BoB Device API

The BoB Device API provides device key derivation for app backends and serves key derivation keys to trusted validation and inspection clients.

getDeviceKey

getDeviceKey will return a symmetric device key derived from a secret, shared Key Derivation Key (KDK). The only input parameter is the Device ID (did), encoded using base64url.

Authorization: App backends are usually the only entities authorized for this call.

References: Key derivation functions are documented in MTS2.

Example request
curl --verbose -X POST --data @- \
     --header "Content-Type: application/json" \
     --header "X-BoB-AuthToken: REDACTED_JWT" \
     https://device.bob.example.com/api/v1/device/key <<JSON
{"did": "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD"}
JSON

Example response
{
 "did": "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD",
 "kid": "1337:20170320",
 "kty": "oct",
 "exp": 1490002591,
 "iat": 1489998991,
 "k": "-m9kaRQMwpp50MKtOUUR2Q"
}
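
The checks an app backend might apply to a getDeviceKey response before using the key, shown as an added example that is not part of the BoB API or its reference code. The function names, the 60-second clock-skew allowance, and the reading of iat/exp as Unix timestamps bounding the key's validity are assumptions.

```python
import base64
import json
import time


def b64url_decode(value):
    """Decode base64url text without '=' padding, as used for did and k."""
    if not isinstance(value, str) or "=" in value:
        raise ValueError("expected unpadded base64url text")
    padded = value + "=" * (-len(value) % 4)
    # binascii.Error raised on bad input is a subclass of ValueError.
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def parse_device_key(body, requested_did, now=None, skew=60):
    """Return the raw device key bytes, or raise ValueError."""
    now = time.time() if now is None else now
    msg = json.loads(body)
    if not isinstance(msg, dict):
        raise ValueError("response is not a JSON object")
    # Bind the response to the request: reject a key issued for another device.
    if msg.get("did") != requested_did:
        raise ValueError("did does not match the request")
    b64url_decode(requested_did)  # the Device ID must itself be base64url
    if msg.get("kty") != "oct":
        raise ValueError("not a symmetric key")
    iat, exp = msg.get("iat"), msg.get("exp")
    if type(iat) is not int or type(exp) is not int or exp <= iat:
        raise ValueError("bad iat/exp")
    # Assumption: iat/exp are Unix timestamps bounding the key's validity.
    if now + skew < iat or now >= exp:
        raise ValueError("key is outside its validity window")
    key = b64url_decode(msg.get("k"))
    if not key:
        raise ValueError("empty key")
    return key


# Constructed input: the example response shown above, verbatim.
DID = "QTgyRUQ2RTktNURENi00QkVGLTkzMUQtMkRENkYwRjRDQkJD"
SAMPLE = json.dumps({
    "did": DID, "kid": "1337:20170320", "kty": "oct",
    "exp": 1490002591, "iat": 1489998991, "k": "-m9kaRQMwpp50MKtOUUR2Q",
})

if __name__ == "__main__":
    key = parse_device_key(SAMPLE, DID, now=1489999000)
    print(len(key), "byte key accepted")  # log the length, never the key
```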

getDeviceKDK

getDeviceKDK will return all current key derivation keys.

Authorization: Validators (and inspectors) are usually the only entities authorized for this call.

Example request
curl --verbose -X GET \
     --header "X-BoB-AuthToken: REDACTED_JWT" \
     https://device.bob.example.com/api/v1/device/kdk

Example response
{
    "keys": [
        {
            "pid": "1",
            "kid": "foo",
            "kty": "oct",
            "kdf": "mts2",
            "k": "SFJDSUMxT0UyVjRVVzIxQk9IMVFTNURCMlEyVDRaM0g"
        },
        {
            "pid": "1",
            "kid": "bar",
            "kty": "oct",
            "kdf": "mts2",
            "k": "MFhTRVNWWTJaNlFBWlE0RDFTOFU0NEtZSDA2U1BMU1c"
        }
    ]
}