Comment: Potentially a new article?
Remember to update the release version number before publishing externally.
| Info |
|---|
This article includes is new for Smart ID Identity Manager 245.0.R11. |
The sign and encrypt engine has one configuration file. On docker deployments it is located in docker/compose/identitymanager/config/signencrypt.xml, on WAR deployments it is located in WEB-INF/classes/engineSignEncryptConfig.xml of Identity Manager Admin and Identity Manager Operator. There are also several tools including a similar configuration file.
...
The ObjectHistorySigner supports multiple versions. You can replace its key by adding a descriptor with the same name and a newer version, and leaving the existing descriptor with the old version configured. This will cause any new signatures to be created with the new key, but you can still verify signatures made with the old one.
| Expand |
|---|
| See the following example: |
| Code Block |
|---|
| <?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
<descriptors>
<descriptor name="ObjectHistorySigner" version="2">
<type algorithm="SHA-256" key="newKey" />
</descriptor>
<descriptor name="ObjectHistorySigner" version="1">
<type algorithm="SHA-256" key="oldKey" />
</descriptor>
<!-- others descriptors -->
</descriptors>
<keys>
<key name="newKey">
<type name="pkcs12" locationValue="classpath:sign_new.p12" pin="1234"/>
</key>
<key name="oldKey">
<type name="pkcs12" locationValue="classpath:sign_old.p12" pin="1234"/>
</key>
<!-- other keys -->
</keys>
</engineSignEncrypt> |
|
...
Configuration file example
...
| Expand |
|---|
| title | Example of a typical configuration file |
|---|
|
...
|
| Code Block |
|---|
| <?xml version="1.0" encoding="UTF-8"?>
<engineSignEncrypt>
<descriptors>
<descriptor name="EncryptedFields" version="1">
<type algorithm="AES/CBC/PKCS7Padding" size="256" result="NX02" key="encCert"
asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
</descriptor>
<descriptor name="ConfigZipEncrypter" version="1">
<type algorithm="AES/CBC/PKCS7Padding" size="256" key="configZipEncrypterCert"
asymCipher="RSA/None/OAEPWithSHA384AndMGF1Padding"/>
</descriptor>
<descriptor name="ConfigZipSigner" version="1">
<type algorithm="SHA-256" key="configZipSignerCert" />
</descriptor>
<descriptor name="ObjectHistorySigner" version="1">
<type algorithm="SHA-256" key="objectHistorySignerCert" />
</descriptor>
<descriptor name="ObjectHistorySigner" version="2">
<type algorithm="SHA-256" key="newObjectHistorySignerCert" />
</descriptor>
<descriptor name="SignEmailDescriptor" version="1">
<type algorithm="SHA256withRSA" key="emailSigningCert" />
</descriptor>
<descriptor name="hermodDeviceEnc" version="1">
<type algorithm="SHA256withRSA" key="serverCert" />
</descriptor>
<descriptor name="SelfServiceJWTSigner" version="1">
<type algorithm="RSA" key="selfServiceJWTSignerCert" />
</descriptor>
<descriptor name="ContentProviderJWSSigner" version="1">
<type algorithm="RSA" key="contentProviderJWSSignerCert" />
</descriptor>
<descriptor name="att_external-attestation-1" version="1">
<type algorithm="SHA256withRSA" key="attestationKey_mobile_1" />
</descriptor>
<descriptor name="att_external-attestation-2" version="1">
<type algorithm="SHA256withRSA" key="attestationKey_mobile_2" />
</descriptor>
<descriptor name="att_external-attestation-3" version="1">
<type algorithm="SHA256withRSA" key="attestationKey_mobile_3" />
</descriptor>
<descriptor name="att_external-attestation-4" version="1">
<type algorithm="SHA256withRSA" key="attestationKey_mobile_4" />
</descriptor>
<descriptor name="att_ATTESTATION" version="1">
<type algorithm="SHA256withRSA" key="attestationKey_mobile_pda_def" />
</descriptor>
</descriptors>
<keys>
<key name="encCert">
<type name="pkcs12" locationValue="classpath:hybridEncKeypair.p12" pin="encrypted:UPYN6QD/Vd45fbrQ/QF2DrYlRbaBOvriXkD3OxWLetgiXbQ="/>
</key>
<key name="configZipEncrypterCert">
<type name="pkcs12" locationValue="classpath:encryptConfig.p12" pin="encrypted:waKnF9aR6YCwamkL5/aKfVk3A1YjZbApclCpwmRuScmSfm0="/>
</key>
<key name="configZipSignerCert">
<type name="pkcs12" locationValue="classpath:signConfig.p12" pin="encrypted://1p2CV3vDLvjyCuQKj4Zg2gSJGNhJ3R5qfgPKnqoyVwhGA="/>
</key>
<key name="newObjectHistorySignerCert">
<type name="pkcs12" locationValue="classpath:historySignNew.p12" pin="encrypted:RC1w/BVMH1bwgM4DGKUeMvxIYonTKXrPa/sKr+JFbWgd/4o="/>
</key>
<key name="objectHistorySignerCert">
<type name="pkcs12" locationValue="classpath:historySign.p12" pin="encrypted:nr7t9dSRu21RWpc95C6/JyczKI2wMkOo+93JLy7da/jkg7E="/>
</key>
<key name="selfServiceJWTSignerCert">
<type name="pkcs12" locationValue="classpath:signJWT.p12" pin="encrypted:8ri1LiK3J8Ur8F1wSw0Qa/UYDoaJjo85I4QZC9mX9f/H7zc="/>
</key>
<key name="contentProviderJWSSignerCert">
<type name="pkcs12" locationValue="classpath:signJWS.p12" pin="encrypted:4Kj0VidwLlISBKXAFZ+ZorOjL4HK6c86zESBaeoPWJ6oEcI="/>
</key>
<key name="emailSigningCert">
<type name="pkcs12" locationValue="classpath:emailSigning.p12" pin="encrypted:mwd15YNfR2LyUaLtoCIO9R0fGvd3O2z7kfaYw2ObSqsigtA="/>
</key>
<key name="serverCert">
<type name="pkcs12" locationValue="classpath:deviceEncCA.p12" pin="encrypted:yZJ7NcLs82mSs/nmV0s83c/sjvDA1kXspYWjvD3D7KsAS/c="/>
</key>
<key name="attestationKey_mobile_1">
<type name="pkcs12" locationValue="classpath:attKeyMobile1.p12" pin="936584967"/>
</key>
<key name="attestationKey_mobile_2">
<type name="pkcs12" locationValue="classpath:attKeyMobile2.p12" pin="873145568"/>
</key>
<key name="attestationKey_mobile_3">
<type name="pkcs12" locationValue="classpath:attKeyMobile3.p12" pin="8564789632"/>
</key>
<key name="attestationKey_mobile_4">
<type name="pkcs12" locationValue="classpath:attKeyMobile4.p12" pin="9263564893"/>
</key>
<key name="attestationKey_mobile_pda_def">
<type name="pkcs12" locationValue="classpath:attKeyMobileDef.p12" pin="2586453793"/>
</key>
</keys>
</engineSignEncrypt> |
|
