Merge branch 'RM-4211_key-shares-updates' into 'master'
* add `x-cdoc2-auth-x5c` header parameter. * Remove 'format: byte' for `nonce` and `x-auth-ticket` * rename X-Auth-Ticket -> x-cdoc2-auth-ticket to follow conventions in OAS spec See merge request cdoc2/cdoc2-openapi!5
Showing
5 changed files
with
244 additions
and
10 deletions.
@@ -0,0 +1,169 @@ | ||
openapi: 3.0.3 | ||
info: | ||
contact: | ||
url: http://ria.ee | ||
title: cdoc2-key-shares | ||
version: 1.0.1-draft | ||
description: API for exchanging CDOC2 key material shares | ||
servers: | ||
- url: 'https://localhost:8443' | ||
description: Regular TLS (no mutual TLS required). | ||
|
||
paths: | ||
'/key-shares/{shareId}': | ||
get: | ||
summary: Get key share for shareId | ||
description: Get key share for shareId | ||
tags: | ||
- cdoc2-key-shares | ||
operationId: getKeyShareByShareId | ||
parameters: | ||
- name: shareId | ||
in: path | ||
schema: | ||
type: string | ||
minLength: 18 | ||
maxLength: 34 | ||
required: true | ||
- name: x-cdoc2-auth-ticket | ||
in: header | ||
schema: | ||
type: string | ||
required: true | ||
description: | | ||
SDJWT [Auth ticket WIP](https://gitlab.ext.cyber.ee/cdoc2/cdoc2-documentation/-/blob/RM-2776-authentication-protocol/cdoc2-system-docs/docs/03_system_architecture/ch05_ID_authentication_protocol.md?ref_type=heads#verifying-sd-jwt-verifying-authentication-ticket) | ||
- name: x-cdoc2-auth-x5c | ||
in: header | ||
schema: | ||
type: string | ||
required: true | ||
description: | | ||
PEM encoded X509 certificate (without newlines) that was used to sign X-Cdoc2-Auth-Ticket. | ||
Certificate holders identify is specified in Subject "serialnumber" field. This must match to | ||
"kid" in "x-cdoc2-auth-ticket" header. Example certificate subject: | ||
'serialNumber = PNOEE-30303039914, GN = OK, SN = TESTNUMBER, CN = "TESTNUMBER,OK", C = EE' | ||
Certificate full structure is defined in | ||
[Certificate and OCSP Profile for Smart-ID](https://www.skidsolutions.eu/wp-content/uploads/2024/10/SK-CPR-SMART-ID-EN-v4_7-20241127.pdf) | ||
responses: | ||
'200': | ||
description: OK | ||
content: | ||
application/json: | ||
schema: | ||
$ref: '#/components/schemas/KeyShare' | ||
'400': | ||
description: 'Bad request. Client error.' | ||
'401': | ||
description: 'Unauthorized. No correct auth headers' | ||
'404': | ||
description: 'Not Found. 404 is also returned, when recipient id in record does not match user id in auth-ticket' | ||
|
||
|
||
'/key-shares': | ||
post: | ||
summary: Add Key Share | ||
description: Save a key share and generate share id using secure random. Generated share is returned in Location header | ||
operationId: createKeyShare | ||
responses: | ||
'201': | ||
description: Created | ||
headers: | ||
Location: | ||
schema: | ||
type: string | ||
example: /key-shares/9a7c3717d21f5cf19d18fa4fa5adee21 | ||
description: 'URI of created resource. ShareId can be extracted from URI as it follows pattern /key-shares/{shareId}' | ||
'400': | ||
description: 'Bad request. Client error.' | ||
requestBody: | ||
required: true | ||
content: | ||
application/json: | ||
schema: | ||
$ref: '#/components/schemas/KeyShare' | ||
tags: | ||
- cdoc2-key-shares | ||
|
||
'/key-shares/{shareId}/nonce': | ||
post: | ||
description: | | ||
Create server nonce for authentication signature. | ||
operationId: createNonce | ||
parameters: | ||
- name: shareId | ||
in: path | ||
schema: | ||
type: string | ||
minLength: 18 | ||
maxLength: 34 | ||
required: true | ||
responses: | ||
'200': | ||
description: Created | ||
content: | ||
application/json: | ||
schema: | ||
$ref: '#/components/schemas/NonceResponse' | ||
'400': | ||
description: 'Bad request. Client error.' | ||
'403': | ||
description: 'Authentication failed' | ||
'404': | ||
description: 'Not Found. (shareId)' | ||
requestBody: | ||
required: false | ||
description: Always empty (OAS doesn't allow post without body, so optional body is defined here) | ||
content: | ||
application/json: | ||
schema: #empty request body | ||
type: object | ||
nullable: true | ||
tags: | ||
- cdoc2-key-shares | ||
|
||
components: | ||
schemas: | ||
KeyShare: | ||
title: Key Share | ||
type: object | ||
properties: | ||
share: | ||
type: string | ||
format: byte | ||
minLength: 32 | ||
maxLength: 128 | ||
description: Key Share. Binary format is yet to be defined [#RM-55912](https://rm-int.cyber.ee/ito/issues/55912) | ||
recipient: | ||
type: string | ||
minLength: 12 | ||
maxLength: 32 | ||
description: | | ||
Recipient who can download this share. ETSI319412-1. Example "etsi/PNOEE-48010010101". | ||
In future might support other formats | ||
[etsi/:semantics-identifier](https://github.com/SK-EID/smart-id-documentation/blob/v2/README.md#2322-etsisemantics-identifier) | ||
required: | ||
- share | ||
- recipient | ||
|
||
NonceResponse: | ||
title: Nonce response | ||
type: object | ||
properties: | ||
nonce: | ||
type: string | ||
minLength: 12 | ||
maxLength: 16 | ||
description: 'server nonce for subsequent authentication' | ||
required: | ||
- nonce | ||
|
||
securitySchemes: | ||
bearerAuth: # for /key-shares endpoints, long-term token | ||
type: http | ||
scheme: bearer | ||
basicAuth: # temporary solution for initial functionality of /key-shares endpoints | ||
type: http | ||
scheme: basic | ||
|
||
tags: | ||
- name: cdoc2-key-shares |
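Review bot: `securitySchemes` declares `bearerAuth` and `basicAuth` at the end of the hunk, but no operation and no document-level `security:` key references either of them, so generated servers and clients treat `createKeyShare`, `createNonce` and `getKeyShareByShareId` as unauthenticated; if the long-term token is meant to guard `createKeyShare`, add `security:` / `  - bearerAuth: []` to that operation (or at document level). The `x-cdoc2-auth-x5c` description still names the ticket header as `X-Cdoc2-Auth-Ticket` although the parameter was renamed to `x-cdoc2-auth-ticket` in this same file, and "Certificate holders identify" / "must match to" read as typos; suggest `PEM encoded X509 certificate (without newlines) that was used to sign the x-cdoc2-auth-ticket header. The certificate holder's identity is the Subject "serialNumber" attribute and must match the "kid" in x-cdoc2-auth-ticket.` With `format: byte` removed from `nonce`, the `NonceResponse` schema no longer says how the nonce is encoded or whether `minLength: 12` / `maxLength: 16` count bytes or characters of the encoded form, so the description should state the encoding explicitly. Neither `x-cdoc2-auth-ticket` nor `x-cdoc2-auth-x5c` carries a `maxLength`, so the schema alone does not bound header size; an upper bound here (or a note that the server enforces one) would make that contract visible to implementers.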
@@ -1,6 +1,10 @@ | ||
import org.yaml.snakeyaml.Yaml | ||
println 'buildbasedir: ' + properties['buildbasedir'] | ||
def yaml = new Yaml() | ||
def openapi = yaml.load(new File(properties['buildbasedir'] + File.separator + 'cdoc2-key-capsules-openapi.yaml').text) | ||
println "cdoc2-key-capsules-openapi.version: ${openapi.info.version}" | ||
project.getProperties().setProperty('cdoc2-key-capsules-openapi.version', openapi.info.version) | ||
def keyCapsuleOpenapi = yaml.load(new File(properties['buildbasedir'] + File.separator + 'cdoc2-key-capsules-openapi.yaml').text) | ||
println "cdoc2-key-capsules-openapi.version: ${keyCapsuleOpenapi.info.version}" | ||
project.getProperties().setProperty('cdoc2-key-capsules-openapi.version', keyCapsuleOpenapi.info.version) | ||
|
||
def keySharesOpenapi = yaml.load(new File(properties['buildbasedir'] + File.separator + 'cdoc2-key-shares-openapi.yaml').text) | ||
println "cdoc2-key-shares-openapi.version: ${keySharesOpenapi.info.version}" | ||
project.getProperties().setProperty('cdoc2-key-shares-openapi.version', keySharesOpenapi.info.version) |
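Review bot: The new `keySharesOpenapi` lines read `info.version` without checking it is present, and `project.getProperties().setProperty(...)` rejects a null value (Properties is a Hashtable), so a file missing `info.version` fails the build with a bare NullPointerException that does not name the file; add `assert keySharesOpenapi?.info?.version : 'cdoc2-key-shares-openapi.yaml: missing info.version'` before the println, and the same for the `keyCapsuleOpenapi` lines above. The path is assembled by string concatenation twice and `.text` reads with the platform default charset; `new File(properties['buildbasedir'], 'cdoc2-key-shares-openapi.yaml').getText('UTF-8')` is shorter and charset-explicit. The `Yaml` instance comes from `new Yaml()` on the context line above; both inputs are the repository's own files, but on SnakeYAML 1.x the default constructor will instantiate arbitrary tagged types, so building it with `SafeConstructor` (the exact constructor signature depends on the SnakeYAML version in use) costs nothing here and removes that class of surprise if the script is ever pointed at a downloaded spec.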