Air-Gapped Profile TSB Workflow

Signing Request Workflow

"Air-Gapped" Profile TSB Detailed Workflow Diagram

1. Signature Request

A business application requests approval for a signature with a specific key from the TSB via POST /v1/sign. The "Air-Gapped" Profile TSB records a Signature Request and returns its ID.

2. Fetching Approval Tasks

The approval clients can retrieve their pending approval tasks, with all information necessary to authorize them, via POST /v1/filteredAllApprovalTask.

3. Authorization of Approval Tasks

The approval client authorizes the signature request (either by approving or canceling it) via POST /v1/approval.

4. Fetching the Request ID

The business application fetches the request with GET /v1/request/{id} to get the status of the currently completed approvals. At this stage it is not known if the approvals were enough to authorize the signing request.

Optionally, the request can be output as a QR code for printing. The GET /v1/request/qrCode/{id} command returns the QR code either as a single .png file or, if the request is too large, split into multiple QR codes returned as a .json file with base64 images.

Example of an approved request. Note that the status is still "PENDING" and the result is set to "Execution shall be made with offline HSM":

{
  "id": "9f03da93-2f07-4ca1-a0d1-f41f50f76c25",
  "status": "PENDING",
  "executionTime": null,
  "approvedBy": ["MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5f1iLRw66Bw7sJQ+GwnGsccZygLGpT9wdmx7qyHTHZx1h/c3NtyI3hKvUeOICCWK1MTBWlhTviCavRHLQkM+GI7DZwR4R+GFMLX6R5H7QCp+uPx9R1If4+Au0ae75Laa9UhyaW+6m6xQVa4MB72fYUl+hCUJZwKHVbnQa7synv8RwWo6kNG6ARoZOOpJ2TU8SH3PKEcLRBImSl5G1vvJ9F/VORyXO0d2RermrJ19DFPS/xzDDisV3/uO77Dp+DlT6LIFJ6qzETSwe1cM+uQrqiSlH33pbFJVBf87lMZlgL4EuKJ2aHJhS/DZVZCsKiR5sX5xEk1Jkg3DsVbZKg1rEQIDAQAB"],
  "notYetApprovedBy": [],
  "rejectedBy": [],
  "result": "Execution shall be made with offline HSM",
  "inputOfflineHsm": {
    "signRequest": {
      "payload": "aGFycm8=",
      "payloadType": "UNSPECIFIED",
      "signKeyName": "MSI-OnlineKey",
      "signatureAlgorithm": "SHA224_WITH_RSA_PSS",
      "signedApprovals": ["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"]
    }
  }
}

5. Transporting the Authorized Request(s)

The approvals from the previous step, containing the required authorization data along with the payload, can be uploaded to a USB device or encoded as a QR code and physically transported into the air-gapped environment where the Offline TSB and HSM are contained.

6. Signing the Request

The USB device is physically connected to a host computer within the air-gapped environment which has an established connection to the HSM via REST API (TSB). The authorization data and payload are used with the POST /v1/synchronousSign request to the HSM. The HSM checks the authorization data against the key attributes and the specific payload. If the policy criteria are met, the HSM signs the payload and returns the signature to the host computer, from where it must then be moved to the USB device or printed out as a QR code.

7. Transporting Signature

The USB device or the QR code is transported out of the offline environment and inserted in the machine running the business application to provide the signed payload.

Optionally, the results can be inserted back into the Air-gapped Profile TSB with the PUT /v1/resultFromOfflineHsm command. This feeds the information back into the TSB workflow, so that the approval request can be completed with the signed payload and the TSB can eventually provide the results of the approval task to the business application.
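A pre-transport check for steps 4 and 5, as an added example that is not part of the original documentation or of Securosys code: it validates the GET /v1/request/{id} response against what the business application submitted and fingerprints the inputOfflineHsm data so the air-gapped host can detect alteration in transit. The function names, the bundle format and the idea of carrying the SHA-256 digest separately (for example on paper) are assumptions; only the JSON field names come from the response shown above.

```python
import base64
import binascii
import hashlib
import json

OFFLINE_RESULT = "Execution shall be made with offline HSM"

def check_for_transport(resp, expected_payload, expected_key):
    """Return a list of problems; an empty list means the request may be exported."""
    problems = []
    if resp.get("status") != "PENDING" or resp.get("result") != OFFLINE_RESULT:
        problems.append("request is not waiting for the offline HSM")
    sign_req = (resp.get("inputOfflineHsm") or {}).get("signRequest")
    if not isinstance(sign_req, dict):
        return problems + ["inputOfflineHsm.signRequest is missing"]
    try:
        payload = base64.b64decode(sign_req.get("payload", ""), validate=True)
    except (binascii.Error, ValueError, TypeError):
        payload = None
    if payload != expected_payload:
        problems.append("payload differs from what the application submitted")
    if sign_req.get("signKeyName") != expected_key:
        problems.append("unexpected signKeyName")
    if not sign_req.get("signedApprovals"):
        problems.append("no signedApprovals to present to the HSM")
    return problems

def make_bundle(resp):
    """Serialize inputOfflineHsm deterministically and return (bytes, sha256 hex)."""
    data = json.dumps(resp["inputOfflineHsm"], sort_keys=True,
                      separators=(",", ":")).encode()
    return data, hashlib.sha256(data).hexdigest()

def verify_bundle(data, digest):
    """Run on the air-gapped host before the bundle is used."""
    return hashlib.sha256(data).hexdigest() == digest

# Constructed sample modelled on the response shown above; the approval
# values are placeholders, not real keys or signed approvals.
SAMPLE = {
    "id": "9f03da93-2f07-4ca1-a0d1-f41f50f76c25", "status": "PENDING",
    "approvedBy": ["PLACEHOLDER-APPROVER-KEY"], "notYetApprovedBy": [], "rejectedBy": [],
    "result": OFFLINE_RESULT,
    "inputOfflineHsm": {"signRequest": {
        "payload": "aGFycm8=", "payloadType": "UNSPECIFIED",
        "signKeyName": "MSI-OnlineKey",
        "signatureAlgorithm": "SHA224_WITH_RSA_PSS",
        "signedApprovals": ["PLACEHOLDER-SIGNED-APPROVAL"]}},
}
```

An empty problem list only means the request is well-formed for export; whether the approvals satisfy the key's policy is still decided by the HSM in step 6.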

Modify Request Workflow

The "Air-Gapped" Profile TSB also supports requests for modifying keys on the HSM.

1. Modify Request

A business application requests approval for a modification of a specific key from the TSB via POST /v1/sign. The "Air-Gapped" Profile TSB records a Modify Request and returns its ID.

2. Fetching Approval Tasks

The approval clients (Securosys Authorization App) can retrieve their pending approval tasks, with all information necessary to authorize them, via POST /v1/filteredAllApprovalTask.

3. Authorization of Approval Tasks

The approval client authorizes the modify request (either by approving or canceling it) via POST /v1/approval.

4. Fetching the Request ID

The business application fetches the request with GET /v1/request/{id} to get the status of the currently completed approvals. At this stage it is not known if the approvals were enough to authorize the modify request. As with the signing request, the modify request waits for the HSM with the status "PENDING" and the result set to "Execution shall be made with offline HSM".

Optionally, the request can be output as a QR code for printing. The GET /v1/request/qrCode/{id} command returns the QR code either as a single .png file or, if the request is too large, split into multiple QR codes returned as a .json file with base64 images.

5. Transporting the Authorized Request(s)

The approvals from the previous step, containing the required authorization data along with the payload, must be uploaded to a USB device or printed out as a QR code and physically transported into the offline environment where the "Local" Profile TSB and HSM are contained.

6. Signing the Request

The USB device is physically connected to a host computer within the offline environment which has an established connection to the HSM via REST API (TSB). The authorization data and payload are used with the POST /v1/synchronousSign request to the HSM.

The HSM checks the authorization data against the key attributes and the specific payload. If the policy criteria are met, the HSM signs the payload and returns the signature to the host computer, from where it must then be exported to the USB device or printed out as a QR code.

7. Transporting Signature

The USB device or QR code is transported out of the offline environment and inserted in the machine running the business application to provide the signed payload.

Optionally, the results can be inserted back into the Air-gapped Profile TSB with the PUT /v1/resultFromOfflineHsm command. This feeds the information back into the TSB workflow, so that the approval request can be completed with the signed payload and the TSB can eventually provide the results of the approval task to the business application.