From 2517eb1a34822353a2308802a5efa0e49dde0696 Mon Sep 17 00:00:00 2001 From: alashkova Date: Mon, 24 Feb 2025 15:43:55 +0300 Subject: [PATCH] =?UTF-8?q?SUPPORT-8941.=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2?= =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D0=BE=20=D0=BF=D0=BE=D0=BB=D1=83=D1=87=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D0=B5=20=D0=BD=D0=B0=D0=B7=D0=B2=D0=B0=D0=BD=D0=B8?= =?UTF-8?q?=D1=8F=20=D0=B8=20=D1=82=D0=B8=D0=BF=D0=B0=20=D0=BF=D1=80=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D0=B9=D0=B4=D0=B5=D1=80=D0=B0=20=D0=B8=D0=B7=20?= =?UTF-8?q?=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80=D0=B0=D1=86?= =?UTF-8?q?=D0=B8=D0=BE=D0=BD=D0=BD=D0=BE=D0=B3=D0=BE=20=D1=84=D0=B0=D0=B9?= =?UTF-8?q?=D0=BB=D0=B0=20(=D0=BF=D0=BE=D0=B4=D0=BF=D0=B8=D1=81=D1=8C)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 ++ conf/ervu-sign-module.conf.example | 2 ++ src/main_conf.c | 22 ++++++++++++++++++++++ src/main_conf.h | 2 ++ src/modules/service_sign.c | 6 ++++-- src/modules/service_sign.h | 3 ++- src/service_manager.c | 2 +- src/utils/cryptopro.c | 7 ++++--- src/utils/cryptopro.h | 9 +++++++-- src/utils/uuid.c | 4 ++-- src/utils/uuid.h | 2 +- 11 files changed, 49 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index a4b27e3..7b5c8a7 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,8 @@ cmake -DCONFIG_NAME=/opt/ervu-sign-module.conf .. - В секции **\[main\]** задать общие настройки: worker_processes = 10 *\# количество воркеров (значение по умолчанию: 10)* cp_file = libcapi20.so *\# путь до файла библиотеки криптопровайдера* +cp_name = Crypto-Pro GOST R 34.10-2012 KC2 CSP *\# название криптопровайдера* +cp_type = 80 *\# тип криптопровайдера* - В секции **\[fcgi\]** задать настройки fcgi-сервера: fcgi_listen_port = 9009 *\# значение по умолчанию: 9009, должно совпадать со значением в nginx.conf* diff --git a/conf/ervu-sign-module.conf.example b/conf/ervu-sign-module.conf.example index 5d32295..0fa7d13 100644 
--- a/conf/ervu-sign-module.conf.example +++ b/conf/ervu-sign-module.conf.example @@ -1,6 +1,8 @@ [main] #worker_processes = 10 cp_file = /opt/cprocsp/lib/amd64/libcapi20.so +#cp_name = Crypto-Pro GOST R 34.10-2012 KC2 CSP +#cp_type = 80 [fcgi] fcgi_listen_port = 9009 diff --git a/src/main_conf.c b/src/main_conf.c index 1238982..8f2c5bb 100644 --- a/src/main_conf.c +++ b/src/main_conf.c @@ -7,9 +7,14 @@ #define MAIN_CONF_SECTION "main" #define MAIN_CONF_KEY_WORKER_PROCESSES "worker_processes" #define MAIN_CONF_KEY_CP_FILE "cp_file" +#define MAIN_CONF_KEY_CP_NAME "cp_name" +#define MAIN_CONF_KEY_CP_TYPE "cp_type" /* default configuration values: */ static const int FCGI_CONF_DEFAULT_WORKER_PROCESSES = 10; +static const char* MAIN_CONF_DEFAULT_CP_NAME = "Crypto-Pro GOST R 34.10-2012 KC2 CSP"; +static const unsigned int MAIN_CONF_DEFAULT_CP_TYPE = 80; + static char* copy_filename(const char *filename) @@ -50,6 +55,22 @@ main_conf_load(main_conf_t* conf, const char *filename, const conf_file_context_ CONF_FILE_VALUE_NONE, NULL }, + { + MAIN_CONF_SECTION, + MAIN_CONF_KEY_CP_NAME, + &(conf->cp_name), + CONF_FILE_VALUE_STRING, + CONF_FILE_VALUE_NONE, + &MAIN_CONF_DEFAULT_CP_NAME + }, + { + MAIN_CONF_SECTION, + MAIN_CONF_KEY_CP_TYPE, + &(conf->cp_type), + CONF_FILE_VALUE_INTEGER, + CONF_FILE_VALUE_NONE, + &MAIN_CONF_DEFAULT_CP_TYPE + }, }; if (conf_file_load_values(conf_file, fields, sizeof(fields) / sizeof(conf_file_field_t))) { @@ -82,6 +103,7 @@ main_conf_clear(main_conf_t* conf) } free(conf->cp_file); + free(conf->cp_name); free(conf->conf_file); memset(conf, 0, sizeof(main_conf_t)); } diff --git a/src/main_conf.h b/src/main_conf.h index c0af5d7..283f79f 100644 --- a/src/main_conf.h +++ b/src/main_conf.h @@ -6,6 +6,8 @@ typedef struct main_conf_s { int worker_processes; char *cp_file; /* файл криптопровайдера */ + char *cp_name; /* название криптопровайдера */ + unsigned int cp_type; /* тип криптопровайдера */ char *conf_file; } main_conf_t; 
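Review bot: `free(conf->cp_name)` in main_conf_clear is only safe if conf_file_load_values heap-allocates the string it stores into a CONF_FILE_VALUE_STRING field on the default path as well, i.e. when it falls back to `&MAIN_CONF_DEFAULT_CP_NAME`; if it stores the literal's address directly, that free is undefined behaviour. The loader is not part of this patch, so this needs confirming against it; recording the contract on the new field entry with `/* string default is duplicated by the loader and freed in main_conf_clear() */` would keep the two in step. For `cp_type`, the default is declared `static const unsigned int` while the existing integer default is `static const int`, so confirm that the loader reads the default and writes a CONF_FILE_VALUE_INTEGER field with the same width and signedness. A negative value in the config file would otherwise arrive as a very large unsigned provider type, so range-checking `conf->cp_type` after load, before it reaches CryptAcquireContext, is worth adding.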
diff --git a/src/modules/service_sign.c b/src/modules/service_sign.c index ea237a7..e887d4c 100644 --- a/src/modules/service_sign.c +++ b/src/modules/service_sign.c @@ -121,7 +121,7 @@ sign_conf_clear(sign_conf_t *conf) } HSign -sign_service_create(const sign_conf_t *conf) +sign_service_create(const sign_conf_t *conf, const main_conf_t *main_conf) { LOG_TRACE("sign_service_create enter"); @@ -138,6 +138,8 @@ sign_service_create(const sign_conf_t *conf) cryptopro_context_set(&hsign->cryptopro_ctx, &conf->sign_cert_thumbprint, &conf->sign_cert_password, + main_conf->cp_name, + main_conf->cp_type, &hsign->timer_ctx); if (open_signer_cert(&hsign->cryptopro_ctx)) { @@ -372,7 +374,7 @@ sign_content_with_state(const sign_service_t *hsign, fcgi_sign_request_t *req_in LOG_TRACE("sign_content_with_state enter"); - state = generate_uuid4(); + state = generate_uuid4(&hsign->cryptopro_ctx); if (state == NULL) { goto error; } diff --git a/src/modules/service_sign.h b/src/modules/service_sign.h index 3bbd02c..b5da5a2 100644 --- a/src/modules/service_sign.h +++ b/src/modules/service_sign.h @@ -1,6 +1,7 @@ #ifndef SERVICE_SIGN_H_INCLUDED #define SERVICE_SIGN_H_INCLUDED +#include "main_conf.h" #include "fcgisrv/fcgi_server.h" #include "utils/conf_file_context.h" @@ -19,7 +20,7 @@ typedef struct sign_conf_s { int sign_conf_load(sign_conf_t *conf, const conf_file_context_t conf_file); void sign_conf_clear(sign_conf_t *conf); -HSign sign_service_create(const sign_conf_t *conf); +HSign sign_service_create(const sign_conf_t *conf, const main_conf_t *main_conf); void sign_service_free(HSign hsign); fcgi_handler_status_t fcgi_sign_handler(FCGX_Request* request, void* ctx); diff --git a/src/service_manager.c b/src/service_manager.c index 03092e6..608e583 100644 --- a/src/service_manager.c +++ b/src/service_manager.c 
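Review bot: sign_service_create reads `main_conf->cp_name` and `main_conf->cp_type` in the hunk at line 138 without checking the new `main_conf` parameter for NULL; an `assert(main_conf != NULL);` beside the LOG_TRACE at the top of the function, in the same style as the `assert(ctx != NULL)` in cryptopro_context_set, makes the precondition explicit (whether `conf` is checked is outside the hunk). cryptopro_context_set stores `main_conf->cp_name` by pointer rather than copying it, so hsign now aliases memory that main_conf_clear frees; a comment at the call, `/* cp_name is aliased, not copied: main_conf must outlive hsign */`, plus a check that service teardown frees hsign before clearing main_conf, would prevent a dangling read. The body of sign_service_create continues outside both hunks.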
@@ -239,7 +239,7 @@ init_services(service_manager_t* services, const service_manager_conf_t* service } /* sign service */ - services->hsign = sign_service_create(&services_cf->sign_cf); + services->hsign = sign_service_create(&services_cf->sign_cf, &services_cf->main_cf); if (services->hsign == NULL) { goto error; } diff --git a/src/utils/cryptopro.c b/src/utils/cryptopro.c index f059553..7ffa51f 100644 --- a/src/utils/cryptopro.c +++ b/src/utils/cryptopro.c @@ -809,15 +809,16 @@ exit: } int -cryptopro_gen_random(unsigned char* data, size_t len) +cryptopro_gen_random(const cryptopro_context_t *ctx, unsigned char* data, size_t len) { HCRYPTPROV hCryptProv = 0; LOG_TRACE("cryptopro_gen_random enter"); - if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, NULL, PROV_GOST_2012_256, + if (!cp_function_list.CryptAcquireContext(&hCryptProv, NULL, ctx->provider, ctx->prov_type, CRYPT_VERIFYCONTEXT)) { - LOG_ERROR("CryptAcquireContext() failed"); + LOG_ERROR("CryptAcquireContext() failed. provider: '%s', prov_type: %u", + ctx->provider, ctx->prov_type); goto error; } diff --git a/src/utils/cryptopro.h b/src/utils/cryptopro.h index 5919fc6..efe129a 100644 --- a/src/utils/cryptopro.h +++ b/src/utils/cryptopro.h @@ -12,6 +12,8 @@ typedef struct cryptopro_context_s { const str_t *cert_thumbprint; const str_t *password; + const char *provider; + unsigned int prov_type; timer_context_t *timer_ctx; HCERTSTORE cert_store; @@ -22,12 +24,15 @@ typedef struct cryptopro_context_s { static inline void cryptopro_context_set(cryptopro_context_t *ctx, const str_t *cert_thumbprint, - const str_t *password, timer_context_t *timer_ctx) + const str_t *password, const char *provider, unsigned int prov_type, + timer_context_t *timer_ctx) { assert(ctx != NULL); ctx->cert_thumbprint = cert_thumbprint; ctx->password = password; + ctx->provider = provider; + ctx->prov_type = prov_type; ctx->timer_ctx = timer_ctx; } 
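Review bot: `ctx` is dereferenced in the CryptAcquireContext call and again in the new LOG_ERROR arguments without any check, and the one caller introduced by this patch, generate_uuid4, forwards a `const void *` it never validates; an `assert(ctx != NULL);` next to the LOG_TRACE, as cryptopro_context_set already does for its context, enforces the precondition. The new message hands `ctx->provider` to `%s`; CryptAcquireContext accepts a NULL provider name as "use the default provider", but NULL with `%s` is undefined behaviour, so log it as `ctx->provider ? ctx->provider : "(default)"`. The error label and return value of cryptopro_gen_random lie outside the hunk.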
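Review bot: cryptopro_context_set now stores `provider` as a bare pointer, so the context aliases a string it does not own, and nothing in the header says so; the caller in this patch passes `main_conf->cp_name`, which main_conf_clear frees. A doc comment above the inline function such as `/* provider is kept by reference, not copied; it must remain valid for the lifetime of ctx */`, with a matching note on the `provider` field in the struct hunk above, would make the ownership rule visible to future callers. The struct definition is only partly inside the hunk.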
@@ -41,6 +46,6 @@ int cryptopro_sign(const cryptopro_context_t *ctx, const str_t *data, /*out*/ st int cryptopro_verify(const str_t* cert_thumbprint, const str_t* alg, const str_t *data, const str_t *sign, bool* is_verified, char** verify_error); -int cryptopro_gen_random(unsigned char* data, size_t len); +int cryptopro_gen_random(const cryptopro_context_t *ctx, unsigned char* data, size_t len); #endif // CRYPTOPRO_H_INCLUDED diff --git a/src/utils/uuid.c b/src/utils/uuid.c index 21149c9..2b86b20 100644 --- a/src/utils/uuid.c +++ b/src/utils/uuid.c @@ -76,7 +76,7 @@ uuid_pack(const struct uuid *uu, uuid_t ptr) } char* -generate_uuid4() +generate_uuid4(const void *crypt_ctx) { char *uuid; uuid_t buf; @@ -91,7 +91,7 @@ generate_uuid4() goto error; } - if (cryptopro_gen_random(buf, sizeof(buf))) { + if (cryptopro_gen_random(crypt_ctx, buf, sizeof(buf))) { goto error; } diff --git a/src/utils/uuid.h b/src/utils/uuid.h index 290aa43..e081cb0 100644 --- a/src/utils/uuid.h +++ b/src/utils/uuid.h @@ -2,6 +2,6 @@ #define UUID_H_INCLUDED // generates uuid version 4 -char* generate_uuid4(); +char* generate_uuid4(const void *crypt_ctx); #endif // UUID_H_INCLUDED \ No newline at end of file
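Review bot: `generate_uuid4` takes `const void *crypt_ctx` and passes it straight to cryptopro_gen_random, which expects `const cryptopro_context_t *`; the implicit conversion from `void *` compiles silently, so any pointer type can be passed without a diagnostic. Forward-declaring `struct cryptopro_context_s;` in uuid.h and typing the parameter `const struct cryptopro_context_s *crypt_ctx` keeps the header free of cryptopro.h while restoring type checking, and applies equally to the prototype in the uuid.h hunk. The function also forwards `crypt_ctx` without a NULL check, which deserves an `assert(crypt_ctx != NULL);` or a stated precondition, since the result feeds the `state` value in sign_content_with_state. The body of generate_uuid4 continues outside the hunks.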
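Review bot: The comment `// generates uuid version 4` no longer describes the contract now that the function takes a context argument; extend it to `// generates uuid version 4 using the cryptopro context as the random source; crypt_ctx must not be NULL` and, if the caller owns the returned string, state that there too. The file also still ends without a trailing newline after `#endif`, which the patch leaves in place.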