CZERTAINLY CSC API (1.0.0)

The unique identifier associated to the credential. At least one of the two values credentialID and signatureQualifier SHALL be present. Both values MAY be present.

The type of operation mode requested. Only the following is implemented:

• S: a synchronous operation mode is requested.
• A: an asynchronous operation mode is requested.

Arbitrary data from the client. It is used to handle a application-specific data that may be useful for debugging purposes.

An array containing the Base64-encoded raw message digest(s).

Hashing algorithm OID used to calculate the hash value(s). This parameter will be ignored if the hash algorithm is implicitly specified by the signAlgo algorithm.

The OID of the algorithm to use for signing. If the parameter hashAlgorithmOID defined in is passed, it must use the same algorithms as this parameter.

The Base64-encoded DER-encoded ASN.1 signature parameters, if required by the signAlgo.

Maximum period of time, expressed in milliseconds, until which the server keeps the request outcome(s) available for retrieval. This parameter is for future updates and currently ignored in synchronous mode.

The unique identifier associated to the credential. At least one of the two values credentialID and signatureQualifier SHALL be present. Both values MAY be present.

The type of operation mode requested. Only the following is implemented:

• S: a synchronous operation mode is requested.
• A: an asynchronous operation mode is requested.

Arbitrary data from the client. It is used to handle a application-specific data that may be useful for debugging purposes.

Identifier of the signature type to be created. At least one of the two values credentialID and signatureQualifier SHALL be present. Both values MAY be present.

An array containing document digest objects. This parameter or the parameter documents MUST be present in a request.

An array containing document objects. This parameter or the parameter documentDigests MUST be present in a request.

If this parameter is present and set to true the server will return validation information in the response.

Maximum period of time, expressed in milliseconds, until which the server keeps the request outcome(s) available for retrieval. This parameter is for future updates and currently ignored in synchronous mode.

Unique identifier of the credential to rekey.

A name of the of the credential profile to use when generating the certificate.

A name of the crypto token which will hold the generated private key for the credential.

A name of the credential profile to use when generating the certificate.

Identifier of the user the credential will belong to. This identifier must be unique within the identity provider.

Identifier qualifying the type of signature this credential is suitable for. See the list of supported signature qualifiers in the CSC API specification.

Maximum number of signatures that can be created with this credential with a single authorization request.

Specifies if the credential should generate a signature activation data (SAD) or an access token with scope credential that contains a link to the hash to-be-signed:

• 1: The hash to-be-signed is not linked to the signature activation data.
• 2: The hash to-be-signed is linked to the signature activation data.

A subject distinguished name (DN) of the credential for the certificate. The format of the DN must be according to the X.500 standard. This field should contain comma-separated key-value pairs, where the key is the type of the DN and the value is the value of the DN.

A subject alternative name (SAN) of the credential for the certificate. The format of the SAN must be according to the X.500 standard. This field should contain comma-separated key-value pairs, where the key is the type of the SAN and the value is the value of the SAN.

The identifier associated to the identity of the credential owner. This parameter SHALL NOT be present if the service authorization is user-specific (see NOTE below). In that case the userID is already implicit in the service access token passed in the Authorization header. If a user-specific service authorization is present, it SHALL NOT be allowed to use this parameter to obtain the list of credentials associated to a different user. The remote service SHALL return an error in such case.

Request to return the main information included in the public key certificate and the public key certificate itself or the certificate chain associated to the credentials. The default value is “false”, so if the parameter is omitted then the information will not be returned.

Specifies which certificates from the certificate chain SHALL be returned in certs/certificates.

• “none”: No certificate SHALL be returned.
• “single”: Only the end entity certificate SHALL be returned.
• “chain”: The full certificate chain SHALL be returned. The default value is “single”, so if the parameter is omitted then the method will only return the end entity certificate(s). This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.

Request to return various parameters containing information from the end entity certificate(s). This is useful in case the signature application wants to retrieve some details of the certificate(s) without having to decode it first. The default value is “false”, so if the parameter is omitted then the information will not be returned. This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.

Request to return various parameters containing information on the authorization mechanisms supported by the corresponding credential (auth group). The default value is “false”, so if the parameter is omitted then the information will not be returned. This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.

Arbitrary data from the signature application. It can be used to handle a transaction identifier or other application-specific data that may be useful for debugging purposes. WARNING: this parameter MAY expose sensitive data to the remote service. Therefore it SHOULD be used carefully.

The unique identifier associated to the credential.

Specifies which certificates from the certificate chain SHALL be returned in certs/certificates.

• “none”: No certificate SHALL be returned.
• “single”: Only the end entity certificate SHALL be returned.
• “chain”: The full certificate chain SHALL be returned. The default value is “single”, so if the parameter is omitted then the method will only return the end entity certificate(s). This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.

Request to return various parameters containing information from the end entity certificate(s). This is useful in case the signature application wants to retrieve some details of the certificate(s) without having to decode it first. The default value is “false”, so if the parameter is omitted then the information will not be returned. This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.

Request to return various parameters containing information on the authorization mechanisms supported by the corresponding credential (auth group). The default value is “false”, so if the parameter is omitted then the information will not be returned. This parameter MAY be specified only if the parameter credentialInfo is “true”. If the parameter credentialInfo is not “true” and this parameter is specified its value SHALL be ignored.