Versions Compared

Version Old Version 19 New Version Current
Changes made by

Josefin Klang

Ylva Andersson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

This article is valid new for Smart ID Identity Manager 24.R1 or later5.0.1.

The sign and encrypt engine has one configuration file. On Docker docker deployments it is located in docker/compose/identitymanager/config/signencrypt.xml, on WAR deployments it is located in WEB-INF/classes/engineSignEncryptConfig.xml of Identity Manager Admin and Identity Manager Operator. There are also several tools including a similar configuration file.

...

The configuration is divided into entries for descriptors and keys. Each descriptor handles one distinct use case and uses one of the key-entries.

...

Descriptors

Identity Manager references descriptors by their name: for each use case there is a known descriptor name. Most names are fixed (for example, ConfigZipEncrypter is always used for encrypting configuration files) and a few can be named arbitrarily (for example, descriptors for PIN blob decryption).

Descriptor example

Code Block
languagexml
<descriptor name="ObjectHistorySigner" version="1">
    <type algorithm="SHA-256" key="objectHistorySignerCert" />
</descriptor>

...

The ObjectHistorySigner supports multiple versions. You can replace its key by adding a descriptor with the same name and a newer version, and leaving the existing descriptor with the old version configured. This will cause any new signatures to be created with the new key, but you can still verify signatures made with the old one.See the following example:

Expand
titleExample
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <descriptor name="ObjectHistorySigner" version="2">
            <type algorithm="SHA-256" key="newKey" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="1">
            <type algorithm="SHA-256" key="oldKey" />
        </descriptor>       
        <!-- others descriptors -->
    </descriptors>
    <keys>
        <key name="newKey">
            <type name="pkcs12" locationValue="classpath:sign_new.p12" pin="1234"/>
        </key>
        <key name="oldKey">
            <type name="pkcs12" locationValue="classpath:sign_old.p12" pin="1234"/>
        </key>
        <!-- other keys -->
    </keys>
</engineSignEncrypt>

There are also descriptors which cannot be versioned, for example, EncryptedFields. For those the version always must be set to 1.

...

Key elements are referenced by the descriptors. They describe keys found in HSMs and/or keystores. Each key should be used by only one descriptor.

Key example

Code Block
languagexml
<key name="objectHistorySignerCert">
    <type name="pkcs12" locationValue="classpath:sign.p12" pin="1234"/>
</key>

...

Attribute of the type element inside key

Description

name

Type of storage: pkcs12or HSM.

locationValue

For docker:

  • For a software keystore (pkcs12): place the keystore under docker/compose/certs before creating the container with docker compose. Then set its location as absolute path, prefixed with file: pointing to the mounted file in/certs (inside the container), for example: locationValue="file:/certs/keystore.p12".

Default attestation keys are referenced from the classpath, for example, locationValue="classpath:attKeyMobileDef.p12". Change this only if you need your own keys.

  • For an HSM: ensure the PKCS11 library is mounted into the container, then use the container’s path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

For WAR file deployment: 

  • For a software keystore: place the keystore under WEB-INF/classes and set its location, prefixed with classpath:, for example: locationValue="classpath:keystore.p12"

  • For an HSM: use the path of the PKCS11 library, without filename extension, for example: locationValue="/usr/local/lib/libpkcs11hsm"

pin

PIN for the keystore or HSM.

To avoid having clear text PINs in this file, the pin should be scrambled. That can be achieved by setting it with pin.encrypted="1234" instead of pin="1234".

For WAR deployments the pin will then be scrambled on the next (re-)start of Tomcat.

For Docker docker deployments you need to scramble the pins with a dedicated tool while IDM Identity Manager Admin/ IDM Identity Manager Operator containers are not running.

After scrambling, the PIN will look something like pin="encrypted:someBase64EncodedValue". See Scramble sensitive data in Identity Manager files for detailed instructions.

...

Configuration file example

This is an example .
Expand
titleExample
of a typical configuration file
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
    <descriptors>
        <descriptor name="EncryptedFields" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encCert" 
                  asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipEncrypter" version="1">
            <type algorithm="AES/CBC/PKCS7Padding" size="256" key="configZipEncrypterCert"
                  asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
        </descriptor>
        <descriptor name="ConfigZipSigner" version="1">
            <type algorithm="SHA-256" key="configZipSignerCert" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="1">
            <type algorithm="SHA-256" key="objectHistorySignerCert" />
        </descriptor>
        <descriptor name="ObjectHistorySigner" version="2">
            <type algorithm="SHA-256" key="newObjectHistorySignerCert" />
        </descriptor>
        <descriptor name="SignEmailDescriptor" version="1">
            <type algorithm="SHA256withRSA" key="emailSigningCert" />
        </descriptor>
        <descriptor name="hermodDeviceEnc" version="1">
            <type algorithm="SHA256withRSA" key="serverCert" />
        </descriptor>
        <descriptor name="SelfServiceJWTSigner" version="1">
            <type algorithm="RSA" key="selfServiceJWTSignerCert" />
        </descriptor>
        <descriptor name="ContentProviderJWSSigner" version="1">
            <type algorithm="RSA" key="contentProviderJWSSignerCert" />
        </descriptor>
        <descriptor name="att_external-attestation-1" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_1" />
        </descriptor>
        <descriptor name="att_external-attestation-2" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_2" />
        </descriptor>
        <descriptor name="att_external-attestation-3" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_3" />
        </descriptor>
        <descriptor name="att_external-attestation-4" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_4" />
        </descriptor>
        <descriptor name="att_ATTESTATION" version="1">
            <type algorithm="SHA256withRSA" key="attestationKey_mobile_pda_def" />
        </descriptor>
    </descriptors>
    <keys>
        <key name="encCert">
            <type name="pkcs12" locationValue="classpath:hybridEncKeypair.p12" pin="encrypted:UPYN6QD/Vd45fbrQ/QF2DrYlRbaBOvriXkD3OxWLetgiXbQ="/>
        </key>
        <key name="configZipEncrypterCert">
            <type name="pkcs12" locationValue="classpath:encryptConfig.p12" pin="encrypted:waKnF9aR6YCwamkL5/aKfVk3A1YjZbApclCpwmRuScmSfm0="/>
        </key>
        <key name="configZipSignerCert">
            <type name="pkcs12" locationValue="classpath:signConfig.p12" pin="encrypted://1p2CV3vDLvjyCuQKj4Zg2gSJGNhJ3R5qfgPKnqoyVwhGA="/>
        </key>
        <key name="newObjectHistorySignerCert">
            <type name="pkcs12" locationValue="classpath:historySignNew.p12" pin="encrypted:RC1w/BVMH1bwgM4DGKUeMvxIYonTKXrPa/sKr+JFbWgd/4o="/>
        </key>
        <key name="objectHistorySignerCert">
            <type name="pkcs12" locationValue="classpath:historySign.p12" pin="encrypted:nr7t9dSRu21RWpc95C6/JyczKI2wMkOo+93JLy7da/jkg7E="/>
        </key>
        <key name="selfServiceJWTSignerCert">
            <type name="pkcs12" locationValue="classpath:signJWT.p12" pin="encrypted:8ri1LiK3J8Ur8F1wSw0Qa/UYDoaJjo85I4QZC9mX9f/H7zc="/>
        </key>
        <key name="contentProviderJWSSignerCert">
            <type name="pkcs12" locationValue="classpath:signJWS.p12" pin="encrypted:4Kj0VidwLlISBKXAFZ+ZorOjL4HK6c86zESBaeoPWJ6oEcI="/>
        </key>
        <key name="emailSigningCert">
            <type name="pkcs12" locationValue="classpath:emailSigning.p12" pin="encrypted:mwd15YNfR2LyUaLtoCIO9R0fGvd3O2z7kfaYw2ObSqsigtA="/>
        </key>
        <key name="serverCert">
            <type name="pkcs12" locationValue="classpath:deviceEncCA.p12" pin="encrypted:yZJ7NcLs82mSs/nmV0s83c/sjvDA1kXspYWjvD3D7KsAS/c="/>
        </key>
        <key name="attestationKey_mobile_1">
            <type name="pkcs12" locationValue="classpath:attKeyMobile1.p12" pin="936584967"/>
        </key>
        <key name="attestationKey_mobile_2">
            <type name="pkcs12" locationValue="classpath:attKeyMobile2.p12" pin="873145568"/>
        </key>
        <key name="attestationKey_mobile_3">
            <type name="pkcs12" locationValue="classpath:attKeyMobile3.p12" pin="8564789632"/>
        </key>
        <key name="attestationKey_mobile_4">
            <type name="pkcs12" locationValue="classpath:attKeyMobile4.p12" pin="9263564893"/>
        </key>
        <key name="attestationKey_mobile_pda_def">
            <type name="pkcs12" locationValue="classpath:attKeyMobileDef.p12" pin="2586453793"/>
        </key>
    </keys>
</engineSignEncrypt>

...