EDS - Isn't It That Easy?

published October 22, 2019

In June 2016, we began work on a large project, "Tengri Wallet," which was ordered by Kazakhstan Tengri Bank.
Our Middle Full Stack Developer Andrey Shmelev will help us tell about a small part of this project.

For several years now, the Government of Kazakhstan has been working on the introduction of electronic public services. Now, most certificates, contracts, and certificates can be issued through the e-Government Portal.

I think you know from your own experience that receiving any public service is always accompanied by the collection and signing of a large number of documents. You should always be prepared for the fact that you will need to confirm your identity. For this purpose, the use of an electronic digital signature (EDS) was legally fixed a long time ago. The basic wording on the use of EDS: "EDS is equivalent to a handwritten signature."
Carrying out banking operations is always accompanied by a large number of documents that need to be signed both by the bank itself and its customers.

So, from the very beginning, Tengri Bank planned to create a web-based tool that would allow their customers to receive the necessary banking services via the Internet. This tool was intended to help the bank's customers manage their business more effectively. With its appearance, people would no longer have to go to the bank branch, stand in line, and fill out a large number of documents. The development team was tasked with creating an electronic wallet that would provide customers with easy access to various payments, from utility bills to online purchases.

The ability to make payments lies with the AvangardPlat service. This is a state structure, the only provider of such services in the Republic of Kazakhstan. The key phrase is "state structure."

Twelve developers and two managers began work on the project, and part of the team temporarily moved to work in Kazakhstan.
Since the project to develop the banking system is quite large, in this article we will talk about the introduction of the electronic digital signature in the project.

So, the team arrived in Almaty ...
Vadim Glebov
In 2016, he was the project manager for Tengri Bank.
Currently, he is a Teamlead for the mobile back-end team of the project.
Andrei Shmelev
Middle Full Stack Developer at Attractor Software
Vadim Glebov introduced the Tengri Bank development team before the first meeting, and then we started planning tasks. During the planning, he noted that very soon we were going to integrate with AvangardPlat, for which it was time to prepare, and that at about that moment the introduction of the digital signature in the project would come. Here I was wary. Vadim said, "Andrey will probably take care of this," and my evil forebodings intensified.

At first, the task looked exciting and straightforward. I had to find specifications on the use of digital signature in XML, understand this process, and make a prototype. I have been doing this for a while. In the course of the work, two things became clear: first, the signature gives the file legal force (this was understandable before); second, since the project is for the Republic of Kazakhstan, the name and all accompanying procedures must be carried out in accordance with local laws. It was time for chaos ...
The legislation of the Republic of Kazakhstan defines the criteria for digital signatures in the form of GOSTs, and one of the mandatory standards was the use of a certified "cryptographic provider." This is a program that can encrypt information in accordance with GOSTs and has passed the test in the National Security Service. That would not be a problem, but ...

The desired archive was received only after a while. Getting it is not an easy task. Library folders for Java, PHP, and something similar to Linux libraries finally fell into the hands of developers. As it turned out later, there were examples of using code for Java and PHP in the archive, but there were no examples of using libraries for some reason.

The study of the information that the team received did not bring useful and impressive results. In the source codes, there were references to the desired encryption algorithms, but these libraries did not provide the necessary functionality. The team had to research the libraries under Linux "by touch" and independently find solutions.

Judging by the name, it was clear that these libraries belong to OpenSSL. And OpenSSL is a guarantee of modern security on the Internet, with a long history and a large community. However, while knowing a couple of commands is usually enough to ensure it, here they had to dive deeper immediately.

Andrei Shmelev
Middle Full Stack Developer at Attractor Software
It's fun to read the OpenSSL code. It looks like a device from the USSR - monumental, sometimes frightening, but reliable and doing its job at all costs.

Studies found that what had come into my hands were some modules that extend the original OpenSSL functionality, but with one "but": OpenSSL did not start. The developers of this product were silent. Then it was decided to use the libraries as is, that is, to recreate the reduced initialization mechanism used in OpenSSL, albeit with truncated functionality. It was relatively difficult, but it was worth it: we got a prototype with essential functions, using the right libraries, and able to encrypt information with the right algorithm.
The solution was quite complicated, and it came down to using C language constructs in conjunction with Ruby, and where there is C, there are the specific problems and development features of that language. It was an exciting experience for the team because before that, they had not had to dive so deeply into the low-level layers of such a familiar language as Ruby.
As you dive into the code, the amount of documentation available decreases.

This was followed by a fascinating procedure of checking the algorithms: the correctness of creating a digest, the process for working with keys, modifying XML documents in accordance with the established standard, and much more, too much to list. Once the team had checked everything itself, it was time to review the work done on the AvangardPlat test server.
Andrei Shmelev
Middle Full Stack Developer at Attractor Software
It was a very long process, as one extra or missing character led to errors due to non-compliance with standards. During this period, we worked together with the developers of AvangardPlat. Along the way, I tried to run OpenSSL in the usual way, then to reuse the functions of certificate verification (yes, certificates also required a particular algorithm). One night it succeeded, and a new prototype was written, which is much easier to maintain than a hybrid of C and Ruby. Of course, the task would not have been solved without the help of the team, and it was an enjoyable experience working with such developers.
After this improvement, the integration process went almost lightning fast. Our messages now met all criteria, and responses from AvangardPlat were also carefully checked according to standards. Tengri got the opportunity to make payments for all kinds of services, utilities, and dozens of others. The project went on alert.
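The digest checks and the "one extra or missing character" failures described above come from how XML signatures hash a canonical form of the document. The following is an added example, not the project's code: it assumes an XML Signature style digest, uses Python's standard-library C14N 2.0 canonicalizer and SHA-256 as stand-ins for the canonicalization method and GOST digest the project was required to use, and runs on constructed sample documents.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample documents (not real AvangardPlat messages).
SIGNED = '<payment id="42" currency="KZT"><amount>1500.00</amount><note></note></payment>'
# Same information, different bytes: attribute order, quoting, spacing in tags, <note/>.
EQUIVALENT = "<payment currency='KZT'  id=\"42\" ><amount>1500.00</amount><note/></payment >"
# One extra character inside element content: a trailing space after the amount.
TAMPERED = '<payment id="42" currency="KZT"><amount>1500.00 </amount><note></note></payment>'


def _b64_sha256(data: bytes) -> str:
    # SHA-256 is a stand-in (assumption); the project needed a GOST digest.
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def raw_digest(xml_text: str) -> str:
    """Digest of the bytes exactly as serialized, with no canonicalization."""
    return _b64_sha256(xml_text.encode("utf-8"))


def canonical_form(xml_text: str) -> str:
    """C14N 2.0: sorts attributes, normalizes quoting and expands empty elements."""
    return ET.canonicalize(xml_data=xml_text)


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical form, the way a signature's DigestValue is built."""
    return _b64_sha256(canonical_form(xml_text).encode("utf-8"))


def reference_matches(xml_text: str, expected_digest: str) -> bool:
    """Verifier-side check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(canonical_digest(xml_text), expected_digest)


if __name__ == "__main__":
    expected = canonical_digest(SIGNED)
    print("canonical form :", canonical_form(SIGNED))
    print("raw digests equal for equivalent XML :", raw_digest(SIGNED) == raw_digest(EQUIVALENT))
    print("equivalent XML verifies :", reference_matches(EQUIVALENT, expected))
    print("one extra space verifies :", reference_matches(TAMPERED, expected))
```

Canonicalization absorbs differences in markup syntax only; whitespace inside element content is data, so the single added space still changes the digest and verification fails.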
Andrei Shmelev
Middle Full Stack Developer at Attractor Software
Unfortunately, the need to work with the developers of the state crypto provider was a source of stress and the cause of the problem for the entire Tengri project. Perhaps this structure did not rely on people.

I want to note that the main thing in any project is people. Plans, procedures, standards, and technologies are all secondary. People should always come first. And if good people surround you, you can solve any problem. This was indicative if you take the Tengri development team.
In April 2017, the application became available for all customers of the bank.

Tengri wallet is a bank payment system that is integrated with the national payment system, the interaction with which is carried out using an electronic digital signature.

Now users of the system are paying with electronic currency, which is backed by the issuer's bank money. The system allows you to keep track of purchases and sales of electronic cash by individuals, suppliers, and sellers of electronic money. One of the strengths of the system is its ability to answer questions: how much electronic money is in the order and how much you need to keep in an individual account to the issuing bank of real money. As part of the project, a "continuous delivery" process was set up.

"Tengri wallet" is one of the most advanced payment systems in Kazakhstan.

Worked on the article:
Middle Full Stack Developer
Maria Ilchenko
PR and Event Manager