
4.3. Rules for generating electronic signatures

When generating electronic signatures of any type, the following algorithms must be used:


Operation                             Algorithm / transform                                 URI
Hash computation                      GOST R 34.11-94                                       http://www.w3.org/2001/04/xmldsig-more#gostr3411
Signature generation                  GOST R 34.10-2001                                     http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411
Canonicalization (for XMLDSig)        Exclusive XML Canonicalization of 18 July 2002        http://www.w3.org/2001/10/xml-exc-c14n#
Additional transform (for XMLDSig)    SMEV normalization                                    urn://smev-gov-ru/xmldsig/transform (stated in 4.4.2.1)


Throughout this section, an element name written without a namespace prefix refers to the namespace urn://x-artefacts-smev-gov-ru/services/message-exchange/types/1.1.

4.3.1 Signatures in PKCS#7 format

The PKCS#7 format is used to sign files attached to messages.

PKCS#7 version 1.5, as specified in RFC 2315, is used.

The following restrictions apply to the signature format:

For the root ContentInfo element, the only permitted contentType is SignedData.

The signature must be detached: the only permitted value of SignedData/contentInfo/contentType is 1.2.840.113549.1.7.1 (id-data), and the SignedData/contentInfo/content element must be absent, so the signed file itself travels outside the PKCS#7 message.

Only GOST R 34.11-94 may be used to compute the message digest.

Only GOST R 34.10-2001 may be used to generate the digital signature.

A PKCS#7 message must not carry more than one digital signature.

The SignerInfo element must contain the following authenticated (signed) attributes:

  1. contentType (1.2.840.113549.1.9.3), always with the value 1.2.840.113549.1.7.1 (id-data).

  2. messageDigest (1.2.840.113549.1.9.4), containing the GOST R 34.11-94 digest of the file being signed.

Because these attributes are authenticated, the signature value is computed over the DER encoding of the signed-attribute set, which in turn binds the file digest. A verifier must therefore recompute the digest of the detached file and compare it with messageDigest; checking the signature value alone proves nothing about the file.

Most of these restrictions are stated formally in the PKCS#7 format profile in Appendix 2. The profile also reflects that in this context PKCS#7 is used only to carry electronic signatures, not encrypted data or CRLs. The profile uses types defined in PKCS#9 (RFC 2985).
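As an added example, not part of the SMEV specification or of any vendor's library: a Python checker that applies the rules above to a detached PKCS#7 message. It parses DER with a small reader written for the example, builds a constructed sample SignedData (placeholder digest and signature bytes, no real GOST key material) and reports which rules the message breaks. The GOST algorithm OIDs (1.2.643.2.2.9 for GOST R 34.11-94 and 1.2.643.2.2.19 for GOST R 34.10-2001) come from RFC 4357, not from this page, and whether a given signer encodes signatureAlgorithm with that OID or with the combined signature-with-hash OID is an assumption to confirm against the Appendix 2 profile.

```python
"""Structural check of a detached PKCS#7 signature against the restrictions in 4.3.1.

Added example, not code from the SMEV specification. Standard library only: a minimal
DER reader/writer, a builder for a constructed SignedData sample (placeholder digest
and signature bytes) and a checker that lists every violated rule.
"""

OID_SIGNED_DATA    = "1.2.840.113549.1.7.2"
OID_DATA           = "1.2.840.113549.1.7.1"
OID_CONTENT_TYPE   = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_GOST3411_94    = "1.2.643.2.2.9"    # id-GostR3411-94, RFC 4357 (assumption: not on the page)
OID_GOST3410_2001  = "1.2.643.2.2.19"   # id-GostR3410-2001, RFC 4357 (assumption: not on the page)
SEQ, SET, OID, OCTET, INT, CTX0, CTX1 = 0x30, 0x31, 0x06, 0x04, 0x02, 0xA0, 0xA1


def tlv(tag: int, payload: bytes) -> bytes:
    """DER tag-length-value with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return bytes(out)


def decode_oid(raw: bytes) -> str:
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse(buf: bytes) -> list:
    """Parse concatenated DER TLVs into (tag, value, children) nodes."""
    nodes, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                  # long-form length
            k = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        val, pos = buf[pos:pos + ln], pos + ln
        nodes.append((tag, val, parse(val) if tag & 0x20 else []))
    return nodes


def alg_oid(node) -> str:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    return decode_oid(node[2][0][1])


def check_smev_pkcs7(der: bytes) -> list[str]:
    """Return the 4.3.1 rules the message breaks (empty list == conforms structurally)."""
    errs = []
    content_info = parse(der)[0][2]
    if decode_oid(content_info[0][1]) != OID_SIGNED_DATA:
        return ["root ContentInfo.contentType is not SignedData"]
    sd = content_info[1][2][0][2]                        # [0] EXPLICIT SignedData
    digests = [alg_oid(a) for a in sd[1][2]]
    if digests != [OID_GOST3411_94]:
        errs.append(f"digestAlgorithms {digests} != [GOST R 34.11-94]")
    eci = sd[2][2]                                        # encapContentInfo
    if decode_oid(eci[0][1]) != OID_DATA:
        errs.append("SignedData/contentInfo/contentType is not id-data")
    if len(eci) > 1:
        errs.append("not detached: SignedData/contentInfo/content is present")
    if any(n[0] == CTX1 for n in sd):
        errs.append("CRLs are not allowed in this profile")
    signers = next(n for n in sd[3:] if n[0] == SET)[2]   # signerInfos SET OF SignerInfo
    if len(signers) != 1:
        errs.append(f"{len(signers)} SignerInfos present, exactly one is allowed")
    for si in signers:
        f = si[2]      # version, sid, digestAlgorithm, [signedAttrs], signatureAlgorithm, signature
        if alg_oid(f[2]) != OID_GOST3411_94:
            errs.append("SignerInfo.digestAlgorithm is not GOST R 34.11-94")
        if f[3][0] != CTX0:
            errs.append("authenticated attributes are missing")
            sig_alg = f[3]
        else:
            sig_alg = f[4]
            attrs = {decode_oid(a[2][0][1]): a[2][1][2] for a in f[3][2]}
            ct = attrs.get(OID_CONTENT_TYPE)
            if not ct or decode_oid(ct[0][1]) != OID_DATA:
                errs.append("contentType attribute missing or not id-data")
            md = attrs.get(OID_MESSAGE_DIGEST)
            if not md or md[0][0] != OCTET:
                errs.append("messageDigest attribute missing")
        if alg_oid(sig_alg) != OID_GOST3410_2001:
            errs.append("signatureAlgorithm is not GOST R 34.10-2001")
    return errs


def build_sample(detached: bool = True, signers: int = 1,
                 digest_oid: str = OID_GOST3411_94) -> bytes:
    """Constructed SignedData for testing; digest and signature bytes are placeholders."""
    alg = lambda oid: tlv(SEQ, tlv(OID, encode_oid(oid)))
    attr = lambda oid, val: tlv(SEQ, tlv(OID, encode_oid(oid)) + tlv(SET, val))
    signed_attrs = tlv(CTX0, attr(OID_CONTENT_TYPE, tlv(OID, encode_oid(OID_DATA)))
                       + attr(OID_MESSAGE_DIGEST, tlv(OCTET, bytes(32))))   # 256-bit digest slot
    sid = tlv(SEQ, tlv(SEQ, b"") + tlv(INT, b"\x01"))                        # empty issuer, serial 1
    signer = tlv(SEQ, tlv(INT, b"\x01") + sid + alg(digest_oid) + signed_attrs
                 + alg(OID_GOST3410_2001) + tlv(OCTET, bytes(64)))          # 512-bit signature slot
    eci = tlv(OID, encode_oid(OID_DATA)) + (b"" if detached else tlv(CTX0, tlv(OCTET, b"payload")))
    sd = tlv(SEQ, tlv(INT, b"\x01") + tlv(SET, alg(digest_oid)) + tlv(SEQ, eci)
             + tlv(SET, signer * signers))
    return tlv(SEQ, tlv(OID, encode_oid(OID_SIGNED_DATA)) + tlv(CTX0, sd))


if __name__ == "__main__":
    print(check_smev_pkcs7(build_sample()))                 # []
    print(check_smev_pkcs7(build_sample(detached=False)))   # not detached
```

A .p7s produced in base64 form must have any header lines stripped and be base64-decoded before it is passed to check_smev_pkcs7, which expects DER. The function is a structural pre-check only: it does not verify the GOST signature value and does not compare messageDigest with a digest of the file.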

4.4. Electronic signatures of subjects of interaction - individuals

4.4.1 General requirements for an electronic signature generated on behalf of government officials during interdepartmental information exchange

Certificates and keys of an official's electronic signature (Clause 3 of Article 14 of Federal Law No. 63-FZ "On Electronic Signature") are issued in the name of an individual who represents a government authority, and are used in information systems to generate and/or verify electronic signatures when state and municipal services are provided, or state and municipal functions are executed, through the interdepartmental electronic interaction system.

Such a signature is the equivalent of the employee's handwritten signature and confirms, among other things, that the electronic document was produced by a specific employee of the authority (OV) in the authority's information system (OV IS).

Responsibility for storing and using the ES-SP (the official's electronic signature) signing key rests with the official, and the authority supervises this.

Existing ES-SP key certificates of officials need not be re-issued for interdepartmental interaction: previously issued, still valid signing-key certificates may be used, provided they were issued by a certification authority that belongs to the unified electronic-signature trust space formed by the Ministry of Telecom and Mass Communications of the Russian Federation.

4.4.2 Electronic signature for interdepartmental interaction

The ES-SP signs the business data of the message, expressed in XML, and the attached files. Because attachments are transferred separately from the business data, a separate ES-SP is placed on the business data and on each attached file.

4.4.2.1 Rules for generating an electronic signature for messages

Signature format: XMLDSig detached.

Transform, in addition to canonicalization: urn://smev-gov-ru/xmldsig/transform.

Formatting requirements: inside the XML signature structure, text nodes between elements, including line breaks, are not allowed.

Signed element: for both requests and responses, the root element of the XML document that represents the business data of the request or response.

Placement in the message:
//SenderProvidedRequestData/PersonalSignature/dsig:Signature (for requests),
//SenderProvidedResponseData/PersonalSignature/dsig:Signature (for responses).

How the signature gets into the message: it is passed by the web-service client in the parameter structure of the SendRequest and SendResponse methods.

How the signature is extracted for verification: the signature is extracted and verified by the web-service client.
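As an added example, not from the specification or from any SMEV client: a Python pre-check of a message against the rules in 4.3 and 4.4.2.1, using only the standard library. The sample request embedded in it is constructed for the example (the business-data namespace, element names and Id value are made up); the name of the Id attribute that the Reference URI resolves to, the transform order (exc-c14n followed by the SMEV transform) and the rule that the signed element must lie outside the SMEV types namespace are assumptions; no GOST signature verification is performed. The check covers the algorithm URIs, the transforms, the no-text-nodes rule, placement under PersonalSignature and that the detached Reference resolves to an element of the message.

```python
"""Structural check of a SMEV message's ES-SP XMLDSig against 4.3 and 4.4.2.1.

Added example, not code from the SMEV specification. Standard library only; the
GOST signature value is not verified, only the structure of the Signature element.
"""
import xml.etree.ElementTree as ET

SMEV = "urn://x-artefacts-smev-gov-ru/services/message-exchange/types/1.1"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
REQUIRED_ALGS = {                      # URIs from the table in 4.3
    "CanonicalizationMethod": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411",
    "DigestMethod": "http://www.w3.org/2001/04/xmldsig-more#gostr3411",
}
# exc-c14n followed by the SMEV normalisation transform; the order is an assumption
REQUIRED_TRANSFORMS = ["http://www.w3.org/2001/10/xml-exc-c14n#",
                       "urn://smev-gov-ru/xmldsig/transform"]


def q(ns: str, local: str) -> str:
    return f"{{{ns}}}{local}"


def check_smev_xmldsig(xml_text: str) -> list[str]:
    """Return the list of rule violations found (empty list == passes the structural check)."""
    errs = []
    root = ET.fromstring(xml_text)
    ps_tag = q(SMEV, "PersonalSignature")
    sig = root.find(f".//{ps_tag}/{q(DSIG, 'Signature')}")
    if sig is None:
        return ["dsig:Signature not found under PersonalSignature"]
    # 4.4.2.1 placement: PersonalSignature directly under SenderProvided{Request,Response}Data
    parent = next((p for p in root.iter() if any(c.tag == ps_tag for c in p)), None)
    allowed = (q(SMEV, "SenderProvidedRequestData"), q(SMEV, "SenderProvidedResponseData"))
    if parent is None or parent.tag not in allowed:
        errs.append("PersonalSignature is not directly under SenderProvidedRequestData/ResponseData")
    # Formatting rule: no text nodes, not even line breaks, between elements of the signature
    for el in sig.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if len(el) and el.text:                  # text before the first child element
            errs.append(f"text node inside <{local}>: {el.text!r}")
        if el is not sig and el.tail:            # text between sibling elements
            errs.append(f"text node after <{local}>: {el.tail!r}")
    # Algorithm URIs from 4.3
    for local, uri in REQUIRED_ALGS.items():
        el = sig.find(f".//{q(DSIG, local)}")
        got = None if el is None else el.get("Algorithm")
        if got != uri:
            errs.append(f"{local}: expected {uri}, got {got}")
    refs = sig.findall(f".//{q(DSIG, 'Reference')}")
    if len(refs) != 1:
        errs.append(f"expected one ds:Reference (the business-data root), found {len(refs)}")
    for ref in refs:
        transforms = [t.get("Algorithm")
                      for t in ref.findall(f"{q(DSIG, 'Transforms')}/{q(DSIG, 'Transform')}")]
        if transforms != REQUIRED_TRANSFORMS:
            errs.append(f"Transforms {transforms} != {REQUIRED_TRANSFORMS}")
        uri = ref.get("URI", "")
        # Detached signature: URI="#Id" must resolve inside this message ("Id" is an assumption)
        target = root.find(f".//*[@Id='{uri[1:]}']") if uri.startswith("#") and uri[1:] else None
        if target is None:
            errs.append(f"Reference URI {uri!r} does not resolve to an Id in the message")
        elif target.tag.startswith("{" + SMEV + "}"):
            errs.append("Reference points at an envelope element, not the business-data root")
    return errs


GOOD_REQUEST = (  # constructed sample: business-data namespace, element names and Id are made up
    f'<ns:SenderProvidedRequestData xmlns:ns="{SMEV}" xmlns:ds="{DSIG}">'
    '<bd:Request xmlns:bd="urn://example/business-data" Id="BUSINESS_DATA">'
    '<bd:Field>value</bd:Field></bd:Request>'
    '<ns:PersonalSignature>'
    '<ds:Signature><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr34102001-gostr3411"/>'
    '<ds:Reference URI="#BUSINESS_DATA"><ds:Transforms>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:Transform Algorithm="urn://smev-gov-ru/xmldsig/transform"/>'
    '</ds:Transforms>'
    '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#gostr3411"/>'
    '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
    '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    '</ds:Signature></ns:PersonalSignature></ns:SenderProvidedRequestData>'
)

if __name__ == "__main__":
    print(check_smev_xmldsig(GOOD_REQUEST))                          # []
    print(check_smev_xmldsig(GOOD_REQUEST.replace("><", ">\n<")))    # pretty-printing breaks the rule
```

The pretty-printed variant in the usage lines is the failure mode the formatting requirement is about: a line break between elements of the Signature is a text node, and a client that indents the XML before sending will produce a signature the receiving side rejects even though the GOST signature value itself is correct.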

Using the CryptoARM program you can sign:

  • a single file,
  • a folder of files (a signature is created for each file in the folder; the signed files are saved automatically to the folder that holds the original data).

The P7S file format is the one used most often: a *.p7s file holds a signature in PKCS#7 format, stored as base64 text (PEM-like).

For the PKCS#7 message format in base64 encoding you can set the flag "Disable service headers"; the signature file is then written without the header lines that mark the beginning and end of the signed-data block. Those headers are needed for the signature to be verified by earlier versions of CryptoARM.

  1. Enter the required signature properties: a signature comment*, a resource identifier** and whether to include the signature creation time. You can also set the option "Enable time stamp on signed data"; it is available only when the optional TSP module is installed.

* A signature comment is free text for the people who view the signed document (for example, "Agreed!").

** The resource identifier is:

  • the path to the source file being signed (on the computer, or on the Internet where the file is located), or
  • the file name (recorded so that, if the file is later renamed, the recipient of the signed document can still determine its original name).

Flag

Explanation

Save signature in a separate file

    When the flag is set, the signature is created as a separate file (a detached signature). This is convenient, for example, when sending a document to someone who does not use CryptoARM and is interested in the data rather than the signature.

    When the flag is not set, the generated signature file also contains the original data (an attached signature), so the document and the signature are stored together.

Delete the original file after the operation is completed

    Available when a combined (attached) signature file is created. The feature matters

  • first of all, for convenient handling of documents,
  • for those who must store and exchange only signed documents (under the electronic document management rules adopted by the organization).

    When the flag is set, the document(s) selected for signing are deleted once the operation completes successfully.

Include signature creation time

    When the flag is set, the signing time is included in the signature file.

Enable time stamp on signed data

    When the flag is set, a time stamp on the original data is included in the signature file.

    This flag appears only if the TSP module is installed.

Include proof of authenticity in the signature

  2. If "Enable time stamp on signed data" was set, specify the Time Stamp Service parameters in the next step.

  3. Specify the required signature parameters: the personal certificate used to create the signature and the hash algorithm.

  4. Enter the password to access the selected key container (GOST certificate).

  5. Once the data needed to create the signature has been collected, a window shows the status of the operation and the parameters used, including the certificate with which the file will be signed.

The chosen signature parameters can be saved as a template for later use: check "Save data to settings for later use" and enter a name for the setting, or select the name of an existing setting from the list to store the current values in it.

  6. The file signing process begins. You can stop it with the Cancel button.

  7. By default the generated signature file is saved in the same directory as the source file. Its name is the source file name with an added extension that corresponds to the selected output format. If a file with that name already exists, save the signature under a different name.

  8. When the operation completes, the "Result of the operation" window appears. Click "Details >>" to see the source file name, the output file name, the completion status and the duration of the operation.

To view information about the signature and the signer's certificate, select the entry in the "Result of the operation" window and click "Message Manager".

The "Signed data management" window opens, where you can:

  • view the signed file by clicking "View" next to the file name,
  • save it to a chosen path by clicking "Save",
  • view information about the signature, the certificate and its status ("View" button).

Tab

Information shown on the tab

Signature

Signature attributes, the time the signature was created, and the signature and hash algorithms used.

Certificate

Certificate details: status (valid, etc.), serial number, subject and issuer, validity period and permitted use.

Certificate statuses

Overall result of validating the full certification path (see the chapter "Checking Certificate Status"). On this tab you can also choose how certificate status is checked: against a local CRL, against a CRL obtained from the CA, through the Revocation Provider, or via an OCSP service.

Time stamps

Time stamp information: time stamp status, time stamp properties, Time Stamp Service properties, and the status and details of the service certificate.

Files of this type, and what they are used for, are described in detail below. The original name of this format is "PKCS-7 Signature file".

Description of the extension

First, the purpose of the format. A file in this format is an e-mail message, or part of one, that carries a digital signature, and the format is used to send signed e-mail. The signature does not make the message confidential (that requires S/MIME encryption, a separate operation); it lets the recipient authenticate the sender and confirm that the message was not altered in transit. If your e-mail program does not support digital signatures, the P7S file typically appears as an attachment to the message. E-mail clients that work with this format use the PKCS standard (PKCS#7) to create the signature for the message.

Mozilla Thunderbird

The Mozilla Thunderbird e-mail client can open a P7S file. Its interface largely mirrors that of Mozilla's browser, and it works on a similar principle. You can choose a theme to taste, adjust five font size levels and the message background, and it includes a library of emoticons. Its speed is close to that of the browser. The maximum wait for receiving or sending a message is 10 minutes; after that, the application decides the connection is broken and stops sending. This can be fixed by changing the application's settings.

Other applications

Other tools support the P7S format as well. Postbox can open such a document, and so can Microsoft Outlook, the personal information manager created by Microsoft that combines an e-mail client with collaboration tools and ships as part of Microsoft Office. A P7S file can also be opened with the CryptoARM application, a general-purpose cryptographic package that lets you use cryptographic tools for business and personal correspondence and protect both corporate and personal information.

The application has a pleasant GUI. It provides reliable encryption and decryption of data, lets you create and use public keys, and supports certificates and crypto providers. With it you can create any number of digital signatures and verify them; file decryption is supported, and operations are performed in a single step.

Now you know what a P7S file is; how to open a file with this extension and what the format is used for are described above.
