Installation and usage of the platform

gRPC: generating and verifying digital signatures on data (PKI)

For networks using GOST cryptography, the gRPC interface can produce a detached digital signature over transmitted data and verify such a signature.

For this purpose, two methods described in the protobuf file contract_pki_service.proto are provided:

  • Sign – generates a detached digital signature (DS) for the data passed in the request.

  • Verify – verifies a detached DS for the data passed in the request.

Important

The field data types for the request and response are specified in the protobuf files.

Generating a detached digital signature

The Sign method requires the following parameters:

  • input_data – data for which a DS is required (a byte array, base64-encoded);

  • keystore_alias – name of the storage for the DS private key;

  • password – a password for the private key storage;

  • sig_type – DS format. Supported formats:

    • 1 – CAdES-BES;

    • 2 – CAdES-X Long Type 1;

    • 3 – CAdES-T.

The method response contains the signature field with the generated digital signature in base64 format.

Verifying a detached digital signature

The Verify method requires the following parameters:

  • input_data – the signed data (a byte array, base64-encoded);

  • signature – the digital signature (a byte array, base64-encoded);

  • sig_type – DS format. Supported values:

    • 1 – CAdES-BES;

    • 2 – CAdES-X Long Type 1;

    • 3 – CAdES-T.

  • extended_key_usage_list – list of object identifiers (OIDs) of cryptographic algorithms that are used in DS generation (optional field).

The method response contains the status field of boolean type:

  • true – the signature is valid,

  • false – the signature is compromised.

Verifying an advanced qualified digital signature

The Verify method can also verify an advanced qualified digital signature (AQDS). To verify an AQDS correctly, install the root certificate of the certification authority (CA) that issued it on your node; this certificate is used to validate the signature.

The root certificate is installed into the cacerts certificate store of the Java virtual machine (JVM) you are using, with the keytool utility:

sudo keytool -import -alias certificate_alias -keystore path_to_your_JVM/lib/security/cacerts -file path_to_the_certificate/cert.cer

After the -alias flag, specify the name under which the certificate will be stored in the keystore.

The cacerts store is located in the lib/security/ subdirectory of your JVM installation. To find the JVM path on Linux, use the following command:

readlink -f /usr/bin/java | sed "s:bin/java::"

Then append lib/security/cacerts to the resulting path (which ends with a slash) and pass the resulting absolute path to cacerts after the -keystore flag.

After the -file flag, specify the absolute or relative path to the CA's digital signature certificate that you received.

The default password for cacerts is changeit. If necessary, you can change it using the keytool utility:

sudo keytool -keystore cacerts -storepasswd
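The root-certificate installation steps above, combined into one script as an added example (not part of the original documentation). It assumes a Linux host, the default changeit password, and uses keytool's -noprompt flag to skip the interactive trust confirmation; the alias and certificate path passed to import_root_ca are the caller's choice.

```shell
#!/bin/sh
# Derive the cacerts path from a resolved java binary path.
# Same transformation as `readlink -f /usr/bin/java | sed "s:bin/java::"`
# followed by appending lib/security/cacerts; takes the java path as an
# argument so the logic can be checked without a JVM installed.
cacerts_path_for_java() {
    java_bin="$1"
    jvm_home=$(printf '%s\n' "$java_bin" | sed 's:bin/java$::')
    printf '%s\n' "${jvm_home}lib/security/cacerts"
}

# Resolve the default JVM's cacerts path through the /usr/bin/java symlink chain.
default_cacerts_path() {
    cacerts_path_for_java "$(readlink -f /usr/bin/java)"
}

# Import a CA certificate into a cacerts keystore and confirm the alias exists.
# Arguments: alias, certificate file, keystore path, [store password, default changeit].
# Returns non-zero if the certificate or keystore is missing or the import fails.
import_root_ca() {
    alias="$1"; cert_file="$2"; keystore="$3"; storepass="${4:-changeit}"
    [ -f "$cert_file" ] || { echo "certificate not found: $cert_file" >&2; return 1; }
    [ -f "$keystore" ]  || { echo "cacerts not found: $keystore" >&2; return 1; }
    # -importcert is the modern spelling of -import; -noprompt answers "yes"
    # to the "Trust this certificate?" question so the script can run unattended.
    keytool -importcert -noprompt -alias "$alias" -keystore "$keystore" \
        -storepass "$storepass" -file "$cert_file" || return 1
    # Confirm the entry landed in the store by listing its fingerprint.
    keytool -list -alias "$alias" -keystore "$keystore" -storepass "$storepass"
}

# Typical call (needs root to write to the JVM's cacerts):
#   sudo sh -c '. ./install_root_ca.sh; import_root_ca ca_root ./cert.cer "$(default_cacerts_path)"'
```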