DRM Symmetric Key REST Design

From Dogtag
Revision as of 18:46, 28 November 2011 by Alee (talk | contribs)


Requirements

Design

Archiving a Symmetric Key or Passphrase

POST /pki/keyrequest/archive

Input

  • factory URL to create archival requests
  • input is XML or JSON containing the following fields:
    • Envelope is SecurityData
    • clientID=<string client id> - client specified string id for this piece of data. The client may end up searching on this string.
    • transWrappedSessionKey=<url encoded wrapped key> - This client-generated session key will be wrapped with the DRM's transport cert.
    • wrappedPrivateData=<url encoded wrapped key/passphrase> - This is the actual security data, encrypted with the client-generated session key.
    • dataType=<type of data> - String representation of the type of data, "symmetricKey", "passPhrase" or "AsymmetricKey" (for client convenience)
    • Question: do we care about ECC here, or about any particular algorithms?

Output

Errors

  • status = 307 - Temporary Redirect to authentication page if no client cert provided.
  • status = 401 - Unauthorized (if authorization fails)
  • status = 500 - server errors
    • include an error string (error="") for error conditions as needed, such as processing errors in creating request, errors in processing request

Operation:

  • Authenticates the agent issuing the request. The agent must provide a client cert.
  • Checks authorization of the request based on an ACL for this operation, "certServer.kra.archive.request (submit)". Submit is allowed for DRM agents.
  • Get the KRA request queue and generate a new Request object.
    • req = queue.newRequest(KRAService.ARCHIVAL)  ?
    • using req.setExtData(): set the fields as follows
      • requestType: "Security Data Archival?"
      • extdata-drm_trans_des_key: transWrappedSessionKey
      • extdata-requestid: not set - generated by newRequest() call.
      • ext-data-keyrecord: not set - stored by server when key is stored
      • ext-data-keysize: not set
      • extdata-wrappeduserprivate: wrappedPrivateData
      • dataType: dataType
      • clientID: clientID
  • Get the request ID
    • reqID = req.getRequestID().toString(). This will be returned as self reference.
  • Immediately process the request
    • queue.processRequest(req)
    • The relevant serviceRequest() method will be called (where will this be?), the key will be archived and the key_id will be updated in the request record.
  • Get the key_id from the request record:
    • keyId = req.getExtData(key_id)
  • Construct the URLs to be returned and return the relevant status.
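
The input fields and the ext-data mapping above can be checked before a request object is ever created. The following is an added example, not Dogtag code: it validates a JSON SecurityData body and returns the ext-data values listed under Operation. The names parse_archive_request, check_blob and ArchiveInputError are hypothetical, and the sketch assumes SecurityData is the top-level JSON key and that wrapped bytes are base64 before URL encoding.

```python
import base64
import json
from urllib.parse import unquote

DATA_TYPES = {"symmetricKey", "passPhrase", "AsymmetricKey"}  # from the design
EXT_DATA = {  # SecurityData field -> ext-data name listed under "Operation"
    "transWrappedSessionKey": "extdata-drm_trans_des_key",
    "wrappedPrivateData": "extdata-wrappeduserprivate",
    "dataType": "dataType",
    "clientID": "clientID",
}


class ArchiveInputError(ValueError):
    """Reported to the client through the error="" string."""


def check_blob(name, value):
    # Assumption: wrapped bytes travel as base64, then URL-encoded.
    if not isinstance(value, str) or not value:
        raise ArchiveInputError(f"{name}: missing or empty")
    try:
        base64.b64decode(unquote(value), validate=True)
    except ValueError:
        raise ArchiveInputError(f"{name}: not URL-encoded base64") from None


def parse_archive_request(body):
    """Validate a JSON SecurityData envelope; return the ext-data to set."""
    try:
        data = json.loads(body)["SecurityData"]
    except (ValueError, KeyError, TypeError):
        raise ArchiveInputError("not a JSON SecurityData envelope") from None
    if not isinstance(data, dict) or set(data) != set(EXT_DATA):
        raise ArchiveInputError("field set must match the design exactly")
    dtype, cid = data["dataType"], data["clientID"]
    if not isinstance(dtype, str) or dtype not in DATA_TYPES:
        raise ArchiveInputError("dataType: unsupported value")
    if not isinstance(cid, str) or not cid.strip():
        raise ArchiveInputError("clientID: must be a non-empty string")
    for name in ("transWrappedSessionKey", "wrappedPrivateData"):
        check_blob(name, data[name])
    return {ext: data[field] for field, ext in EXT_DATA.items()}


if __name__ == "__main__":  # constructed sample; blobs are placeholder bytes
    sample = {"SecurityData": {"clientID": "vault-entry-1", "dataType": "passPhrase",
              "transWrappedSessionKey": "%2B%2F8%3D", "wrappedPrivateData": "AAECAw%3D%3D"}}
    print(parse_archive_request(json.dumps(sample)))
```

Rejecting unknown fields and unlisted dataType values at this point keeps malformed input out of the request record, where it would otherwise be stored alongside the wrapped data.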