Creating an Approver for SKA
Securosys Smart Key Attributes (SKAs) allow you to build multi-authorization schemes. Multi-authorization works by having multiple approvers each sign an approval before the SKA key usage is authorized. For that, each approver requires a public-private key pair. As described in the SKA docs, there are multiple options for this:
- Manually (for example, with openssl).
- With an HSM.
- With the TSB and its Approver Management API. This is what the Authorization App uses.
Creating an Approver
With OpenSSL
To generate a key pair for a fictional "Finance Officer 1" approver using OpenSSL:
openssl req -new -x509 -nodes -sha256 -newkey ec -days 3650 \
-subj '/CN=FinanceOfficer1' -keyout finance-officer-1.key -out finance-officer-1.crt
This command generates two files:
- finance-officer-1.key: The private key. Keep this secure!
- finance-officer-1.crt: The certificate. It only contains non-sensitive information, including the public key.
To extract the public key (for adding it to the SKA policy):
openssl x509 -pubkey -noout -in finance-officer-1.crt
With TSB Key Generation REST API
You can use the TSB's REST API to directly create a key pair on the HSM. In this case, the TSB functions as a simple translation layer for the HSM's JCE API.
POST: /v1/key
{
"label": "finance-officer-1",
"password": null,
"algorithm": "EC",
"curveOid": "1.2.840.10045.3.1.7",
"attributes": {
"decrypt": false,
"sign": true,
"unwrap": false,
"extractable": false,
"modifiable": true,
"destroyable": true,
"copyable": false
},
"policy": null
}
Response:
{
"label": "finance-officer-1",
"publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBSBisLXR8Lsdpsc9JFeFYzMegPqufyNjk6ncWOFbb9bPMuM3I6SSDzwFNX+XvVO1EkfavxaXQcH43sEuKeYGKw==",
"addressTruncated": null,
"attributes": {}
}
Then add the publicKey value to the SKA key policy.
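The TSB response above returns the approver's public key as a single-line base64 DER SubjectPublicKeyInfo (the "MFkwEw..." string), whereas the OpenSSL route in the previous section yields a PEM certificate. The following POSIX shell script is an added example (not from the Securosys docs or the TSB) that generates an approver key pair with OpenSSL, pins the curve explicitly to P-256 (the same curve as curveOid 1.2.840.10045.3.1.7 in the TSB request), checks that the private key and certificate actually belong together, and converts the public key into the same base64 form the TSB returns, so either route produces an identical value for the SKA policy. The approver label and output directory are parameters chosen for the example.

```shell
#!/bin/sh
# Added example: create an SKA approver key pair with OpenSSL and export the
# public key in the base64 SubjectPublicKeyInfo form that TSB's /v1/key
# response uses in its "publicKey" field. Assumes openssl is on PATH.

# make_approver LABEL DIR: self-signed cert + private key, curve fixed to P-256
make_approver() {
  label="$1"
  dir="$2"
  openssl req -new -x509 -nodes -sha256 -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -days 3650 \
    -subj "/CN=$label" -keyout "$dir/$label.key" -out "$dir/$label.crt" 2>/dev/null
  # the private key authorizes approvals: restrict it to the owner only
  chmod 600 "$dir/$label.key"
}

# approver_pubkey_b64 CERT: public key as one-line base64 DER SPKI
approver_pubkey_b64() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform DER \
    | openssl base64 -A
}

# approver_curve CERT: named curve of the certificate's public key
approver_curve() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -text -noout \
    | sed -n 's/.*ASN1 OID: //p'
}

# verify_keypair KEY CERT: succeed only if the private key matches the cert,
# by comparing the public key derived from each side
verify_keypair() {
  from_key=$(openssl pkey -in "$1" -pubout -outform DER | openssl base64 -A)
  from_cert=$(approver_pubkey_b64 "$2")
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}
```

The base64 string printed by approver_pubkey_b64 starts with the fixed P-256 SPKI prefix "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE", exactly like the publicKey in the TSB response, so a value that does not start that way was not generated on the expected curve and should not be pasted into the policy.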
With TSB Approver Management API
See the Approver Management API page.
Use Approvers
Now that you have created some approvers, you can reference their public keys in the approvals object when creating an SKA key.