Commit 0e4dbb1a authored by Tobias Assmann's avatar Tobias Assmann

update README.md for client, update javadocs of rest endpoints

parent d7b84933
...@@ -52,17 +52,18 @@ docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \ ...@@ -52,17 +52,18 @@ docker exec reqesidta_ejbca /usr/local/bin/ejbca-config.sh && \
``` ```
### POSeIDAS Database ### POSeIDAS Database
To make changes in the database, the docker container first must be stopped. To make changes in the database, the docker container `reqesidta_poseidas` first must be stopped.
The Database can be edited for example with [DBeaver](https://dbeaver.io/). The Database can be edited for example with [DBeaver](https://dbeaver.io/).
If the preconfigured database is used please look up the credentials for openingn in the file `/poseidas/config/application.properties`. If the database is configured by yourself, you have set the credentials via the [configuration-wizard](#use-the-configuration-wizard). If the preconfigured database is used please look up the credentials for opening in the file `/poseidas/config/application.properties`.
If the database is configured by yourself, you have set the credentials via the [configuration-wizard](#use-the-configuration-wizard).
You need to add the following data into the database: The following data needs to be present in the database:
* terminal certificate * terminal certificate
* private-key * private-key
* sector-id (only relevant if the client is using PersoSim) * sector-id (only relevant if the client is using PersoSim)
* certificate-chain * certificate-chain
This data must be inserted using the key _REFID_. The value of _REFID_ must match the value in the poseidas config file under the key _CVCRefID_.
Use the following tables for adding the data: Use the following tables for adding the data:
* TERMINALPERMISSION * TERMINALPERMISSION
...@@ -74,3 +75,6 @@ Use the following tables for adding the data: ...@@ -74,3 +75,6 @@ Use the following tables for adding the data:
* every certificate of the certificate-chain * every certificate of the certificate-chain
* starting with the root certitifcate use the value '0' for _POSINCHAIN_ and put the certificate in _DATA_ * starting with the root certitifcate use the value '0' for _POSINCHAIN_ and put the certificate in _DATA_
* if intermediate certificates exist, increase the value for _POSINCHAIN_ and put the certificate in _DATA_ * if intermediate certificates exist, increase the value for _POSINCHAIN_ and put the certificate in _DATA_
This data must be inserted using a key in _REFID_.
The value of _REFID_ must match the value in the poseidas config file under the key _CVCRefID_.
...@@ -51,6 +51,13 @@ public class CertEndpoint { ...@@ -51,6 +51,13 @@ public class CertEndpoint {
@Inject private SessionStore sessionStore; @Inject private SessionStore sessionStore;
@Inject private SAMConfig config; @Inject private SAMConfig config;
/**
* The getCSR function is called by the SSA and expects the session-id has created by SAM before.
* It returns the CSR, which is used with the CA later on.
*
* @param sessionId
* @throws IOException
*/
@GET @GET
@Path("getcsr/{sessionId}") @Path("getcsr/{sessionId}")
@Produces("application/json") @Produces("application/json")
...@@ -94,6 +101,13 @@ public class CertEndpoint { ...@@ -94,6 +101,13 @@ public class CertEndpoint {
return new CSRData(csr); return new CSRData(csr);
} }
/**
* The sign function is called by the SSA and expects the sessionId, the identifier of the algorithm used for creating the signature and the hash of the document to be signed.
* It returns the data of the signature.
*
* @param sessionId
* @param data
*/
@POST @POST
@Path("sign/{sessionId}") @Path("sign/{sessionId}")
@Produces("application/json") @Produces("application/json")
......
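Review bot: The new getCSR Javadoc leaves `@param sessionId` and `@throws IOException` with no description and declares no `@return`, and the sign Javadoc in the second hunk does the same for `@param sessionId` and `@param data`; an empty tag tells a caller nothing and javadoc lint reports it. The getCSR summary also reads "expects the session-id has created by SAM before" and would be clearer as `* The getCSR function is called by the SSA and expects a session-id that SAM created before.` Each tag should carry text, for example `@param sessionId the session-id previously issued by SAM` and `@return the CSR wrapped as CSRData, to be submitted to the CA`, the latter matching the `return new CSRData(csr);` context at the top of the second hunk, and `@throws IOException` should name the operation that can fail. The annotated method signatures and bodies lie outside both hunks, so the tags should be checked against the actual parameter lists.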
...@@ -53,6 +53,10 @@ public class EACEndpoint { ...@@ -53,6 +53,10 @@ public class EACEndpoint {
@Inject @Inject
private SessionStore sessionStore; private SessionStore sessionStore;
/**
* The initSession function is called by the eID-Server in the useIDRequest procedure.
* This is used to setup a session between the eID-Server and SAM.
*/
@POST @POST
@Path("initSession") @Path("initSession")
@Produces("text/plain") @Produces("text/plain")
...@@ -67,6 +71,9 @@ public class EACEndpoint { ...@@ -67,6 +71,9 @@ public class EACEndpoint {
return newSession.getId(); return newSession.getId();
} }
/**
* The startEAC function is called from the eID-Server during the initial EAC-Process to receive the truncated hash of the document to be signed for the AuthenticatedAuxiliaryData structure.
*/
@POST @POST
@Path("startEAC/{sid}") @Path("startEAC/{sid}")
@Produces("application/json") @Produces("application/json")
...@@ -90,6 +97,9 @@ public class EACEndpoint { ...@@ -90,6 +97,9 @@ public class EACEndpoint {
} }
} }
/**
* The processEAC1 function is called by the eID-Server to sign the EAC-Message.
*/
@POST @POST
@Path("processEAC1/{sid}") @Path("processEAC1/{sid}")
@Produces("application/json") @Produces("application/json")
...@@ -108,6 +118,11 @@ public class EACEndpoint { ...@@ -108,6 +118,11 @@ public class EACEndpoint {
return signer.sign(); return signer.sign();
} }
/**
* The processEAC2 function is called by the eID-Server.
* The SAM calculates the keys for secure messages.
* This way the derived keys do not leave the SAM.
*/
@POST @POST
@Path("processEAC2/{sid}") @Path("processEAC2/{sid}")
public Response proessEAC2(@PathParam("sid") String sessionId, EAC2Data data) { public Response proessEAC2(@PathParam("sid") String sessionId, EAC2Data data) {
...@@ -129,6 +144,10 @@ public class EACEndpoint { ...@@ -129,6 +144,10 @@ public class EACEndpoint {
return Response.ok().entity(new EAC2ResponseData(success)).build(); return Response.ok().entity(new EAC2ResponseData(success)).build();
} }
/**
* The SAM is responsible for the APDU secure messaging.
* It uses the prior generated keys to encrypt the APDUs.
*/
@POST @POST
@Path("encryptAPDU/{sid}") @Path("encryptAPDU/{sid}")
public APDU encryptAPDU(@PathParam("sid") String sessionId, APDU apdu) { public APDU encryptAPDU(@PathParam("sid") String sessionId, APDU apdu) {
...@@ -149,6 +168,12 @@ public class EACEndpoint { ...@@ -149,6 +168,12 @@ public class EACEndpoint {
} }
} }
/**
* The SAM is responsible for the APDU secure messaging.
* It uses the prior generated keys to decrypt the APDUs.
* The decrypted APDUs are analyzed to extract the User-Data.
* The GivenNames, LastNames, DateOfBirth and BirthName are then used for creating the CSR.
*/
@POST @POST
@Path("decryptAPDU/{sid}") @Path("decryptAPDU/{sid}")
public APDU decryptAPDU(@PathParam("sid") String sessionId, APDU apdu) { public APDU decryptAPDU(@PathParam("sid") String sessionId, APDU apdu) {
......
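Review bot: The Javadoc added before `proessEAC2` describes a "processEAC2 function", but the method on the following line is spelled `proessEAC2`; because the route is fixed by `@Path("processEAC2/{sid}")`, renaming the method to `processEAC2` would make the name match the documentation without changing the REST interface (any in-process callers would need the same rename). The encryptAPDU and decryptAPDU comments open with "The SAM is responsible for the APDU secure messaging", a statement about the component rather than a summary of the method, whereas the first Javadoc sentence should be a verb phrase such as `* Encrypts the given APDU for session {@code sessionId} with the prior generated secure-messaging keys.` None of the five comments in this section declares `@param sessionId`, `@param data` or `@param apdu`, or `@return`, so a reader still has to open each body to learn what an unknown session id or a malformed APDU leads to. The method bodies are outside the hunks.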
...@@ -76,12 +76,10 @@ public class SSAEndpoint { ...@@ -76,12 +76,10 @@ public class SSAEndpoint {
@Inject private SSAConfig config; @Inject private SSAConfig config;
@Inject private SessionStore sessionStore; @Inject private SessionStore sessionStore;
// @Inject private CertificateAuthorityClient caClient;
/** /**
* curl -L -k -X POST -H "Content-Type: application/json" --data '{"sig-alg":"SHA256WITHDSA","doc-hash":"SGVsbG8gV29ybGQK"}' http://docker.reqesidta.de/ssa-server/ssa/init * The startSession function is called by the eID-Client and expects the hash of the document to be signed and the algorithm to be used for creating the signature.
* @param reqAsJson * It triggers the start of the auth flow on the server side and returns the activation address of the eID-Server.
* @return
*/ */
@POST @POST
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
...@@ -102,9 +100,8 @@ public class SSAEndpoint { ...@@ -102,9 +100,8 @@ public class SSAEndpoint {
} }
/** /**
* curl -L -k -X POST -H "Content-Type: application/json" --data '{"session":"YOUR_SESSION_ID"}' http://docker.reqesidta.de/ssa-server/ssa/certs * The getCertificates function is called by the eID-Client and expects the sessionId which has been issued to the eID-Client by the eID-Server before.
* @param req * It returns the certificates issued by the CA on behalf of SAM.
* @return
*/ */
@POST @POST
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
...@@ -154,6 +151,13 @@ public class SSAEndpoint { ...@@ -154,6 +151,13 @@ public class SSAEndpoint {
return resp; return resp;
} }
/**
* The sign function is called by the eID-Client and expects the SignerInfo as specified by (IETF RFC2315), which has been created in the SCA based on the recived certificates and the document to be signed.
* It returns the signature value.
*
* @throws CMSException
* @throws IOException
*/
@POST @POST
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
...@@ -219,8 +223,10 @@ public class SSAEndpoint { ...@@ -219,8 +223,10 @@ public class SSAEndpoint {
/** /**
* Get the user Session. * Get the user Session.
*
* @param sessionId * @param sessionId
* @return * @return The user Session
* @throws NotFoundException
*/ */
private Session readSession(String sessionId) throws NotFoundException { private Session readSession(String sessionId) throws NotFoundException {
Session session = sessionStore.getSession(sessionId) Session session = sessionStore.getSession(sessionId)
......
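Review bot: The new startSession and getCertificates comments drop the `@param`/`@return` tags that the old text at least declared (`@param reqAsJson`, `@return`, `@param req`) instead of filling them in, and with the curl lines gone the JSON keys the request body must carry (`sig-alg`, `doc-hash`, `session`) are no longer documented anywhere in the Javadoc. Keeping the tags with text, for example `@param reqAsJson JSON body carrying {@code sig-alg} and {@code doc-hash}` and `@return the activation address of the eID-Server`, preserves that information without embedding a host name in the source. In the sign Javadoc "recived" should be "received", and `@throws CMSException` / `@throws IOException` there, like `@throws NotFoundException` added on readSession in the last hunk, say nothing about when the exception is raised; `@throws NotFoundException if no session with the given id exists in the session store` would match the `sessionStore.getSession(sessionId)` call that follows.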