DRM Symmetric Key REST Design

From Dogtag
Revision as of 17:52, 28 November 2011 by Alee (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Requirements

Design

Archiving a Symmetric Key or Passphrase

POST /pki/keyrequest/archive

Input

  • factory URL to create archival requests
  • input is xml or json containing the following fields:
    • Envelope is SecurityData
    • clientID=<string client id> - client specified string id for this piece of data. The client may end up searching on this string.
    • transWrappedSessionKey=<url encoded wrapped key> - This client generated session key will be wrapped with the DRM's transport cert.
    • wrappedPrivateData=<url encode wrapped key/passphrase> - This is the actual security data encrypted by the created symmetric key.
    • dataType=<type of data> - String representation of the type of data, "symmetricKey", "passPhrase" or "AsymmetricKey" (for client convenience)
    • Question: do we care about ECC here/ or any algorithms?

Output

  • output is xml/json with the following fields:
    • status=201 (Created)
    • ref_id = <serial number of archival request>
    • serialNumber=<serial number of created key record>

Errors

  • status =

Operation:

  • authenticates the agent issuing the request. Agent must provide a client cert.
  • checks authorization of the request based on an acl for this operation "certServer.kra.archive.request (submit)". Submit allowed for DRM agents.
  • Get the KRA request queue and generate a new Request object.
    • req = queue.newRequest(KRAService.ARCHIVAL)  ?
    • using req.setExtData(): set the fields as follows
      • requestType: "Security Data Archival?"
      • extdata-drm_trans_des_key: transWrappedSessionKey
      • extdata-requestid: not set - generated by newRequest() call.
      • ext-data-keyrecord: not set - stored by server when key is stored
      • ext-data-keysize: not set
      • extdata-wrappeduserprivate: wrappedPrivateData
      • dataType: dataType
      • clientID: clientID
  • Get the request ID
    • reqID = req.getRequestID().toString(). This will be returned as self reference.
  • Immediately Process the request
    • queue.processRequest(req)