"I think nobody looks as deep into the code as you do."
Christian Hohnstädt, developer of XCA (programming, translation, testing)

What do an X.509 certificate and a citizen's passport have in common?
What do a passport office and a certification authority have in common?
The main function of a certification authority (CA) is creating and maintaining certificates of electronic-signature verification keys (in Russian legal terminology, СКПЭП). This also includes generating key pairs at the request of certificate holders. Let me make a reservation right away: in my conviction, this last service of a CA is harmful and dangerous.
Anyone who has received a certificate together with a key pair (a private key and a public key, the latter also called the electronic-signature verification key) from a CA can at any moment repudiate his electronic signature (ES) on a document, claiming that the key could have been stolen at the CA at the moment it was generated. Therefore the key pair should either be generated by the owner himself and guarded like the apple of his eye, or, if it is generated at the CA, only on a PKCS#11 token/smart card from which the private key cannot be extracted.
Note that a CA issues certificates according to the X.509 v3 standard (RFC 5280).
In general, the functions of a CA practically coincide with those of a passport office, which in Russia belongs to the Ministry of Internal Affairs.
A certificate, like a passport, is issued on the basis of an application and a set of documents. The list of documents needed to obtain a certificate can be found at any certification authority accredited by the Ministry of Communications.

So what are the main things in a certificate? First, it carries a serial number assigned by the issuer, information about the citizen (including both SNILS and INN, the tax number), and an analogue of the citizen's photo and handwritten signature: the public key, i.e. the ES verification key. All of this is certified by the CA's electronic signature. The document (file) received this way is what is called the certificate. You will ask: where is the private key, the one actually used to put an electronic signature under a document? As said above, the private key must be kept by the citizen himself on electronic media (a flash drive, a token/smart card). This is similar to the way only he knows how to produce his handwritten signature, which is why one can say with full confidence that the signature on a document is the citizen's. Oddly enough, it is the same with an electronic signature: only the holder of the private key can produce it, and anyone can take the public key from the certificate and verify whether the document was signed by him.

Why are X.509 certificates needed?

For legal entities and citizens of the Russian Federation everything is clear. But why would an employee of a particular enterprise need an ES verification certificate? It turns out, for a great many things. A personal certificate (certificate plus key pair) stored on a token or smart card with a PKCS#11 interface can serve as a pass onto the enterprise premises, grant access to computers, sign and encrypt documents, open the personal account on the enterprise portal and the corporate VPN services, and give authenticated HTTPS access to the enterprise portal. So there is no need at all to go far afield, to a CA accredited by the Ministry of Communications and Mass Media, to obtain a certificate outside the enterprise. On the other hand, deploying a full-scale CA at a small or medium-sized enterprise is not only far from cheap, it is like shooting sparrows with a cannon. A small enterprise does not need most of the functions of such a complex: scalability, backup, separation of privileges and so on.
Prerequisites for the appearance of XCA (X Certificate and key management)
To issue X.509 v3 certificates one can use the widely used OpenSSL command-line utility. In particular, it can:
- generate keys (for example, openssl genrsa ...);
- generate a request for an X.509 v3 certificate in PKCS#10 format;
- issue X.509 v3 certificates;
- produce lists of revoked certificates (CRL);
- and so on.
A closer look shows that these are all functions of a CA; moreover, one of the openssl subcommands, namely ca, is by itself a CA with the minimum necessary functionality:
$ openssl ca -md <hash> -in <req_file> -out <cert_file>
where:
- ca is the openssl subcommand of the same name;
- -md names the hash function (sha1, sha512, gosthash, ...) used when signing the issued certificate of the ES verification key;
- -in says that the certificate request for the ES verification key is to be read from the file <req_file>;
- -out says that the issued certificate is to be written to the file <cert_file>.
The drawbacks of such a CA are just as obvious:
- a large number of commands, and an even larger number of command parameters; at least five commands are needed just to issue one certificate;
- a rather complicated configuration file, openssl.cnf;
- and, most importantly, no single store (database) of certificates beyond the flat index.txt file that openssl ca maintains, which makes managing certificates very difficult.
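The OpenSSL-only CA described above, as an added example (this is not code from the original article or from the XCA project): a POSIX shell script that builds a throwaway CA under a directory and walks through exactly the commands the text counts: key generation, a PKCS#10 request, signing with openssl ca, verification, revocation and CRL generation. The directory layout, the minimal openssl.cnf it writes, and the names "Demo Root CA", "Example Corp" and "Ivan Ivanov" are constructed for the example; the only dependency is the openssl binary.

```shell
#!/bin/sh
# Added example, not from the article or the XCA project: a throwaway CA driven
# only by the openssl command line. Everything lives under the directory given
# as $1; the config, the DN values and the "employee" are constructed sample data.

# Run one command silently; report which step failed.
step() { "$@" >/dev/null 2>&1 || { echo "failed: $*" >&2; return 1; }; }

# Write the minimal openssl.cnf that `openssl ca` insists on: a flat-file
# "database" (index.txt), a serial counter and a CRL counter next to the CA key.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName       = supplied
organizationName = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth, emailProtection
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
EOF
}

demo_ca() {
    work=$1; cnf=$work/openssl.cnf
    mkdir -p "$work/newcerts" || return 1
    : > "$work/index.txt"; echo 01 > "$work/serial"; echo 01 > "$work/crlnumber"
    write_ca_config "$work"

    # 1. CA key pair and self-signed root certificate (CA:TRUE, keyCertSign).
    step openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cnf" -extensions v3_ca -subj "/CN=Demo Root CA/O=Example Corp" \
        -keyout "$work/ca.key" -out "$work/ca.crt" || return 1
    # 2. Employee key pair: generated on the employee's side, not by the CA.
    step openssl genrsa -out "$work/emp.key" 2048 || return 1
    # 3. PKCS#10 request for the employee's ES verification key.
    step openssl req -new -key "$work/emp.key" -config "$cnf" \
        -subj "/CN=Ivan Ivanov/O=Example Corp" -out "$work/emp.csr" || return 1
    # 4. The command from the text; -batch answers the interactive prompts.
    step openssl ca -batch -config "$cnf" -md sha256 -notext \
        -in "$work/emp.csr" -out "$work/emp.crt" || return 1
    # 5. Check that the issued certificate chains to the root.
    step openssl verify -CAfile "$work/ca.crt" "$work/emp.crt" || return 1
    # 6. Revoke it (the index.txt line flips from V to R) and publish a CRL.
    step openssl ca -config "$cnf" -revoke "$work/emp.crt" || return 1
    step openssl ca -config "$cnf" -gencrl -out "$work/ca.crl" || return 1
    grep -q '^R' "$work/index.txt" || return 1
    openssl crl -in "$work/ca.crl" -noout -text | grep -q 'Serial Number: 01'
}

demo_ca "${1:-$(mktemp -d)}" && echo "demo CA built, certificate issued and revoked"
```

Saved as, say, demo_ca.sh, it is run as `sh demo_ca.sh /path/to/empty/dir`. Even this minimal CA needs its own configuration file and three bookkeeping files (index.txt, serial, crlnumber) before openssl ca will sign anything, which is precisely the overhead the list above complains about.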
The NSS (Network Security Services) project, which is widely used for certificate handling in Mozilla's projects, Google's Chrome browser and elsewhere, is in this respect essentially the same as OpenSSL; it differs for the better only on the last point, since it does keep a certificate database. And if we are talking about convenience, what is needed is a single graphical interface, based on the X Window System, for issuing and managing certificates, that is, a certification authority. (The X Window System is a windowing system that provides the standard tools and protocols for building graphical user interfaces.)
XCA functionality

To store the CA's objects, XCA creates a password-protected database.
The graphical interface of XCA as a certification authority is implemented as five functional tabs (Private Keys, Certificate signing requests, Certificates, Templates, Revocation lists) and two drop-down menus.

It is fair to say that the XCA graphical application is a full-fledged center for issuing and managing certificates (below, the XCA CA).
On support for the Russian cryptographic algorithms in XCA
Next, we were interested in supporting the Russian cryptographic algorithms in the XCA CA. Had this happened before 2012, everything would have been fine: by then the OpenSSL project already supported GOST R 34.10-2001, GOST R 34.11-94 and GOST 28147-89. But in 2012 the new signature and hash algorithms GOST R 34.10-2012 and GOST R 34.11-2012 were approved, and in 2015 the new block ciphers Kuznyechik and Magma (GOST R 34.12-2015) together with their modes of operation (GOST R 34.13-2015).
Unfortunately, at the time of writing OpenSSL does not support the new Russian algorithms. There are two ways to solve this. The first is to develop a new engine, analogous to the existing libgost, that supports the new Russian algorithms. The second is to embed the Russian algorithms directly into OpenSSL. From the point of view of implementing the new requirements of TC 26 (ТК-26), at least for PKCS#12 containers, the second way is preferable, since in the first case OpenSSL would have to be modified anyway. Installing the new algorithms means, first of all, adding the Russian OIDs recommended by TC 26 to the OpenSSL project (obj_mac.h):
#define SN_cryptopro   "cryptopro"
#define NID_cryptopro  805
#define OBJ_cryptopro  OBJ_member_body,643L,2L,2L   /* 1.2.643.2.2, CryptoPro arc */
#define SN_cryptocom   "cryptocom"
#define NID_cryptocom  806
#define OBJ_cryptocom  OBJ_member_body,643L,2L,9L   /* 1.2.643.2.9, Cryptocom arc */
#define SN_id_tc26     "id-tc26"
#define NID_id_tc26    958
#define OBJ_id_tc26    OBJ_member_body,643L,7L,1L   /* 1.2.643.7.1, TC 26 arc */
…
Note also the constants introduced for the GOST key types, which are needed to embed the GOST algorithms and their identifiers into XCA through OpenSSL:
#define EVP_PKEY_GOST3410           NID_id_GostR3410_2001      /* GOST R 34.10-2001 */
#define EVP_PKEY_GOST3410_2012_256  NID_id_GostR3410_2012_256  /* GOST R 34.10-2012, 256-bit */
#define EVP_PKEY_GOST3410_2012_512  NID_id_GostR3410_2012_512  /* GOST R 34.10-2012, 512-bit */
The typeList[] array (struct typelist) in NewKey.cpp then looks like this:
static const struct typelist typeList[] = {
    { "RSA", EVP_PKEY_RSA },
    { "DSA", EVP_PKEY_DSA },
#ifndef OPENSSL_NO_EC
    { "EC", EVP_PKEY_EC },
#endif
    /* 34.10-2001 */
    { "GOSTR3410-2001", EVP_PKEY_GOST3410 },
    /* 34.10-2012 256 */
    { "GOSTR3410-2012-256", EVP_PKEY_GOST3410_2012_256 },
    /* 34.10-2012 512 */
    { "GOSTR3410-2012-512", EVP_PKEY_GOST3410_2012_512 },
};
With OpenSSL modified in this way, the Russian cryptographic algorithms can be brought into the XCA CA, and the XCA CA can now perform all CA functions: from generating GOST keys, through issuing certificates, to issuing certificate revocation lists (CRL, СОС in Russian).

It was said above that an enterprise employee should receive the private key and certificate on removable (detachable) media. In the XCA CA such media are tokens/smart cards with a PKCS#11 interface. As far as Russian cryptography is concerned, the project also has to be extended so that PKCS#11 tokens are supported according to the TC 26 recommendations (pkcs11_gost.h):
…
#define NSSCK_VENDOR_PKCS11_RU_TEAM    0xd4321000   /* 0x80000000 | 0x54321000: vendor-defined range */
#define NSSCK_VENDOR_PKSC11_RU_TEAM    NSSCK_VENDOR_PKCS11_RU_TEAM
#define CK_VENDOR_PKCS11_RU_TEAM_TC26  NSSCK_VENDOR_PKCS11_RU_TEAM
…
Deploying the XCA CA in an enterprise
As a result we finally get a fully functional, enterprise-scale CA with complete support for Russian cryptography.
Where should the XCA CA be placed? The most reasonable choice is the HR department or the security service. On being hired, an employee comes to one of these services and receives there a token on which a non-extractable key has been generated

and its certificate has been installed.
As a result, both the CA's self-signed root certificate and the certificates of the company's employees are kept in the XCA CA database.
The database also records where each private key is stored.

A New Year's episode
And so, after a thorough study of the project, on New Year's Eve the following letter was sent to its author, Christian Hohnstädt (the original was in English; a Russian translation accompanied it in the article):
Hello Christian!
We follow the XCA product. We have explored it and are bringing it up to a level where it is adapted to use the Russian cryptographic algorithms. In gratitude for your work we would like to send you a present (a bottle of Russian vodka). But unfortunately we do not know your postal address. Tell us where we can send you the present.
And the author replied:
Thanks, send it to my company's address. I'm usually not at home when the delivery service brings parcels.
Innominate Security Technologies
Christian Hohnstädt
Rudower Chaussee 13
12489 Berlin
Germany

And, of course, our traditional Russian present, a bottle of vodka and a box of chocolates, with a "Lysenko" thrown in, was delivered to the author!!!
But before that there was the letter an excerpt of which opens this article:
If your programmers find problems in my code, let me know about them so that I can fix them. I think nobody looks as deep into the code as you do.
Such an assessment is worth a great deal.
What can be added to this? Only that the XCA CA runs on Linux, Mac OS X, other Unix variants and MS Windows.
P.S. One can only dream of such cooperation and understanding between programmers of two great countries, the Russian Federation and the Federal Republic of Germany.