Integration of digital signatures of the National Certification Center of the Republic of Kazakhstan into information systems based on web technologies

I will talk about the intricacies of introducing an electronic digital signature (EDS) into information systems (IS) built on web technologies, in the context of the National Certification Center of the Republic of Kazakhstan (NCA RK).



The focus will be on producing digital signatures over electronic documents and, accordingly, on NCALayer, the cryptographic software provided by the NCA RK. In particular, I will pay attention to issues related to UX and to the scope of the functionality NCALayer supports.



I will divide the process into the following steps:



  • forming an invariable representation of the document being signed (by "document being signed" I mean any data that needs a signature: a contract, an order form, an authentication form, etc.);
  • signing the document in the web interface using NCALayer;
  • server-side verification of the signature;
  • (if necessary) preparing the signature for long-term storage.


Forming an invariable representation of the document being signed






Depending on the system, the document being signed may take one of several forms, for example:

  • XML, JSON;
  • PDF.





Signing in the web interface using NCALayer



NCALayer is an application installed on the user's machine that exposes a WebSocket server on 127.0.0.1; a page in the browser connects to it and requests cryptographic operations (such as signing) from it.



The NCALayer API is also implemented by other software: for example, KAZTOKEN mobile exposes the same WebSocket API, so a web page written against NCALayer works with it as well.



To avoid working with the NCALayer WebSocket protocol directly, the ncalayer-js-client library wraps it in async functions.



NCALayer exposes two modules: kz.gov.pki.knca.commonUtils and kz.gov.pki.knca.applet.Applet (the latter reproduces the API of the old Java applet). The rest of this section deals with kz.gov.pki.knca.commonUtils.



The functions of kz.gov.pki.knca.commonUtils take the storage type (where the key is located) as a parameter. There are two cases:

  • file storage, identified by the value 'PKCS12';
  • hardware devices (smart cards, USB tokens), whose identifiers are returned by getActiveTokens.


Thus, to choose the storage type when working with NCALayer, the page should:

  • call getActiveTokens; if the returned list is empty, use the 'PKCS12' file storage;
  • if getActiveTokens returns identifiers of connected devices, offer those devices (and, if needed, 'PKCS12' as well) for the user to choose from.


The functions that produce signatures:

  • createCAdESFromBase64: produces a CMS (CAdES) signature over the given data;
  • createCMSSignatureFromBase64: the same, but with a time-stamp (TSP) embedded in the CMS (CAdES) signature;
  • signXml: signs an XML document (XMLDSIG);
  • signXmls: like signXml, but for several XML documents at once.





The functions of kz.gov.pki.knca.commonUtils also take a key type:

  • 'AUTHENTICATION': the authentication key;
  • 'SIGNATURE': the signing key.





Example using ncalayer-js-client:



// NCALayerClient is the class provided by ncalayer-js-client (loaded on the page).
// Returns the base64-encoded CMS (CAdES) signature, or undefined on failure.
async function connectAndSign(base64EncodedData) {
  const ncalayerClient = new NCALayerClient();

  // Connect to the local NCALayer WebSocket server.
  try {
    await ncalayerClient.connect();
  } catch (error) {
    alert(`Failed to connect to NCALayer: ${error.toString()}`);
    return;
  }

  // Ask NCALayer which hardware devices are currently connected.
  let activeTokens;
  try {
    activeTokens = await ncalayerClient.getActiveTokens();
  } catch (error) {
    alert(error.toString());
    return;
  }

  // Use the first connected device; fall back to file storage ('PKCS12') when none.
  const storageType = activeTokens[0] || NCALayerClient.fileStorageType;

  // Produce a CMS (CAdES) signature over the base64-encoded data.
  let base64EncodedSignature;
  try {
    base64EncodedSignature = await ncalayerClient.createCAdESFromBase64(storageType, base64EncodedData);
  } catch (error) {
    alert(error.toString());
    return;
  }

  return base64EncodedSignature;
}












To establish when the document was signed, the signature should carry a TSP time-stamp (createCMSSignatureFromBase64 embeds one in the CMS signature). Without it, the signing time is only a claim made by the signer and cannot be checked.



To make sure the certificate had not been revoked at the time of signing, use a CRL or an OCSP response. This nuance, together with an implementation recommendation, is described in Appendix B, "Placing a Signature At a Particular Point in Time", of RFC 3161.
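The decision rule behind that appendix is easy to state but easy to get wrong when the certificate was revoked after the signature was made. The following added example (my own code, not from the article, NCALayer or RFC 3161) implements it in Node.js over plain objects that stand in for values already parsed from the certificate, the TSP token and a CRL entry or OCSP response: the signing time comes only from a trusted time-stamp, it must fall inside the certificate validity period, a later revocation for an ordinary reason does not invalidate the signature, and a revocation for key compromise invalidates it from the recorded invalidityDate (or, absent one, from the revocation date). The certificate dates, revocation entries and time-stamp tokens are constructed for the example; the field names (notBefore, notAfter, revocationDate, reasonCode, invalidityDate, genTime) mirror the corresponding ASN.1 fields but the object shapes are assumptions of this example.

```javascript
// Added example, not code from the article: checking whether a certificate was
// valid at the (time-stamped) moment of signing, following the reasoning of
// RFC 3161 Appendix B. Inputs are plain objects standing in for values already
// parsed from the certificate, the TSP token and a CRL entry / OCSP response.

// CRLReason codes from RFC 5280 that matter for this decision.
const REASON_KEY_COMPROMISE = 1;
const REASON_CA_COMPROMISE = 2;

// Only a time-stamp token from a trusted TSA gives a signing time worth
// checking against; the signer's own clock proves nothing. Returns null when
// there is no token, so a caller cannot accidentally use a claimed time.
function trustedSigningTime(tspToken) {
  return tspToken && tspToken.genTime instanceof Date ? tspToken.genTime : null;
}

// cert:       { notBefore: Date, notAfter: Date }
// revocation: null when the certificate is not revoked, otherwise
//             { revocationDate: Date, reasonCode: number, invalidityDate?: Date }
// Returns { valid: boolean, reason: string }.
function certStatusAtSigningTime(cert, revocation, signingTime) {
  const t = signingTime.getTime();
  if (t < cert.notBefore.getTime() || t > cert.notAfter.getTime()) {
    return { valid: false, reason: 'signing time outside certificate validity period' };
  }
  if (!revocation) {
    return { valid: true, reason: 'certificate not revoked' };
  }
  // Key or CA compromise: the key is untrusted from the invalidityDate if the CA
  // recorded one, otherwise from the revocation date.
  if (revocation.reasonCode === REASON_KEY_COMPROMISE || revocation.reasonCode === REASON_CA_COMPROMISE) {
    const untrustedFrom = (revocation.invalidityDate || revocation.revocationDate).getTime();
    return t < untrustedFrom
      ? { valid: true, reason: 'signed before the recorded key compromise' }
      : { valid: false, reason: 'key already compromised at signing time' };
  }
  // Any other reason (superseded, cessation of operation, ...): a signature
  // time-stamped before the revocation date remains valid.
  return t < revocation.revocationDate.getTime()
    ? { valid: true, reason: 'revoked only after signing time' }
    : { valid: false, reason: 'certificate revoked before signing time' };
}

// Full decision for one signature: refuse without a time-stamp, then apply the checks.
function verifyAtSigningTime(cert, revocation, tspToken) {
  const signingTime = trustedSigningTime(tspToken);
  if (!signingTime) {
    return { valid: false, reason: 'no TSP time-stamp; signing time cannot be established' };
  }
  return certStatusAtSigningTime(cert, revocation, signingTime);
}

// Constructed sample data (not real certificates, CRL entries or tokens).
const sampleCert = {
  notBefore: new Date('2023-01-01T00:00:00Z'),
  notAfter: new Date('2024-01-01T00:00:00Z'),
};
const revokedCessation = { revocationDate: new Date('2023-09-01T00:00:00Z'), reasonCode: 5 };
const revokedCompromise = {
  revocationDate: new Date('2023-09-01T00:00:00Z'),
  reasonCode: REASON_KEY_COMPROMISE,
  invalidityDate: new Date('2023-05-01T00:00:00Z'),
};
const tspJune = { genTime: new Date('2023-06-01T12:00:00Z') };
const tspOctober = { genTime: new Date('2023-10-01T12:00:00Z') };
```

With these inputs, a June signature on a certificate revoked in September for cessation of operation is still valid, an October signature on the same certificate is not, and a June signature is rejected outright when the revocation entry records a key compromise dating from May. A signature with no time-stamp is rejected regardless of revocation status, which is the practical reason to prefer createCMSSignatureFromBase64 over createCAdESFromBase64 when signatures must be verified after the fact.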



