The BoB Device API provides device key derivation for app backends and serves key derivation keys to trusted validation and inspection clients.
getDeviceKey will return a symmetric device key derived from a (secret) shared KDK (Key Derivation Key). The only input parameter is a Device ID, encoded using base64url.
Authorization: App backends are usually the only entities authorized for this call.
References: Key derivation functions are documented in MTS2.
curl --verbose -X POST --data @- \
  --header "Content-Type: application/json" \
  --header "X-BoB-AuthToken: REDACTED_JWT" \
  https://device.bob.example.com/api/v1/device/key <<JSON
{"did": "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD"}
JSON
{
  "did": "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD",
  "kid": "1337:20170320",
  "kty": "oct",
  "exp": 1490002591,
  "iat": 1489998991,
  "k": "-m9kaRQMwpp50MKtOUUR2Q"
}
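An app backend should check the getDeviceKey response before using or caching the key. The following is an added example, not code from the BoB documentation: `parse_device_key`, `DeviceKey` and `b64url_decode` are hypothetical names, and it assumes `iat`/`exp` are Unix timestamps and `k` is unpadded base64url, as in JWT/JWK.

```python
import base64
import json
from dataclasses import dataclass


def b64url_decode(value: str) -> bytes:
    """Decode base64url with or without '=' padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


@dataclass(frozen=True)
class DeviceKey:  # hypothetical container, not a BoB type
    device_id: bytes
    kid: str
    key: bytes  # secret material: keep out of logs and error messages
    expires_at: int


def parse_device_key(body: str, requested_did: str, now: int) -> DeviceKey:
    """Validate a getDeviceKey response; raise ValueError if it is unusable."""
    doc = json.loads(body)
    missing = {"did", "kid", "kty", "exp", "iat", "k"} - set(doc)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    if doc["kty"] != "oct":
        raise ValueError("unexpected key type, expected symmetric 'oct'")
    # The response must echo the Device ID that was requested.
    device_id = b64url_decode(doc["did"])
    if device_id != b64url_decode(requested_did):
        raise ValueError("response is for a different device")
    # Assumption: iat/exp are Unix timestamps bounding the key's validity.
    if not doc["iat"] <= now < doc["exp"]:
        raise ValueError("key is outside its validity window")
    key = b64url_decode(doc["k"])
    if not key:
        raise ValueError("empty key")
    return DeviceKey(device_id, doc["kid"], key, doc["exp"])


# Request and response values copied from the page; "now" is constructed.
DID = "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD"
SAMPLE = ('{"did": "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD", '
          '"kid": "1337:20170320", "kty": "oct", "exp": 1490002591, '
          '"iat": 1489998991, "k": "-m9kaRQMwpp50MKtOUUR2Q"}')

if __name__ == "__main__":
    dk = parse_device_key(SAMPLE, DID, now=1489999000)
    print(dk.kid, len(dk.key), dk.expires_at)
```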
getDeviceKDK will return all current key derivation keys.
Authorization: Validators (and inspectors) are usually the only entities authorized for this call.
curl --verbose -X GET \
  --header "X-BoB-AuthToken: REDACTED_JWT" \
  https://device.bob.example.com/api/v1/device/kdk
{
  "keys": [
    {
      "pid": "1",
      "kid": "foo",
      "kty": "oct",
      "kdf": "mts2",
      "k": "SFJDSUMxT0UyVjRVVzIxQk9IMVFTNURCMlEyVDRaM0g"
    },
    {
      "pid": "1",
      "kid": "bar",
      "kty": "oct",
      "kdf": "mts2",
      "k": "MFhTRVNWWTJaNlFBWlE0RDFTOFU0NEtZSDA2U1BMU1c"
    }
  ]
}