cdoc2-key-capsules-openapi.yaml
openapi: 3.0.3
info:
  contact:
    url: http://ria.ee
  title: cdoc2-key-capsules
  version: 2.1.0
  description: API for exchanging CDOC2 ephemeral key material in key capsules
servers:
  - url: 'https://localhost:8443'
    description: no auth (for creating key capsules). Regular TLS (no mutual TLS required).
  - url: 'https://localhost:8444'
    description: mutual TLS authentication (for retrieving key capsules)
paths:
  '/key-capsules/{transactionId}':
    get:
      summary: Get key capsule for transactionId
      description: Get key capsule for transactionId
      tags:
        - cdoc2-key-capsules
      parameters:
        - name: transactionId
          in: path
          schema:
            type: string
            minLength: 18
            maxLength: 34
          required: true
          description: transaction id from recipients.KeyServerCapsule.transaction_id (fbs)
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Capsule'
          headers:
            x-expiry-time:
              schema:
                type: string
                format: date-time
              description: Key capsule may be deleted by server after expiry time. Format rfc3339#section-5.6
        '400':
          description: 'Bad request. Client error.'
        '401':
          description: 'Unauthorized. Client certificate was not presented with the request.'
        '404':
          description: 'Not Found. 404 is also returned, when recipient id in record does not match with public key in client certificate.'
      operationId: getCapsuleByTransactionId
      security:
        - mutualTLS: []
  /key-capsules:
    post:
      summary: Add Key Capsule
      description: Save Capsule and generate transaction id using secure random. Generated transactionId is returned in Location header
      operationId: createCapsule
      parameters:
        - schema:
            type: string
            format: date-time
          in: header
          name: x-expiry-time
          description: Key capsule may be deleted by server after expiry time. Format rfc3339#section-5.6
          required: false
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Capsule'
      responses:
        '201':
          description: Created
          headers:
            Location:
              schema:
                type: string
                example: /key-capsules/KC0123456789ABCDEF
              description: 'URI of created resource. TransactionId can be extracted from URI as it follows pattern /key-capsules/{transactionId}'
        '400':
          description: Bad request. Client error.
      security: []
      tags:
        - cdoc2-key-capsules
components:
  schemas:
    Capsule:
      title: Capsule
      type: object
      properties:
        recipient_id:
          type: string
          format: byte
          minLength: 97 # EC public key
          maxLength: 2100 # 16 K RSA public key = 2086 bytes
          description: 'Binary format is defined by capsule_type'
        ephemeral_key_material:
          type: string
          format: byte
          maxLength: 2100
          description: 'Binary format is defined by capsule_type'
        capsule_type:
          type: string
          enum:
            - ecc_secp384r1
            - rsa
          description: |
            Depending on capsule type, Capsule fields have the following contents:
            - ecc_secp384r1:
              * recipient_id is EC pub key with secp384r1 curve in TLS format (0x04 + X coord 48 bytes + Y coord 48 bytes) (https://www.rfc-editor.org/rfc/rfc8446#section-4.2.8.2)
              * ephemeral_key_material contains sender public EC key (generated) in TLS format.
            - rsa:
              * recipient_id is DER encoded RSA recipient public key - RsaPublicKey encoding [RFC8017 RSA Public Key Syntax A.1.1](https://www.rfc-editor.org/rfc/rfc8017#page-54)
              * ephemeral_key_material contains KEK encrypted with recipient public RSA key
      required:
        - recipient_id
        - ephemeral_key_material
        - capsule_type
  securitySchemes:
    mutualTLS:
      # since mutualTLS is not supported by OAS 3.0.x, then define it as http basic auth. MutualTLS must be implemented
      # manually anyway
      #type: mutualTLS
      type: http
      scheme: basic
tags:
  - name: cdoc2-key-capsules
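The Capsule schema above only states length bounds and names the byte formats in prose, so a client or server still has to check the contents itself. The following Python is an added example, not code from the cdoc2 project: it validates a Capsule against the schema bounds and the per-capsule_type formats the spec describes (TLS uncompressed secp384r1 point, including an on-curve check; a DER SEQUENCE for the RSA public key), extracts the transactionId from a 201 Location header and parses the x-expiry-time header. It assumes that the minLength/maxLength bounds apply to the decoded bytes (as the schema comment "97 = EC public key" implies) rather than to the base64 text, and the sample capsules it builds use constructed dummy keys, not real ones.

```python
"""Client-side checks for the cdoc2-key-capsules API (added example, not project code).

Assumption: minLength/maxLength are applied to the decoded bytes, not the base64 text.
Sample keys below are constructed placeholders, not real key material.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Optional

RECIPIENT_ID_MIN, RECIPIENT_ID_MAX = 97, 2100     # Capsule.recipient_id bounds from the schema
KEY_MATERIAL_MAX = 2100                           # Capsule.ephemeral_key_material bound
TX_ID_MIN, TX_ID_MAX = 18, 34                     # transactionId path parameter bounds
LOCATION_RE = re.compile(r"^/key-capsules/([^/?#]+)$")

# secp384r1 (NIST P-384) domain parameters: y^2 = x^3 - 3x + b over GF(p)
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1
P384_B = int("b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f"
             "5013875ac656398d8a2ed19d2a85c8edd3ec2aef", 16)


def tls_ec_point_problem(raw: bytes) -> Optional[str]:
    """Check TLS uncompressed encoding 0x04 || X(48) || Y(48) and that (X, Y) is on the curve."""
    if len(raw) != 97 or raw[0] != 0x04:
        return "expected 97-byte uncompressed point (0x04 || X || Y)"
    x, y = int.from_bytes(raw[1:49], "big"), int.from_bytes(raw[49:], "big")
    if x >= P384_P or y >= P384_P:
        return "coordinate is not below the field prime"
    if (y * y - (x**3 - 3 * x + P384_B)) % P384_P:
        return "point is not on secp384r1"   # rejects invalid-curve inputs
    return None


def der_sequence_problem(raw: bytes) -> Optional[str]:
    """Minimal DER check: one SEQUENCE whose encoded length covers the whole blob."""
    if len(raw) < 2 or raw[0] != 0x30:
        return "not a DER SEQUENCE"
    if raw[1] < 0x80:
        header, length = 2, raw[1]
    else:
        n = raw[1] & 0x7F
        if n == 0 or n > 4 or len(raw) < 2 + n:
            return "bad DER length encoding"
        header, length = 2 + n, int.from_bytes(raw[2:2 + n], "big")
    return None if header + length == len(raw) else "DER length does not match blob size"


def validate_capsule(capsule: dict) -> list:
    """Return a list of problems; an empty list means the capsule meets the schema."""
    ctype = capsule.get("capsule_type")
    if ctype not in ("ecc_secp384r1", "rsa"):
        return [f"capsule_type: unknown value {ctype!r}"]
    decoded, problems = {}, []
    for name in ("recipient_id", "ephemeral_key_material"):   # both are format: byte
        try:
            decoded[name] = base64.b64decode(capsule[name], validate=True)
        except (KeyError, TypeError, ValueError):
            problems.append(f"{name}: missing or not valid base64")
    if problems:
        return problems
    rid, ekm = decoded["recipient_id"], decoded["ephemeral_key_material"]
    if not RECIPIENT_ID_MIN <= len(rid) <= RECIPIENT_ID_MAX:
        problems.append("recipient_id: length outside schema bounds")
    if len(ekm) > KEY_MATERIAL_MAX:
        problems.append("ephemeral_key_material: longer than schema allows")
    if ctype == "ecc_secp384r1":   # both fields are TLS-format secp384r1 public keys
        checks = [("recipient_id", tls_ec_point_problem(rid)),
                  ("ephemeral_key_material", tls_ec_point_problem(ekm))]
    else:                          # recipient_id is DER RSAPublicKey; ekm is the RSA-encrypted KEK
        checks = [("recipient_id", der_sequence_problem(rid)),
                  ("ephemeral_key_material", None if ekm else "empty encrypted KEK")]
    problems.extend(f"{name}: {msg}" for name, msg in checks if msg)
    return problems


def transaction_id_from_location(location: str) -> Optional[str]:
    """transactionId from a 201 Location header, or None if it does not follow the spec's pattern."""
    m = LOCATION_RE.match(location)
    return m.group(1) if m and TX_ID_MIN <= len(m.group(1)) <= TX_ID_MAX else None


def parse_expiry(header: str) -> datetime:
    """Parse the RFC 3339 x-expiry-time header into an aware UTC datetime."""
    dt = datetime.fromisoformat(header.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("x-expiry-time must carry a UTC offset")
    return dt.astimezone(timezone.utc)


def sample_ec_point() -> bytes:
    """Constructed sample point: smallest x whose RHS is a square; p ≡ 3 mod 4, so sqrt = rhs^((p+1)/4)."""
    for x in range(1, 1000):
        rhs = (x**3 - 3 * x + P384_B) % P384_P
        y = pow(rhs, (P384_P + 1) // 4, P384_P)
        if y * y % P384_P == rhs:
            return b"\x04" + x.to_bytes(48, "big") + y.to_bytes(48, "big")
    raise RuntimeError("no point found")


def sample_capsule(capsule_type: str, corrupt: bool = False) -> dict:
    """Constructed capsules (dummy keys): valid by default; corrupt flips the low bit of recipient_id's last byte."""
    if capsule_type == "ecc_secp384r1":
        rid = ekm = sample_ec_point()
    else:  # DER RSAPublicKey { n = 93-byte dummy modulus, e = 3 } and a dummy 93-byte ciphertext
        rid = b"\x30\x62\x02\x5d\x00" + b"\xff" * 92 + b"\x02\x01\x03"
        ekm = b"\x5a" * 93
    if corrupt:   # for the EC case this moves Y off the curve
        rid = rid[:-1] + bytes([rid[-1] ^ 0x01])
    return {"recipient_id": base64.b64encode(rid).decode(),
            "ephemeral_key_material": base64.b64encode(ekm).decode(),
            "capsule_type": capsule_type}
```

The validator returns every problem it finds rather than stopping at the first, which makes it usable both as a pre-flight check before POST /key-capsules and as a server-side guard on the stored record; the on-curve test is the part a JSON-schema validator cannot express and is what stops a malformed or off-curve recipient_id from reaching the key-agreement step.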