Electronic signature

An electronic signature is generated with the GOST R 34.10-2012 algorithm (256- or 512-bit key) according to the XMLDSig standard. The Signature element that carries the XMLDSig signature is placed in the SgntrSt element inside the SplmtryData element, which is intended for arbitrary supplementary data. Each Signature element contains a reference (Reference) to the signed part of the XML document. The whole message must be signed, including the section

<SplmtryData>
    <Envlp>
        <SgntrSt>
        </SgntrSt>
    </Envlp>
</SplmtryData>

General recommendations for generating an XMLDSig signature:

1) You can use the certified combination of the CryptoPro CSP cryptographic provider and its Java API, CryptoPro JavaCSP; in this case your software must explicitly select the JavaCSP provider.

2) You can use CryptoPro JCP 2.0. Its distribution contains example code in samples.jar and samples-sources.jar, including the xmlSign example.

When a message is signed with two keys, each signature must cover only the data: the second signature does not cover the first one. Note that the XMLDSig enveloped-signature transform removes only the Signature element that contains it, so the second signature must be computed over the message without the first Signature element (compute both before inserting either).

To avoid the error "UnrecoverableKeyException: Get Key failed", transfer the keys and the certificate from the *.pfx store into the HDImageStore store (a folder with six *.key files), which Java recognizes when CryptoPro is installed (details: https://www.cryptopro.ru/forum2/default.aspx?g=posts&t=8271).

Implementation examples and signed documents: https://github.com/Host-to-Host-Instructions/iso20022-signature

Signature placement example
<CstmrCdtTrfInitn>
    ...
    <SplmtryData>
        <Envlp>
            <SgntrSt>
                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    {signature #1 …}
                </Signature>

                <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                    {signature #2 …}
                </Signature>
            </SgntrSt>
        </Envlp>
    </SplmtryData>
</CstmrCdtTrfInitn>
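The following Java program is an added example, not code from this page or from the linked repository. It shows how the recommendations above fit together when a message is signed with two keys: the standard JSR 105 API (javax.xml.crypto.dsig) is used on top of CryptoPro JCP, the algorithm URIs are the ones that appear in the signed camt.060 example on this page, and both signatures are computed over the unsigned message before either Signature element is inserted, so the second does not cover the first. The JCP class names JCPXMLDSigInit and XMLDSigRI and the HDImageStore key store type are assumptions taken from the JCP distribution and should be checked against the samples.jar mentioned above; the file names, key aliases, password argument and the second signature Id ("sigID2") are placeholders. For 512-bit keys the algorithm URIs differ and are not listed on this page.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import ru.CryptoPro.JCPxml.dsig.internal.dom.XMLDSigRI; // assumed: JCP XMLDSig provider class
import ru.CryptoPro.JCPxml.xmldsig.JCPXMLDSigInit;     // assumed: JCP XMLDSig initializer

/** Signs an ISO 20022 message twice so that neither Signature covers the other. */
public class DoubleEnvelopedSigner {
    // Algorithm URIs copied from the signed camt.060 example on this page (256-bit variant).
    static final String SIG_ALG    = "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256";
    static final String DIGEST_ALG = "urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256";
    static final String EXC_C14N   = "http://www.w3.org/2001/10/xml-exc-c14n#";

    /** First SgntrSt element in the document, in any namespace (the examples use it with and without a prefix). */
    static Element sgntrSt(Document doc) {
        Element e = (Element) doc.getElementsByTagNameNS("*", "SgntrSt").item(0);
        if (e == null) throw new IllegalStateException("message must contain SplmtryData/Envlp/SgntrSt");
        return e;
    }

    /** Enveloped signature over a private copy of the unsigned message; returns the new ds:Signature element. */
    static Element signWholeDocument(XMLSignatureFactory fac, Document unsigned,
                                     PrivateKey key, X509Certificate cert, String sigId) throws Exception {
        Document copy = (Document) unsigned.cloneNode(true);          // the copy contains no Signature yet
        Reference ref = fac.newReference("",                             // URI="" = the whole document
                fac.newDigestMethod(DIGEST_ALG, null),
                Arrays.asList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                              fac.newTransform(EXC_C14N, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(EXC_C14N, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SIG_ALG, null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(
                kif.newX509Data(Collections.singletonList(cert))));     // certificate goes into ds:X509Data
        DOMSignContext ctx = new DOMSignContext(key, sgntrSt(copy));    // Signature is appended under SgntrSt
        ctx.setDefaultNamespacePrefix("ds");
        fac.newXMLSignature(si, ki, null, sigId, null).sign(ctx);
        return (Element) sgntrSt(copy).getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
    }

    public static void main(String[] args) throws Exception {
        // usage (placeholders): DoubleEnvelopedSigner unsigned.xml signed.xml alias1 alias2 password
        JCPXMLDSigInit.init();                                           // registers the GOST URIs for XMLDSig
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM", new XMLDSigRI());
        KeyStore ks = KeyStore.getInstance("HDImageStore");             // JCP key store, see the note above
        ks.load(null, null);

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                     // required: the message uses namespaces
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document message = dbf.newDocumentBuilder().parse(new FileInputStream(args[0]));

        String[] aliases = { args[2], args[3] };
        List<Element> signatures = new ArrayList<>();
        for (int i = 0; i < aliases.length; i++) {
            PrivateKey key = (PrivateKey) ks.getKey(aliases[i], args[4].toCharArray());
            X509Certificate cert = (X509Certificate) ks.getCertificate(aliases[i]);
            signatures.add(signWholeDocument(fac, message, key, cert, "sigID" + (i + 1)));
        }
        // Only now do the Signature elements enter the message, so neither digest includes the other one.
        for (Element sig : signatures) {
            sgntrSt(message).appendChild(message.importNode(sig, true));
        }
        TransformerFactory.newInstance().newTransformer()
                .transform(new DOMSource(message), new StreamResult(new FileOutputStream(args[1])));
    }
}
```

Both signatures reference the whole document (URI="") with the enveloped-signature transform, but that transform removes only the Signature element that contains it. Because each signature is computed on a copy of the message that contains no Signature at all and both are inserted afterwards, the second does not cover the first, as the rule above requires. A verifier has to reproduce the same view: before validating one Signature, remove its sibling Signature elements from SgntrSt, otherwise the digest over the document will not match.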
Example of an account statement request (camt.060) with a signature
<?xml version="1.0" encoding="UTF-8"?>
<p:Document xmlns:p="urn:iso:std:iso:20022:tech:xsd:camt.060.001.03" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:iso:std:iso:20022:tech:xsd:camt.060.001.03">
    <p:AcctRptgReq>
        <p:GrpHdr>
            <p:MsgId>MSG_20170830_test_55</p:MsgId>
            <p:CreDtTm>2017-05-26T12:00:00</p:CreDtTm>
        </p:GrpHdr>
        <p:RptgReq>
            <p:Id>REQ_20170830_test_55</p:Id>
            <p:ReqdMsgNmId>HMQSTASCF</p:ReqdMsgNmId>
            <p:Acct>
                <p:Id>
                    <p:Othr>
                        <p:Id>40702810200000000083</p:Id>
                    </p:Othr>
                </p:Id>
            </p:Acct>
            <p:AcctOwnr>
                <p:Pty>
                    <p:Nm>ООО "Тест Альфа-Линк"</p:Nm>
                </p:Pty>
            </p:AcctOwnr>
            <p:RptgPrd>
                <p:FrToDt>
                    <p:FrDt>2017-02-23</p:FrDt>
                    <p:ToDt>2017-02-23</p:ToDt>
                </p:FrToDt>
                <p:FrToTm>
                    <p:FrTm>00:00:00</p:FrTm>
                    <p:ToTm>24:00:00</p:ToTm>
                </p:FrToTm>
                <p:Tp>ALLL</p:Tp>
            </p:RptgPrd>
        </p:RptgReq>
        <p:RptgReq>
            <p:Id>REQ_20170830_test_56</p:Id>
            <p:ReqdMsgNmId>HMQSTASCF</p:ReqdMsgNmId>
            <p:Acct>
                <p:Id>
                    <p:Othr>
                        <p:Id>40702810100000000921</p:Id>
                    </p:Othr>
                </p:Id>
            </p:Acct>
            <p:AcctOwnr>
                <p:Pty>
                    <p:Nm>ООО "Тест Альфа-Линк"</p:Nm>
                </p:Pty>
            </p:AcctOwnr>
            <p:RptgPrd>
                <p:FrToDt>
                    <p:FrDt>2017-02-23</p:FrDt>
                    <p:ToDt>2017-02-23</p:ToDt>
                </p:FrToDt>
                <p:FrToTm>
                    <p:FrTm>00:00:00</p:FrTm>
                    <p:ToTm>24:00:00</p:ToTm>
                </p:FrToTm>
                <p:Tp>ALLL</p:Tp>
            </p:RptgPrd>
        </p:RptgReq>
        <p:SplmtryData>
            <p:Envlp>
                <SgntrSt>
                    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sigID1">
                        <ds:SignedInfo>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                            <ds:SignatureMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34102012-gostr34112012-256"/>
                            <ds:Reference URI="">
                                <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </ds:Transforms>
                                <ds:DigestMethod Algorithm="urn:ietf:params:xml:ns:cpxmlsec:algorithms:gostr34112012-256"/>
                                <ds:DigestValue>Xv/EW5v1khoK3nKbs3GVK5JtFW6Ij4sl7i17Vk+zkhA=</ds:DigestValue>
                            </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>dPJn/pPMbY3If7iThchSUnhLiCv40FMiOkxxBtQ3gKtCAi2xvHq0u17xsLCQr5nVW13PG02+8SsKF0ohqv+gug==</ds:SignatureValue>
                        <ds:KeyInfo>
                            <ds:X509Data>
                                <ds:X509Certificate>…</ds:X509Certificate>
                            </ds:X509Data>
                        </ds:KeyInfo>
                    </ds:Signature>
                </SgntrSt>
            </p:Envlp>
        </p:SplmtryData>
    </p:AcctRptgReq>
</p:Document>

Getting test certificates

To issue a test certificate:

  1. Open https://www.cryptopro.ru/certsrv/certrqma.asp

  2. Answer "Yes" to the prompt asking whether to allow this operation.

  3. Fill in all fields (in Latin letters):

    • Name (the certificate holder)

    • E-mail

    • Organization

    • Division

    • City

    • State

    • Country (RU)

    • Key usage: Signature

    • Container name (chosen by the user)

  4. Click "Issue".

  5. A CryptoPro CSP window appears with a choice of key medium. Choose where the key will be stored (if the key is kept on the computer, select the "Personal" folder).

  6. Biological random number sensor: move the mouse randomly inside the window until the progress bar is full.

  7. Click "Install this certificate".

  8. Enter the password.

  9. A folder with the keys is saved on the medium.

To export the certificate (public key):

  1. Open the CryptoPro "Certificates" tool.

  2. Go to "Certificates - Current User" → "Personal" → "Certificates".

  3. Find the certificate by its name.

  4. Open the "Certificate Export Wizard" (right-click the certificate and choose "All tasks" → "Export...").

  5. Click "Next". Select "No, do not export the private key" and click "Next".

  6. Select "DER encoded binary X.509 (.CER)" and click "Next".

  7. Click "Browse", choose the directory and the file name, click "Save", then click "Next".

  8. Click "Finish".

  9. The export is complete.

  10. Send the exported certificate (public key) as a .zip archive to akopyltsova@alfabank.ru with the subject "Connecting to the Host-to-host test stand".