Статус: Активный участник
Группы: Участники
Зарегистрирован: 22.12.2021(UTC) Сообщений: 36  Сказал(а) «Спасибо»: 5 раз
|
Здравствуйте! Необходимо подписывать данные ключом из контейнера. Вот так я получаю ключ и сертификат Код:
HCRYPTPROV hProv = 0;
BOOL acqRes = CryptAcquireContext(
&hProv,
"\\\\.\\HDIMAGE\\CP_TEST0",
NULL,
PROV_GOST_2012_256,
0);
BOOL setRes = CryptSetProvParam(
hProv,
PP_KEYEXCHANGE_PIN,
(BYTE*)"1",
0);
HCRYPTKEY phUserKey = 0;
BOOL getKeyRes = CryptGetUserKey(hProv, AT_KEYEXCHANGE, &phUserKey);
DWORD pdwDataLen = 0;
PCCERT_CONTEXT pUserCert=0;
LPBYTE pbUserCert;
BOOL getKeyParamRes = CryptGetKeyParam(phUserKey, KP_CERTIFICATE, NULL, &pdwDataLen, 0);
DWORD err = GetLastError();
printf("Error number : 0x%x\n", err);
pbUserCert = (LPBYTE)malloc(pdwDataLen);
getKeyParamRes = CryptGetKeyParam(phUserKey, KP_CERTIFICATE, pbUserCert, &pdwDataLen, 0);
PCCERT_CONTEXT pCertContext = CertCreateCertificateContext( X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, pbUserCert, pdwDataLen);
Вот как выгллядет подписывание Код:pbMessage =
(BYTE*)TEXT("CryptoAPI is a good way to handle security");
// Calculate the size of message. To include the
// terminating null character, the length is one more byte
// than the length returned by the strlen function.
cbMessage = (DWORD)(strlen((char *)pbMessage)+1);
// Create the MessageArray and the MessageSizeArray.
const BYTE* MessageArray[] = {pbMessage};
DWORD MessageSizeArray[1];
MessageSizeArray[0] = cbMessage;
SigParams.cbSize = sizeof(CRYPT_SIGN_MESSAGE_PARA);
SigParams.dwMsgEncodingType = MY_ENCODING_TYPE;
SigParams.pSigningCert = pCertContext;
SigParams.HashAlgorithm.pszObjId = SigParams.pSigningCert->pCertInfo->SignatureAlgorithm.pszObjId;
SigParams.HashAlgorithm.Parameters.cbData = NULL;
SigParams.cMsgCert = 1;
SigParams.rgpMsgCert = &pCertContext;
SigParams.cAuthAttr = 0;
SigParams.dwInnerContentType = 0;
SigParams.cMsgCrl = 0;
SigParams.cUnauthAttr = 0;
SigParams.dwFlags = 0;
SigParams.pvHashAuxInfo = NULL;
SigParams.rgAuthAttr = NULL;
// First, get the size of the signed BLOB.
if(CryptSignMessage(
&SigParams,
FALSE,
1,
MessageArray,
MessageSizeArray,
NULL,
&cbSignedMessageBlob))
{
_tprintf(TEXT("%d bytes needed for the encoded BLOB.\n"),
cbSignedMessageBlob);
}
else
{
HandleError(TEXT("Getting signed BLOB size failed"));
}
// Allocate memory for the signed BLOB.
if(!(pbSignedMessageBlob =
(BYTE*)malloc(cbSignedMessageBlob)))
{
HandleError(
TEXT("Memory allocation error while signing."));
}
if(CryptSignMessage(
&SigParams,
FALSE,
1,
MessageArray,
MessageSizeArray,
pbSignedMessageBlob,
&cbSignedMessageBlob))
{
_tprintf(TEXT("The message was signed successfully. \n"));
// pbSignedMessageBlob now contains the signed BLOB.
fReturn = true;
}
else
{
HandleError(TEXT("Error getting signed BLOB"));
}
При этом возникает ошибка Error number : 0x8009200b Error description: Getting signed BLOB size failed Вот данные контейнера с сертификатом Код:Private key container
name CP_TEST0
unique name HDIMAGE\\CPrTEST0.000\435D
FQCN \\.\HDIMAGE\CP_TEST0
location user
integrity check successful
loading of keys successful
container version 2
Exchange key
public key length 512
key export forbidden
private key valid to 13/09/2025 07:56:42 UTC
private key usage is permitted before the end of the key validity
algorithm ГОСТ Р 34.10-2012 DH 256 бит
ГОСТ Р 34.10 256 бит, параметры обмена по умолчанию
ГОСТ Р 34.11-2012 256 бит
public key export successful
public key calculation successful
public key import successful
signature successful
verification successful
key exchange is allowed
certificate in container
matches private key yes
certificate name pkcs7
subject CN=pkcs7
issuer E=support@cryptopro.ru, C=RU, L=Moscow, O=CRYPTO-PRO LLC, CN=CRYPTO-PRO Test Center 2
valid from 13/06/2024 08:33:11 UTC
valid to 13/08/2024 08:43:11 UTC
serial number 1200643091678f6c067c8cb9b7000200643091
thumbprint (SHA1 hash) 7333E8F1D861426FED41951F55E808C32E7F0174
certificate chain verified
certificate in store my
CN=pkcs7
HDIMAGE\\CPrTEST0.000\435D; Crypto-Pro GOST R 34.10-2012 KC1 CSP; dwProvType: 80; dwFlags: 0; dwKeySpec: 1
Signature key
does not exist
Symmetric key
does not exist
Container extensions
1.2.643.2.2.37.3.10
critical no
valid to 13/09/2025 07:56:42 UTC
Provider information
version 5.0.13000 KC1 Linux AMD64
type and name 80, Crypto-Pro GOST R 34.10-2012 KC1 CSP
mode library
private key time validity control 1 (enabled)
При этом этим же сертификатом из локального хранилища всё подписывается Вот так сертификат был добавлен cryptcp -instcert -cont '\\.\HDIMAGE\CP_TEST0' -ku -askpin /home/andrey/Downloads/pkcs7.cer Вот так был создан запрос на сертификат cryptcp -createrqst -rdn "CN=pkcs7" -cont '\\.\HDIMAGE\CP_TEST0' /home/andrey/work/certs/pkc7.req
|
