Creating a signature for authorization via ESIA with a CryptoPro certificate
Setting up site authorization via ESIA.
Problem: after clicking the generated link with the signature, we get to the authorization page, enter the credentials and receive the error "Authorization error"; the page address contains the details:
error_description=ESIA-007005%3A+The+client+is+not+authorized+to+request+an+access+token+using+this+method
There is a machine with Docker.
The Docker container https://hub.docker.com/r/required/cryptopro is installed.
The root certificate and the client certificate are installed, and there is a trial key for CryptoPro.
The certificate chain is verified with the copy method (https://www.altlinux.org/%D0%9A%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%9F%D1%80%D0%BE#%D0%9F%D1%80%D0%BE%D0%B2%D0%B5%D1%80%D0%BA%D0%B0_%D1%86%D0%B5%D0%BF%D0%BE%D1%87%D0%BA%D0%B8_%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D0%BE%D0%B2):
cryptcp -copycert -thumbprint "$thumbprint" -df tt.cer
Output:
Certificate chains are checked
ESIA requires a PKCS#7 detached signature of the UTF-8 string, which is then encoded as URL-safe base64.
Googling, I found this option:
csptest -sfsign -sign -detached -base64 -add -alg "GOST12_256" -in message -out sig
The file is signed; I verify it:
csptest -sfsign -verify -detached -base64 -add -alg "GOST12_256" -in message -signature sig
Output:
Detached Signature was verified OK
Question: what could be the problem? Where should I dig?
UPD: There is a service, written in Java, that signs with the same certificate, and ESIA authorizes it. Comparing our link with the service's link, we found differences only in the client_secret value, that is, in the signature.
1 answer
The signature ESIA needs is produced by this command:
cryptcp -signf -dir "/tmp" -der -strict -cert -detached -thumbprint "$thumbprint" -pin "$pin" "/tmp/message"
First, put the string to be signed into the /tmp/message file, then take the signature from the file /tmp/message.sgn.
// php
file_put_contents('/import/message', $content); // the string to be signed
After the command has run, convert the signature to URL-safe base64; the result is the value for client_secret:
// php
$signature = file_get_contents('/tmp/message.sgn'); // detached DER PKCS#7 signature
$encoded = base64_encode($signature);
$encoded = str_replace(array('+','/','='), array('-','_',''), $encoded); // URL-safe, no padding
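The whole procedure from the answer wrapped in one PHP function, as an added example that is not code from the question or the answer. The function name `esiaClientSecret`, the `$workDir` parameter and the DER sanity check are my additions; it assumes `cryptcp` is on PATH and that the caller supplies the string to sign, the thumbprint and the PIN.

```php
<?php
// Added example: produce the ESIA client_secret from a message string.
// Steps: write message -> cryptcp detached DER signature -> URL-safe base64.

function base64UrlEncode(string $raw): string
{
    // RFC 4648 URL-safe alphabet, padding stripped (what the answer does with str_replace)
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function esiaClientSecret(string $message, string $thumbprint, string $pin, string $workDir = '/tmp'): string
{
    $file = $workDir . '/message';
    if (file_put_contents($file, $message) === false) {
        throw new RuntimeException("cannot write $file");
    }

    // Same cryptcp invocation as in the answer; every argument is quoted for the shell.
    $cmd = sprintf(
        'cryptcp -signf -dir %s -der -strict -cert -detached -thumbprint %s -pin %s %s 2>&1',
        escapeshellarg($workDir),
        escapeshellarg($thumbprint),
        escapeshellarg($pin),
        escapeshellarg($file)
    );
    exec($cmd, $output, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("cryptcp failed ($rc): " . implode("\n", $output));
    }

    $sgnPath = $file . '.sgn';
    $signature = file_get_contents($sgnPath);
    if ($signature === false || $signature === '') {
        throw new RuntimeException("no signature produced at $sgnPath");
    }
    unlink($sgnPath);

    // A DER-encoded PKCS#7 ContentInfo starts with the SEQUENCE tag 0x30. If the first byte
    // is printable text instead, the file is already base64 (as with csptest -base64) and
    // encoding it again yields a client_secret ESIA rejects.
    if (ord($signature[0]) !== 0x30) {
        throw new RuntimeException('signature is not DER; expected binary PKCS#7, not base64 text');
    }

    return base64UrlEncode($signature);
}
```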