Air-Gapped Profile TSB Workflow

Signing Request Workflow

1. Signature Request

A business application requests approval for a signature with a specific key from the TSB (/v1/sign). The "Air-Gapped" Profile TSB records a Signature Request and returns its ID.

2. Fetching Approval Tasks

The approval clients can retrieve their pending approval tasks, with all the information necessary to authorize them, from /v1/filteredAllApprovalTask.

3. Authorization of Approval Tasks

The approval client authorizes the signature request, either by approving or canceling it, via /v1/approval.

4. Fetching the Request ID

The business application fetches the request (/v1/request/{id}) to get the status of the approvals completed so far. At this stage it is not known whether the approvals were enough to authorize the signing request.

Example of an approved request. Note that the status is still "PENDING" and the result is set to "Execution shall be made with offline HSM":

{
  "id": "9f03da93-2f07-4ca1-a0d1-f41f50f76c25",
  "status": "PENDING",
  "executionTime": null,
  "approvedBy": ["MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5f1iLRw66Bw7sJQ+GwnGsccZygLGpT9wdmx7qyHTHZx1h/c3NtyI3hKvUeOICCWK1MTBWlhTviCavRHLQkM+GI7DZwR4R+GFMLX6R5H7QCp+uPx9R1If4+Au0ae75Laa9UhyaW+6m6xQVa4MB72fYUl+hCUJZwKHVbnQa7synv8RwWo6kNG6ARoZOOpJ2TU8SH3PKEcLRBImSl5G1vvJ9F/VORyXO0d2RermrJ19DFPS/xzDDisV3/uO77Dp+DlT6LIFJ6qzETSwe1cM+uQrqiSlH33pbFJVBf87lMZlgL4EuKJ2aHJhS/DZVZCsKiR5sX5xEk1Jkg3DsVbZKg1rEQIDAQAB"],
  "notYetApprovedBy": [],
  "rejectedBy": [],
  "result": "Execution shall be made with offline HSM",
  "inputOfflineHsm": {
    "signRequest": {
      "payload": "aGFycm8=",
      "payloadType": "UNSPECIFIED",
      "signKeyName": "MSI-OnlineKey",
      "signatureAlgorithm": "SHA224_WITH_RSA_PSS",
      "signedApprovals": ["..."]
    }
  }
}

5. Transporting the Authorized Request(s)

The approvals from the previous step containing the required authorization data along with the payload must be uploaded to a USB device and physically transported into the air-gapped environment where the Offline TSB and HSM are contained.

6. Signing the Request

The USB device is physically connected to a host computer within the air-gapped environment which has an established connection to the HSM via REST API (TSB). The authorization data and payload are submitted to the HSM with the /v1/synchronousSign request. The HSM checks the authorization data against the key attributes and the specific payload. If the policy criteria are met, the HSM signs the payload and returns the signature to the host computer, from which it then has to be moved to the USB device.

7. Transporting Signature

The USB device is transported out of the offline environment and inserted in the machine running the business application to provide the signed payload.
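The following Python sketch shows how a business application could handle steps 4 to 6. It is an added example, not code from Securosys or the TSB. It takes the /v1/request/{id} response shown above, confirms the request is waiting for the offline HSM, and packages `inputOfflineHsm` for transport. The function names, the bundle layout and the SHA-256 transfer digest are assumptions made for illustration, and the sample response is constructed from the page's example with the long values shortened.

```python
import base64
import hashlib
import json

OFFLINE_RESULT = "Execution shall be made with offline HSM"  # result string from the page's example

# Constructed sample: the page's example response with long values replaced by placeholders.
SAMPLE_RESPONSE = {
    "id": "9f03da93-2f07-4ca1-a0d1-f41f50f76c25",
    "status": "PENDING",
    "executionTime": None,
    "approvedBy": ["<approver public key>"],
    "notYetApprovedBy": [],
    "rejectedBy": [],
    "result": OFFLINE_RESULT,
    "inputOfflineHsm": {"signRequest": {
        "payload": "aGFycm8=",
        "payloadType": "UNSPECIFIED",
        "signKeyName": "MSI-OnlineKey",
        "signatureAlgorithm": "SHA224_WITH_RSA_PSS",
        "signedApprovals": ["<signed approval>"],
    }},
}


def build_transfer_bundle(response, expected_payload):
    """Return (bundle_bytes, sha256_hex) for USB transport, or raise ValueError."""
    if response.get("status") != "PENDING" or response.get("result") != OFFLINE_RESULT:
        raise ValueError("request is not waiting for the offline HSM")
    if response.get("rejectedBy"):
        raise ValueError("request was rejected by at least one approver")
    sign_request = response["inputOfflineHsm"]["signRequest"]
    if not sign_request.get("signedApprovals"):
        raise ValueError("no signed approvals to transport")
    # Confirm the bundle carries the payload the application originally submitted.
    if base64.b64decode(sign_request["payload"], validate=True) != expected_payload:
        raise ValueError("payload differs from what was submitted for signing")
    # Canonical serialization so both sides of the air gap hash identical bytes.
    body = {"requestId": response["id"], "inputOfflineHsm": response["inputOfflineHsm"]}
    bundle = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return bundle, hashlib.sha256(bundle).hexdigest()


def verify_transfer_bundle(bundle, sha256_hex):
    """Run inside the air-gapped environment before submitting to the Offline TSB."""
    if hashlib.sha256(bundle).hexdigest() != sha256_hex:
        raise ValueError("bundle changed in transit")
    return json.loads(bundle)["inputOfflineHsm"]
```

The digest only detects changes if it reaches the air-gapped side separately from the USB device. The HSM's own check of the authorization data against the key attributes and payload remains the authoritative control.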

Modify Request Workflow

The "Air-Gapped" Profile TSB also supports requests for modifying keys on the HSM.

1. Modify Request

A business application requests approval for a modification of a specific key from the TSB (/v1/sign). The "Air-Gapped" Profile TSB records a Modify Request and returns its ID.

2. Fetching Approval Tasks

The approval clients (Securosys Authorization App) can retrieve their pending approval tasks, with all the information necessary to authorize them, from /v1/filteredAllApprovalTask.

3. Authorization of Approval Tasks

The approval client authorizes the modify request, either by approving or canceling it, via /v1/approval.

4. Fetching the Request ID

The business application fetches the request (/v1/request/{id}) to get the status of the approvals completed so far. At this stage it is not known whether the approvals were enough to authorize the modify request. As with the signing request, the modify request waits for the HSM with the status "PENDING" and the result set to "Execution shall be made with offline HSM".

5. Transporting the Authorized Request(s)

The approvals from the previous step containing the required authorization data along with the payload must be uploaded to a USB device and physically transported into the offline environment where the "Local" Profile TSB and HSM are contained.

6. Signing the Request

The USB device is physically connected to a host computer within the offline environment which has an established connection to the HSM via REST API (TSB). The authorization data and payload are submitted to the HSM with the /v1/synchronousSign request. The HSM checks the authorization data against the key attributes and the specific payload. If the policy criteria are met, the HSM signs the payload and returns the signature to the host computer, from which it then has to be exported to the USB device.

7. Transporting Signature

The USB device is transported out of the offline environment and inserted in the machine running the business application to provide the signed payload.