Generating a GOST-2012 key pair in OpenSC

Hello!
I am using OpenSC 0.18, OpenSSL 1.1.0, librtpkcs11ecp 1.6.5, rtengine.
samples/tool/README.txt says that a key cannot be generated with OpenSSL through rtengine.
So I am trying to generate one through OpenSC.

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Aktiv Rutoken ECP 00 00


$ pkcs11-tool --module /opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so  -M

*** Cryptoki library has already been initialized ***
Using slot 0 with a present token (0x0)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, hw, generate_key_pair
  RSA-PKCS, keySize={512,2048}, hw, encrypt, decrypt, sign, verify
  RSA-PKCS-OAEP, keySize={512,2048}, hw, encrypt, decrypt
  MD5, digest
  SHA-1, digest
  GOSTR3410-KEY-PAIR-GEN, hw, generate_key_pair
  GOSTR3410, hw, sign, verify
  mechtype-0x1204, hw, derive
  mechtype-0xD4321005, hw, generate_key_pair
  mechtype-0xD4321006, hw, sign, verify
  mechtype-0xD4321007, hw, derive
  GOSTR3411, hw, digest
  mechtype-0xD4321012, hw, digest
  mechtype-0xD4321013, hw, digest
  GOSTR3410-WITH-GOSTR3411, hw, digest, sign
  mechtype-0xD4321008, hw, digest, sign
  mechtype-0xD4321009, hw, digest, sign
  mechtype-0x1224, hw, wrap, unwrap
  mechtype-0x1221, hw, encrypt, decrypt
  mechtype-0x1222, hw, encrypt, decrypt
  mechtype-0x1220, hw, generate
  mechtype-0x1223, hw, sign, verify
$ pkcs11-tool --module /opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so --login --pin 12345678 --keypairgen --key-type GOSTR3410:B --id 3132

*** Cryptoki library has already been initialized ***
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022302
  label:      
  ID:         3132
  Usage:      sign
Public Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022302
  VALUE:      619d56126639eda006b22207ebcc362da6f2c1cd9bfbf7b909a7a68765941d24
              493eb5182c629a6503df5ba35e620a1cea978b35f97655f6574a755a7185084c
  label:      
  ID:         3132
  Usage:      verify
$ openssl req -new -x509 -days 365 -subj '/CN=test/' -engine rtengine -keyform engine -key "pkcs11:id=12" > gost.pem
$ openssl x509 -inform pem -in gost.pem -outform der -out gost.der
$ openssl x509 -inform der -in gost.der  -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            93:40:53:45:fc:cc:7c:ce
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
        Issuer: CN = test
        Validity
            Not Before: Aug 26 23:18:00 2018 GMT
            Not After : Aug 26 23:18:00 2019 GMT
        Subject: CN = test
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2001
                Public key:
                   X:241D946587A6A709B9F7FB9BCDC1F2A62D36CCEB0722B206A0ED396612569D61
                   Y:4C0885715A754A57F65576F9358B97EA1C0A625EA35BDF03659A622C18B53E49
                Parameter set: id-GostR3410-2001-CryptoPro-B-ParamSet
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                DB:0B:9D:4D:15:F8:73:FC:AD:94:76:CC:BE:45:7F:CA:98:4E:48:3C
            X509v3 Authority Key Identifier: 
                keyid:DB:0B:9D:4D:15:F8:73:FC:AD:94:76:CC:BE:45:7F:CA:98:4E:48:3C

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
         1d:45:33:94:94:d7:36:d6:05:66:ab:15:6d:40:5d:52:9f:4d:
         7d:ea:60:fc:76:6c:90:19:af:8d:05:4f:23:0b:47:16:80:8a:
         a3:c9:82:2a:e5:05:e4:e1:f1:56:27:39:d1:d3:b5:f7:80:ed:
         1c:6f:05:42:6b:11:9c:c5:f1:86

The result is GOST-2001.
If I try to specify the hash explicitly:

$ openssl req -new -x509 -days 365 -subj '/CN=test/' -md_gost12_256  -engine rtengine -keyform engine -key "pkcs11:id=12" > gost.pem
engine "rtengine" set.
Enter PKCS#11 token PIN: 
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
140112944571648:error:8107506F:lib(129):PKEY_GOST_CTRL:invalid digest type:/home/jenkins/newjenkins/workspace/rtengine-build/03532063/engine/orig/gost_pmeth.c:132:

Is it possible to generate a GOST-2012 key pair through OpenSC? If not, how else?

Re: Generating a GOST-2012 key pair in OpenSC

Good afternoon, RV.

Our guide on working with rtengine and OpenSSL contains an example of generating a key pair with OpenSC and of working with that pair afterwards. See https://dev.rutoken.ru/pages/viewpage.a … d=43450389

Re: Generating a GOST-2012 key pair in OpenSC

The commands above follow the guide; a GOST-2012 key pair still cannot be created.

The equivalent OpenSC command:

    pkcs11-tool.exe --module rtPKCS11ECP.dll --login --pin 12345678 --keypairgen  --key-type GOSTR3410:A --id 3132

An attempt to create a certificate request. The result is GOST-2001 as well.

$ openssl req -utf8 -new -subj '/CN=test/' -keyform engine -key "pkcs11:id=12" -engine rtengine -out req.csr
engine "rtengine" set.
Enter PKCS#11 token PIN:

$ openssl asn1parse -in req.csr 
    0:d=0  hl=3 l= 204 cons: SEQUENCE          
    3:d=1  hl=2 l= 123 cons: SEQUENCE          
    5:d=2  hl=2 l=   1 prim: INTEGER           :00
    8:d=2  hl=2 l=  15 cons: SEQUENCE          
   10:d=3  hl=2 l=  13 cons: SET               
   12:d=4  hl=2 l=  11 cons: SEQUENCE          
   14:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   19:d=5  hl=2 l=   4 prim: UTF8STRING        :test
   25:d=2  hl=2 l=  99 cons: SEQUENCE          
   27:d=3  hl=2 l=  28 cons: SEQUENCE          
   29:d=4  hl=2 l=   6 prim: OBJECT            :GOST R 34.10-2001
   37:d=4  hl=2 l=  18 cons: SEQUENCE          
   39:d=5  hl=2 l=   7 prim: OBJECT            :id-GostR3410-2001-CryptoPro-B-ParamSet
   48:d=5  hl=2 l=   7 prim: OBJECT            :id-GostR3411-94-CryptoProParamSet
   57:d=3  hl=2 l=  67 prim: BIT STRING        
  126:d=2  hl=2 l=   0 cons: cont [ 0 ]        
  128:d=1  hl=2 l=  10 cons: SEQUENCE          
  130:d=2  hl=2 l=   6 prim: OBJECT            :GOST R 34.11-94 with GOST R 34.10-2001
  138:d=2  hl=2 l=   0 prim: NULL              
  140:d=1  hl=2 l=  65 prim: BIT STRING

Issuing a self-signed certificate matches the example in the first message exactly.

openssl req -utf8 -x509 -keyform engine -key "pkcs11:your_pkcs11_uri" -engine rtengine -out cert.cer


I assume that

GOSTR3410-KEY-PAIR-GEN, hw, generate_key_pair
GOSTR3410, hw, sign, verify

leads to GOST-2001, and not to GOST-2012

mechtype-0xD4321005, hw, generate_key_pair
mechtype-0xD4321006, hw, sign, verify

(edited by RV, 2018-08-27 22:36:47)

Re: Generating a GOST-2012 key pair in OpenSC

I generated a key pair in the browser through the plugin. The result is GOST-2012, but it is unclear what the difference is, and I would like to use OpenSC.

$ openssl req -utf8 -new -x509 -subj '/CN=test/' -keyform engine -key "pkcs11:id=3135" -engine rtengine -out g2012.cer
engine "rtengine" set.
Enter PKCS#11 token PIN: 

$ openssl x509 -in g2012.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b6:ca:fd:76:a1:ec:ff:85
    Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
        Issuer: CN = test
        Validity
            Not Before: Aug 27 17:30:21 2018 GMT
            Not After : Sep 26 17:30:21 2018 GMT
        Subject: CN = test
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
                Public key:
                   X:5FB11415DE7A243EC3DC49CF2BA45C082F748435E4F71692066D0C5E6B02882B
                   Y:F53294212CBAD8E892E2A166699F356ED748E6BBE45FC3F067C508DD24F08B09
                Parameter set: id-GostR3410-2001-CryptoPro-A-ParamSet
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AA:B1:D6:A8:7A:45:21:D3:A3:EC:56:D9:97:50:B0:F3:DD:47:EE:DB
            X509v3 Authority Key Identifier: 
                keyid:AA:B1:D6:A8:7A:45:21:D3:A3:EC:56:D9:97:50:B0:F3:DD:47:EE:DB

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
         e2:d0:1f:ac:73:36:78:06:4d:33:90:ab:9d:dc:17:0d:b6:67:
         f1:d8:4c:6a:6e:40:60:5d:13:56:34:9c:f5:63:39:a8:1f:d4:
         91:97:7f:62:58:12:1b:5b:d8:b0:9e:3c:40:cd:6a:d2:a2:19:
         66:ae:02:04:2d:02:a5:c1:9e:ba
$ pkcs11-tool --module /opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so -Ol

*** Cryptoki library has already been initialized ***
Using slot 0 with a present token (0x0)
Logging in to "Rutoken ECP <no label>".
WARNING: user PIN to be changed
Please enter User PIN: 

...
Public Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022302
  VALUE:      619d56126639eda006b22207ebcc362da6f2c1cd9bfbf7b909a7a68765941d24
              493eb5182c629a6503df5ba35e620a1cea978b35f97655f6574a755a7185084c
  label:      
  ID:         3132
  Usage:      verify
Private Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022302
  label:      
  ID:         3132
  Usage:      sign

...

Public Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  VALUE:      2b88026b5e0c6d069216f7e43584742f085ca42bcf49dcc33e247ade1514b15f
              098bf024dd08c567f0c35fe4bbe648d76e359f6966a1e292e8d8ba2c219432f5
  label:      
  ID:         33313335
  Usage:      verify
Private Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  label:      
  ID:         33313335
  Usage:      sign, derive

(edited by RV, 2018-08-27 22:45:14)
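The two pkcs11-tool listings above show the same kind of PARAMS OID (a CryptoPro curve parameter set) for the 2001 key and for the plugin-generated 2012 key; what actually separates the two generations is the algorithm OID in the certificate's SubjectPublicKeyInfo. The following is an added example, not code from the thread or from Rutoken: a small DER OID decoder that names the PARAMS OID hex printed by pkcs11-tool and parses an AlgorithmIdentifier. The two AlgorithmIdentifier byte strings are constructed from the asn1parse and x509 -text output in the thread, and the OID table is limited to identifiers that appear there.

```python
# Added example (not code from the thread or Rutoken): decode the DER OIDs that
# pkcs11-tool (PARAMS OID) and openssl (SPKI) print, to tell a 2001 key from a 2012 one.
GOST_OIDS = {
    "1.2.643.2.2.19": "GOST R 34.10-2001",
    "1.2.643.2.2.30.1": "id-GostR3411-94-CryptoProParamSet",
    "1.2.643.2.2.35.1": "id-GostR3410-2001-CryptoPro-A-ParamSet",
    "1.2.643.2.2.35.2": "id-GostR3410-2001-CryptoPro-B-ParamSet",
    "1.2.643.7.1.1.1.1": "GOST R 34.10-2012 (256 bit)",
    "1.2.643.7.1.1.2.2": "GOST R 34.11-2012 (256 bit)",
}
# Public-key AlgorithmIdentifier of the thread's two certificates (constructed from its output).
ALG_2001_B = bytes.fromhex("301c 0606 2a8503020213 3012 0607 2a850302022302 0607 2a850302021e01")
ALG_2012_A = bytes.fromhex("301f 0608 2a85030701010101 3013 0607 2a850302022301 0608 2a85030701010202")

def read_tlv(buf, off=0):
    """Read one DER TLV at buf[off]; return (tag, content, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def oid_name(content):
    """Decode OID content octets (first byte = two arcs, rest base-128) and name them."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return GOST_OIDS.get(dotted, dotted)     # unknown OIDs stay in dotted form

def describe_params_oid(hexstr):
    """pkcs11-tool prints PARAMS OID as DER hex, e.g. 06072a850302022302."""
    tag, content, _ = read_tlv(bytes.fromhex(hexstr))
    return oid_name(content) if tag == 0x06 else "not an OBJECT IDENTIFIER"

def describe_algorithm(der):
    """AlgorithmIdentifier ::= SEQUENCE { OID, parameters SEQUENCE OF OID }; curve from params, generation from OID."""
    tag, seq, _ = read_tlv(der)
    assert tag == 0x30, "expected SEQUENCE"
    _, alg, off = read_tlv(seq)
    params = []
    if off < len(seq):                       # parameters are OPTIONAL in DER
        _, inner, _ = read_tlv(seq, off)
        p = 0
        while p < len(inner):
            _, v, p = read_tlv(inner, p)
            params.append(oid_name(v))
    return oid_name(alg), params
```

Running describe_algorithm on the 2001 and 2012 AlgorithmIdentifiers returns the same CryptoPro-A/B curve names but different algorithm names, which is the distinction pkcs11-tool's PARAMS OID line cannot show.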

Re: Generating a GOST-2012 key pair in OpenSC

When generating a key pair with OpenSC and parameter set A we also get GOST-2001.

$ pkcs11-tool --module /opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so --login --pin 12345678 --keypairgen --key-type GOSTR3410:A --id 3136

*** Cryptoki library has already been initialized ***
Using slot 0 with a present token (0x0)
Key pair generated:
Private Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  label:      
  ID:         3136
  Usage:      sign
Public Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  VALUE:      5565a613b7a138a826e164b51c5b4525cd45348190f41340bb3a19c6367a3349
              8f82855d7d24dbaabf8b6bdd2c37538355b2f0f45d1c96743fd919c3c5c0aa25
  label:      
  ID:         3136
  Usage:      verify

$ openssl req -utf8 -new -x509 -subj '/CN=test/' -keyform engine -key "pkcs11:id=16" -engine rtengine -out g.cer 
engine "rtengine" set.
Enter PKCS#11 token PIN:

$ openssl x509 -in g.cer -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8a:05:30:a7:43:1a:02:b4
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
        Issuer: CN = test
        Validity
            Not Before: Aug 27 19:40:20 2018 GMT
            Not After : Sep 26 19:40:20 2018 GMT
        Subject: CN = test
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2001
                Public key:
                   X:49337A36C6193ABB4013F490813445CD25455B1CB564E126A838A1B713A66555
                   Y:25AAC0C5C319D93F74961C5DF4F0B2558353372CDD6B8BBFAADB247D5D85828F
                Parameter set: id-GostR3410-2001-CryptoPro-A-ParamSet
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E5:A5:69:99:8B:24:C1:A5:79:F2:FE:CF:84:B7:F5:B8:04:0B:8C:C0
            X509v3 Authority Key Identifier: 
                keyid:E5:A5:69:99:8B:24:C1:A5:79:F2:FE:CF:84:B7:F5:B8:04:0B:8C:C0

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
         b8:3c:7e:23:d4:7b:50:00:c8:27:d5:74:f6:11:97:e2:b7:53:
         78:cf:1d:f6:75:09:47:7d:af:48:a7:d2:7d:a9:54:67:19:92:
         10:31:fd:10:64:d3:28:6d:89:9f:02:7d:12:1a:70:3a:86:d3:
         26:dd:4e:60:c4:f4:08:ac:59:be

$ pkcs11-tool --module /opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so -Ol

*** Cryptoki library has already been initialized ***
Using slot 0 with a present token (0x0)
Logging in to "Rutoken ECP <no label>".
WARNING: user PIN to be changed
Please enter User PIN: 

...

Public Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  VALUE:      5565a613b7a138a826e164b51c5b4525cd45348190f41340bb3a19c6367a3349
              8f82855d7d24dbaabf8b6bdd2c37538355b2f0f45d1c96743fd919c3c5c0aa25
  label:      
  ID:         3136
  Usage:      verify
Private Key Object; GOSTR3410 
  PARAMS OID: 06072a850302022301
  label:      
  ID:         3136
  Usage:      sign

Re: Generating a GOST-2012 key pair in OpenSC

Installing librtpkcs11ecp 1.8.2.0-1 did not help.

Re: Generating a GOST-2012 key pair in OpenSC

Good afternoon, RV.

The problem is clear. Give us a couple of days to investigate and reproduce it, and we will propose a solution.

Re: Generating a GOST-2012 key pair in OpenSC

Hello, RV!

You are right, pkcs11-tool cannot create GOST 2012 objects yet, but we are working on it.

For now there are the following workarounds:
1) use the Rutoken Certificate Authority
2) create the keys through PKCS#11 using the SDK sample from the folder sdk\pkcs11\samples\Standard\CreateGOST34.10-2012-256