Converting a CryptoPro CSP GOST 2012 private key into a .p12 container that Java understands

A CryptoPro CSP private key lives on a flash drive, in a directory named xxxx.000 that contains the files primary.key, primary2.key, masks.key, masks2.key, name.key and header.key.

Such keys can only be read by CryptoPro JCP, whose server licence currently costs 120 thousand rubles.

Our task, however, is to get a .p12 container at the lowest possible cost)

You can work with a .p12 container from Java using, for example, the Bouncy Castle library. But that is the topic of the next article)

Step 1

The P12FromGostCSP utility will help us export the key: it converts the key into .pfx format.

We insert the flash drive, run the utility and select the key to convert. Next we specify a password for the store, and the output is a store in .pfx format.

However, this is only the beginning, because after this conversion the container is still not readable from Java.

Step 2

Next, we need OpenSSL to extract the private key and certificate and put them into a .p12 store.

But there is a problem: out of the box, OpenSSL does not support the GOST 2012 algorithm.
We need an openssl build with the gost engine add-on installed (link here). The add-on has to be compiled from source following its instructions.

But there is a better option…
We can use a docker container that already has OpenSSL installed together with the add-on needed to work with the GOST 2012 algorithm.
Link to an article describing how to work with this docker image:
https://habr.com/ru/post/353534/

In the simplest case, we start this docker container with a volume mounted, connect to it, and run a couple of console commands to extract the private key and certificate from the .pfx and put them into a .p12.

Let's start the container, mounting the tmp folder as a volume. We will do the conversion in it.

docker run -v "c:/tmp:/usr/tmp" --rm -i -t rnix/openssl-gost bash

Step 3

#Get the key
openssl pkcs12 -in gost.pfx -out gost.key -nocerts
#The command asks for the .pfx password, then for a new password that protects the extracted key

#Get the certificate
openssl pkcs12 -in gost.pfx -out gost.cer -nokeys

#Combine them into a p12 store, giving the key the alias prod; this alias must be set in application.properties as key.alias
openssl pkcs12 -export -inkey gost.key -in gost.cer -out gost.p12 -name prod
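The same three openssl commands wrapped into a script, as an added example that is not part of the original post: it is meant to run inside the rnix/openssl-gost container, takes the passwords from environment variables so they do not appear in the process list or shell history, keeps the intermediate PEM files in a temporary directory that is deleted on exit, and reads the finished store back as a check. The variable names PFX_PASS and P12_PASS, the check of the CryptoPro key directory, and the defaults gost.p12 and prod are assumptions of this example.

```shell
#!/bin/sh
# Added example: automates Steps 2 and 3 of the post inside the openssl-gost container.
#   PFX_PASS - password given to P12FromGostCSP for gost.pfx   (assumed variable name)
#   P12_PASS - password for the extracted key and for gost.p12 (assumed variable name)
# Usage: PFX_PASS=... P12_PASS=... ./pfx2p12.sh gost.pfx gost.p12 prod
set -eu

# Sanity check for the Step 1 input: the CryptoPro CSP key directory (xxxx.000)
# must contain all six files, otherwise the key cannot be exported at all.
check_cryptopro_dir() {
    dir="$1"
    for f in primary.key primary2.key masks.key masks2.key name.key header.key; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
}

# .pfx -> PEM key + PEM certificate -> .p12 with the given alias.
pfx_to_p12() {
    pfx="$1"; p12="$2"; alias="$3"
    : "${PFX_PASS:?set PFX_PASS}" "${P12_PASS:?set P12_PASS}"
    export PFX_PASS P12_PASS          # openssl reads env:NAME from its environment
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT        # intermediate key material never outlives the run
    # Get the key (PEM, protected with P12_PASS instead of an interactive prompt)
    openssl pkcs12 -in "$pfx" -nocerts -out "$work/key.pem" \
        -passin env:PFX_PASS -passout env:P12_PASS
    # Get the certificate
    openssl pkcs12 -in "$pfx" -nokeys -out "$work/cert.pem" -passin env:PFX_PASS
    # Combine them into the p12 store under the alias that application.properties will use
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
        -out "$p12" -name "$alias" -passin env:P12_PASS -passout env:P12_PASS
    # Read the result back: fails if the store is malformed or the password is wrong
    openssl pkcs12 -in "$p12" -info -noout -passin env:P12_PASS
    # Keep the certificate next to the store, as the post places gost.cer beside gost.p12
    cp "$work/cert.pem" "${p12%.p12}.cer"
}

# Only run the conversion when invoked with arguments (so the functions can also be sourced)
if [ -n "${1:-}" ]; then pfx_to_p12 "$1" "${2:-gost.p12}" "${3:-prod}"; fi
```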

The resulting store gost.p12 and certificate gost.cer can be placed in the resources/security folder. Do not forget to specify all passwords and logins, as well as the file names, in application.properties.

PS If the topic is of interest, I will write an article on how to build a Spring Boot service that signs files and messages with a key and certificate from a .p12 container using the GOST 2012 algorithm.

Thank you for your attention 🙂
