
Forming a signature for authorization through ESIA with a CryptoPro certificate




Configuring site authorization through ESIA.

Problem: after following the generated link we land on the authorization page, enter the credentials and get an "authorization error"; the page address contains the details:

error_description=esia-007005%3a+the+client+is+not+authorized+to+request+an+access+token+using+this+method

There is a machine with Docker.

Docker container https://hub.docker.com/r/required/cryptopro

The root certificate and the client certificate are installed; there is a trial key for CryptoPro.

The certificate chain is checked by copying the certificate (https://www.altlinux.org/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%9F%D1%80%D0%BE#%D0%9F%D1%80%D0%BE%D0%B2%D0%B5%D1%80%D0%BA%D0%B0_%D1%86%D0%B5%D0%BF%D0%BE%D1%87%D0%BA%D0%B8_%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D0%B2):

cryptcp -copycert -thumbprint "$thumbprint" -df tt.cer

The output:

Certificate chains are checked

ESIA requires a PKCS#7 detached signature over the UTF-8-encoded string, which is then encoded in URL-safe Base64.

Googling, I found this option:

csptest -sfsign -sign -detached -base64 -add -alg "GOST12_256" -in message -out sig

The file is signed; verifying:

csptest -sfsign -verify -detached -base64 -add -alg "GOST12_256" -in message -signature sig

Detached signature was verified OK

Question: what could be the problem? Where should I dig?

UPD: there is a service that is able to sign with the same certificate; it is written in Java, and ESIA authorizes with its signature. Comparing our link with the service's link, we found differences only in the client_secret parameter, that is, in the signature.

Answer 1, Authority 100%

In general, the signature you need is produced by this command:

cryptcp -signf -dir "/tmp" -der -strict -cert -detached -thumbprint "$thumbprint" -pin "$PIN" "/tmp/message"

Beforehand, put the string to be signed into the file /tmp/message, and then pick the signature up from /tmp/message.sgn.


// php: write the string to be signed to the file that cryptcp will read
file_put_contents('/tmp/message', $content);

After the command has run, convert the signature to URL-safe Base64; the result is the desired value for client_secret:

// php: $signature holds the raw bytes of /tmp/message.sgn
$encoded = base64_encode($signature);
// URL-safe Base64: '+' -> '-', '/' -> '_', padding '=' removed
$encoded = str_replace(array('+', '/', '='), array('-', '_', ''), $encoded);
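As an added example (not the answerer's code), the same flow as a shell wrapper: it writes the exact bytes to sign, runs the cryptcp command from the answer, and emits the URL-safe Base64 form of the .sgn file. It assumes cryptcp is on PATH and that the environment variables THUMBPRINT and PIN (names chosen here, not from the post) hold the certificate thumbprint and container PIN.

```shell
#!/bin/sh
# Added example wrapping the cryptcp flow from the answer; not the post's code.
# Assumes: cryptcp (CryptoPro CSP) on PATH, and the environment variables
# THUMBPRINT and PIN (names chosen for this example) hold the certificate
# thumbprint and container PIN.
set -eu

# Standard Base64 -> URL-safe Base64: '+' -> '-', '/' -> '_', no '=' padding.
# Same transformation as the answer's PHP str_replace, applied to stdin.
b64url_encode() {
  base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Read the exact bytes to sign from stdin (ESIA expects the UTF-8 string;
# do not append a newline), produce a DER PKCS#7 detached signature with
# cryptcp, and print it URL-safe Base64 encoded, i.e. the client_secret value.
esia_client_secret() {
  workdir=$(mktemp -d)
  cat > "$workdir/message"
  cryptcp -signf -dir "$workdir" -der -strict -cert -detached \
    -thumbprint "$THUMBPRINT" -pin "$PIN" "$workdir/message" >/dev/null
  # cryptcp writes the detached signature next to the input as message.sgn
  b64url_encode < "$workdir/message.sgn"
  rm -rf "$workdir"
}

# Usage: pass the string ESIA must sign through unchanged, e.g.
#   printf '%s' "$message" | esia_client_secret
```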
