Disclaimer: This is a system in development. That is, the specification may change without notice. |
Appendix A: | Sample Run |
Appendix B: | Acknowledgements |
Appendix C: | References |
Appendix D: | Document History |
Appendix E: | Author |
"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away" |
Antoine de Saint-Exupéry |
Invocation | Protocol invocation. During this step the user should be alerted by a browser-defined dialog telling what is supposed to happen, as well as providing an option for aborting the process. In addition, the issuer may perform a client platform capability query. |
ProvisioningInitialization | Creation of a shared session key securing the rest of the interactions between the issuer and the SKS. To support future updates of provisioned credentials, the issuer may also provide a keyManagementKey. |
CredentialDiscovery | Optional: Issuer lookup of already provisioned SKS credentials. This is primarily used when keys need to be updated or unlocked. |
KeyCreation | Creation of asymmetric key pairs in the SKS. If user-defined PINs are to be set, this is carried out during KeyCreationRequest. After key pairs have been created the public keys are sent to the issuer for certification. |
ProvisioningFinalization | Deployment of credentials and associated attributes as well as key management operations are performed in this step. Finally the session is terminated. If the operation is successful, a cryptographic proof is returned to the issuer. |
application/json
Since KeyGen2 is to be regarded as an intrinsic part of the browser, HTTP cookies must be handled as for other HTTP requests.
abortProvisioningSession).
postUnlockKey, postDeleteKey, postUpdateKey and postCloneKeyProtection.
In the case the exact key is not known in advance, you must include a key discovery sequence as described in [SKS] Appendix D, Remote Key Lookup.
window object which was used during invocation.
Property selection 1 | Type selection 1 | Req | Comment selection 1 |
Property selection 2 | Type selection 2 | Comment selection 2 |
Type | Mapping | Description |
---|---|---|
bool | true|false | Boolean |
ushort | number | Unsigned two-byte integer |
uint | number | Unsigned four-byte integer |
bigint | string | Base10-encoded integer with arbitrary precision |
string | string | Arbitrary string |
uri | string | URI [RFC3986] |
id | string | Identifier which must consist of 1-32 characters, where each character is in the range '!' - '~' (0x21 - 0x7e). |
byte[] | string | Base64URL-encoded [RFC4648] binary data |
time | string | Date-time string in ISO format YYYY-MM-DDThh:mm:ss{ms}tz where ms is an optional field consisting of '.' followed by 1-3 digits, while tz is either 'Z' or ±hh:mm . |
object | {} | JSON object |
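
The type mappings above translate directly into input checks that an issuer or client can run before a message reaches any cryptographic code. The following is an added example, not code from the KeyGen2 specification or the OpenKeyStore project; the function names, the rejection of unknown properties, unpadded Base64URL, and the `bigint` sign and leading-zero handling are assumptions made here.

```javascript
// Added example: validators for the KeyGen2 JSON type mappings in the table above.
const KEYGEN2_CONTEXT = 'https://webpki.github.io/keygen2#20190318';
const TIME_RE = /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(\.\d{1,3})?(Z|[+-](\d\d):(\d\d))$/;

function daysInMonth(y, m) {
  if (m === 2) return (y % 4 === 0 && (y % 100 !== 0 || y % 400 === 0)) ? 29 : 28;
  return [4, 6, 9, 11].includes(m) ? 30 : 31;
}

// time: YYYY-MM-DDThh:mm:ss{ms}tz, checking field ranges as well as the shape.
function isTime(v) {
  const m = typeof v === 'string' ? TIME_RE.exec(v) : null;
  if (!m) return false;
  const [y, mo, d, h, mi, s] = m.slice(1, 7).map(Number);
  if (mo < 1 || mo > 12 || d < 1 || d > daysInMonth(y, mo)) return false;
  if (h > 23 || mi > 59 || s > 59) return false;
  return m[8] === 'Z' || (Number(m[9]) <= 23 && Number(m[10]) <= 59);
}

const CHECKS = {
  bool: v => typeof v === 'boolean',
  ushort: v => Number.isInteger(v) && v >= 0 && v <= 0xffff,
  uint: v => Number.isInteger(v) && v >= 0 && v <= 0xffffffff,
  // Assumption: optional minus sign, no leading zeros.
  bigint: v => typeof v === 'string' && /^(0|-?[1-9][0-9]*)$/.test(v),
  string: v => typeof v === 'string',
  // Shallow check only: a scheme followed by non-whitespace characters.
  uri: v => typeof v === 'string' && /^[A-Za-z][A-Za-z0-9+.-]*:\S*$/.test(v),
  // 1-32 characters, each in the range '!' - '~' (0x21 - 0x7e).
  id: v => typeof v === 'string' && /^[!-~]{1,32}$/.test(v),
  // Assumption: Base64URL without '=' padding; a length of 4n+1 cannot be valid.
  'byte[]': v => typeof v === 'string' && /^[A-Za-z0-9_-]*$/.test(v) && v.length % 4 !== 1,
  time: isTime,
  object: v => v !== null && typeof v === 'object' && !Array.isArray(v),
};

// InvocationRequest rows from this page: [type, M|O, fixed value].
// A one-element array type stands for a "1-n" list.
const INVOCATION_REQUEST = {
  '@context': ['uri', 'M', KEYGEN2_CONTEXT],
  '@qualifier': ['string', 'M', 'InvocationRequest'],
  serverSessionId: ['id', 'M'],
  action: ['string', 'M'],
  privacyEnabled: ['bool', 'O'],
  preferredLanguages: [['string'], 'O'],
  targetKeyContainers: [['string'], 'O'],
  clientCapabilityQuery: [['uri'], 'O'],
};

const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Returns a list of error strings; an empty list means the message passed.
function validate(msg, schema) {
  const errors = [];
  for (const [name, [type, req, fixed]] of Object.entries(schema)) {
    if (!has(msg, name)) {
      if (req === 'M') errors.push(`${name}: missing mandatory property`);
      continue;
    }
    const value = msg[name];
    if (Array.isArray(type)) {
      if (!Array.isArray(value) || value.length === 0) {
        errors.push(`${name}: expected a non-empty list`);
      } else {
        value.forEach((e, i) => {
          if (!CHECKS[type[0]](e)) errors.push(`${name}[${i}]: not a valid ${type[0]}`);
        });
      }
    } else if (!CHECKS[type](value)) {
      errors.push(`${name}: not a valid ${type}`);
    } else if (fixed !== undefined && value !== fixed) {
      errors.push(`${name}: expected "${fixed}"`);
    }
  }
  // Assumption: properties not declared in the table are rejected.
  for (const name of Object.keys(msg)) {
    if (!has(schema, name)) errors.push(`${name}: unknown property`);
  }
  return errors;
}

// Constructed sample messages (not taken from the specification's sample run).
const SAMPLE_OK = {
  '@context': KEYGEN2_CONTEXT,
  '@qualifier': 'InvocationRequest',
  serverSessionId: 'srv-4f2a9c',
  action: 'ACTION-PLACEHOLDER', // the valid constants are not listed on this page
  privacyEnabled: false,
  preferredLanguages: ['en', 'sv'],
  clientCapabilityQuery: ['https://webpki.github.io/sks/algorithm#ec.nist.p256'],
};
const SAMPLE_BAD = {
  ...SAMPLE_OK,
  serverSessionId: 'srv 4f2a9c', // contains 0x20, outside the id range
  privacyEnabled: 'false',       // string instead of JSON boolean
  preferredLanguages: [],        // "1-n" lists need at least one element
  debug: true,                   // not declared for InvocationRequest
};
console.log(validate(SAMPLE_BAD, INVOCATION_REQUEST));
```
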
InvocationRequest | |||
Property | Type | Req | Comment |
---|---|---|---|
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "InvocationRequest" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | The serverSessionId must remain constant for the entire session. |
"action": " action" | string | M | The action property gives (through a suitable GUI dialog) the user a hint of what the session in progress is about to perform. The valid constants are:
|
"privacyEnabled": " privacyEnabled" | bool | O | Optional: The "privacyEnabled" flag is used to set mode during ProvisioningInitializationRequest. See SKS:createProvisioningSession.privacyEnabled. Note: The default value is false. |
"preferredLanguages": [" preferredLanguages" ] 1-n | string | O | Optional: List of preferred languages using ISO 639-1 two-character notation. |
"targetKeyContainers": [" targetKeyContainers" ] 1-n | string | O | Optional: List of target key container types. The elements may be:
targetKeyContainers is undefined the provisioning client is supposed to use the system's 'native' keystore. |
"clientCapabilityQuery": [" List of URIs" ] 1-n | uri | O | Optional: List of URIs signifying client (platform) capabilities. The response (clientCapabilities) must contain the same URIs (in any order). Note that capabilities may refer to algorithms or specific extensions (see SKS:addExtension), as well as to non-SKS items. Another possible use of this feature is for signaling support for extensions in the protocol itself while keeping the name-space etc. intact. If requested capabilities are considered as privacy sensitive, a conforming implementation should ask for the user's permission to disclose them. Device-specific data like IMEI numbers must not be requested in the privacyEnabled mode. The following client attribute URIs are pre-defined:
|
InvocationResponse | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "InvocationResponse" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | string | M | Copy of serverSessionId from InvocationRequest. |
"clientCapabilities": [clientCapability] 1-n | object | O | List of capabilities including algorithms, specific features, dynamic or static data, and preferred image sizes. |
ProvisioningInitializationRequest | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "ProvisioningInitializationRequest" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"serverTime": " serverTime" | time | M | Server time which the client should verify as a "sanity" check. |
"sessionKeyAlgorithm": "https://webpki.github.io/sks/algorithm#session.1" | uri | M | See SKS:createProvisioningSession.sessionKeyAlgorithm . |
"sessionKeyLimit": sessionKeyLimit | ushort | M | See SKS:createProvisioningSession.sessionKeyLimit . |
"sessionLifeTime": sessionLifeTime | uint | M | See SKS:createProvisioningSession.sessionLifeTime . |
"serverEphemeralKey": " serverEphemeralKey" | object | M | EC public key in JSF [JSF] "publicKey" format. See SKS:createProvisioningSession.serverEphemeralKey. For EC curve support see Elliptic Curve Support. |
"keyManagementKey": " keyManagementKey" | object | O | Optional: RSA or EC public key in JSF [JSF] "publicKey" format, dedicated for key management. See SKS:createProvisioningSession.keyManagementKey. For EC curve support see Elliptic Curve Support. |
"updatableKeyManagementKeys": [updatableKeyManagementKey] 1-n | object | O | Optional: List of the previous generation of key management keys. |
ProvisioningInitializationResponse | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "ProvisioningInitializationResponse" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"serverTime": " serverTime" | time | M | Server time transferred verbatim from ProvisioningInitializationRequest. |
"clientTime": " clientTime" | time | M | See SKS:createProvisioningSession.clientTime . |
"clientEphemeralKey": " clientEphemeralKey" | object | M | EC public key in JSF [JSF] "publicKey" format, using an identical curve to serverEphemeralKey. See SKS:createProvisioningSession.clientEphemeralKey. For EC curve support see Elliptic Curve Support. |
"deviceId": deviceId | object | O | See SKS:createProvisioningSession . Note that this property is either required or forbidden depending on the value of privacyEnabled. |
"attestation": " attestation" | byte[] | M | See SKS:createProvisioningSession.attestation . |
CredentialDiscoveryRequest | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "CredentialDiscoveryRequest" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"lookupSpecifiers": [lookupSpecifier] 1-n | object | M | List of signed credential lookup specifiers. See SKS appendix "Remote Key Lookup" for details. |
CredentialDiscoveryResponse | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "CredentialDiscoveryResponse" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"lookupResults": [lookupResult] 1-n | object | M | List of credential lookup results. See SKS appendix "Remote Key Lookup" for details. |
KeyCreationRequest | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "KeyCreationRequest" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"keyEntryAlgorithm": "https://webpki.github.io/sks/algorithm#key.1" | uri | M | See SKS:createKeyEntry.keyEntryAlgorithm . |
"deferredIssuance": deferredIssuance | bool | O | Flag telling if the process should be suspended after KeyCreationResponse. Default value: false . See the action property in InvocationRequest. |
"pukPolicySpecifiers": [pukPolicySpecifier] 1-n | object | O | List of PUK policy objects to be created. See SKS:createPukPolicy . |
"pinPolicySpecifiers": [pinPolicySpecifier] 1-n | object | O | List of PIN policy objects to be created. See SKS:createPinPolicy . |
"keyEntrySpecifiers": [keyEntrySpecifier] 1-n | object | O | List of key entries to be created. See SKS:createKeyEntry . |
Due to the stateful MAC scheme featured in SKS, the properties beginning with pukPolicySpecifiers and ending with keyEntrySpecifiers , must be generated (by the issuer) and executed (by the SKS) in exactly the order they are declared in this table as well as in associated object arrays. | |||
KeyCreationResponse | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "KeyCreationResponse" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"generatedKeys": [generatedKey] 1-n | object | M | List of generated keys. See SKS:createKeyEntry . |
Due to the stateful MAC scheme featured in SKS, generatedKey must be encoded (by the SKS) and decoded (by the issuer) in exactly the same order (message wise) as they are encountered in the associated keyEntrySpecifiers (including those embedded by pinPolicySpecifiers). | |||
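
The ordering rule for KeyCreationRequest and KeyCreationResponse can be checked structurally on the issuer side before any attestation is processed. The sketch below is an added example, not code from the specification or from OpenKeyStore; the function names and sample identifiers are constructed, and the depth-first walk (PUK policies, then top-level PIN policies, then top-level key entries) is this example's reading of the two ordering notes above.

```javascript
// Added example: derive the key order an issuer declared in a KeyCreationRequest
// and verify that KeyCreationResponse.generatedKeys follows it exactly.

// Walk the request in declaration order: pukPolicySpecifiers (with their embedded
// pinPolicySpecifiers and keyEntrySpecifiers), then top-level pinPolicySpecifiers,
// then top-level keyEntrySpecifiers.
function expectedKeyIds(request) {
  const ids = [];
  const keys = list => (list || []).forEach(k => ids.push(k.id));
  const pins = list => (list || []).forEach(p => keys(p.keyEntrySpecifiers));
  (request.pukPolicySpecifiers || []).forEach(puk => pins(puk.pinPolicySpecifiers));
  pins(request.pinPolicySpecifiers);
  keys(request.keyEntrySpecifiers);
  return ids;
}

// Returns a list of error strings; an empty list means the response is in order.
function checkGeneratedKeys(request, response) {
  const errors = [];
  for (const field of ['serverSessionId', 'clientSessionId']) {
    if (request[field] !== response[field]) errors.push(`${field} mismatch`);
  }
  const expected = expectedKeyIds(request);
  if (new Set(expected).size !== expected.length) {
    errors.push('duplicate key id in request');
  }
  const got = (response.generatedKeys || []).map(g => g.id);
  if (got.length !== expected.length) {
    errors.push(`expected ${expected.length} generated keys, got ${got.length}`);
    return errors;
  }
  expected.forEach((id, i) => {
    if (got[i] !== id) errors.push(`position ${i}: expected ${id}, got ${got[i]}`);
  });
  return errors;
}

// Constructed sample: MACs, attestations and key attributes are left out because
// only the ordering is under test here.
const SAMPLE_REQUEST = {
  serverSessionId: 'srv-4f2a9c',
  clientSessionId: 'cli-77b1',
  pukPolicySpecifiers: [{
    id: 'PUK.1',
    pinPolicySpecifiers: [{
      id: 'PIN.1',
      keyEntrySpecifiers: [{ id: 'Key.1' }, { id: 'Key.2' }],
    }],
  }],
  pinPolicySpecifiers: [{ id: 'PIN.2', keyEntrySpecifiers: [{ id: 'Key.3' }] }],
  keyEntrySpecifiers: [{ id: 'Key.4' }],
};

const RESPONSE_IN_ORDER = {
  serverSessionId: 'srv-4f2a9c',
  clientSessionId: 'cli-77b1',
  generatedKeys: [{ id: 'Key.1' }, { id: 'Key.2' }, { id: 'Key.3' }, { id: 'Key.4' }],
};

// Same keys, but the first two are swapped.
const RESPONSE_SWAPPED = {
  ...RESPONSE_IN_ORDER,
  generatedKeys: [{ id: 'Key.2' }, { id: 'Key.1' }, { id: 'Key.3' }, { id: 'Key.4' }],
};

console.log(expectedKeyIds(SAMPLE_REQUEST));
console.log(checkGeneratedKeys(SAMPLE_REQUEST, RESPONSE_SWAPPED));
```
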
ProvisioningFinalizationRequest | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "ProvisioningFinalizationRequest" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"issuedCredentials": [issuedCredential] 1-n | object | O | Optional: List of issued credentials. See SKS:setCertificatePath . |
"unlockKeys": [unlockKey] 1-n | object | O | Optional: List of keys to be unlocked. See SKS:postUnlockKey . |
"deleteKeys": [deleteKey] 1-n | object | O | Optional: List of keys to be deleted. See SKS:postDeleteKey . |
"nonce": " nonce" | byte[] | M | See SKS:closeProvisioningSession . |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:closeProvisioningSession.mac. Due to the stateful MAC scheme featured in SKS, this mac must be the final one of a provisioning session both during encoding and decoding. |
Due to the stateful MAC scheme featured in SKS, the properties beginning with issuedCredentials and ending with deleteKeys , must be generated (by the issuer) and executed (by the SKS) in exactly the order they are declared in this table as well as in associated object arrays. | |||
ProvisioningFinalizationResponse | |||
Property | Type | Req | Comment |
"@context": "https://webpki.github.io/keygen2#20190318" | uri | M | KeyGen2 name space/version indicator. |
"@qualifier": "ProvisioningFinalizationResponse" | string | M | Actual KeyGen2 message type. |
"serverSessionId": " serverSessionId" | id | M | See SKS:createProvisioningSession.serverSessionId and InvocationRequest. |
"clientSessionId": " clientSessionId" | id | M | See SKS:createProvisioningSession.clientSessionId . |
"attestation": " attestation" | byte[] | M | See SKS:closeProvisioningSession . |
updatableKeyManagementKey | |||
Property | Type | Req | Comment |
"publicKey": " publicKey" | object | M | RSA or EC public key in JSF [JSF] "publicKey" format, containing a previous generation key management key. Note that SKS:updateKeyManagementKey.keyManagementKey refers to the new key management key specified in the object immediately above this updatableKeyManagementKey object. For EC curve support see Elliptic Curve Support. |
"authorization": " authorization" | byte[] | M | Authorization of the new key management key. See SKS:updateKeyManagementKey.authorization . |
"updatableKeyManagementKeys": [updatableKeyManagementKey] 1-n | object | O | Optional: List of the previous generation of key management keys. |
lookupSpecifier | |||
Property | Type | Req | Comment |
"id": " id" | id | M | Each specifier must have a unique "id" . |
"nonce": " nonce" | byte[] | M | Property holding a "nonce" object. See SKS appendix "Remote Key Lookup" for details. |
"searchFilter": searchFilter | object | O | Optional additional search conditions. Note that at least one search condition must be specified if this option is used. The result of each condition is combined through a logical AND operation. |
"signature": " signature" | object | M | JSF [JSF] "signature" object using a key management key signature covering the lookup specifier. Note that the "publicKey" property must be present. See SKS appendix "Remote Key Lookup" for more details. For maximum interoperability, RSA 2048-bit or EC P-256 signature keys should be used with SHA256 as the recommended hash method. |
searchFilter | |||
Property | Type | Req | Comment |
"fingerPrint": " fingerPrint" | byte[] | O | SHA256 fingerprint matching any certificate in the certificate path. |
"issuerRegEx": " issuerRegEx" | string | O | Regular expression matching any issuer in the certificate path. Issuer names are assumed to be expressed in LDAP [RFC4514] notation. |
"serialNumber": " serialNumber" | bigint | O | Serial number matching that of the end entity certificate. |
"subjectRegEx": " subjectRegEx" | string | O | Regular expression matching the subject in the end entity certificate. Subject names are assumed to be expressed in LDAP [RFC4514] notation. |
"emailRegEx": " emailRegEx" | string | O | Regular expression matching any of the e-mail addresses in the end entity certificate. Note that both RFC 822 subject attributes and subjectAltName fields are in scope. |
"policyRules": [" policyRules" ] 1-n | string | O | List of X.509 policy extension OIDs using the notation "1.4.3" and "-1.4.7" for a required and forbidden policy OID respectively. Policy OIDs encountered in end entity certificates that are not specified in policyRules must be ignored. |
"keyUsageRules": [" keyUsageRules" ] 1-n | string | O | List of X.509 key usage flags using the notation "digitalSignature" and "-dataEncipherment" for a required and forbidden key usage respectively. Key usage flags encountered in end entity certificates that are not specified in keyUsageRules must be ignored. The set of permitted flags includes:
|
"extendedKeyUsageRules": [" extendedKeyUsageRules" ] 1-n | string | O | List of X.509 extended key usage extension OIDs using the notation "1.4.3" and "-1.4.7" for a required and forbidden extended key usage respectively. Extended key usage OIDs encountered in end entity certificates that are not specified in extendedKeyUsageRules must be ignored. |
"issuedBefore": " issuedBefore" | time | O | Matching end entity certificates issued before this date. Note that you can combine this condition with an issuedAfter condition using an earlier date, effectively creating a time window. |
"issuedAfter": " issuedAfter" | time | O | Matching end entity certificates issued after this date. |
"grouping": " grouping" | string | O | Matching keys based on the SKS:createPinPolicy.grouping attribute. Note that keys that are not PIN-protected must always fail to match. |
"appUsage": " appUsage" | string | O | Matching keys based on the SKS:createKeyEntry.appUsage attribute. |
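
The searchFilter semantics above (required and forbidden rules with a "-" prefix, unmentioned values ignored, all conditions combined with AND) are easy to get subtly wrong on the client side. The following is an added example, not code from the specification or from OpenKeyStore. The `cred` object is a hypothetical, already-parsed view of a stored credential, its field names and sample values are constructed, and whole-string regular expression matching and the use of one `issued` timestamp per end entity certificate are assumptions.

```javascript
// Added example: evaluating a KeyGen2 searchFilter against one credential.

// Split ["1.4.3", "-1.4.7"] into required and forbidden values.
function parseRules(rules) {
  const required = new Set();
  const forbidden = new Set();
  for (const rule of rules) {
    const negated = rule.startsWith('-');
    const value = negated ? rule.slice(1) : rule;
    if (value === '') throw new Error(`empty rule: "${rule}"`);
    (negated ? forbidden : required).add(value);
  }
  return { required, forbidden };
}

// Values present in the certificate but not named by any rule are ignored.
function rulesMatch(rules, present) {
  const { required, forbidden } = parseRules(rules);
  const have = new Set(present);
  return [...required].every(v => have.has(v)) && ![...forbidden].some(v => have.has(v));
}

// Assumption: a regular expression has to match the whole name, not a substring.
const fullMatch = (source, text) => new RegExp(`^(?:${source})$`).test(text);

// One predicate per searchFilter property; (filter value, credential) => boolean.
const CONDITIONS = {
  fingerPrint: (v, c) => c.pathFingerprints.includes(v), // precomputed SHA256, Base64URL
  issuerRegEx: (v, c) => c.issuers.some(dn => fullMatch(v, dn)),
  serialNumber: (v, c) => BigInt(v) === BigInt(c.serialNumber),
  subjectRegEx: (v, c) => fullMatch(v, c.subject),
  emailRegEx: (v, c) => c.emails.some(e => fullMatch(v, e)),
  policyRules: (v, c) => rulesMatch(v, c.policies),
  keyUsageRules: (v, c) => rulesMatch(v, c.keyUsage),
  extendedKeyUsageRules: (v, c) => rulesMatch(v, c.extendedKeyUsage),
  issuedBefore: (v, c) => Date.parse(c.issued) < Date.parse(v),
  issuedAfter: (v, c) => Date.parse(c.issued) > Date.parse(v),
  // Keys that are not PIN-protected must always fail to match on grouping.
  grouping: (v, c) => c.pinProtected && c.grouping === v,
  appUsage: (v, c) => c.appUsage === v,
};

function matchesFilter(filter, cred) {
  const names = Object.keys(filter);
  if (names.length === 0) throw new Error('searchFilter must specify at least one condition');
  for (const name of names) {
    if (!Object.prototype.hasOwnProperty.call(CONDITIONS, name)) {
      throw new Error(`unknown condition: ${name}`);
    }
  }
  return names.every(name => CONDITIONS[name](filter[name], cred)); // logical AND
}

// Constructed sample data.
const FILTER = {
  subjectRegEx: 'CN=Alice,.*',
  policyRules: ['1.4.3', '-1.4.7'],
  keyUsageRules: ['digitalSignature', '-dataEncipherment'],
  issuedAfter: '2019-01-01T00:00:00Z',
  issuedBefore: '2020-01-01T00:00:00Z',
};
const CRED_A = {
  pathFingerprints: [],
  issuers: ['CN=Example Issuing CA,O=Example,C=SE'],
  serialNumber: '1234567890123456789012',
  subject: 'CN=Alice,O=Example,C=SE',
  emails: ['alice@example.com'],
  policies: ['1.4.3', '1.4.9'], // 1.4.9 is not named by any rule, so it is ignored
  keyUsage: ['digitalSignature'],
  extendedKeyUsage: [],
  issued: '2019-06-01T12:00:00Z',
  pinProtected: true,
  grouping: 'none',
  appUsage: 'example-usage', // placeholder value
};
const CRED_FORBIDDEN_POLICY = { ...CRED_A, policies: ['1.4.3', '1.4.7'] };
const CRED_OUTSIDE_WINDOW = { ...CRED_A, issued: '2020-06-01T12:00:00Z' };
const CRED_NO_PIN = { ...CRED_A, pinProtected: false };

console.log(matchesFilter(FILTER, CRED_A), matchesFilter(FILTER, CRED_FORBIDDEN_POLICY));
```
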
lookupResult | |||
Property | Type | Req | Comment |
"id": " id" | id | M | Each result must have a unique "id" matching the request. |
"matchingCredentials": [matchingCredential] 0-n | object | M | List of matching credentials. |
matchingCredential | |||
Property | Type | Req | Comment |
"serverSessionId": " serverSessionId" | string | M | serverSessionId of matching credential. |
"clientSessionId": " clientSessionId" | string | M | clientSessionId of matching credential. |
"certificatePath": [" Certificate Path" ] 1-n | byte[] | M | Certificate path having identical representation to "certificatePath" in JSF [JSF]. |
"locked": locked | bool | O | If this property is true the key associated with the credential is locked due to multiple PIN errors. The default value is false . See unlockKeys. |
pukPolicySpecifier | |||
Property | Type | Req | Comment |
"id": " id" | id | M | See SKS:createPukPolicy.id . |
"encryptedPuk": " encryptedPuk" | byte[] | M | See SKS:createPukPolicy.encryptedPuk . |
"retryLimit": retryLimit | ushort | M | See SKS:createPukPolicy.retryLimit . |
"format": " format" | string | M | See SKS:createPukPolicy.format . |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:createPukPolicy.mac . |
"pinPolicySpecifiers": [pinPolicySpecifier] 1-n | object | M | List of PIN policy objects to be created and controlled by this PUK policy. See SKS:createPinPolicy . |
pinPolicySpecifier | |||
Property | Type | Req | Comment |
"id": " id" | id | M | See SKS:createPinPolicy.id . |
"minLength": minLength | ushort | M | See SKS:createPinPolicy.minLength . |
"maxLength": maxLength | ushort | M | See SKS:createPinPolicy.maxLength . |
"retryLimit": retryLimit | ushort | M | See SKS:createPinPolicy.retryLimit . |
"format": " format" | string | M | See SKS:createPinPolicy.format . |
"userModifiable": userModifiable | bool | O | Flag with the default value true. See SKS:createPinPolicy.userModifiable. |
"grouping": " grouping" | string | O | Grouping specifier with the default value none. See SKS:createPINPolicy.grouping. |
"inputMethod": " inputMethod" | string | O | Input method specifier with the default value any. See SKS:createPinPolicy.inputMethod. |
"patternRestrictions": [" patternRestrictions" ] 1-n | string | O | List of pattern restrictions. See SKS:createPinPolicy.patternRestrictions. If this property is undefined, there are no PIN pattern restrictions. |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:createPinPolicy.mac . |
"keyEntrySpecifiers": [keyEntrySpecifier] 1-n | object | M | List of key entries to be created and controlled by this PIN policy. See SKS:createKeyEntry . |
keyEntrySpecifier | |||
Property | Type | Req | Comment |
"id": " id" | id | M | See SKS:createKeyEntry.id . |
"encryptedPin": " encryptedPin" | byte[] | O | See SKS:createKeyEntry.pinValue. Note that if this property is defined, the SKS:createPinPolicy.userDefined flag of the required embedding PIN policy is set to false, else it is set to true. Keys associated with a specific PIN policy must not mix user-defined and preset PINs. |
"enablePinCaching": enablePinCaching | bool | O | Flag with the default value false. See SKS:createKeyEntry.enablePinCaching. |
"devicePinProtection": devicePinProtection | bool | O | Flag with the default value false. See SKS:createKeyEntry.devicePinProtection. Note that this flag (if true) cannot be combined with PIN policy settings. |
"appUsage": " appUsage" | string | M | See SKS:createKeyEntry.appUsage . |
"keyAlgorithm": " keyAlgorithm" | uri | M | See SKS:createKeyEntry.keyAlgorithm. See also SKS "Algorithm Support". The currently recognized key algorithms include:
|
"keyParameters": " keyParameters" | byte[] | O | See SKS:createKeyEntry.keyParameters . |
"endorsedAlgorithms": [" List of URIs" ] 1-n | uri | O | See SKS:createKeyEntry.endorsedAlgorithms. See also SKS "Algorithm Support". Note that endorsed algorithm URIs must be specified in strict lexical order. The currently recognized algorithms include:
|
"serverSeed": " serverSeed" | byte[] | O | See SKS:createKeyEntry.serverSeed . If this property is undefined, it is assumed to be a zero-length array. |
"biometricProtection": " biometricProtection" | string | O | See SKS:createKeyEntry.biometricProtection . The default value is none . |
"deleteProtection": " deleteProtection" | string | O | See SKS:createKeyEntry.deleteProtection . The default value is none . |
"exportProtection": " exportProtection" | string | O | See SKS:createKeyEntry.exportProtection . The default value is non-exportable . |
"friendlyName": " friendlyName" | string | O | See SKS:createKeyEntry.friendlyName . |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:createKeyEntry.mac . |
generatedKey | |||
Property | Type | Req | Comment |
"id": " id" | id | M | The "id" property must match the identifier used in KeyCreationRequest for a specific key. |
"publicKey": " publicKey" | object | M | RSA or EC public key in JSF [JSF] "publicKey" format. See SKS:createKeyEntry.publicKey. For EC curve support see Elliptic Curve Support. |
"attestation": " attestation" | byte[] | M | See SKS:createKeyEntry.attestation . |
issuedCredential | |||
Property | Type | Req | Comment |
"id": " id" | id | M | See SKS:setCertificatePath.id. The "id" property must match the identifier used in KeyCreationRequest for a specific key. |
"certificatePath": [" Certificate Path" ] 1-n | byte[] | M | Certificate path having identical representation to "certificatePath" in JSF [JSF]. See SKS:setCertificatePath.certificate. |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:setCertificatePath.mac . |
"trustAnchor": trustAnchor | bool | O | Optional: Flag (with the default value false), which tells if certificatePath contains a user-installable trust anchor as well. Trust anchor installation is meant to be independent of SKS provisioning. |
"importSymmetricKey": importSymmetricKey | object | O | Optional: Import of raw symmetric key. See SKS:importSymmetricKey . |
"importPrivateKey": importPrivateKey | object | Optional: Import of private key in PKCS #8 [RFC5208] format. See SKS:importPrivateKey . | |
"updateKey": updateKey | object | O | Optional: See SKS:postUpdateKey . |
"cloneKeyProtection": cloneKeyProtection | object | Optional: See SKS:postCloneKeyProtection . | |
"extensions": [extension] 1-n | object | O | Optional: List of extension objects. See SKS:addExtension . |
"encryptedExtensions": [encryptedExtension] 1-n | object | O | Optional: List of encrypted extension objects. See SKS:addExtension . |
"propertyBags": [propertyBag] 1-n | object | O | Optional: List of property objects. See SKS:addExtension . |
"logotypes": [logotype] 1-n | object | O | Optional: List of logotype objects. See SKS:addExtension . |
Due to the stateful MAC scheme featured in SKS, the properties beginning with importSymmetricKey and ending with logotypes, must be generated (by the issuer) and executed (by the SKS) in exactly the order they are declared in this table as well as in associated object arrays. Note that credential ids are not guaranteed to be supplied in the same order as during the associated KeyCreationRequest. | |||
cloneKeyProtection, deleteKey, unlockKey, updateKey | |||
Property | Type | Req | Comment |
"fingerPrint": " fingerPrint" | byte[] | M | SHA256 fingerprint of target certificate. |
"serverSessionId": " serverSessionId" | string | M | For locating the target key. |
"clientSessionId": " clientSessionId" | string | M | For locating the target key. |
"authorization": " authorization" | byte[] | M | See "Target Key Reference" in the SKS reference. |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:post* methods.mac . |
encryptedExtension, extension | |||
Property | Type | Req | Comment |
"type": " type" | uri | M | Extension type URI. |
"extensionData": " extensionData" | byte[] | M | Extension data. |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:addExtension.mac . |
logotype | |||
Property | Type | Req | Comment |
"type": " type" | uri | M | Logotype type URI. |
"mimeType": " mimeType" | string | M | Logotype MIME type. |
"extensionData": " extensionData" | byte[] | M | Logotype image data. |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:addExtension.mac . |
propertyBag | |||
Property | Type | Req | Comment |
"type": " type" | uri | M | Property bag type URI. See SKS:addExtension . |
"properties": [property] 1-n | object | M | List of property values. See SKS:addExtension . |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:addExtension.mac . |
property | |||
Property | Type | Req | Comment |
"name": " name" | string | M | Property name. |
"value": " value" | string | M | Property value. |
"writable": writable | bool | O | Writable flag. Default is false . See SKS:setProperty . |
importPrivateKey, importSymmetricKey | |||
Property | Type | Req | Comment |
"encryptedKey": " encryptedKey" | byte[] | M | Encrypted key material. See SKS:import* methods.encryptedKey . |
"mac": " mac" | byte[] | M | Caller authentication. See SKS:import* methods.mac . |
clientCapability | |||
Property | Type | Req | Comment |
"type": " type" | uri | M | Client capability type URI. |
"supported": " supported" | bool | M | For non-parametric queries like algorithms this property tells if the type is supported or not. Unknown or unsupported query types must always return this attribute with the argument false . |
"values": [" values" ] 1-n | string | List of attribute data associated with type . | |
"imageAttributes": imageAttributes | object | List of client image preferences that the issuer may use for creating suitable logotype objects. Known logotypes include:
| |
imageAttributes | |||
Property | Type | Req | Comment |
"mimeType": " mimeType" | string | M | Image MIME type. |
"width": " width" | uint | M | Image width. |
"height": " height" | uint | M | Image height. |
deviceId | |||
Property | Type | Req | Comment |
"certificatePath": [" Certificate Path" ] 1-n | byte[] | M | Device certificate path having identical representation to "certificatePath" in JSF [JSF]. |
SKS Name | JWA Name |
---|---|
https://webpki.github.io/sks/algorithm#ec.nist.p256 | P-256 |
https://webpki.github.io/sks/algorithm#ec.nist.p384 | P-384 |
https://webpki.github.io/sks/algorithm#ec.nist.p521 | P-521 |
https://webpki.github.io/sks/algorithm#ec.secg.p256k1 | - |
https://webpki.github.io/sks/algorithm#ec.brainpool.p256r1 | - |
InvocationRequest
{
After a compatible browser has received this message, a dialog like the following is shown to the user:
InvocationResponse
{
When the server has received the response above, it creates an ephemeral EC key pair and returns the public part to the client together with other session parameters:
ProvisioningInitializationRequest
{
Next the client generates a matching ephemeral EC key pair and sends the public part back to the server including a client session-ID, key attestation, device-certificate, etc.:
ProvisioningInitializationResponse
{
After these message exchanges, the SKS and server (issuer) have established a shared session-key, which is used for securing the rest of the session through MAC and encryption operations. SKS API Reference: createProvisioningSession. In the sample a request for creating a key is subsequently returned to the client:
KeyCreationRequest
{
After the browser has received this message, a dialog like the following is shown to the user:
key pair is sent to the server for certification as shown in the response below. SKS API References: createPinPolicy, createKeyEntry.
KeyCreationResponse
{
The server responds by issuing a matching certificate including an associated logotype. SKS API References: setCertificatePath, addExtension.
ProvisioningFinalizationRequest
{
The finalization message will only be sent to the server if the previous steps were successful. SKS API Reference: closeProvisioningSession.
ProvisioningFinalizationResponse
{
Here the user is supposed to receive an issuer-specific web-page telling what to do next. See Termination Message.
Reference | Description |
---|---|
[JSF] | A. Rundgren, "JSF - JSON Signature Format", Work in progress, V0.82, October 2020. https://cyberphone.github.io/doc/security/jsf.html |
[OPENKEY] | "OpenKeyStore Project", https://github.com/cyberphone/openkeystore |
[RFC3986] | T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", RFC 3986, January 2005. https://tools.ietf.org/html/rfc3986 |
[RFC4210] | C. Adams, S. Farrell, T. Kause, T. Mononen, "Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)", RFC 4210, September 2005. https://tools.ietf.org/html/rfc4210 |
[RFC4514] | K. Zeilenga, "Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names", RFC 4514, June 2006. https://tools.ietf.org/html/rfc4514 |
[RFC4648] | S. Josefsson, "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. https://tools.ietf.org/html/rfc4648 |
[RFC5208] | B. Kaliski, "Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification Version 1.2", RFC 5208, May 2008. https://tools.ietf.org/html/rfc5208 |
[RFC5280] | D. Cooper, S. Santesson, S. Farrell, S. Boeyen, R. Housley, W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. https://tools.ietf.org/html/rfc5280 |
[RFC6063] | A. Doherty, M. Pei, S. Machani, M. Nystrom, "Dynamic Symmetric Key Provisioning Protocol (DSKPP)", RFC 6063, December 2010. https://tools.ietf.org/html/rfc6063 |
[RFC7518] | M. Jones, "JSON Web Algorithms (JWA)", RFC 7518, May 2015. https://tools.ietf.org/html/rfc7518 |
[RFC8259] | T. Bray, "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 8259, December 2017. https://tools.ietf.org/html/rfc8259 |
[SKS] | A. Rundgren, "Secure Key Store (SKS) - API and Architecture", Work in progress, V1.05, April 2019. https://cyberphone.github.io/doc/security/sks-api-arch.pdf |
Date | Ver | Comment |
---|---|---|
2014-08-08 | 0.7 | First official release |
2014-12-08 | 0.71 | Aligned KeyGen2 with the updated [SKS] and [JSF] specifications |
2015-01-12 | 0.72 | Updated version to match ECDSA signature encoding change |
2016-01-25 | 0.73 | Added JOSE algorithm support |
2017-05-26 | 0.80 | Removed unnecessary bloat from the protocol |
2019-08-01 | 0.85 | Updated to reflect the 1.05 version of [SKS] |
2020-03-13 | 0.86 | Updated to reflect the 1.06 version of [SKS] |
anders.rundgren.net@gmail.com
) as a part of the OpenKeyStore project [OPENKEY].