
gost2012, ruby > 2.3.1 #25

Open
slim1979 opened this issue Jun 15, 2019 · 6 comments

Comments

@slim1979

Good day.
Will you upgrade your gem to provide support for gost2012 and Ruby versions newer than 2.3.1?
Or is there no hope?)

@Envek
Collaborator

Envek commented Jun 15, 2019

Look at #22 for GOST2012 signature support (does it cover your use cases?).

Support for GOST cryptoalgorithms in newer Ruby versions should be done in Ruby itself, unfortunately.

@ekzobrain
Contributor

@slim1979 What version of Ruby do you need? Signer supports gost2012 (for SMEV, as I guess?), but you have to use a patched version of Ruby (to be able to use the proper key formats and algorithms) and openssl-gost >= 1.0 or gostengy (CryptoPro).
We have a patch for Ruby 2.5 to support these. I may provide links if you still need it.

@slim1979
Author

@netcitylife it will be good) I'm on 2.5.2 with gost 2012. I found a Python signer and am successfully using it for now, but would be pleased to see a Ruby signer.

@ekzobrain
Contributor

ekzobrain commented Aug 20, 2019

Ruby OpenSSL Gost Docker image - it uses Ruby 2.5 and OpenSSL GOST + Gostengy (the engine from CryptoPro that connects OpenSSL to CryptoPro CSP, if you need to use a certified solution). You may also find a patch for Ruby 2.5 there, if you want to install Ruby and OpenSSL manually.
Be aware that both engines (gost and gostengy) cannot be used at the same time. If you wish to use this image, you will have to comment out the unused engine manually.

@ekzobrain
Contributor

ekzobrain commented Aug 20, 2019

This is a Signer extension to support SMEV 3. You will need to add this dependency to your project: https://github.com/Imomoi/xml_normalizer_rb

require 'signer'
# Also requires the xml_normalizer_rb gem linked above (provides XMLNormalizer).

class Smev3Signer < Signer
  # SMEV 3 expects the referenced content to be normalized with the
  # urn://smev-gov-ru/xmldsig/transform rules instead of plain C14N.
  def canonicalize(node = document, inclusive_namespaces = nil, algorithm: canonicalize_algorithm)
    xml = super

    # SignedInfo keeps the standard canonicalization from Signer; every
    # other node gets the SMEV normalization applied on top of it.
    xml = XMLNormalizer.new(xml).
      remove_processing_instructions.
      remove_spaces_characters.
      remove_unsed_prefixes.
      to_s.strip if node.node_name != 'SignedInfo'

    xml
  end

  protected

  # Append the SMEV transform to the Reference's Transforms list, after the
  # transforms that Signer adds by default.
  def transform!(transforms_node, options)
    super

    transform_node = Nokogiri::XML::Node.new('Transform', document)
    set_namespace_for_node(transform_node, DS_NAMESPACE, ds_namespace_prefix)
    transform_node['Algorithm'] = 'urn://smev-gov-ru/xmldsig/transform'
    transforms_node.add_child(transform_node)
  end
end

@ekzobrain
Contributor

And code to sign SMEV 3 requests:

# Inputs expected from the caller: xml (the SMEV request as a String),
# cert (OpenSSL::X509::Certificate), key (the matching GOST private key)
# and node_id (the Id attribute of the soap:Body element to digest).
signer                     = Smev3Signer.new(xml, wss: false)
signer.document.encoding   = 'utf-8'
signer.cert                = cert
signer.private_key         = key
signer.security_node       = signer.document.xpath('//ns:CallerInformationSystemSignature', ns: 'urn://x-artefacts-smev-gov-ru/services/message-exchange/types/1.1').first
signer.ds_namespace_prefix = 'ds'
signer.digest_algorithm = signer.signature_digest_algorithm = :gostr34112012_256

# Digest soap:Body tag
signer.document.xpath("//*[@Id='#{node_id}']").each do |node|
  signer.digest!(node)
end

# Sign document itself
signer.sign!(issuer_serial: true)

signer.to_xml
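A pre-flight check for the runtime requirement raised in this thread (a GOST-enabled OpenSSL with the gost or gostengy engine), as an added example that is not part of the issue or of the signer gem. The OpenSSL digest names for the GOST algorithms are assumptions that depend on the engine build, and `DIGEST_NAMES`, `digest_available?`, `loaded_engine_ids` and `preflight!` are names introduced here:

```ruby
require 'openssl'

# Signer digest symbols (as used in the signing snippet above) mapped to the
# OpenSSL digest names the GOST engines commonly register. The GOST names
# are an assumption for this example; they vary between engine builds.
DIGEST_NAMES = {
  sha256:            'sha256',
  gostr3411:         'md_gost94',
  gostr34112012_256: 'md_gost12_256',
  gostr34112012_512: 'md_gost12_512'
}.freeze

# True if the OpenSSL linked into this Ruby can instantiate the digest.
# OpenSSL::Digest.new raises for names no engine has registered.
def digest_available?(openssl_name)
  OpenSSL::Digest.new(openssl_name)
  true
rescue StandardError
  false
end

# Ids of the OpenSSL engines visible to Ruby; empty when this build has no
# ENGINE support at all (e.g. OpenSSL 3 without the legacy engine API).
def loaded_engine_ids
  return [] unless defined?(OpenSSL::Engine)
  OpenSSL::Engine.load
  OpenSSL::Engine.engines.map(&:id)
rescue StandardError
  []
end

# Availability of every algorithm in DIGEST_NAMES, keyed by Signer symbol.
def digest_support_report
  DIGEST_NAMES.transform_values { |name| digest_available?(name) }
end

# Fail fast before constructing a Signer: an unsupported digest would
# otherwise surface only inside digest!/sign!, with a less useful message.
def preflight!(algorithm)
  name = DIGEST_NAMES.fetch(algorithm) { raise ArgumentError, "unknown algorithm #{algorithm.inspect}" }
  return name if digest_available?(name)
  raise "#{name} is not available in this OpenSSL (engines loaded: #{loaded_engine_ids.inspect}); " \
        'a GOST-enabled OpenSSL with the gost or gostengy engine is required'
end

if $PROGRAM_NAME == __FILE__
  digest_support_report.each { |algo, ok| puts "#{algo}: #{ok ? 'available' : 'missing'}" }
end
```

Call `preflight!(:gostr34112012_256)` before `Smev3Signer.new` so a misconfigured host fails with a clear error instead of producing an unverifiable signature.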
