Using PKCS#11 cryptographic token mechanisms on the Android platform

The time has come to use PKCS#11 cryptographic mechanisms on the Android platform. Someone might object that there are no hardware tokens for Android. Even if that is so, it is only a temporary state of affairs, and today you can already use a software token or a cloud token. Since the cryptoarmpkcs-A utility is developed for Android with AndroWish in the Tcl/Tk scripting language, the TclPKCS11 package, version 1.0.1, is used to connect tokens.

No changes to the package itself were required. All that was done was to add to the project a script that builds the package's C library for Android, together with the resulting library. The libraries of the ls11sw2016 software token and the ls11cloud cloud token for the various platforms were added to the same project.
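To show what "connecting a token" through TclPKCS11 amounts to at the script level, here is an added example; it is not code from cryptoarmpkcs-A or from the TclPKCS11 package. It assumes the base TclPKCS11 commands (loadmodule, listslots, login, listcerts, logout, unloadmodule), that listslots returns {slotId label flags} triples whose flags include TOKEN_PRESENT and LOGIN_REQUIRED, that listcerts returns tcllib ::pki::x509 certificate dicts extended with pkcs11_id, and that the library path and PIN are placeholders you replace:

```tcl
# Added example (not code from cryptoarmpkcs-A): open a PKCS#11 module with
# TclPKCS11, find slots with a token present, log in and list the certificates.
package require pki
package require pki::pkcs11

# Assumed path to the ls11sw2016 library; adjust for your Android/Linux build.
set libpath "/data/data/tk.tcl.wish/files/libls11sw2016.so"

proc list_token_certs {libpath userpin} {
    # loadmodule returns an opaque handle that every other command takes
    set handle [::pki::pkcs11::loadmodule $libpath]
    set result [list]
    # listslots is assumed to return a list of {slotId label flags} triples
    foreach slot [::pki::pkcs11::listslots $handle] {
        lassign $slot slotid label flags
        if {"TOKEN_PRESENT" ni $flags} {
            continue
        }
        # private objects become visible only after C_Login with the user PIN
        if {"LOGIN_REQUIRED" in $flags} {
            if {[catch {::pki::pkcs11::login $handle $slotid $userpin} err]} {
                puts stderr "slot $slotid ($label): login failed: $err"
                continue
            }
        }
        foreach cert [::pki::pkcs11::listcerts $handle $slotid] {
            # each entry is a ::pki::x509 certificate dict plus pkcs11_* keys
            lappend result [list $slotid [dict get $cert subject] [dict get $cert pkcs11_id]]
        }
        catch {::pki::pkcs11::logout $handle $slotid}
    }
    ::pki::pkcs11::unloadmodule $handle
    return $result
}

# The PIN is a placeholder for illustration only; a real application prompts for it
# and never stores it in the script.
foreach entry [list_token_certs $libpath "12345678"] {
    lassign $entry slotid subject id
    puts "slot $slotid: $subject (CKA_ID $id)"
}
```

Two points matter in practice: check TOKEN_PRESENT before touching a slot, because a PKCS#11 module may report empty slots, and treat a failed login as a per-slot condition rather than aborting, since after several wrong PINs most tokens lock the user PIN.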

The rest is simple. Buttons for selecting the working token were added to the second window:

  • the ls11sw2016 software token;
  • the ls11cloud cloud token;
  • any other PKCS#11 token.



By default, the software token is connected. If it has not been created yet, you will be prompted to initialize it. Recall that token initialization (C_InitToken in PKCS#11 terms, which also destroys any objects already on the token) consists of assigning a label and setting the user PIN:



Note that the software token is designed in accordance with the recommendations of PKCS#11 v2.40 and TK-26 (the Russian technical committee for cryptography standardization). To get complete information about the token, including the supported cryptographic mechanisms, click the "About the token and its cryptography" button in the main menu ("Functional"). Today, not a single hardware token with support for Russian cryptography has this functionality:



The question arises: how to install a personal certificate on the token. There are two options. The first is to import the certificate together with its key pair from a PKCS#12 container (the "Work with PKCS12/PFX" button):



The second option is to create a certificate request (PKCS#10). This option (the "Request for Certificate" function) generates the key pair directly on the token, so, unlike PKCS#12 import, the private key never exists outside it:



Now the request can be saved to a flash drive and taken, together with the documents for the certificate, to a certification authority. If the certificate is for testing or in-house use, the CAFL63 utility can also be used to issue it. The received certificate is imported to the token on the "View Request/Certificate" tab:



Now you can sign documents with the certificates stored on the token using the "Sign a document" tab.

In the next article we will describe how to connect to a cloud token. The question of moving certificate issuance functions to the mobile platform remains open. Is there a need for this?

The updated version of the cryptoarmpkcs-A utility for the Android platform can be downloaded here:


P.S. Saving the log


To build the package, the bones utility from the AndroWish SDK is used. After the package is built successfully, the "Install & run" button appears; clicking it opens a log window that shows the output of adb logcat (the Android Debug Bridge logging facility). The drawback of this window is that it is hard to find an error message in it, especially with the "V" (verbose) flag turned on. Therefore a "Save" button was added, which saves the log to the file /tmp/logBone.txt (on Linux):



This button greatly simplified debugging the application.

To add the button, insert the following code into the bones file after line 2591, so that the "Save" button sits between the existing "Clear" and "Run" buttons:

    ttk::button $l.frame.clear -text "Clear" -width 6 \
        -command [list adb_logcat_clear $l.text]
    # added: save the contents of the log text widget to a file
    ttk::button $l.frame.save -text "Save" -width 6 \
        -command [list adb_logcat_save $l.text]

    ttk::button $l.frame.run -text "Run" -width 6 \
        -command [list adb_logcat_run $l]

The save command adb_logcat_save has the form:

proc adb_logcat_save {text} {
    # $text is the path of the Tk text widget that displays adb logcat output;
    # "1.0 end" takes everything in it
    set tt [$text get 1.0 end]
    set file "/tmp/logBone.txt"
    file delete -force $file
    # write as binary so that the log bytes are stored exactly as received
    set fd [open $file w]
    chan configure $fd -translation binary
    puts -nonewline $fd $tt
    close $fd
}
