External Operations

This section describes how to use external operations to add functionality to a Credential Provider. ActivID CMS provides the following external operations which provide a base set of functionality that is common to most Certificate Authorities.

generateKeyPair

Generates a key pair in the security module and returns the public key.

Type:

Copy 
securitymodule

Script:

Copy 
generateKeyPair

The following table lists and describes the generateKeyPair input parameters.

Input Parameters for generateKeyPair

Parameter Key

Value Source

Format/Values

Description

algorithm

Credential Provider (from Profile)

RSA

Algorithm of the key.

keySize

Credential Provider (from Profile)

1024, 2048, 3072

Key size.

publicExponent

(Optional) From Credential Provider or workflow where it is not provided by provider

A hex string representation of a byte array that matches the following regular expression:

([0-9A-F][0-9A-F])*

 

For example, an even number of characters in the hex range of 0-9 or A-F.

A hex representation of an RSA public exponent (for example, C3948F3...).

The following table lists and describes the output parameters for generateKeyPair.

Output Parameter for generateKeyPair

Parameter Key

Format/Values

Description

publicKey

PEM/Base64 encoded byte array

Public key from the key pair generation.

injectData

Performs injection of data into the relevant application using secure channel, PIN, or potentially other authentication mechanism supported by ActivID CMS. This external operation is intended to service all types of data. The parameters convey typing information that to determines how they external operation is to be used by ActivID CMS in the context of a specific application and security module.

Note: Where data is encrypted, its type and encoding must indicate this, and the transport key used to wrap any encrypted data should match the certificate that is supplied by ActivID CMS at provider initialization time.

Type:

Copy 
securitymodule

Script:

Copy 
injectData

The following table lists and describes the input parameter for injectData.

Input Parameter for injectData

ID

Type

Encoding Format or Values

Description

See Data Types Table.

See Data Types Table.

See Data Types Table.

A piece of data that indicates a type that can be used to determine where the data is to be personalized in an application.

There are no output parameters for injectData.

The supported types and encoding are listed and described in the following data types table.

Supported Data Types and Encoding

ID

Type

Encoding Format or Values

Description

PKI Data Types

privateKey

pki.privateKey

CRMF.EncryptedValue

A private key of a PKI key pair where the private key is doubly-wrapped by PKI using a CRMF EncryptedValue ASN.1 encoding of the CBC symmetric session key wrapped private key and public key wrapped symmetric session key.

certificate

pki.certificate

1.2.840.113549.1.9.22

A PKI certificate. For example, an encoding of 1.2.840.113549.1.9.22 indicates X.509 as a base64 string.

Generic Container Data Types

Generic Container Tag ID

byte[]

base64Binary

Opaque data that is natively an array of bytes.

Generic Container Tag ID

byte[]

CRMF.EncryptedValue

A CBC symmetric session key wrapped opaque byte array and public key wrapped symmetric session key. This value will be decrypted and decoded by ActivID CMS before injection.

Generic Container Tag ID

String

NONE

Opaque data that is natively a character string.

Generic Container Tag ID

String

CRMF.EncryptedValue

A CBC symmetric session key wrapped opaque string and public key wrapped symmetric session key. This value will be decrypted by ActivID CMS before injection.

signData

Performs signing of data for use in Proof of Possession (POP) signatures.

Type:

Copy 
securitymodule

Script:

Copy 
signData

The following table lists and describes the input parameter for signData.

Input Parameters for signData

Parameter Key

Value Source

Format/Values

Description

signAlgorithm

Credential Provider (from Profile)

RSA

Signing algorithm

hashAlgorithm

Credential Provider

SHA1

Hashing algorithm

padAlgorithm

Credential Provider

PKCS1

Adding algorithm

keySize

Credential Provider

1024, 2048, 3072

Key size

data

Credential Provider

Base64-encoded byte array

Data to be signed

The following table lists and describes the output parameter for signData.

Output Parameters for signData

Parameter Key

Format/Values

Description

signedData

Base64-encoded byte array

Signed data