PKI

https://img.shields.io/badge/auth-required-orange.svg

Warning

The PKI methods can be used only with GOST cryptography.

Digital signature formats listed in the table below is used in PKI. The digital signature number in the table is consistent for the sigtype field value.

Digital signature formats

#

Digital signature format

1

CAdES-BES

2

CAdES-X Long Type 1

3

CAdES-T

POST /pki/sign

Hint

The rules for generating queries to the node are given in module How to use REST API.

This method creates a detached digital signature. inputData is data for generating a digital signature as an array of bytes in the Base64 coding, keystoreAlias is a name of the key container of the digital signature private key. Also you need to specify a password in the password string.

Request example

{
"inputData" : "SGVsbG8gd29ybGQh",
"keystoreAlias" : "key1",
"password" : "password",
"sigType" : "CAdES_X_Long_Type_1",
}

Answer example

{
  "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQjsndjfvnksdnjfn="
 }

GET ​/pki​/keystoreAliases

This method returns all the keystore aliases based on the GOST cryptography.

Answer example

{
 [
  "3Mq9crNkTFf8oRPyisgtf4TjBvZxo4BL2ax",
  "e19a135e-11f7-4f0c-9109-a3d1c09812e3"
 ]
 }

POST /pki/verify

This method checks the detached digital signature for the sent data. The extendedKeyUsageList is optional and may contain an array of object identifiers - OID. It is useful for the determination of the scope of the certificate. Any node with query parameters can check the certificate.

Request example

{
 "inputData" : "SGVsbG8gd29ybGQh",
 "signature" : "c2RmZ3NkZmZoZ2ZkZ2hmZGpkZ2ZoamhnZmtqaGdmamtkZmdoZmdkc2doZmQ=",
 "sigType" : "CAdES_X_Long_Type_1",
 "extendedKeyUsageList": [
 "1.2.643.7.1.1.1.1",
 "1.2.643.2.2.35.2"
 ]
 }

Answer example

{
 "sigStatus" : "true"
 }

Working with POST /pki/verify method

Using API Post /pki/verify method you can verify qualified digital signature. You need to install the root certificate on the node for proper using of API Post /pki/verify. The CA root certificate uniquely identifies the certification authority and is the basis in the chain of trust.

How to install a root certificate on a node

The root certificate is installing into the following Java directory:

-keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_191.jdk/Contents/Home/jre/lib/security/cacerts

The default password for the Java cacerts certificate store is changeit. You can change the password if you wish. Install certificates using the following command:

sudo keytool -import -alias testAliasCA_cryptopro -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_191.jdk/Contents/Home/jre/lib/security/cacerts -file ~/Downloads/cert.cer