Configuring site authorization through ESIA
Problem: after following the generated link we land on the authorization page, enter the credentials and get the error "authorization error"; the page address contains the details:
error_description=ESIA-007005%3a+The+client+is+not+authorized+to+request+an+access+token+using+this+method
There is a machine with Docker.
Docker container: https://hub.docker.com/r/required/cryptopro
The root certificate and the client certificate are installed; the CryptoPro key is a trial one.
The certificate chain is checked by copying the certificate (https://www.altlinux.org/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%9F%D1%80%D0%BE#%D0%9F%D1%80%D0%BE%D0%B2%D0%B5%D1%80%D0%BA%D0%B0_%D1%86%D0%B5%D0%BF%D0%BE%D1%87%D0%BA%D0%B8_%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D0%B2):
cryptcp -copycert -thumbprint "$thumbprint" -df tt.cer
Output:
Certificate chains are checked
ESIA requires a detached PKCS#7 signature over the UTF-8 encoded string, then encoded in URL-safe Base64.
Googled and found this option:
csptest -sfsign -sign -detached -base64 -add -alg "Gost12_256" -in message -out sig
The file is signed; checking it:
csptest -sfsign -verify -detached -base64 -add -alg "Gost12_256" -in message -signature sig
Output:
Detached signature was verified OK
Question: what could be the problem? Where should I dig?
UPD: There is a service, written in Java, that signs with the same certificate, and ESIA authorizes with its signature. Comparing our link with the service's link, we found differences only in the client_secret parameter, that is, in the signature.
Answer 1, Authority 100%
In general, the required signature is produced by this command:
cryptcp -signf -dir "/tmp" -der -strict -cert -detached -thumbprint "$thumbprint" -pin "$PIN" "/tmp/message"
Beforehand, put the string to be signed into the file /tmp/message, and then pick the signature up from the /tmp/message.sgn file:
// php
// write the string to be signed where cryptcp will read it
file_put_contents('/tmp/message', $content);
After the command has run, convert the signature to URL-safe Base64; the result is the value needed for client_secret:
// php
// read the DER detached signature written by cryptcp
$signature = file_get_contents('/tmp/message.sgn');
$encoded = base64_encode($signature);
// URL-safe alphabet, padding stripped
$encoded = str_replace(array('+', '/', '='), array('-', '_', ''), $encoded);
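The same procedure as a worked example in Python (an added example, not the asker's PHP or the answer's code). It mirrors the answer's steps: write the string to /tmp/message, let cryptcp produce a DER detached signature in /tmp/message.sgn, then turn that DER into URL-safe Base64 without padding. It also adds a cheap structural check that the bytes being encoded are a CMS signedData structure rather than Base64 text, which is what `csptest -base64` writes. The function names, the `sign_with_cryptcp` wrapper and the sample bytes are this example's own constructions; the sample bytes are only a DER ContentInfo header, not a real signature.

```python
"""Build an ESIA client_secret from a detached PKCS#7 (CMS) signature.

Added example; not code from the original question or answer. It assumes the
cryptcp invocation given in the answer and a CryptoPro CSP installation for
the signing step. The offline demo at the bottom uses constructed bytes.
"""
import base64
import subprocess
from pathlib import Path

# DER-encoded value of the CMS signedData content-type OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def _read_der_length(buf: bytes, pos: int):
    """Return (length, next_pos) for the definite-form DER length at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    num_bytes = first & 0x7F
    if num_bytes == 0 or pos + 1 + num_bytes > len(buf):
        raise ValueError("malformed or indefinite DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + num_bytes], "big")
    return length, pos + 1 + num_bytes


def looks_like_cms_signed_data(der: bytes) -> bool:
    """Structural check only: SEQUENCE { OID signedData, ... }.

    This does not verify the signature; it catches the mistake of feeding
    Base64 text or an unrelated blob into the client_secret step.
    """
    try:
        if der[0] != 0x30:  # outer SEQUENCE (ContentInfo)
            return False
        _, pos = _read_der_length(der, 1)
        if der[pos] != 0x06:  # OBJECT IDENTIFIER
            return False
        oid_len, pos = _read_der_length(der, pos + 1)
        return der[pos:pos + oid_len] == SIGNED_DATA_OID
    except (IndexError, ValueError):
        return False


def normalize_signature(raw: bytes) -> bytes:
    """Accept DER bytes or Base64 text (e.g. csptest -base64 output); return DER."""
    if looks_like_cms_signed_data(raw):
        return raw
    # Base64 text may be wrapped across lines; strip whitespace before decoding
    der = base64.b64decode(b"".join(raw.split()), validate=True)
    if not looks_like_cms_signed_data(der):
        raise ValueError("input is neither DER nor Base64 of a CMS signedData")
    return der


def to_url_safe_base64(der: bytes) -> str:
    """URL-safe Base64 without '=' padding, the form ESIA expects in client_secret."""
    return base64.urlsafe_b64encode(der).decode("ascii").rstrip("=")


def client_secret_from_signature(raw: bytes) -> str:
    """Full conversion: DER or Base64 signature file contents -> client_secret value."""
    return to_url_safe_base64(normalize_signature(raw))


def sign_with_cryptcp(message: str, thumbprint: str, pin: str, workdir: str = "/tmp") -> bytes:
    """Run the answer's cryptcp command and return the DER detached signature.

    Requires CryptoPro CSP with the certificate installed (e.g. in the container
    from the question); it is not exercised by the offline demo below.
    """
    msg_path = Path(workdir) / "message"
    msg_path.write_text(message, encoding="utf-8")  # ESIA signs the UTF-8 bytes
    subprocess.run(
        ["cryptcp", "-signf", "-dir", workdir, "-der", "-strict", "-cert",
         "-detached", "-thumbprint", thumbprint, "-pin", pin, str(msg_path)],
        check=True,
    )
    return (Path(workdir) / "message.sgn").read_bytes()


if __name__ == "__main__":
    # Constructed stand-in for a DER ContentInfo header (not a real signature).
    sample_der = bytes.fromhex("300f06092a864886f70d010702a0023000")
    print(client_secret_from_signature(sample_der))
    # The same bytes as Base64 text, as csptest -base64 would have written them
    print(client_secret_from_signature(base64.b64encode(sample_der)))
```

The check in `normalize_signature` is the practical difference between the two approaches on the page: `csptest -sfsign -base64` already writes Base64 text, so encoding that file again yields a double-encoded value that ESIA rejects, while `cryptcp -der` writes raw DER that must be encoded exactly once.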