file flag, specify the absolute or relative path to the received EDS certificate of the Certification Authority.

The default password for cacerts is changeit. If necessary, you can change it using the keytool utility:

sudo keytool -keystore cacerts -storepasswd
See also