...

Attribute of the type element inside descriptor

Description

algorithm

For EncryptedFields/ConfigZipEncrypter: symmetric algorithm to be used, usually AES/CBC/PKCS7Padding.

For SelfServiceJWTSigner/ContentProviderJWSSigner: always RSA.

For ConfigZipSigner/ObjectHistorySigner: hashing algorithm to be used (for example, SHA-256).

For SignEmailDescriptor/hermodDeviceEnc/att_* and pin-blob decryption descriptors:
signature algorithm to be used (for example, SHA256withRSA).

For idopteAuthentication: always NoneWithRSA.

size

For EncryptedFields/ConfigZipEncrypter only.
Size of the symmetric key in bits, either 128 or 256 (recommended).

result

For EncryptedFields only.
Output format, currently always NX02.

key

The descriptor’s key. Refers to a key defined in the same document.

asymCipher

For EncryptedFields/ConfigZipEncrypter only.
Cipher definition, e.g. RSA/None/OAEPWithSHA384AndMGF1Padding.

When used with an HSM, you need to adjust the cipher format to be compatible with the JCE provider
used for HSM access: the provider must recognise the transformation string exactly, otherwise
Cipher.getInstance fails at runtime and the descriptor cannot be used.
For example, instead of the above cipher definition, specify RSA/ECB/OAEPWithSHA-384AndMGF1Padding
(ECB instead of None and SHA-384 instead of SHA384).
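The transformation string is only useful if the provider that will actually perform the operation understands it. The following probe is an added example (not part of the product or this page): it asks every registered JCE provider whether it accepts each of the two spellings given above. Run it in the JVM that will host the application, with the provider used for HSM access registered (for a PKCS#11 HSM that is typically a SunPKCS11 provider configured for the token; the exact provider and its configuration are an assumption here), and put the spelling that provider accepts into asymCipher.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added example, not code from the product: probe which installed JCE providers
// accept each RSA/OAEP transformation spelling mentioned on the page.
public class CipherNameProbe {
    // Both spellings are taken from the page. The first is the default form, the
    // second the form needed with a provider that only knows "ECB" as the RSA mode
    // and spells the digest "SHA-384" (the SunJCE style; SunPKCS11 follows it).
    static final String[] TRANSFORMATIONS = {
        "RSA/None/OAEPWithSHA384AndMGF1Padding",
        "RSA/ECB/OAEPWithSHA-384AndMGF1Padding",
    };

    // Returns true if the given provider can construct a Cipher for the transformation.
    static boolean accepts(Provider provider, String transformation) {
        try {
            Cipher.getInstance(transformation, provider);
            return true;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException or NoSuchPaddingException: the provider does
            // not understand this spelling, so a descriptor using it would fail.
            return false;
        }
    }

    public static void main(String[] args) {
        // Security.getProviders() lists providers in preference order; if the HSM
        // provider is not in this list, it has not been registered in this JVM.
        for (Provider p : Security.getProviders()) {
            for (String t : TRANSFORMATIONS) {
                System.out.printf("%-14s %s %s%n",
                        p.getName(), accepts(p, t) ? "accepts" : "rejects", t);
            }
        }
    }
}
```

Expect the bundled SunJCE provider to accept only the hyphenated ECB form; which spelling a third-party or HSM provider accepts depends on that provider, which is exactly why the check belongs in the target environment rather than on a developer machine with a different provider set.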

initVector

Only needed for migrating EncryptedFields from SmartAct or ProAct: a fixed Initialization Vector (IV).
With AES/CBC a fixed IV reveals whether two plaintexts share a common prefix, so use it only for the
migration and do not carry it over into other descriptors.

For other descriptors, omit this attribute in order to use randomly generated IVs.

Descriptor versioning

Some descriptors support multiple versions. For example, you can replace the key of the ObjectHistorySigner by adding a descriptor with the same name and a newer version, and leaving the existing descriptor with the old version configured. This will cause any new signatures to be created with the new key, but you can still verify signatures made with the old one.

...

There are also descriptors which cannot be versioned, e.g. EncryptedFields. For those the version always needs to be set to 1.

Currently most descriptors either do not support versioning at all or do not benefit from defining multiple versions.
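The rollover rule described above (sign with the newest version, verify with whichever version produced the signature, keep the old version configured) is illustrated by the following added example. It is not the product's ObjectHistorySigner and does not read descriptor files; it keeps the versions in memory, generates its own RSA keys, and records the version in front of the signature as "v<version>:<base64>", an encoding chosen for this demonstration only. The SHA256withRSA algorithm name is the one the page lists for the signature descriptors.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Base64;
import java.util.TreeMap;

// Added example, not code from the product: a signer that holds several key versions,
// always signs with the newest one and verifies against the version named in the
// signature. Old versions stay configured so their signatures remain verifiable.
public class VersionedSigner {
    private static final String ALGORITHM = "SHA256withRSA";
    private final TreeMap<Integer, KeyPair> versions = new TreeMap<>();

    // Register a key version; versions are never replaced, only added.
    void addVersion(int version, KeyPair keyPair) {
        if (versions.containsKey(version)) {
            throw new IllegalArgumentException("version already configured: " + version);
        }
        versions.put(version, keyPair);
    }

    // Sign with the highest configured version and prefix the result with that version.
    String sign(byte[] data) throws Exception {
        int version = versions.lastKey();
        Signature s = Signature.getInstance(ALGORITHM);
        s.initSign(versions.get(version).getPrivate());
        s.update(data);
        return "v" + version + ":" + Base64.getEncoder().encodeToString(s.sign());
    }

    // Verify using the version recorded in the signature. An unknown version is rejected
    // rather than falling back to another key, so removing a version invalidates its signatures.
    boolean verify(byte[] data, String encoded) throws Exception {
        int colon = encoded.indexOf(':');
        if (colon < 2 || encoded.charAt(0) != 'v') return false;
        int version;
        try {
            version = Integer.parseInt(encoded.substring(1, colon));
        } catch (NumberFormatException e) {
            return false;
        }
        KeyPair kp = versions.get(version);
        if (kp == null) return false;
        Signature s = Signature.getInstance(ALGORITHM);
        s.initVerify(kp.getPublic());
        s.update(data);
        return s.verify(Base64.getDecoder().decode(encoded.substring(colon + 1)));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed sample input standing in for a history record.
        byte[] record = "history entry 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "history entry 43".getBytes(StandardCharsets.UTF_8);

        VersionedSigner signer = new VersionedSigner();
        signer.addVersion(1, gen.generateKeyPair());
        String oldSig = signer.sign(record);          // produced with version 1

        signer.addVersion(2, gen.generateKeyPair());  // rollover: add v2, keep v1 configured
        String newSig = signer.sign(record);          // now produced with version 2

        System.out.println("new signature uses v2:       " + newSig.startsWith("v2:"));
        System.out.println("old signature still verifies: " + signer.verify(record, oldSig));
        System.out.println("new signature verifies:       " + signer.verify(record, newSig));
        System.out.println("tampered record rejected:     " + !signer.verify(tampered, newSig));
        System.out.println("unknown version rejected:     " + !signer.verify(record, "v9:" + newSig.substring(3)));
    }
}
```

The part that matters for operations is the last check: once a version is dropped from the configuration, everything signed with it stops verifying, so old versions should only be removed after no object history signed with them needs to be checked any more.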

Key

Key elements are referenced by the descriptors. They describe keys found in HSMs and/or keystores. Each key should be used by only one descriptor.

...