IFCPlugin не работает с PKCS#11 библиотекой Рутокен
При авторизации на госуслугах плагин не видит открытый ключ через библиотеку PKCS#11 Рутокен.
Настройки в /etc/ifc.cfg
log = {
level = "DEBUG";
}
config = {
cert_from_registry = "false";
set_user_pin = "false";
}
params =
(
{ name = "CryptoPro CSP";
alias = "cprocsp";
type = "pkcs11";
alg = "gost2001";
model = "CPPKCS 3";
lib_linux = "/opt/cprocsp/lib/amd64/libcppkcs11.so";
},
{ name = "Актив руТокен ЭЦП";
alias = "ruTokenECP";
type = "pkcs11";
alg = "gost2001";
model = "Rutoken ECP";
lib_win = "rtpkcs11ecp.dll";
lib_linux = "librtpkcs11ecp.so";
lib_mac = "librtpkcs11ecp.dylib";
}
);Если закомментировать криптопро, то логи плагина /var/log/ifc/engine_logs/engine.log выглядят вот так: https://gist.github.com/olegshtch/72d88 … fc31a18b53
С библиотекой PKCS#11 ключ находится, и авторизация проходит успешно:
2022-11-23 23:20:17:IFC:ifc_list_certificates_in_store:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_start:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_start:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_next:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_object_to_return:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_x509_by_handle:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_x509_by_handle:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_object_to_return:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_next:PASSED
2022-11-23 23:20:17:IFC:ifc_list_certificates_in_store:cert ID [24B61DAD984E3AE8]
2022-11-23 23:20:17:IFC:ifc_list_certificates_in_store:check a public key for found cert ID
2022-11-23 23:20:17:IFC:get_pub_key_by_id:STARTED
2022-11-23 23:20:17:IFC:get_pub_key_by_id:ID to find: 24B61DAD984E3AE8
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_start:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_start:PASSED
2022-11-23 23:20:17:IFC:get_pub_key_by_id:STORE_list_publice_key_start done
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_next:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_object_to_return:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_pkey_by_pub_key_handle:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:get_pub_key_value_and_sign_oid_and_hash_oid_by_handle:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:get_pub_key_value_and_sign_oid_and_hash_oid_by_handle:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_pkey_by_pub_key_handle:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:make_object_to_return:PASSED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_next:PASSED
2022-11-23 23:20:17:IFC:get_pub_key_by_id:STORE_list_public_key_next done
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_end:STARTED
2022-11-23 23:20:17:pkcs11_engine-cprocsp-0:gost_store_list_end:PASSED
2022-11-23 23:20:17:IFC:get_pub_key_by_id:STORE_list_public_key_end done
2022-11-23 23:20:17:IFC:get_pub_key_by_id:result [found key handle]
2022-11-23 23:20:17:IFC:ifc_list_certificates_in_store:public key was foundПри этом ключи и сертификаты видны через каждую библиотеку:
$ pkcs11-tool --module /opt/cprocsp/lib/amd64/libcppkcs11.so -O --login
Using slot 0 with a present token (0x0)
Logging in to "CryptoPro Token".
Please enter User PIN:
Private Key Object; GOSTR3410-2012-256
PARAMS OID: 06072a850302022400
label: Shelykalnov_Oleg_Urevich_1669138159386
ID: 32344236314441443938344533414538
Usage: decrypt, sign, unwrap, derive
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Access: extractable
Public Key Object; GOSTR3410-2012-256
PARAMS OID: 06072a850302022400
VALUE: 24b61dad984e3ae8899ac9016320b5faa379e5b681636744f27ee65a7aaea77a
3d0472d1479bf76b4931453a4751ee38abb01d3bb1b39e546718a7f0bd02472e
label: Shelykalnov_Oleg_Urevich_1669138159386
ID: 32344236314441443938344533414538
Usage: encrypt, verify, wrap, derive
Access: none
Certificate Object; type = X.509 cert
label: Shelykalnov_Oleg_Urevich_1669138159386
subject: DN: emailAddress=olegshtch@yandex.ru/SNILS=...
ID: 32344236314441443938344533414538
Object 3221225476, type 3461563219$ pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O --login
Using slot 0 with a present token (0x0)
Logging in to "Rutoken ECP <no label>".
Please enter User PIN:
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441044a05c87131a0e03bb1eb21967b7d8ba8887c1c4994fc47e4aa0b091c008d2c0a6e8a11870ae325d4851fc9ea04dcc7f61b2c38ef6fcd533ab1fb2592e2c1d32f
EC_PARAMS: 06082a8648ce3d030107
label: SSH
ID: 99
Usage: verify
Access: local
Private Key Object; EC
label: SSH
ID: 99
Usage: sign
Access: sensitive, always sensitive, never extractable, local
Public Key Object; GOSTR3410-2012-256
PARAMS OID: 06072a850302022400
VALUE: 24b61dad984e3ae8899ac9016320b5faa379e5b681636744f27ee65a7aaea77a
3d0472d1479bf76b4931453a4751ee38abb01d3bb1b39e546718a7f0bd02472e
label: Shelykalnov_Oleg_Urevich_1669138159386
ID: 5368656c796b616c6e6f765f4f6c65675f557265766963685f3136363931333831353933383600
Usage: verify
Access: local
Private Key Object; GOSTR3410-2012-256
PARAMS OID: 06072a850302022400
label: Shelykalnov_Oleg_Urevich_1669138159386
ID: 5368656c796b616c6e6f765f4f6c65675f557265766963685f3136363931333831353933383600
Usage: sign, derive
Access: sensitive, always sensitive, never extractable, local
Data object 3262127904
label: 'Shelykalnov_Oleg_Urevich_1669138159386'
application: 'CryptoPro CSP'
app_id: <empty>
flags: modifiable
Certificate Object; type = X.509 cert
label: Rutoken Plugin
subject: DN: emailAddress=olegshtch@yandex.ru/SNILS=...
ID: 5368656c796b616c6e6f765f4f6c65675f557265766963685f3136363931333831353933383600Я сначала предположил, что это разные ключи и приложение создания сертификата создало аппаратный и программный ключ, но на ra.rutoken.ru сертификат привязан к ключу, и подпись, сделанная на нём, успешно проверяется через госуслуги.