
Use an SKA Key

This tutorial gives a brief overview of the types of operations that you can do with an SKA key, and how to do them using the Transaction Security Broker (TSB) as the workflow engine.

For a detailed step-by-step walk-through, please see the Sign with an SKA Key tutorial.

Prerequisites

This tutorial assumes that you have already created an SKA key.

You should have specified the approvers who can use the SKA key. In particular:

  • In ruleUse you can specify who can sign, decrypt, and unwrap with the SKA key.
  • In ruleBlock and ruleUnblock, you can specify who can block/unblock the SKA key. A blocked key cannot be used for signing/decrypting/unwrapping until it is unblocked again.
  • In ruleModify, you can specify who can do key management by modifying the key's attributes.

Overview

All of the requests shown on this page are requests to perform an operation with the SKA key. The TSB creates a pending task for every request. Once the request has been approved by enough approvers, the business application can query the result.

Sign

POST: /v1/sign

{
  "signRequest": {
    "payload": "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",
    "payloadType": "UNSPECIFIED",
    "signKeyName": "rsa_authorization_app_signing",
    "metaData": "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",
    "signatureAlgorithm": "SHA256_WITH_RSA_PSS",
    "signatureType": "DER"
  }
}

Encrypt/Decrypt

POST: /v1/encrypt

{
  "encryptRequest": {
    "payload": "YXNk",
    "encryptKeyName": "rsa_authorization_app_signing",
    "cipherAlgorithm": "RSA_PADDING_OAEP_WITH_SHA512"
  }
}

Response:

{
  "encryptedPayload": "SQWjvZObJcfzThb590e/wpk0fMj/lWAnu+eyh9XxPmeBp8p1+GdntV3hRl9u5A/jbHxuzcbN8qYHq0tHnznnUeIbzK8Qq+sk8izul5B/pZwVhlI3ABvlOpPgRSFv22adSlihPrEMXeqWWoaCoDOK8oabztt5uT77+NrNka66GQjTrrR87KjgwLfr0IFldGwX0g2iacTyyUAdLNCT0X6jmWUJvb+eq0i+FpgsjnNKVYPwvM0l1MF9Q9GO0ijmQ+m7VCP4UTwHvuN1cYXGp8tXmWCXSICLZQD7ccR5syUyiHlvwzpuP4oUhARd3TOz+bfyTdS04bBRDwEZ2N+wVQOjQQ==",
  "encryptedPayloadWithoutMessageAuthenticationCode": null,
  "initializationVector": null,
  "messageAuthenticationCode": null
}

POST: /v1/decrypt

{
  "decryptRequest": {
    "encryptedPayload": "SQWjvZObJcfzThb590e/wpk0fMj/lWAnu+eyh9XxPmeBp8p1+GdntV3hRl9u5A/jbHxuzcbN8qYHq0tHnznnUeIbzK8Qq+sk8izul5B/pZwVhlI3ABvlOpPgRSFv22adSlihPrEMXeqWWoaCoDOK8oabztt5uT77+NrNka66GQjTrrR87KjgwLfr0IFldGwX0g2iacTyyUAdLNCT0X6jmWUJvb+eq0i+FpgsjnNKVYPwvM0l1MF9Q9GO0ijmQ+m7VCP4UTwHvuN1cYXGp8tXmWCXSICLZQD7ccR5syUyiHlvwzpuP4oUhARd3TOz+bfyTdS04bBRDwEZ2N+wVQOjQQ==",
    "decryptKeyName": "rsa_authorization_app_signing",
    "cipherAlgorithm": "RSA_PADDING_OAEP_WITH_SHA512",
    "metaData": "RmluYW5jZSBPZmZpY2VyICJIYW5zIE11c3RlciIgcmVxdWVzdHMgdG8gZGVjcnlwdCBGaWxlICdzYWxhcnkuZG9jeCcgZm9yIHByb2Nlc3NpbmcgYW5kIGZ1cnRoZXIgYW5hbHlzaXMgaW4gY29tcGxpYW5jZSB3aXRoIGNvbXBhbnkgZGF0YSBzZWN1cml0eSBwcm90b2NvbHMu"
  }
}

Self-Signed Certificate

POST: /v1/certificate/selfsign

{
  "selfSignCertificateRequest": {
    "signKeyName": "rsa_authorization_app_signing",
    "validity": 365,
    "signatureAlgorithm": "SHA256_WITH_RSA",
    "commonName": "securosys.com",
    "keyUsage": [
      "DIGITAL_SIGNATURE"
    ],
    "extendedKeyUsage": [
      "ANY_EXTENDED_KEY_USAGE"
    ],
    "metaData": "ewogICJjZXJ0aWZpY2F0ZVJlcXVlc3QiOiB7CiAgICAiY29tbW9uTmFtZSI6ICJleGFtcGxlLmNvbSIKICB9Cn0=",
    "certificateAuthority": true
  }
}

Block/Unblock

POST: /v1/block

{
  "blockRequest": {
    "blockKeyName": "rsa_authorization_app_signing",
    "metaData": "WW91ciBDRU8gcmVxdWVzdGVkIHRvIGJsb2NrIHRoZSBrZXkgJ3JzYV9hdXRob3JpemF0aW9uX2FwcF9zaWduaW5nJyBmb3IgZnVydGhlciB1c2FnZQ=="
  }
}

POST: /v1/unblock

{
  "unblockRequest": {
    "unblockKeyName": "rsa_authorization_app_signing",
    "metaData": "WW91ciBDRU8gcmVxdWVzdGVkIHRvIHVuYmxvY2sgdGhlIGtleSAncnNhX2F1dGhvcml6YXRpb25fYXBwX3NpZ25pbmcnIGZvciBmdXJ0aGVyIHVzYWdl"
  }
}

Wrap/Unwrap

POST: /v1/wrap

{
  "wrapKeyRequest": {
    "keyToBeWrapped": "tsb-demo-aes-extractable",
    "wrapKeyName": "rsa_authorization_app_signing",
    "wrapMethod": "RSA_WRAP_OAEP"
  }
}

Response:

{
  "wrappedKey": "jfU9mbgZAasjLqhvULUWr2x+iN1U6a5Sm6Otj3ANEZPcGyph5bDF3vCPPVrzlMIbZtzUQH5O1Vcvla8DISKbzn3LqpXhVshHFmDibOD7nA3a5PegjMUfTo+/YHLA/AZtGOpoZEJhuoI4UThfXdXs0wvoim245q+Gf/GDUCLZdGD0VFyiiPZ8RBiEhDMt1AL5vUBclBiqvTn0ci/ElGjIZewxtEDz3ixqxoku7oChST1SCypWhkcbiTV8Sv8R4UjDxELqM1pcC65tMR0nS+YGuehX08KhHprOiCsg1DXuFqjqfdKPB8wOVbgkZlFx24G+5aSTPogk91rPD6h0qu4sxw=="
}

POST: /v1/unwrap

{
  "unwrapKeyRequest": {
    "wrappedKey": "jfU9mbgZAasjLqhvULUWr2x+iN1U6a5Sm6Otj3ANEZPcGyph5bDF3vCPPVrzlMIbZtzUQH5O1Vcvla8DISKbzn3LqpXhVshHFmDibOD7nA3a5PegjMUfTo+/YHLA/AZtGOpoZEJhuoI4UThfXdXs0wvoim245q+Gf/GDUCLZdGD0VFyiiPZ8RBiEhDMt1AL5vUBclBiqvTn0ci/ElGjIZewxtEDz3ixqxoku7oChST1SCypWhkcbiTV8Sv8R4UjDxELqM1pcC65tMR0nS+YGuehX08KhHprOiCsg1DXuFqjqfdKPB8wOVbgkZlFx24G+5aSTPogk91rPD6h0qu4sxw==",
    "label": "tsb-demo-extracted",
    "attributes": {
      "encrypt": true,
      "decrypt": true,
      "verify": true,
      "sign": true,
      "wrap": true,
      "unwrap": true,
      "derive": false,
      "bip32": false,
      "slip10": false,
      "extractable": false,
      "modifiable": true,
      "destroyable": false,
      "sensitive": true,
      "copyable": false
    },
    "unwrapKeyName": "rsa_authorization_app_signing",
    "metaData": "VW53cmFwIEtleSAndHNiLWRlbW8tZXh0cmFjdGVkJyB3aXRoICd0c2ItZGVtby1za2EnIFJTQV9XUkFQX09BRVA=",
    "wrapMethod": "RSA_WRAP_OAEP"
  }
}
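The request bodies above all carry the payload and the metaData as base64, and the metaData is the human-readable justification the approvers see on the pending task. The following Python is an added example, not TSB client code: it builds the /v1/sign and /v1/block bodies from plain inputs, and shows a review step an approver-side tool can run on any of these request bodies to decode the metaData and confirm it names the key the request actually targets. The function names and the must-name-the-key rule are assumptions of this example.

```python
import base64


def b64(data: bytes) -> str:
    """Base64-encode bytes the way the TSB request fields expect."""
    return base64.b64encode(data).decode("ascii")


def build_sign_request(payload: bytes, key_name: str, reason: str,
                       algorithm: str = "SHA256_WITH_RSA_PSS") -> dict:
    """Body for POST /v1/sign: payload and metaData travel as base64."""
    return {"signRequest": {
        "payload": b64(payload),
        "payloadType": "UNSPECIFIED",
        "signKeyName": key_name,
        "metaData": b64(reason.encode("utf-8")),
        "signatureAlgorithm": algorithm,
        "signatureType": "DER",
    }}


def build_block_request(key_name: str, reason: str) -> dict:
    """Body for POST /v1/block; metaData is the justification shown to approvers."""
    return {"blockRequest": {
        "blockKeyName": key_name,
        "metaData": b64(reason.encode("utf-8")),
    }}


def review_request(body: dict) -> dict:
    """What an approver should see before approving a pending task: the
    operation, the key it targets and the decoded metaData.  Rejects a body
    whose metaData does not mention the key actually referenced, so a
    misleading justification is not approved by accident (this rule is an
    assumption of the example, not a check the TSB performs)."""
    (wrapper, fields), = body.items()          # e.g. "signRequest", "blockRequest"
    operation = wrapper[:-len("Request")] if wrapper.endswith("Request") else wrapper
    key_name = next(v for k, v in fields.items() if k.endswith("KeyName"))
    reason = base64.b64decode(fields["metaData"], validate=True).decode("utf-8")
    if key_name not in reason:
        raise ValueError(f"metaData does not name the key {key_name!r}")
    return {"operation": operation, "key": key_name, "reason": reason}


if __name__ == "__main__":
    # Constructed input that reproduces the block request from this page.
    body = build_block_request("rsa_authorization_app_signing",
                               "Your CEO requested to block the key "
                               "'rsa_authorization_app_signing' for further usage")
    print(review_request(body))
```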