Info |
---|
This article is valid for Smart ID Identity Manager 24.R1 or later. |
...
default descriptor names:
att_external-attestation-1 (mobile only)
att_external-attestation-2 (mobile only)
att_external-attestation-3 (mobile only)
att_external-attestation-4 (mobile only)
att_ATTESTATION (mobile+desktop, default)
use-case:
limit profile provisioning with Smart ID Mobile / Smart ID Desktop App to devices with certain keys (by default IDM includes certificates for the built-in keys of any Mobile and Desktop App installation)
configured in these applications:
Identity Manager Operator
Identity Manager Admin (technically not used here, but required for startup due to bean requirements - subject to change in future releases)
versioning: supported
storage: pkcs12, HSM (recommended)
general requirements:
default certificates do not need to be changed, unless you want to limit profile provisioning to certain devices
no private key is configured for IDM, only each public key inside a certificate
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
only public part with dummy certificate generated via tooling shown here: https://doc.nexusgroup.com/pub/configure-custom-attestation-keys
verification only uses the key, no part of the certificate is considered
key usage is not checked (recommended for informational purposes: set digitalSignature)
validity is ignored
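A pre-flight check of a candidate attestation certificate against the key requirements above, as an added example (not Nexus tooling and not part of the original page). It assumes the `openssl` CLI is installed; the function names `check_attestation_cert` and `make_sample_cert` are hypothetical, and the sample certificates it can generate are constructed throwaways.

```shell
#!/bin/sh
# check_attestation_cert CERT.pem
# Prints "ok <bits>" and returns 0 when the certificate carries an RSA public
# key of a size listed on this page (2048, 3072, 4096). Otherwise prints the
# reason and returns 1. Validity and key usage are deliberately not inspected,
# because the page states that verification only uses the key.
check_attestation_cert() {
    cert=$1
    # Extract the SubjectPublicKeyInfo; fails on unreadable or non-X.509 input.
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "unreadable certificate"; return 1; }
    # "openssl rsa" rejects anything that is not an RSA key (e.g. EC).
    text=$(printf '%s\n' "$pub" | openssl rsa -pubin -noout -text 2>/dev/null) || {
        echo "not an RSA key"; return 1; }
    # Matches both "Public-Key: (N bit)" and "RSA Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    case $bits in
        2048|3072|4096) echo "ok $bits"; return 0 ;;
        *) echo "unsupported RSA size: ${bits:-unknown}"; return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output file, remaining arguments = key generation options for "req".
make_sample_cert() {
    out=$1; shift
    openssl req -x509 -nodes -days 1 -subj "/CN=constructed-sample" \
        "$@" -keyout "$out.key" -out "$out" 2>/dev/null
}

# Example use:
#   make_sample_cert /tmp/att.pem -newkey rsa:4096
#   check_attestation_cert /tmp/att.pem
```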
Descriptors not included by default
this section is not done yet - some investigation and tests pending (but since the descriptors are not included by default, they are not needed for initial bootstrapping)
idopteAuthentication
use-case: initial handshake with Idopte client-side middleware, see Encoding using Idopte middleware in Identity Manager
configured in this application:
Identity Manager Operator
storage: pkcs12
versioning: not supported (always uses the default (i.e. highest) version)
supported algorithm value: NONEwithRSA
general requirements:
descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair are required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
key requirements:
supported type:
RSA 2048
certificate requirements:
Idopte webapp cert, issued by Idopte based on CSR for a customer-generated keypair
CSR extensions: at least one placeholder SAN URI (which PDA will send as Origin header), one customer-specific SAN URI (does not have to point to an existing website), e.g. https://idoptewebappidopte.mycompanycustomer.com (using hosts like localhost or 127.x.y.z is discouraged, as it severely restricts the maximum validity period of the certificate Idopte can issue)
validity: defined by the Idopte CA
key type: RSA-2048, feedback from Idopte what else they would support pending...
algorithm: NONEwithRSA (assuming no ECC support, otherwise it could also be NONEwithECDSA - required for correct signing of the challenge)
storage: pkcs12
IdopteMiddleware.signEnvChallenge() always uses BC provider, probably should use IKeyDescriptor.getProviderForPrivateKey() instead
versioning not needed (always uses the default (i.e. highest) version)
insideClientAuth
use-case: authenticate to the IN Groupe Inside Server, which performs certain cryptographic operations on behalf of IDM when using the Idopte middleware (see Encoding using Idopte middleware in Identity Manager)
configured in this application:
Identity Manager Operator
see Encoding using Idopte middleware in Identity Manager
general requirements:
descriptor can be omitted entirely (not even a placeholder needed) if Idopte middleware is not used, otherwise correct certificate and keypair are required
PKI card encoding via the Idopte middleware will fail if missing or configured incorrectly
algorithm attribute not used (we only use certificate and private key from the descriptor)
versioning: not needed
storage: pkcs12
not clear if HSM is supported or not (see SSL.java)
key type: RSA-2048 and up (4096 recommended)
unsure if ECC support or not...
key requirements:
supported types:
RSA 2048
RSA 3072
RSA 4096 (recommended)
certificate requirements:
validity DOES matter, connection to Inside server will fail when expired
unsure if self-signed certs would work (recommend to use CA)
must be trusted by Inside server
key usage: digitalSignature
Pin-Blob Decryption Descriptors
These do not have a specific name, but can be any descriptors listed in the pinBlobDecryptor.keyDescriptorNames property of system.properties (or its Docker counterpart).
use-case: decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them (see Encodings using Personal Desktop Client middleware in Identity Manager, section "Read encrypted PINs")
configured in this application:
Identity Manager Operator
supported algorithm value: RSA
storage: pkcs12, HSM (recommended)
versioning: not needed
general requirements:
by default the property is empty, hence no descriptors are needed, unless the feature is required
see Encodings using Personal Desktop Client middleware in Identity Manager (section "Read encrypted PINs")
keypairs of pin-encryption certificate for decrypting pin-blobs from pre-personalized cards to e.g. print pin letters for them
algorithm: RSA
key type: RSA-2048 (unsure if larger ones work), no ECC support!
issued by CM
storage: pkcs12, HSM (recommended)
validity does not matter to IDM
trust does not matter to IDM
key usage: recommend keyEncipherment + dataEncipherment for information, but technically does not matter (IDM just needs the private key)
we only use the private key
versioning not needed (always uses the default (i.e. highest) version)
key requirements:
supported types:
RSA 2048 (others?)
certificate requirements:
issued by Nexus Certificate Manager
validity ignored by IDM
does not need to be trusted by IDM
key usage is not checked (recommended for informational purposes: set dataEncipherment + keyEncipherment)