forked from open-eid/cdoc2-openapi
cdoc2-key-capsules-openapi.yaml
openapi: 3.0.3
info:
  contact:
    url: http://ria.ee
  title: cdoc2-key-capsules
  version: 2.1.0
  description: API for exchanging CDOC2 ephemeral key material in key capsules
servers:
  - url: 'https://localhost:8443'
    description: no auth (for creating key capsules)
  - url: 'https://localhost:8444'
    description: mutual TLS authentication (for retrieving key capsules)
paths:
  '/key-capsules/{transactionId}':
    get:
      summary: Get key capsule for transactionId
      description: Get the key capsule stored under transactionId
      tags:
        - cdoc2-key-capsules
      parameters:
        - name: transactionId
          in: path
          schema:
            type: string
            minLength: 18
            maxLength: 34
          required: true
          description: transaction id from recipients.KeyServerCapsule.transaction_id (fbs)
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Capsule'
          headers:
            x-expiry-time:
              schema:
                type: string
                format: date-time
              description: 'Key capsule may be deleted by the server after the expiry time. Format: RFC 3339 date-time (https://www.rfc-editor.org/rfc/rfc3339#section-5.6)'
        '400':
          description: 'Bad request. Client error.'
        '401':
          description: 'Unauthorized. Client certificate was not presented with the request.'
        '404':
          description: 'Not Found. 404 is also returned when the recipient_id of the stored capsule does not match the public key in the client certificate.'
      operationId: getCapsuleByTransactionId
      security:
        - mutualTLS: []
  /key-capsules:
    post:
      summary: Add Key Capsule
      description: Save the Capsule and generate a transactionId from a secure random source. The generated transactionId is returned in the Location header.
      operationId: createCapsule
      parameters:
        - schema:
            type: string
            format: date-time
          in: header
          name: x-expiry-time
          description: 'Key capsule may be deleted by the server after the expiry time. Format: RFC 3339 date-time (https://www.rfc-editor.org/rfc/rfc3339#section-5.6)'
          required: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Capsule'
      responses:
        '201':
          description: Created
          headers:
            Location:
              schema:
                type: string
                example: /key-capsules/KC0123456789ABCDEF
              description: 'URI of the created resource. The transactionId can be extracted from the URI, which follows the pattern /key-capsules/{transactionId}'
        '400':
          description: Bad request. Client error.
      security: []
      tags:
        - cdoc2-key-capsules
components:
  schemas:
    Capsule:
      title: Capsule
      type: object
      properties:
        recipient_id:
          type: string
          format: byte
          minLength: 97 # EC public key
          maxLength: 2100 # 16 K RSA public key = 2086 bytes
          description: 'Binary format is defined by capsule_type'
        ephemeral_key_material:
          type: string
          format: byte
          maxLength: 2100
          description: 'Binary format is defined by capsule_type'
        capsule_type:
          type: string
          enum:
            - ecc_secp384r1
            - rsa
          description: |
            Depending on the capsule type, the Capsule fields have the following contents:
            - ecc_secp384r1:
              * recipient_id is the recipient's EC public key on the secp384r1 curve in TLS uncompressed point format (0x04 + X coordinate 48 bytes + Y coordinate 48 bytes) (https://www.rfc-editor.org/rfc/rfc8446#section-4.2.8.2)
              * ephemeral_key_material contains the sender's generated ephemeral EC public key in the same TLS format.
            - rsa:
              * recipient_id is the recipient's RSA public key, DER encoded as RSAPublicKey [RFC 8017 RSA Public Key Syntax A.1.1](https://www.rfc-editor.org/rfc/rfc8017#page-54)
              * ephemeral_key_material contains the KEK encrypted with the recipient's RSA public key
      required:
        - recipient_id
        - ephemeral_key_material
        - capsule_type
  securitySchemes:
    mutualTLS:
      # mutualTLS is not a security scheme type in OAS 3.0.x (it was added in OAS 3.1), so it is declared
      # here as http basic auth. Mutual TLS has to be enforced by the server's TLS layer anyway.
      #type: mutualTLS
      type: http
      scheme: basic
tags:
  - name: cdoc2-key-capsules
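The createCapsule / getCapsuleByTransactionId flow modelled in memory, as an added example that is not code from the cdoc2 project or its reference implementation. It makes the checks the spec implies explicit: required fields and the capsule_type enum, x-expiry-time parsing, the 18 to 34 character transactionId, 401 when no client certificate was presented, and the same 404 for an unknown id and for a recipient_id that does not match the client certificate's key, so a caller cannot learn whether an id exists without holding the matching key. TLS, HTTP framing and persistence are out of scope; the public key that the mutual TLS layer extracted from the client certificate is passed in as bytes in the same binary format as recipient_id. The "KC" + 16 hex character id shape and the 30 day default expiry are assumptions modelled on the spec's Location example, not something the spec defines.

```python
"""In-memory model of the two key-capsule operations (added example, not
cdoc2 project code). Status codes and headers follow the OpenAPI spec."""
import base64
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CAPSULE_TYPES = ("ecc_secp384r1", "rsa")
DEFAULT_TTL = timedelta(days=30)   # assumption: the spec leaves the default open


def parse_rfc3339(value):
    """RFC 3339 section 5.6 date-time; a UTC offset or 'Z' is mandatory."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("x-expiry-time must carry a time zone")
    return dt


def format_rfc3339(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class KeyCapsuleStore:
    def __init__(self):
        self._capsules = {}   # transactionId -> (capsule dict, expiry datetime)

    def create_capsule(self, capsule, x_expiry_time=None, now=None):
        """POST /key-capsules (no client auth). Returns (status, headers, body)."""
        now = now or datetime.now(timezone.utc)
        if not {"recipient_id", "ephemeral_key_material", "capsule_type"}.issubset(capsule):
            return 400, {}, None
        if capsule["capsule_type"] not in CAPSULE_TYPES:
            return 400, {}, None
        try:
            recipient_id = base64.b64decode(capsule["recipient_id"], validate=True)
            base64.b64decode(capsule["ephemeral_key_material"], validate=True)
            expiry = parse_rfc3339(x_expiry_time) if x_expiry_time else now + DEFAULT_TTL
        except ValueError:            # binascii.Error is a ValueError subclass
            return 400, {}, None
        # The schema's 97..2100 limits are read here as decoded byte lengths
        # (97 bytes = one uncompressed secp384r1 point); an expiry in the past is rejected
        if not 97 <= len(recipient_id) <= 2100 or expiry <= now:
            return 400, {}, None
        # Assumption: "KC" + 16 hex chars from a CSPRNG, the 18-char shape of the
        # spec's example; the spec only fixes the 18..34 character range
        transaction_id = "KC" + secrets.token_hex(8)
        self._capsules[transaction_id] = (dict(capsule), expiry)
        return 201, {"Location": f"/key-capsules/{transaction_id}"}, None

    def get_capsule(self, transaction_id, client_public_key=None, now=None):
        """GET /key-capsules/{transactionId} behind mutual TLS.
        client_public_key: the certificate's public key in recipient_id's binary format."""
        now = now or datetime.now(timezone.utc)
        if client_public_key is None:
            return 401, {}, None          # no client certificate presented
        if not 18 <= len(transaction_id) <= 34:
            return 400, {}, None
        entry = self._capsules.get(transaction_id)
        if entry is None:
            return 404, {}, None
        capsule, expiry = entry
        if now >= expiry:
            del self._capsules[transaction_id]   # server may delete after expiry
            return 404, {}, None
        # Same 404 as "not found": existence of an id is not revealed to other keys
        recipient_id = base64.b64decode(capsule["recipient_id"])
        if not hmac.compare_digest(recipient_id, client_public_key):
            return 404, {}, None
        return 200, {"x-expiry-time": format_rfc3339(expiry)}, capsule


def run_exchange():
    """Constructed end-to-end flow with placeholder key bytes; returns observed results."""
    store = KeyCapsuleStore()
    recipient = b"\x04" + bytes(96)          # constructed 97-byte stand-in for an EC point
    capsule = {
        "recipient_id": base64.b64encode(recipient).decode(),
        "ephemeral_key_material": base64.b64encode(b"\x04" + bytes(96)).decode(),
        "capsule_type": "ecc_secp384r1",
    }
    created = datetime(2025, 1, 1, tzinfo=timezone.utc)
    status, headers, _ = store.create_capsule(capsule, "2025-01-08T12:00:00Z", now=created)
    tx = headers["Location"].rsplit("/", 1)[1]
    results = {"create": status, "transaction_id": tx}
    results["no_cert"] = store.get_capsule(tx, now=created)[0]
    results["wrong_key"] = store.get_capsule(tx, b"\x04" + bytes(95) + b"\x01", now=created)[0]
    status, headers, body = store.get_capsule(tx, recipient, now=created)
    results["ok"], results["expiry"] = status, headers.get("x-expiry-time")
    results["after_expiry"] = store.get_capsule(tx, recipient, now=created + timedelta(days=8))[0]
    results["bad_type"] = store.create_capsule(dict(capsule, capsule_type="x25519"), now=created)[0]
    results["past_expiry"] = store.create_capsule(capsule, "2024-12-31T00:00:00Z", now=created)[0]
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The comparison uses hmac.compare_digest so that the key match does not leak through timing, and the expired entry is removed on access rather than by a background job, which is enough for the model but not for a real server.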
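The two capsule layouts described under capsule_type, as an added example that is not part of the cdoc2-openapi project or its reference implementation: it builds a Capsule JSON body for each type and validates it, including the on-curve check a server should run before treating recipient_id or ephemeral_key_material as a secp384r1 public key, and a strict DER parse of the RSAPublicKey structure. The secp384r1 constants are the published NIST P-384 domain parameters; the recipient key G and the ephemeral key -G, and the RSA modulus, are constructed for the demonstration and are not real keys. The code reads the schema's minLength/maxLength as decoded byte lengths, which is what the comments beside them (97 = EC public key, 2086 = 16 K RSA key) indicate; note that in JSON Schema terms those keywords constrain the base64 text of a format: byte string, so a validator driven directly by the schema would measure the encoded length instead. The check that the encrypted KEK is exactly one modulus long assumes an RFC 8017 RSAES scheme, which the spec does not name.

```python
"""Build and validate Capsule bodies for both capsule_type values using only
the standard library (added example, not cdoc2 project code)."""
import base64

# NIST P-384 / secp384r1: field prime, coefficient b and base point G
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
B = int("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875a"
        "c656398d8a2ed19d2a85c8edd3ec2aef", 16)
GX = int("aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38"
         "5502f25dbf55296c3a545e3872760ab7", 16)
GY = int("3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0"
         "0a60b1ce1d7e819d7a431d7c90ea0e5f", 16)


def encode_point(x, y):
    """TLS uncompressed point (RFC 8446 4.2.8.2): 0x04 || X (48 bytes) || Y (48 bytes)."""
    return b"\x04" + x.to_bytes(48, "big") + y.to_bytes(48, "big")


def decode_point(data):
    """Parse a secp384r1 public key, rejecting malformed and off-curve input."""
    if len(data) != 97 or data[0] != 0x04:
        raise ValueError("expected a 97-byte uncompressed secp384r1 point")
    x, y = int.from_bytes(data[1:49], "big"), int.from_bytes(data[49:], "big")
    if x >= P or y >= P:
        raise ValueError("coordinate outside the field")
    if (y * y - (x ** 3 - 3 * x + B)) % P != 0:      # y^2 = x^3 - 3x + b
        raise ValueError("point is not on secp384r1")   # invalid-curve defence
    return x, y


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:                 # keep the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (RFC 8017 A.1.1)."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _der_read(data, pos, tag):
    """Return (value, next_pos) for one TLV with the expected tag; definite lengths only."""
    if pos + 1 >= len(data) or data[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    if pos + length > len(data):
        raise ValueError("DER length exceeds input")
    return data[pos:pos + length], pos + length


def decode_rsa_public_key(der):
    seq, end = _der_read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPublicKey")
    n_bytes, pos = _der_read(seq, 0, 0x02)
    e_bytes, pos = _der_read(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected elements in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def make_capsule(capsule_type, recipient_id, ephemeral_key_material):
    """JSON body for POST /key-capsules; format: byte fields are base64 text."""
    return {"recipient_id": base64.b64encode(recipient_id).decode(),
            "ephemeral_key_material": base64.b64encode(ephemeral_key_material).decode(),
            "capsule_type": capsule_type}


def validate_capsule(capsule):
    """Decode a Capsule per its capsule_type; raises ValueError on any violation."""
    for field in ("recipient_id", "ephemeral_key_material", "capsule_type"):
        if field not in capsule:
            raise ValueError(f"missing {field}")
    rid = base64.b64decode(capsule["recipient_id"], validate=True)
    ekm = base64.b64decode(capsule["ephemeral_key_material"], validate=True)
    if not 97 <= len(rid) <= 2100 or len(ekm) > 2100:   # schema bounds, as byte lengths
        raise ValueError("field length outside schema bounds")
    if capsule["capsule_type"] == "ecc_secp384r1":
        return {"recipient": decode_point(rid), "sender": decode_point(ekm)}
    if capsule["capsule_type"] == "rsa":
        n, e = decode_rsa_public_key(rid)
        if len(ekm) != (n.bit_length() + 7) // 8:      # RSAES output is exactly k octets
            raise ValueError("encrypted KEK must be one modulus length")
        return {"recipient": (n, e), "encrypted_kek": ekm}
    raise ValueError("unknown capsule_type")


def is_valid_capsule(capsule):
    try:
        validate_capsule(capsule)
        return True
    except ValueError:
        return False


def example_ec_capsule():
    """Constructed: recipient key G and ephemeral key -G (both on the curve, not real keys)."""
    return make_capsule("ecc_secp384r1", encode_point(GX, GY), encode_point(GX, P - GY))


def example_rsa_capsule():
    """Constructed 2048-bit odd modulus (not a real key) with e = 65537 and a zero KEK blob."""
    return make_capsule("rsa", encode_rsa_public_key((1 << 2047) | 0x10001, 65537), bytes(256))
```

Running validate_capsule on the server side before storing a capsule is cheap, and it is the point at which an off-curve or truncated recipient_id can still be answered with the spec's 400 instead of surfacing later as a failed ECDH.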