...
The RSA notary public key can be defined in the frigg config.ini using the key "notary_public_key". If no key is defined, a default StepOver key is used. The value is an RSA certificate in PEM format without the BEGIN CERTIFICATE / END CERTIFICATE marker lines.
Notary key .pem file format example:
Example notary_public_key config value with line breaks and without the start/end markers:
Notary key server configuration
...
Signing method | Settings | Fallback | Description and additional settings |
---|---|---|---|
HTML-Signer | rsa_encryptor_public_key (fallback: notary_public_key) | notary_public_key, then the StepOver standard key (4096 bit) | The biometric data is encrypted with rsa_encryptor_public_key. If that key is not set, notary_public_key is used; if notary_public_key is not set either, the StepOver standard 4096 bit key is used. notary_sha1_fingerprint can optionally be set in the braga config.ini; this value is compared with the fingerprint received from the frigg frontend upon signature creation. |
App | notary_public_key | StepOver standard key (4096 bit) | If notary_public_key is not set, the StepOver standard 4096 bit key is used. The app obtains the key with the tyrservice method getSettings. |
Signature pad | pad_connector_crypto_id_names | Standard key on the pad (if pad_connector_crypto_id_abort_message is not set) | The biometric data is encrypted on the pad. A pad contains several keys; they can only be changed with a firmware update. pad_connector_crypto_id_names is a semicolon-separated list of key names; the first name in the list that is present on the pad is used for encryption. If the setting is not set, the standard key of the pad is used. pad_connector_crypto_id_abort_message: if no matching crypto id name is found on the pad, this abort message is shown and signing is not possible; if the abort message is not set, the standard key of the pad is used (see "pad encryption" below for details). |
NOTARY INFO
In order to find out which key was used for encryption, a notary info is stored with each signature. This information can be extracted by using StepOver ESO or Baldur. The information is extracted from the certificate:
===( NotaryInfo StepOver GmbH )===
buero@notar-jaumann.de,
Notar Werner Jaumann,
Stuttgart,
Baden-Wuerttemberg,
DE
2048bit
SN:eadc2c14dce0677b
SHA1:fadf592b5cca3e77e0852a36472b0ebbac99cdfd
valid:03/14/78
This information is shown on server startup as an info log entry.
Monitoring
The notary certificate's SHA-1 fingerprint is shown on the monitor endpoint.
...
Additional fingerprint check
An additional fingerprint check can be configured in the braga config.ini with the key notary_sha1_fingerprint.
This value is compared with the fingerprint received from the frigg frontend upon signature creation. If the values do not match, an error is logged and the signature fails; otherwise the signature is created successfully.
The fingerprint can be obtained from the .pem file (see above) via openssl. Note that openssl expects the complete PEM file including the BEGIN/END CERTIFICATE lines, not the marker-less value from config.ini:

```
openssl x509 -in certificate.pem -outform DER | sha1sum
c938267a3015450513bcf9a10eb97e982885139c
```
Alternatively, the .pem file can be converted to a .der file and the fingerprint can be read from the certificate properties:

```
openssl x509 -outform der -in certificate.pem -out certificate.der
```
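The same fingerprint computation, applied directly to the marker-less notary_public_key value from config.ini, as an added example (not StepOver's code): it strips the line breaks, decodes the base64 body to DER, hashes it exactly as `openssl x509 -outform DER | sha1sum` does, and compares the result with a configured notary_sha1_fingerprint in a separator-tolerant way. The certificate bytes are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

# Constructed sample: marker-less, line-wrapped base64 as it would appear under
# notary_public_key. These are placeholder bytes, NOT a real certificate.
SAMPLE_DER = b"placeholder-der-bytes-not-a-real-certificate" * 3
SAMPLE_CONFIG_VALUE = base64.encodebytes(SAMPLE_DER).decode("ascii")


def der_from_config(value: str) -> bytes:
    """Decode the marker-less PEM body from config.ini back to DER bytes.

    Line breaks and whitespace are ignored; BEGIN/END CERTIFICATE lines are
    tolerated in case a complete PEM file was pasted instead.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    body = "".join(body.split())  # drop all line breaks and whitespace
    # validate=True rejects stray characters instead of silently skipping them
    return base64.b64decode(body, validate=True)


def to_pem(value: str) -> str:
    """Re-add the marker lines so tools such as openssl x509 accept the value."""
    b64 = base64.b64encode(der_from_config(value)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the value 'openssl x509 -outform DER | sha1sum' prints."""
    return hashlib.sha1(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'fa:df:59...', 'FA DF 59 ...' or 'fadf59...' and return bare lower-case hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(config_value: str, expected_fingerprint: str) -> bool:
    """Illustrative check: does the configured certificate carry the expected fingerprint?"""
    actual = sha1_fingerprint(der_from_config(config_value))
    expected = normalize_fingerprint(expected_fingerprint)
    return len(expected) == 40 and actual == expected


if __name__ == "__main__":
    print(to_pem(SAMPLE_CONFIG_VALUE))
    print("fingerprint:", sha1_fingerprint(der_from_config(SAMPLE_CONFIG_VALUE)))
```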
...
Notary key workflow
This is a simplified overview of the biometric data encryption with the different signing methods. Only the encryption with the notary key is shown, not the AES encryption.
...
See Pad Connector API and Websocket Interface for additional information about the API. First, webso obtains the CryptoIdInfoList with "getDeviceInfo". Example response:
The response contains three keys:
example config
Webso iterates over pad_connector_crypto_id_names. In the example, crypto_id 3 (StepOver 3072/4096) will be used: "FooBar" is not present on the pad; "StepOver cryptoIdv1" is present on the pad, but "StepOver 3072/4096" comes before "StepOver cryptoIdv1" in the setting list and is taken instead. "StartSigning" is then called with crypto_id=2, e.g.:
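The key selection described above, as an added example that is not webso's code: the configured name list is walked in order, the first name present on the pad's CryptoIdInfoList wins, and an unset list, or a miss without a configured abort message, falls back to the pad's standard key. The pad key list, its crypto ids and the config values are constructed for this example.

```python
from typing import List, Optional

# Constructed sample of a pad's CryptoIdInfoList as returned by getDeviceInfo.
# Ids and names are made up for this example; only the selection logic matters.
SAMPLE_PAD_KEYS = [
    {"crypto_id": 0, "name": "StepOver cryptoIdv1"},
    {"crypto_id": 1, "name": "Example pad key (constructed)"},
    {"crypto_id": 2, "name": "StepOver 3072/4096"},
]

# Constructed config values as they would appear in config.ini.
SAMPLE_CRYPTO_ID_NAMES = "FooBar;StepOver 3072/4096;StepOver cryptoIdv1"
SAMPLE_ABORT_MESSAGE = "No suitable encryption key found on the pad"


class SigningAborted(Exception):
    """Raised when pad_connector_crypto_id_abort_message is set and no name matched."""


def parse_crypto_id_names(setting: Optional[str]) -> List[str]:
    """Split the semicolon-separated setting; an unset or empty value gives []."""
    if not setting:
        return []
    return [n.strip() for n in setting.split(";") if n.strip()]


def select_crypto_id(pad_keys, crypto_id_names, abort_message=None) -> Optional[int]:
    """Pick the crypto_id to pass to StartSigning.

    Returns the crypto_id of the first configured name present on the pad.
    None means 'use the pad's standard key': the setting is unset, or nothing
    matched and no abort message is configured. With an abort message, a miss
    stops the signing instead of silently falling back to the standard key.
    """
    names_on_pad = {k["name"]: k["crypto_id"] for k in pad_keys}
    wanted = parse_crypto_id_names(crypto_id_names)
    if not wanted:
        return None  # setting not configured -> pad standard key
    for name in wanted:  # configured order decides, not the pad's order
        if name in names_on_pad:
            return names_on_pad[name]
    if abort_message:
        raise SigningAborted(abort_message)
    return None  # no match and no abort message -> pad standard key


if __name__ == "__main__":
    print("crypto_id:", select_crypto_id(SAMPLE_PAD_KEYS, SAMPLE_CRYPTO_ID_NAMES))
```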
...