КЕП

ВИКОРИСТАННЯ

Розпакування файлу підпису

 > {_,bin} = :file.read_file("file.p7s")
 {:ok,<<...>>}
 > {_,{:ContentInfo,_,cert}} = :"KEP".decode(:"ContentInfo", bin)
 {:ok,
  {:ContentInfo, {1, 2, 840, 113549, 1, 7, 2},
   <<48, 130, 36, 107, 2, 1, 1, 49, 14, 48, 12, 6, 10, 42, 134, 36, 2, 1, 1, 1,
    1, 2, 1, 48, 11, 6, 9, 42, 134, 72, 134, 247, 13, 1, 7, 1, 160, 130, 6, 192 ,
    48, 130, 6, 188, 48, ...>>}}
 > :"KEP".decode(:SignedData, cert)
 {:ok,
  {:SignedData, :v1,
   [{:AlgorithmIdentifier, {1, 2, 804, 2, 1, 1, 1, 1, 2, 1}, :asn1_NOVALUE}],
   {:EncapsulatedContentInfo, {1, 2, 840, 113549, 1, 7, 1}, :asn1_NOVALUE},...}}

Розпакування сертифікату

 > {_,bin} = :file.read_file("EU-2B6C7DF9A3891DA104000000C1401B0094F9F000.cer")
 {:ok,<<...>>}
 > :"AuthenticationFramework".decode(:Certificate, bin)
 {:ok,
  {:Certificate,
   {:Certificate_toBeSigned, :v3,
    247906057610293349115230444103114669459234222080,
    {:AlgorithmIdentifier, {1, 2, 804, 2, 1, 1, 1, 1, 3, 1, 1}, :asn1_NOVALUE},
    {:rdnSequence,...}}}}

СПЕЦИФІКАЦІЯ

Специфікація на конверт:


 KEP DEFINITIONS IMPLICIT TAGS ::=

 BEGIN

 IMPORTS Attribute, Name
   FROM  InformationFramework
         {joint-iso-itu-t ds(5) module(1) informationFramework(1) 3}
         AlgorithmIdentifier, AttributeCertificate, Certificate, CertificateList,
         CertificateSerialNumber, HASH{}, SIGNED{}, Extensions, Version
    FROM AuthenticationFramework
         {joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3}
         PolicyInformation, CRLReason
    FROM CertificateExtensions;

 ContentInfo ::= SEQUENCE {
   contentType ContentType,
   content [0] EXPLICIT ANY DEFINED BY contentType }

 UnknownInfo ::= NULL

 CrlValidatedID ::= SEQUENCE {
   crlHash OtherHash,
   crlIdentifier CrlIdentifier OPTIONAL}

 OtherHash ::= CHOICE {
   sha1Hash OtherHashValue,
   otherHash OtherHashAlgAndValue}

 OcspListID ::= SEQUENCE {
   ocspResponses SEQUENCE OF OcspResponsesID}

 OcspResponsesID ::= SEQUENCE {
   ocspIdentifier OcspIdentifier,
   ocspRepHash OtherHash OPTIONAL }

 OtherRevRefs ::= SEQUENCE {
   otherRevRefType OtherRevRefType,
   otherRevRefs ANY DEFINED BY otherRevRefType }

 OcspIdentifier ::= SEQUENCE {
   ocspResponderID ResponderID,
   producedAt GeneralizedTime }

 OtherRevRefType ::= OBJECT IDENTIFIER
 ContentType  ::= OBJECT IDENTIFIER
 id-data          OBJECT IDENTIFIER ::= {1 2 840 113549 1 7 1}
 id-signedData    OBJECT IDENTIFIER ::= {1 2 840 113549 1 7 2}
 id-contentType   OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 3}
 id-messageDigest OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 4}
 id-signingTime   OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 5}

 id-aa-signTSToken        OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 14}
 id-aa-ets-sigPolicyId    OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 15}
 id-aa-ets-ContentTS      OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 20}
 id-aa-ets-certRefs       OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 21}
 id-aa-ets-revocationRefs OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 22}
 id-aa-ets-certValues     OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 23}
 id-aa-ets-revoValues     OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 24}
 id-aa-signingCertV2      OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 2 47}
 id-spq-ets-uri           OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 5 1}
 id-spq-ets-unotice       OBJECT IDENTIFIER ::= {1 2 840 113549 1 9 16 5 2}

 CMSVersion ::= INTEGER {v0(0), v1(1), v2(2), v3(3), v4(4), v5(5)}

 gost34311 OBJECT IDENTIFIER ::= {iso(1) member-body(2) ua(804)
   root(2) security(1) cryptography(1) pki(1) pki-alg(1) pki-alg-hash (2) 1}

 OTHER-NAME ::= TYPE-IDENTIFIER
 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

 GeneralName ::= CHOICE {
   otherName                  [0]  INSTANCE OF OTHER-NAME,
   rfc822Name                 [1]  IA5String,
   dNSName                    [2]  IA5String,
   directoryName              [4]  Name,
   uniformResourceIdentifier  [6]  IA5String,
   iPAddress                  [7]  OCTET STRING,
   registeredID               [8]  OBJECT IDENTIFIER }

 TSAPolicyId ::= OBJECT IDENTIFIER
 SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
 KeyIdentifier ::= OCTET STRING
 SubjectKeyIdentifier ::= KeyIdentifier
 RevocationInfoChoices ::= SET OF CertificateList
 SignerInfos ::= SET OF SignerInfo
 CertificateSet ::= SET OF Certificate

 SignedData ::= SEQUENCE {
   version CMSVersion,
   digestAlgorithms DigestAlgorithmIdentifiers,
   encapContentInfo EncapsulatedContentInfo,
   certificates [0] IMPLICIT CertificateSet OPTIONAL,
   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
   signerInfos SignerInfos }

 EncapsulatedContentInfo ::= SEQUENCE {
   eContentType ContentType,
   eContent [0] EXPLICIT OCTET STRING OPTIONAL }

 SignerInfo ::= SEQUENCE {
   version CMSVersion,
   sid SignerIdentifier,
   digestAlgorithm DigestAlgorithmIdentifier,
   signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
   signatureAlgorithm SignatureAlgorithmIdentifier,
   signature OCTET STRING,
   unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

 SignerIdentifier ::= CHOICE {
   issuerAndSerialNumber IssuerAndSerialNumber,
   subjectKeyIdentifier [0] SubjectKeyIdentifier }

 IssuerAndSerialNumber ::= SEQUENCE {
   issuer Name,
   serialNumber INTEGER }

 Hash ::= OCTET STRING
   IssuerSerial ::= SEQUENCE {
   issuer GeneralNames,
   serialNumber CertificateSerialNumber}

 ESSCertIDv2 ::= SEQUENCE {
   hashAlgorithm AlgorithmIdentifier,
   certHash Hash,
   issuerSerial IssuerSerial}

 OtherHashValue ::= OCTET STRING
 OtherHashAlgAndValue ::= SEQUENCE {
   hashAlgorithm AlgorithmIdentifier,
   hashValue OtherHashValue }

 SPuri ::= IA5String

 SigPolicyId ::= OBJECT IDENTIFIER
 SigPolicyHash ::= OtherHashAlgAndValue
 SigPolicyQualifierId ::= OBJECT IDENTIFIER

 SignaturePolicyIdentifier ::= CHOICE {
   signaturePolicy SignaturePolicyId }

 SigPolicyQualifierInfo ::= SEQUENCE {
   sigPolicyQualifierId SigPolicyQualifierId,
   sigQualifier ANY DEFINED BY sigPolicyQualifierId }

 SignaturePolicyId ::= SEQUENCE {
   sigPolicyId SigPolicyId,
   sigPolicyHash SigPolicyHash OPTIONAL }

 DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
 DigestAlgorithmIdentifier ::= AlgorithmIdentifier
 CertificateSerialNumber ::= INTEGER
 SignedAttributes ::= SET SIZE (1..MAX) OF Attribute
 UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute
 AttributeValue ::= ANY
 MessageDigest ::= OCTET STRING
 SignaturePolicyImplied ::= NULL

 Attribute ::= SEQUENCE {
   attrType OBJECT IDENTIFIER,
   attrValues SET OF AttributeValue }

 SigningCertificateV2 ::= SEQUENCE {
   certs SEQUENCE OF ESSCertIDv2,
   policies SEQUENCE OF PolicyInformation OPTIONAL }

 DisplayText ::= CHOICE {
   visibleString VisibleString (SIZE (1..200)),
   bmpString BMPString (SIZE (1..200)),
   utf8String UTF8String (SIZE (1..200))}

 CrlOcspRef ::= SEQUENCE {
   crlids     [0] CRLListID OPTIONAL,
   ocspids    [1] OcspListID OPTIONAL,
   otherRev   [2] OtherRevRefs OPTIONAL }

 CrlIdentifier ::= SEQUENCE {
   crlissuer Name,
   crlIssuedTime UTCTime,
   crlNumber INTEGER OPTIONAL }

 BasicOCSPResponse ::= SEQUENCE {
   tbsResponseData ResponseData,
   signatureAlgorithm AlgorithmIdentifier,
   signature BIT STRING,
   certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL}

 ResponseData ::= SEQUENCE {
   version [0] EXPLICIT Version DEFAULT v1,
   responderID ResponderID,
   producedAt GeneralizedTime,
   responses SEQUENCE OF SingleResponse,
   responseExtensions [1] EXPLICIT Extensions OPTIONAL} 

 ResponderID ::= CHOICE {
   byName [1] Name,
   byKey [2] KeyHash}

 KeyHash ::= OCTET STRING

 CertID ::= SEQUENCE {
   hashAlgorithm AlgorithmIdentifier,
   issuerNameHash OCTET STRING,
   issuerKeyHash OCTET STRING,
   serialNumber CertificateSerialNumber}

 CertStatus ::= CHOICE {
   good [0] IMPLICIT NULL,
   revoked [1] IMPLICIT RevokedInfo,
   unknown [2] IMPLICIT UnknownInfo }

 RevokedInfo ::= SEQUENCE {
   revocationTime GeneralizedTime,
   revocationReason [0] EXPLICIT CRLReason OPTIONAL }

 SingleResponse ::= SEQUENCE {
   certID CertID,
   certStatus CertStatus,
   thisUpdate GeneralizedTime,
   nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
   singleExtensions [1] EXPLICIT Extensions OPTIONAL }

 RevocationValues ::= SEQUENCE {
   crlVals       [0] SEQUENCE OF CertificateList OPTIONAL,
   ocspVals      [1] SEQUENCE OF BasicOCSPResponse OPTIONAL,
   otherRevVals  [2] OtherRevVals OPTIONAL}

 OtherRevValType ::= OBJECT IDENTIFIER
 OtherRevVals ::= SEQUENCE { otherRevValType OtherRevValType }
 CRLListID ::= SEQUENCE { crls SEQUENCE OF CrlValidatedID}

 MessageImprint ::= SEQUENCE {
   hashAlgorithm AlgorithmIdentifier,
   hashedMessage OCTET STRING }

 TimeStampReq ::= SEQUENCE {
   version           INTEGER { v1(1) },
   messageImprint    MessageImprint,
   reqPolicy         TSAPolicyId OPTIONAL,
   nonce             INTEGER OPTIONAL,
   certReq           BOOLEAN DEFAULT FALSE,
   extensions    [0] IMPLICIT Extensions OPTIONAL}

 END

БІБЛІОТЕКА ВЕРИФІКАЦІЇ

Для перевірки електронного підпису на стороні Erlang-сервера МІА:Документообіг ми використовуємо програмне забезпечення ТОВ "Автор", сертифіковане ДССЗЗІ.

БІБЛІОТЕКИ ПІДПИСУ

Для здійснення криптографічної операції підпису електронного документу за допомогою фізичного пристрою на стороні веб-клієнта МІА:Документообіг ми підтримуємо криптографічні бібліотеки основних українських криптопровайдерів, сертифіковані ДССЗЗІ:

ТОВ "Автор" (Київ)
АТ "ІІТ" (Харків)