...

The RSA notary public key can be defined in the frigg config.ini with the key "notary_public_key". If no key is defined, a default StepOver key is used. The value is an RSA certificate in PEM format without the BEGIN CERTIFICATE / END CERTIFICATE markers.

Notary key example

Notary key .pem file format example:

Code Block
-----BEGIN CERTIFICATE-----
MIIGETCCA/mgAwIBAgIJAI7OSzwPq2zbMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD
VQQGEwJERTEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHDAlT
dHV0dGdhcnQxEzARBgNVBAoMCk5vdGFyeSBMdGQxDzANBgNVBAsMBk5vdGFyeTEW
MBQGA1UEAwwNTm90YXJ5IE5vdGFyeTEgMB4GCSqGSIb3DQEJARYRbm90YXJ5QG5v
dGFyeS5jb20wHhcNMTkwODE2MTU0MzQ1WhcNMjkwODEzMTU0MzQ1WjCBnjELMAkG
...
-----END CERTIFICATE-----

Example notary_public_key config entry with line breaks and without the BEGIN/END markers:

Code Block
notary_public_key=MIIGETCCA/mgAwIBAgIJAI7OSzwPq2zbMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD \
VQQGEwJERTEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJnMRIwEAYDVQQHDAlT \
dHV0dGdhcnQxEzARBgNVBAoMCk5vdGFyeSBMdGQxDzANBgNVBAsMBk5vdGFyeTEW \
MBQGA1UEAwwNTm90YXJ5IE5vdGFyeTEgMB4GCSqGSIb3DQEJARYRbm90YXJ5QG5v \
dGFyeS5jb20wHhcNMTkwODE2MTU0MzQ1WhcNMjkwODEzMTU0MzQ1WjCBnjELMAkG \
...

Notary key server configuration

...

Signing method: HTML-Signer
  Settings: rsa_encryptor_public_key (fallback: notary_public_key), notary_public_key
  Fallback: StepOver Standard Key (4096 bit)
  Description and additional settings:
    rsa_encryptor_public_key: The biometric data is encrypted with the rsa_encryptor_public_key. If the key is not set, notary_public_key is used.
    notary_public_key: Fallback key if rsa_encryptor_public_key is not set. If notary_public_key is not set either, the StepOver standard 4096 bit key is used.
    notary_sha1_fingerprint: Optionally set in the braga config.ini. This value is compared with the fingerprint received from the frigg frontend upon signature creation.

Signing method: App
  Settings: notary_public_key
  Fallback: StepOver Standard Key (4096 bit)
  Description and additional settings:
    If notary_public_key is not set, the StepOver standard 4096 bit key is used. It is obtained with the tyrservice method getSettings.

Signing method: Signature pad
  Settings: pad_connector_crypto_id_names
  Fallback: standard key on the pad (if pad_connector_crypto_id_abort_message is not set)
  Description and additional settings:
    The biometric data is encrypted on the pad. A pad contains several keys; these can only be changed with a firmware update.
    pad_connector_crypto_id_names: If the config is not set, the standard key of the pad is used. The setting contains a semicolon-separated list of key names. The first name in the list that is present on the pad is used for encryption.
    pad_connector_crypto_id_abort_message: If no matching crypto id name is found on the pad, the abort message is shown and signing is not possible. If the abort message is not set, the standard key of the pad is used.
    (see "pad encryption" below for details)

NOTARY INFO

To determine which key was used for encryption, a notary info is stored with each signature. It can be extracted with StepOver ESO or Baldur and is derived from the certificate:

===( NotaryInfo StepOver GmbH )===

buero@notar-jaumann.de
Notar Werner Jaumann, 
Stuttgart, 
Baden-Wuerttemberg, 
DE
2048bit
SN:eadc2c14dce0677b
SHA1:fadf592b5cca3e77e0852a36472b0ebbac99cdfd
valid:03/14/78

This information is shown on server startup as an info log entry.

Monitoring

The notary certificate SHA-1 fingerprint is shown on the monitor endpoint.

...

Additional fingerprint check

An additional fingerprint check can be configured in the braga config.ini with the key notary_sha1_fingerprint.

This value is compared with the fingerprint received from the frigg frontend upon signature creation. If the values do not match, an error is logged and the signature fails; otherwise the signature is created successfully.

The fingerprint can be obtained from the pem file (see above) via openssl:

Code Block
openssl x509 -in certificate.pem -outform DER | sha1sum
c938267a3015450513bcf9a10eb97e982885139c

Alternatively, the .pem file can be converted to a .der file and the fingerprint read from the certificate properties:

Code Block
openssl x509 -outform der -in certificate.pem -out certificate.der
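As an added example (not code from frigg or braga), the same fingerprint check in Python: it reads notary_public_key in the marker-less, line-continued form shown above, rebuilds the DER bytes, and compares their SHA-1 against a configured notary_sha1_fingerprint. The certificate bytes and the ini text are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def read_ini_value(ini_text: str, key: str) -> str:
    """Return the value of `key`, joining lines that end in ' \\'
    (the line-break form of notary_public_key shown above)."""
    lines = ini_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(key + "="):
            parts = [line.split("=", 1)[1]]
            while parts[-1].rstrip().endswith("\\") and i + 1 < len(lines):
                parts[-1] = parts[-1].rstrip()[:-1].rstrip()  # drop the '\'
                i += 1
                parts.append(lines[i].strip())
            return "".join(parts)
        i += 1
    raise KeyError(key)

def der_from_config_value(value: str) -> bytes:
    """Rebuild the DER certificate from the marker-less base64 config value.
    BEGIN/END markers are tolerated and removed in case a whole .pem was pasted."""
    body = re.sub(r"\s+", "", PEM_MARKER.sub("", value))
    return base64.b64decode(body, validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """Same value as `openssl x509 -outform DER | sha1sum` above."""
    return hashlib.sha1(der).hexdigest()

def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Compare with notary_sha1_fingerprint; accepts 'AA:BB:..' or bare hex.
    Constant-time compare, so a mismatch leaks nothing about the value."""
    wanted = expected.replace(":", "").strip().lower()
    return hmac.compare_digest(sha1_fingerprint(der), wanted)

# Constructed stand-in for a DER certificate body (not a real certificate).
FAKE_DER = bytes(range(256)) * 3
SAMPLE_B64 = base64.b64encode(FAKE_DER).decode()
# Constructed config.ini entry in the line-break form shown above.
SAMPLE_INI = "notary_public_key=" + " \\\n".join(
    SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)) + "\n"

if __name__ == "__main__":
    der = der_from_config_value(read_ini_value(SAMPLE_INI, "notary_public_key"))
    print(sha1_fingerprint(der), fingerprint_matches(der, sha1_fingerprint(der)))
```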

...

Notary key workflow

This is a simplified overview of the bio data encryption with the different signing methods. Only the encryption with the notary key is shown, not the AES encryption.

...

Pad signature signing example with pad_connector_crypto_ids set

See Pad Connector API and Websocket Interface for additional information about the API.

First webso obtains the CryptoIdInfoList with "getDeviceInfo".

Example response:

Code Block
{
    "data": {
        "ret": {
            "deviceType": "duraSign Pad Brilliance",
            "serial": "220161001",
            "openState": "2",
            "cryptoIdInfo": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><CryptoIDInfoList xmlns=\"http://www.stepover.com/CryptoIDContaineInfoXMLSchema\"><CryptoIDInfo><id>0</id><description>StepOver cryptoIdv1</description><padCertLength>256</padCertLength><padNotaryLength>256</padNotaryLength></CryptoIDInfo><CryptoIDInfo><id>1</id><description>StepOver 2048/4096</description><padCertLength>256</padCertLength><padNotaryLength>512</padNotaryLength></CryptoIDInfo><CryptoIDInfo><id>2</id><description>StepOver 3072/4096</description><padCertLength>384</padCertLength><padNotaryLength>512</padNotaryLength></CryptoIDInfo></CryptoIDInfoList>",
            "cryptoIdInfoJson": "[{\"padCertLength\":256,\"description\":\"StepOver cryptoIdv1\",\"padNotaryLength\":256},{\"padCertLength \":256,\"description\":\"StepOver 2048/4096\",\"padNotaryLength\":512},{\"padCertLength\":384,\"description\":\"StepOver 3072/4096\",\"padNotaryLength\":512}]",
            "firmwareVersion": "7.8.0.51",
            "deviceTime": "1690190787000"
        }
    },
    "messageId": "1690196850227-4",
    "type": "response"
}

The response contains three keys:

id (crypto_id) | description (corresponds to pad_connector_crypto_id_names) | padCertLength | padNotaryLength
0              | StepOver cryptoIdv1                                          | 256           | 256
1              | StepOver 2048/4096                                           | 256           | 512
2              | StepOver 3072/4096                                           | 384           | 512

Example config:

Code Block
pad_connector_crypto_id_names=FooBar;StepOver 3072/4096;StepOver cryptoIdv1

Webso iterates over pad_connector_crypto_id_names. In the example, crypto_id 2 (StepOver 3072/4096) will be used: "FooBar" is not present on the pad; "StepOver cryptoIdv1" is present, but "StepOver 3072/4096" comes before it in the setting list and is taken instead. "StartSigning" is then called with crypto_id=2.

E.g.:

Code Block
{
    "type": "startSigning",
    "data": {
        "x": 119.99983199999998,
        "y": 132.05207656364587,
        "width": 148.99999999999997,
        "height": 67.02588401047669,
        "resolution": 200,
        "page": 0,
        "withHashDialog": true,
        "signSession": "signSession",
        "signatureTimeout": 5000,
        "config": {
            "signatureImageIntervalMillis": "200",
            "cryptoId": 1,
            "afterSignMode": "customerLogo",
            "signMode": "standard"
        },
        "messageId": "1690197353550-5"
    }
}
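The selection rule above, as an added example that is not webso's own code: it takes the cryptoIdInfo XML from the getDeviceInfo response (copied from the example above), maps each description to its id, walks pad_connector_crypto_id_names in order, and applies the pad_connector_crypto_id_abort_message fallback. The function names are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from typing import Optional

# getDeviceInfo response from above (constructed copy, reduced to the fields used).
DEVICE_INFO_RESPONSE = json.dumps({
    "data": {"ret": {
        "deviceType": "duraSign Pad Brilliance",
        "cryptoIdInfo": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<CryptoIDInfoList xmlns="http://www.stepover.com/CryptoIDContaineInfoXMLSchema">'
            '<CryptoIDInfo><id>0</id><description>StepOver cryptoIdv1</description>'
            '<padCertLength>256</padCertLength><padNotaryLength>256</padNotaryLength></CryptoIDInfo>'
            '<CryptoIDInfo><id>1</id><description>StepOver 2048/4096</description>'
            '<padCertLength>256</padCertLength><padNotaryLength>512</padNotaryLength></CryptoIDInfo>'
            '<CryptoIDInfo><id>2</id><description>StepOver 3072/4096</description>'
            '<padCertLength>384</padCertLength><padNotaryLength>512</padNotaryLength></CryptoIDInfo>'
            '</CryptoIDInfoList>'),
    }},
    "messageId": "1690196850227-4", "type": "response",
})

def parse_crypto_ids(response_json: str) -> dict:
    """Map description -> id from the cryptoIdInfo XML of a getDeviceInfo response.
    The XML is used instead of cryptoIdInfoJson because only the XML carries <id>."""
    xml_text = json.loads(response_json)["data"]["ret"]["cryptoIdInfo"]
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
    ids = {}
    for info in root:
        if local(info) != "CryptoIDInfo":
            continue
        fields = {local(child): (child.text or "").strip() for child in info}
        ids[fields["description"]] = int(fields["id"])
    return ids

def select_crypto_id(pad_ids: dict, names_setting: str, abort_message: str = "") -> Optional[int]:
    """pad_connector_crypto_id_names rule: the first configured name present on the
    pad wins. No match: raise with pad_connector_crypto_id_abort_message if it is set,
    otherwise return None, meaning the pad's standard key is used."""
    for name in (n.strip() for n in names_setting.split(";")):
        if name and name in pad_ids:
            return pad_ids[name]
    if abort_message:
        raise RuntimeError(abort_message)
    return None

if __name__ == "__main__":
    ids = parse_crypto_ids(DEVICE_INFO_RESPONSE)
    print(select_crypto_id(ids, "FooBar;StepOver 3072/4096;StepOver cryptoIdv1"))  # 2
```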
