Schema

JSON Schema for SkyTrust requests
JSON Schema for SkyTrust responses

Key types

The following key types are used within the SkyTrust operations.

KeyHandle: This key type identifies an internal SkyTrust key by the combination of its id and subId values, which is unique. Note that the request and response examples on this page use the type value handle for this key type.

{
  "type" : "keyHandle",
  "id" : "keyslot-name",
  "subId" : "34"
}

InternalCertificate: This key type is an extension of the KeyHandle type: in addition to the id and subId values it stores the X509 certificate (encodedCertificate).

{
  "type" : "internalCertificate",
  "id" : "keyslot-name",
  "subId" : "34",
  "encodedCertificate" : "CROPPED-BASE64-DATA"
}

WrappedKey: The wrapped key contains a private/public key pair that can only be unwrapped and used by SkyTrust (encodedWrappedKey).

{
  "type" : "wrappedKey",
  "encodedWrappedKey" : "CROPPED-BASE64-DATA"
}

ExternalCertificate: This key type represents an X509 certificate that is not linked to an internal SkyTrust key (encodedCertificate). Such certificates are typically used when SkyTrust encrypts data for external recipients.

{
  "type" : "externalCertificate",
  "encodedCertificate" : "CROPPED-BASE64-DATA"
}

SkyTrust Operations

discoverKeys-certificate

  • Protocol version: since V1.0

discoverKeys-handle

  • Protocol version: since V1.0

getKey

  • Protocol version: since V1.0

encryptRequest

  • Protocol version: since V1.4
  • Algorithms:
    • RSAES-PKCS1-v1_5 (since V1.0)
    • RSA-OAEP (since V1.4)
    • RSAES-RAW (since V1.0)

decryptRequest

  • Protocol version: since V1.4
  • Algorithms:
    • RSAES-PKCS1-v1_5 (since V1.0)
    • RSA-OAEP (since V1.4)
    • RSAES-RAW (since V1.0)

encryptCMSRequest

  • Protocol version: since V2.0
  • Algorithms:
    • CMS-AES-128-CBC (since V2.0)
    • CMS-AES-192-CBC (since V2.0)
    • CMS-AES-256-CBC (since V2.0)
    • CMS-AES-128-GCM (since V2.0)
    • CMS-AES-192-GCM (since V2.0)
    • CMS-AES-256-GCM (since V2.0)
    • CMS-AES-128-CCM (since V2.0)
    • CMS-AES-192-CCM (since V2.0)
    • CMS-AES-256-CCM (since V2.0)

decryptCMSRequest

  • Protocol version: since V2.0
  • Algorithms:
    • CMS-AES-128-CBC (since V2.0)
    • CMS-AES-192-CBC (since V2.0)
    • CMS-AES-256-CBC (since V2.0)
    • CMS-AES-128-GCM (since V2.0)
    • CMS-AES-192-GCM (since V2.0)
    • CMS-AES-256-GCM (since V2.0)
    • CMS-AES-128-CCM (since V2.0)
    • CMS-AES-192-CCM (since V2.0)
    • CMS-AES-256-CCM (since V2.0)

signRequest

  • Protocol version: since V1.4
  • Algorithms:
    • RSASSA-PKCS1-v1_5-SHA-1 (since V1.4)
    • RSASSA-PKCS1-v1_5-SHA-224 (since V1.4)
    • RSASSA-PKCS1-v1_5-SHA-256 (since V1.4)
    • RSASSA-PKCS1-v1_5-SHA-512 (since V1.4)

generateWrappedKeyRequest

  • Protocol version: since V2.0

decryptRequest-wrappedKey

  • Protocol version: since V2.0
  • Algorithms:
    • RSAES-PKCS1-v1_5 (since V1.0)
    • RSA-OAEP (since V1.4)
    • RSAES-RAW (since V1.0)

decryptCMSRequest-wrappedKey

  • Protocol version: since V2.0

modifyWrappedKeyRequest

  • Protocol version: since V2.0

exportWrappedKeyRequest

  • Protocol version: since V2.0

discoverKeys-certificate

The discoverKeys request retrieves the available keys from the server. The following properties are relevant:

  • The representation property determines the type of the returned key. The value certificate instructs SkyTrust to return the key identification numbers as well as the certificates associated with the keys. The value handle instructs SkyTrust to return the key identifiers without the certificates.

In this example the certificate representation is used. The returned certificates are BASE64-encoded and are included in an array that is stored in the key property.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "discoverKeysRequest",
    "representation" : "certificate"
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "5869931a-6fd5-46ee-b988-860dd99953ed",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "discoverKeysResponse",
    "key" : [ {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "122",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "121",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "222",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "221",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "112",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "111",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "212",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "211",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "132",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "131",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "232",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "231",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    } ]
  }
}

discoverKeys-handle

This example shows the discoverKeys request when handle is used for the representation property. The response contains the key property that contains an array of the available key handles.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "discoverKeysRequest",
    "representation" : "handle"
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "dfa0a90a-1bf5-43fd-80cd-3961c61e9df5",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "discoverKeysResponse",
    "key" : [ {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "121"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "222"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "221"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "112"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "111"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "212"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "211"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "132"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "131"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "232"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "231"
    } ]
  }
}
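The following Python is an added example, not code from the SkyTrust project. It builds the request envelope shown above and validates a discoverKeys response against the request it answers: the payload type, the echoed protocol version, and that every entry of the key array has the fields its key type requires for the requested representation. The key type names and required fields are taken from the Key types section (type value handle as used in the examples); the sample response and its certificate value are constructed.

```python
import base64

# Required fields per key type, taken from the "Key types" section. The request
# and response examples on this page use the type value "handle" for a key handle.
REQUIRED_FIELDS = {
    "handle": {"id", "subId"},
    "internalCertificate": {"id", "subId", "encodedCertificate"},
    "externalCertificate": {"encodedCertificate"},
    "wrappedKey": {"encodedWrappedKey"},
}

# Key type the server returns for each value of the representation property.
EXPECTED_KEY_TYPE = {"certificate": "internalCertificate", "handle": "handle"}


def build_request(payload, path=("java-api-instance",), protocol_version="2.0"):
    """Wrap a payload in a standardSkyTrustHeader envelope (empty ids, as in the examples)."""
    return {
        "header": {
            "type": "standardSkyTrustHeader",
            "commandId": "",
            "sessionId": "",
            "path": list(path),
            "protocolVersion": protocol_version,
        },
        "payload": payload,
    }


def validate_key(key):
    """Return the key type if `key` carries the fields its type requires; raise ValueError otherwise."""
    ktype = key.get("type")
    if ktype not in REQUIRED_FIELDS:
        raise ValueError("unknown key type: %r" % ktype)
    missing = REQUIRED_FIELDS[ktype] - set(key)
    if missing:
        raise ValueError("%s key is missing %s" % (ktype, sorted(missing)))
    for field in ("encodedCertificate", "encodedWrappedKey"):
        if field in key:  # reject values that are not valid BASE64 before they reach a parser
            base64.b64decode(key[field], validate=True)
    return ktype


def key_is_valid(key):
    """Boolean form of validate_key for callers that only need accept/reject."""
    try:
        validate_key(key)
        return True
    except (ValueError, TypeError):
        return False


def parse_discover_keys_response(request, response):
    """Check a discoverKeysResponse against the request it answers; return its (id, subId) pairs."""
    payload = response["payload"]
    if payload.get("type") != "discoverKeysResponse":
        raise ValueError("unexpected payload type %r" % payload.get("type"))
    if response["header"].get("protocolVersion") != request["header"]["protocolVersion"]:
        raise ValueError("protocol version in response differs from request")
    expected = EXPECTED_KEY_TYPE[request["payload"]["representation"]]
    handles = []
    for key in payload.get("key", []):
        if validate_key(key) != expected:
            raise ValueError("expected %s entries, got %s" % (expected, key["type"]))
        handles.append((key["id"], key["subId"]))
    return handles


# Constructed sample exchange: the certificate value is base64("constructed-cert"), not a real certificate.
SAMPLE_CERT = "Y29uc3RydWN0ZWQtY2VydA=="
SAMPLE_REQUEST = build_request({"type": "discoverKeysRequest", "representation": "certificate"})
SAMPLE_RESPONSE = {
    "header": {"type": "standardSkyTrustHeader", "commandId": "", "sessionId": "constructed-session",
               "path": [], "protocolVersion": "2.0"},
    "payload": {"type": "discoverKeysResponse", "key": [
        {"type": "internalCertificate", "id": "leaf", "subId": "122", "encodedCertificate": SAMPLE_CERT},
        {"type": "internalCertificate", "id": "leaf", "subId": "121", "encodedCertificate": SAMPLE_CERT},
    ]},
}
```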

getKey

The getKey request retrieves the certificate for a given key handle that is handed over in the key property. A key is uniquely identified by the id and subId properties. The response contains the key identifiers and the certificate, stored in the key property.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "getKeyRequest",
    "key" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "representation" : "certificate"
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "5a046973-0589-43d6-9bd6-b0afc7da788f",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "getKeyResponse",
    "key" : {
      "type" : "internalCertificate",
      "id" : "leaf",
      "subId" : "122",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }
  }
}

encryptRequest

The encrypt request encrypts the given data with an asymmetric algorithm for the given keys. The keys are handed over as an array in the encryptionKeys property and can either come from external sources (e.g., external encryption certificates that are not associated with SkyTrust) or from SkyTrust internal sources.

  • Request:
    • encryptionKeys: This property consists of an array capable of carrying multiple key types. In the example below four encryption keys are used: The first two keys are SkyTrust internal keys (type handle) whereas the last two keys are represented by X509 certificates (type externalCertificate).
    • algorithm: This property is used to specify the desired encryption algorithm.
    • plainData: This property contains an array of the data that should be encrypted. The array elements are encoded as BASE64 string.
  • Response:
    • encryptedData: This property contains a matrix of the encrypted data. The row index identifies the encryption key, in the order of the encryptionKeys array of the request, and the column index identifies the plain text, in the order of the plainData array of the request.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "encryptRequest",
    "encryptionKeys" : [ {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "121"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    } ],
    "algorithm" : "RSAES-PKCS1-v1_5",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "a12dd0ae-3272-4dad-83e6-7f910813243f",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "encryptResponse",
    "encryptedData" : [ [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ], [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ], [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ], [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ] ]
  }
}

decryptRequest

The decrypt request decrypts the given data with an asymmetric algorithm for the given key.

  • Request:
    • decryptionKey: The desired SkyTrust key is handed over in the decryptionKey property of the request (types: handle, internalCertificate or wrappedCMSKey).
    • algorithm: This property specifies the algorithm with which the data was encrypted.
    • encryptedData: This property contains an array of the data that should be decrypted with the given key. The array elements are encoded as BASE64 string.
  • Response:
    • plainData: The decrypted data is returned in an array.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptRequest",
    "decryptionKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "algorithm" : "RSAES-PKCS1-v1_5",
    "encryptedData" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "f049781d-695d-4355-9dfa-9190dd7a21a9",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptResponse",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

encryptCMSRequest

The encryptCMS request encrypts the given data according to the CMS standard.

  • Request:
    • encryptionKeys: This property consists of an array capable of carrying multiple key types. In the example below four encryption keys are used: The first two keys are SkyTrust internal keys (type handle) whereas the last two keys are represented by X509 certificates (type externalCertificate).
    • algorithm: This property is used to specify the desired encryption algorithm (starting with "CMS").
    • plainData: This property contains an array of the data that should be encrypted. The array elements are encoded as BASE64 string.
  • Response:
    • encryptedData: This property contains a list of the encrypted CMS containers. It is important to note that the encryptCMS request does not return a matrix (as it is the case for the encrypt request). The reason is that a CMS container can be encrypted for multiple recipients. Therefore, for each given plain text (property plainData in the request) a CMS container is created that is encrypted for the recipients (encryption keys), which are handed over in the property encryptionKeys of the request.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "encryptCMSRequest",
    "encryptionKeys" : [ {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "121"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    } ],
    "algorithm" : "CMS-AES-192-CBC",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "6e0e1d0e-4b23-4d83-ae3b-f1c77eb87f26",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "encryptCMSResponse",
    "encryptedCMSData" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}
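As an added example (not code from the SkyTrust project), the following Python checks the two response shapes described above before a client trusts them: for encryptRequest, that encryptedData is a matrix with one row per entry of encryptionKeys and one column per entry of plainData, returning each ciphertext keyed by (key index, plaintext index); for encryptCMSRequest, that encryptedCMSData holds exactly one container per plaintext. The plainData values are the ones used in the examples on this page; the key list is shortened to the two handles and the ciphertext strings are constructed placeholders.

```python
import base64


def decode_plain_data(plain_data):
    """Decode the BASE64 strings of a plainData array (request or decryptResponse) to bytes."""
    return [base64.b64decode(item, validate=True) for item in plain_data]


def index_encrypt_response(request, response):
    """Map the encryptedData matrix of an encryptResponse back to the request.

    Row i belongs to encryptionKeys[i], column j to plainData[j]. Returns a dict
    {(i, j): ciphertext_b64} and raises if the matrix shape does not match the request.
    """
    req, resp = request["payload"], response["payload"]
    if resp.get("type") != "encryptResponse":
        raise ValueError("unexpected payload type %r" % resp.get("type"))
    keys, plain = req["encryptionKeys"], req["plainData"]
    matrix = resp["encryptedData"]
    if len(matrix) != len(keys):
        raise ValueError("expected %d rows (one per key), got %d" % (len(keys), len(matrix)))
    out = {}
    for i, row in enumerate(matrix):
        if len(row) != len(plain):
            raise ValueError("row %d: expected %d ciphertexts, got %d" % (i, len(plain), len(row)))
        for j, ciphertext in enumerate(row):
            out[(i, j)] = ciphertext
    return out


def index_encrypt_cms_response(request, response):
    """Pair each CMS container of an encryptCMSResponse with the plaintext it encrypts.

    Unlike encryptResponse this is a flat list: one container per plaintext, each one
    encrypted for all recipients in encryptionKeys. Returns [(plaintext_b64, container_b64)].
    """
    req, resp = request["payload"], response["payload"]
    if resp.get("type") != "encryptCMSResponse":
        raise ValueError("unexpected payload type %r" % resp.get("type"))
    if not req["algorithm"].startswith("CMS-"):
        raise ValueError("encryptCMSRequest needs a CMS-* algorithm, got %r" % req["algorithm"])
    containers = resp["encryptedCMSData"]
    if len(containers) != len(req["plainData"]):
        raise ValueError("expected %d containers, got %d" % (len(req["plainData"]), len(containers)))
    return list(zip(req["plainData"], containers))


# plainData values from this page's examples; keys shortened to the two handles; ciphertexts constructed.
PLAIN = ["SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh"]
KEYS = [
    {"type": "handle", "id": "leaf", "subId": "122"},
    {"type": "handle", "id": "leaf", "subId": "121"},
]
ENCRYPT_REQ = {"payload": {"type": "encryptRequest", "encryptionKeys": KEYS,
                           "algorithm": "RSAES-PKCS1-v1_5", "plainData": PLAIN}}
ENCRYPT_RESP = {"payload": {"type": "encryptResponse",
                            "encryptedData": [["k0p0", "k0p1", "k0p2"], ["k1p0", "k1p1", "k1p2"]]}}
CMS_REQ = {"payload": {"type": "encryptCMSRequest", "encryptionKeys": KEYS,
                       "algorithm": "CMS-AES-192-CBC", "plainData": PLAIN}}
CMS_RESP = {"payload": {"type": "encryptCMSResponse", "encryptedCMSData": ["c0", "c1", "c2"]}}
```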

decryptCMSRequest

The decryptCMS request decrypts the given data according to the CMS standard. It is not necessary to specify an algorithm for the decryption process, since this information is already contained in the CMS container.

  • Request:
    • decryptionKey: The desired SkyTrust key is handed over in the decryptionKey property of the request (types: handle, internalCertificate or wrappedCMSKey).
    • encryptedCMSData: This property contains an array of CMS containers that should be decrypted with the given key. The array elements are encoded as BASE64 string.
  • Response:
    • plainData: The decrypted data is returned in an array.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptCMSRequest",
    "decryptionKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "encryptedCMSData" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "39fde6fe-5028-407d-876b-564f39fa4778",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptCMSResponse",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

signRequest

The sign request signs the given hash values for the given key. It is important to note that this request already expects a hash value for creating the signature.

  • Request:
    • signingKey: The desired SkyTrust key is handed over in the signingKey property of the request (types: handle, internalCertificate or wrappedCMSKey). Note that the request example below uses the property name signatureKey.
    • algorithm: This property is used to specify the desired signature algorithm. This algorithm must correspond to the hash algorithm used to compute the supplied hash value.
    • hashesToBeSigned: This property contains an array of the hashes that should be signed with the given key. The array elements are encoded as BASE64 string.
  • Response:
    • signedHashes: The signed hashes are returned in an array.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "signRequest",
    "signatureKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "algorithm" : "RSASSA-PKCS1-v1_5-SHA-256",
    "hashesToBeSigned" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "e3104366-c841-46ee-93de-6c6f2a770d7d",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "signResponse",
    "signedHashes" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}
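Added example, not code from the SkyTrust project, for the hash-first contract of signRequest: the caller digests its data with the hash named in the algorithm, BASE64-encodes the digests into hashesToBeSigned and sends them with that algorithm. A check rejects a request whose hash lengths do not fit the algorithm (including unhashed data), which would otherwise only fail at the server. The property name signatureKey follows the request example above; the ALGORITHMS table lists the four algorithms from this page.

```python
import base64
import hashlib

# Signature algorithms listed on this page, mapped to the hashlib digest they sign.
ALGORITHMS = {
    "RSASSA-PKCS1-v1_5-SHA-1": "sha1",
    "RSASSA-PKCS1-v1_5-SHA-224": "sha224",
    "RSASSA-PKCS1-v1_5-SHA-256": "sha256",
    "RSASSA-PKCS1-v1_5-SHA-512": "sha512",
}


def digest_size(algorithm):
    """Byte length of the hash that `algorithm` signs (e.g. 32 for SHA-256)."""
    return hashlib.new(ALGORITHMS[algorithm]).digest_size


def hex_digest(algorithm, data):
    """Hex digest of `data` under the hash that `algorithm` expects."""
    return hashlib.new(ALGORITHMS[algorithm], data).hexdigest()


def hashes_to_be_signed(algorithm, messages):
    """Digest each message with the hash of `algorithm` and BASE64-encode the results."""
    name = ALGORITHMS[algorithm]
    return [base64.b64encode(hashlib.new(name, m).digest()).decode("ascii") for m in messages]


def build_sign_request(signing_key, algorithm, messages):
    """Build a signRequest payload as shown on this page (key property name signatureKey)."""
    return {
        "type": "signRequest",
        "signatureKey": signing_key,
        "algorithm": algorithm,
        "hashesToBeSigned": hashes_to_be_signed(algorithm, messages),
    }


def check_sign_request(payload):
    """Return True if every entry of hashesToBeSigned has the length its algorithm requires.

    Catches a mismatched hash/algorithm pairing, or raw (unhashed) data, before it is sent.
    """
    algorithm = payload["algorithm"]
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported signature algorithm %r" % algorithm)
    want = digest_size(algorithm)
    for entry in payload["hashesToBeSigned"]:
        if len(base64.b64decode(entry, validate=True)) != want:
            return False
    return True


# Sample inputs: the key handle from this page's examples and the decoded sample strings as messages.
SIGNING_KEY = {"type": "handle", "id": "leaf", "subId": "122"}
MESSAGES = [b"Hello blue Sky!", b"Hello night Sky!", b"Hello trusted Sky!"]

if __name__ == "__main__":
    payload = build_sign_request(SIGNING_KEY, "RSASSA-PKCS1-v1_5-SHA-256", MESSAGES)
    print(payload)
    print("hash lengths match algorithm:", check_sign_request(payload))
```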

generateWrappedKeyRequest

This request is used to generate an asymmetric key pair and an associated X509 certificate. The key pair is protected (wrapped, i.e. encrypted) in CMS format for the supplied encryptionKeys.

  • Request:
    • keyType: The type of key that should be generated (either "RSA-2048" or "RSA-4096"). If left undefined, a 2048-bit RSA key is generated.
    • encryptionKeys: This property contains an array of the encryption keys that are used to encrypt the generated key pair.
    • signingKey (optional): This property defines the key to be used for signing the wrapped key.
    • certificateSubject: The subject name encoded according to http://tools.ietf.org/html/rfc4514, e.g., CN=My Subject name/O=IAIK
  • Response:
    • encodedWrappedKey: This property contains the CMS container, which is encrypted with the certificates handed over in the encryptionKeys property and signed with the key specified in the signingKey property (not yet available; the signing key defined in the configuration file is used). Since the generated certificate must be publicly available, it is returned in the encodedX509Certificate property of the response.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "generateWrappedKeyRequest",
    "keyType" : "RSA-2048",
    "encryptionKeys" : [ {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "121"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    } ],
    "signingKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "certificateSubject" : "CN=Wonderful"
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "c584f58d-1ac6-4e88-9bb0-e8fe84098bb9",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "generateWrappedKeyResponse",
    "encodedWrappedKey" : "CROPPED-BASE64-DATA",
    "encodedX509Certificate" : "CROPPED-BASE64-DATA"
  }
}

decryptRequest-wrappedKey

This example shows how the decrypt request is carried out with a wrapped key. In this example the encrypted data handed over in the encryptedData property is decrypted with the key that is stored in the CMS container, which is handed over in the encodedWrappedKey property. Thereby,

  1. SkyTrust decrypts the CMS container with the matching internal key (this corresponds to the signingKey that is handed over to the generateWrappedKey request, or the key that is defined in the configuration file).
  2. SkyTrust then decrypts the data supplied in the encryptedData property with the unwrapped key according to the algorithm specified in the algorithm property.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptRequest",
    "decryptionKey" : {
      "type" : "wrappedKey",
      "encodedWrappedKey" : "CROPPED-BASE64-DATA"
    },
    "algorithm" : "RSAES-PKCS1-v1_5",
    "encryptedData" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "0a029dd7-943c-46a8-911b-89b77422ba63",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptResponse",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

decryptCMSRequest-wrappedKey

This example shows how a wrapped key is used to decrypt a CMS container. This is handled in the same way as described in the decryptRequest-wrappedKey example. Since the CMS format is used, it is not necessary to specify the algorithm property as it is for the decrypt request.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptCMSRequest",
    "decryptionKey" : {
      "type" : "wrappedKey",
      "encodedWrappedKey" : "CROPPED-BASE64-DATA"
    },
    "encryptedCMSData" : [ "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA", "CROPPED-BASE64-DATA" ]
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "b42a46bf-e7f2-4b42-ae56-1633807c9869",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "decryptCMSResponse",
    "plainData" : [ "SGVsbG8gYmx1ZSBTa3kh", "SGVsbG8gbmlnaHQgU2t5IQ==", "SGVsbG8gdHJ1c3RlZCBTa3kh" ]
  }
}

modifyWrappedKeyRequest

The modifyWrappedKeyRequest modifies the access rights of a given wrapped key according to the given encryption keys.

  • Request:
    • encryptionKeys: This property contains an array of the new encryption keys that are used to encrypt the existing wrapped key.
    • decryptionKey (optional): The decryption key used to decrypt the wrapped key CMS container. If not provided, a predefined key is used.
    • signingKey (optional): This property defines the key to be used for signing the wrapped key.
  • Response:
    • encodedWrappedKey: This property contains the wrapped key which is encrypted with the certificates handed over in the encryptionKeys property and signed with the key specified in the signingKey property. Since the generated certificate must be publicly available it is returned in the encodedX509Certificate property of the response.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "modifyWrappedKeyRequest",
    "encryptionKeys" : [ {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }, {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "121"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    }, {
      "type" : "externalCertificate",
      "encodedCertificate" : "CROPPED-BASE64-DATA"
    } ],
    "signingKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    },
    "encodedWrappedKey" : "CROPPED-BASE64-DATA",
    "decryptionKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "bd88005b-9037-49d7-b43c-38e4849b76ef",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "modifyWrappedKeyResponse",
    "encodedWrappedKey" : "CROPPED-BASE64-DATA",
    "encodedX509Certificate" : "CROPPED-BASE64-DATA"
  }
}

exportWrappedKeyRequest

The exportWrappedKeyRequest decrypts the given wrapped key and returns the plain private key encoded in the PKCS8 format, as well as the associated X509 certificate.

  • Request:
    • encodedWrappedKey: The wrapped key that needs to be exported.
  • Response:
    • encodedPrivateKey: This property contains the plain private key, which was stored in the wrapped key data structure. The returned key is encoded in PKCS8 format as BASE64 string.
    • encodedX509Certificate: This property contains the X509 certificate that is also contained in the wrapped key data structure associated with the private key.

Request

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "",
    "path" : [ "java-api-instance" ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "exportWrappedKeyRequest",
    "encodedWrappedKey" : "CROPPED-BASE64-DATA",
    "decryptionKey" : {
      "type" : "handle",
      "id" : "leaf",
      "subId" : "122"
    }
  }
}

Response

{
  "header" : {
    "type" : "standardSkyTrustHeader",
    "commandId" : "",
    "sessionId" : "3fa39088-9017-437d-9535-fc31491d2780",
    "path" : [ ],
    "protocolVersion" : "2.0"
  },
  "payload" : {
    "type" : "exportWrappedKeyResponse",
    "encodedPrivateKey" : "CROPPED-BASE64-DATA",
    "encodedX509Certificate" : "CROPPED-BASE64-DATA"
  }
}