1C:Enterprise 8.3. Developer Guide. Chapter 22. The Cryptographic Mechanism

1C:Enterprise 8.3. Developer Guide. Contents


THE CRYPTOGRAPHIC MECHANISM

When 1C:Enterprise is used in automation systems, you might need to check that a document stored in the system wasn't modified (for example, a document with a text of the agreement is attached to the Agreement database object). There also could be a need to transfer some signed information or implement approval of a document within the system. Some scenarios are possible when you need to transfer information via public channels so that it would be impossible to read the information if it is intercepted (data encryption).

For that purpose, 1C:Enterprise implements a cryptographic mechanism based on asymmetric encryption (a couple of keys are used, public and private).

IMPORTANT!

The 1C:Enterprise cryptographic mechanism does not actually implement cryptographic algorithms. It provides a set of objects that can be used to communicate with third parties’ external cryptographic modules.

22.1. GENERAL MECHANISM DESCRIPTION

The public key is used to transfer data via public channels, and the private key is not distributed and should be protected to a maximum degree.

The receiver public keys should be known to encrypt data. A private key coupled with the public key used for encryption is needed to decrypt data. A private key is required to generate a digital signature, and the signer's public key is required to validate the signature (most often, a public key is included in a signature).

To confirm that a public key really belongs to a subject, a certificate authority is used that ensures this fact with a signature.

A certificate is a public key signed by a certificate authority. Since a private key should be protected, it exists in a container. Key container can include an open key in addition to a private key (e.g., as a certificate).

Cryptographic extension should be installed for the web client to work. The web client specifies that the user permission query is executed for some operations (file system access and private key access).

22.2. MAIN CONCEPTS

Some terms will be used to describe the mechanisms covered in this section.

Digital signature – a series of data generated as a result of cryptographic transformation of source information using a digital signature private key. It can be used to confirm integrity and invariability of this information and its authenticity, if a digital signature public key and its certificate are used.

Digital signature authenticity confirmation center (hereinafter referred to as Certification authority) – a legal entity or a dedicated legal entity department with privileges to confirm the authenticity of the digital signature public key owner.

Key certificate owner – a person for which a public key certificate is generated by a certification authority and who owns a corresponding private (secret) key.

Certificate – a digital document including a public key and information about the key owner certified by a certification authority using a digital signature.

Cryptographic module – a library of functions that directly implements cryptographic algorithms or provides access to encryption mechanisms.

22.3. GENERAL PRINCIPLES OF USING CRYPTOGRAPHIC MECHANISMS

Two main usage options can be identified when cryptographic mechanisms are used:

„ data encryption/decryption

„ data signing/signature validation

General encryption/decryption principles can be described as follows:

„ A necessary object for access to cryptographic functionality is created (the CryptoManager object).

„ A necessary certificate is selected that is a public key of the receiver side (the CryptoCertificate object). This certificate is used to encrypt data.

„ Required files or binary data are encrypted using the Encrypt() methods of the CryptoManager object created.

„ Encrypted data are ready for transfer via public channels.

„ When encrypted data are received, reverse operation is executed.

„ A necessary object for access to cryptographic functionality is created that should match the object used for data encryption.

„ Received data are decrypted using the Decrypt() method of the created cryptographic functionality object.

General signing/signature validation principles can be described as follows:

„ A necessary object for access to cryptographic functionality is created (the CryptoManager object).

„ A necessary certificate is selected that is a private key of the signing side (the CryptoCertificate object). This key is used to generate a digital signature.

„ A digital signature for the required file or binary data is generated using the Sign() method of the CryptoManager object created.

„ Signed data with the digital signature are sent to the receiver side.

„ When signed data and the digital signature are received, reverse operation is executed.

„ A necessary object for access to cryptographic functionality is created that should match the object used to generate a digital signature.

„ The digital signature is validated using the VerifySignature() method of the cryptographic functionality object created.

Certificates necessary for cryptographic operations are received from a corresponding certification authority.

It is not recommended to get several certificate storages with similar characteristics when you are working with the CryptoManager object, since changing one storage will lead to a different behavior of the other storage depending on the cryptographic modules being used.

22.4. WORKING WITH CRYPTOGRAPHIC MODULES

Microsoft CryptoAPI is used to interact with cryptographic modules in Windows.

Direct interaction with the installed components is used to interact with cryptographic modules in Linux.

The following components are supported:

„ CryptoPro cryptographic information protection tool. To use this tool, specify 75 as the CryptographicModuleType parameter of the CryptoManager object.

22.5. USAGE EXAMPLES

This section provides examples of some typical tasks executed using cryptographic mechanisms.

Creating an object to access cryptographic functionality

Creating an object to access cryptographic functionality is a basic operation, without which further operations with the cryptographic mechanism are not available.

CryptoManager = New CryptoManager("", "", 75);

This example creates a module to work with Russian cryptographic modules (the CryptographicModuleType parameter value is 75).

Getting a list of certificates

A list of certificates from selected certificate storages is generated that will be used in further operations.

&AtClient
Function  GetCertificateList(CryptographyManagerType, TypesArray, CheckExpirationDate)

// List of certificates
CertificateList = New Array;

CryptoManager = New CryptoManager("", "",  CryptographyManagerType);

For Each StorageType In TypesArray Do

// Get certificates for each type of certificates storage
Storage = CryptoManager.GetCertificateStore(StorageType);

// Select all certificates
StorageCertificates = Storage.GetAll();
CurrentDate = CurrentDate();

For Each Certificate In StorageCertificates Do

If CheckExpirationDate And  Certificate.EndDate < CurrentDate Then

//  Skip expired certificates, if needed
Continue;

EndIf;

CertificateList.Add(Certificate);

EndDo;

EndDo;

Return CertificateList;

EndFunction

&AtClient
Procedure  ObtainCertificateList()

StorageTypes = New Array;
StorageTypes.Add(CryptoCertificateStoreType.PersonalCertificates);
StorageTypes.Add(CryptoCertificateStoreType.RecipientCertificates);
List = GetCertificateList(75, StorageTypes, True);

// ...

EndProcedure

File encryption

A file selected interactively is encrypted and then written to a disk of a client computer.

For demonstration, encryption operation always uses the first certificate in the list of all of certificates installed on the computer.

&AtServer
Function  EncryptAtServer(DataAddress, CertificatesData)

// Create certificates on the basis of binary data  certificates  // from the client
Certificates = New Array();
For Each CertificateData In CertificatesData Do

Certificates.Add(New CryptoCertificate(CertificateData));

EndDo;

CryptoManager = New CryptoManager("", "", 75);

// Get file for encryption from the temporary storage
Data = GetFromTempStorage(DataAddress);
If TypeOf(Data) <> Type("BinaryData") Then

Return False;

EndIf;

// Encrypt binary data
EncryptedBinaryData = CryptoManager.Encrypt(Data, Certificates);

// Save to temporary storage
DataAddress = PutToTempStorage(EncryptedBinaryData);

Return True;

EndFunction
&AtClient
Procedure  FileEncryption()
Address = "";
Result = PutFile(Address, , , True);
If Not Result Then
Return;
EndIf;
CertificateTypes = New Array;
CertificateTypes.Add(CryptoCertificateStoreType.PersonalCertificates);
List = GetCertificateList(75, CertificateTypes, True);
// In this example we always encrypt using the first by order  certificate
Certificates = New Array;
Certificates.Add(List[0].Unload());
// Encrypt file
Result = EncryptAtServer(Address, Certificates);
If Not Result Then
Return;
EndIf;
// Interactively save encrypted file to disk
GetFile(Address, , True);

EndProcedure

File decryption

An attempt to decrypt the selected file is executed. It is necessary to implement the GetAccessPassword() function that returns the password to access the private key.

NOTE

When the Decrypt() method is used, an exception is called only when decryption attempts using all available certificates have failed, not just after the first error.

&AtClient
Procedure  FileDecryption()
// Choose encrypted file
Address = "";
Result = PutFile(Address, , , True);
If Not Result Then
Return;
EndIf;

Data = GetFromTempStorage(Address);
// Decrypt file
CryptoManager = New CryptoManager("", "", 75);
CryptoManager.PrivateKeyAccessPassword = GetAccessPassword();
DecryptedData = CryptoManager.Decrypt(Data);
Address = PutToTempStorage(DecryptedData);
GetFile(Address, , True);

EndProcedure

Digital signature generation

A file with a digital signature is generated. In this example the digital signature is always saved in the signature.sign file. It is necessary to implement the GetAccessPassword() function that returns the password to access the private key.

&AtClient
Procedure  SignFile()

Address = "";
Result = PutFile(Address, , , True);
If Not Result Then

Return;

EndIf;

CertificateTypes = New Array;
CertificateTypes.Add(CryptoCertificateStoreType.PersonalCertificates);
List = GetCertificateList(75, CertificateTypes, True);

Certificate = List[0];
Data = GetFromTempStorage(Address);
CryptoManager = New CryptoManager("", "", 75);
CryptoManager.PrivateKeyAccessPassword = GetAccessPassword();
CryptoManager.Sign(Data, "signature.sign", Certificate);

EndProcedure

Digital signature validation

This function validates digital signature authenticity for the original file – digital signature file combination.

&AtClient
Function  CheckFileSignature(SignedFileName, SignatureFileName)

	Certificate = Undefined;
	CryptoManager = New CryptoManager("", "", 75);
	
	Try
		CryptoManager.VerifySignature(SignedFileName, SignatureFileName, Certificate);
	Except
		Return False;
	EndTry

	Return True;

EndFunction

Leave a Reply

Your email address will not be published.

 

1C:Enterprise Developer's Community