<?xml version="1.0" encoding="UTF-8"?>
KeyGen2 XML schema. The primary purpose of KeyGen2 is usage as a
browser-based protocol for on-line Provisioning and Management of
PKI-based user-keys stored in containers compatible with the SKS
(Secure Key Store) specification.
In addition to PKI, KeyGen2 also supports OTP (One Time Password) "seeds"
and similar symmetric keys. By "piggybacking" symmetric keys on PKI, the
management operations work identical for PKI and symmetric keys.
Utilizing the KeyGen2 generic extension mechanism, "alien" objects like
downloadable code and InformationCards tied to specific keys can be
issued and maintained without changing the protocol engine.
Historical note: KeyGen2 started its life as a 4-pass stand-alone
key-provisioning protocol back in 2007 but ended up as a KeyGen2/SKS
10-pass "combo" three years later. Properly implemented the current
incarnation provides E2ES (End-to-End Security).
Perfection is achieved, not when there is nothing more to add, but when
there is nothing left to take away [Antoine de Saint-Exupery]
Version: BETA
Revised: 20-August-2010
Author: Anders Rundgren
Copyright 2006-2010 WebPKI.org (http://webpki.org).
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. |
| <xs:schema | targetNamespace="http://xmlns.webpki.org/keygen2/beta/20100820#" |
| xmlns:xs="http://www.w3.org/2001/XMLSchema" |
| xmlns:ds="http://www.w3.org/2000/09/xmldsig#" |
| xmlns:ds11="http://www.w3.org/2009/xmldsig11#" |
| xmlns:kgen="http://xmlns.webpki.org/keygen2/beta/20100820#" |
| elementFormDefault="qualified" attributeFormDefault="unqualified"> |
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#"/>
<xs:import namespace="http://www.w3.org/2009/xmldsig11#"/>
| The primary (top-level) platform negotiation request object |
|
<xs:element name="PlatformNegotiationRequest">
<xs:complexType>
<xs:sequence>
| Issuer logotypes that SHOULD be shown in the provisioning GUI
as "branding" and hint. See the "Logotype" element for
general recommendations regarding images. An issuer SHOULD
provide a selection of images so that the client software
can use one which fits the screen of the provisioning device |
<xs:element name="IssuerLogotype" maxOccurs="unbounded">
<xs:complexType>
<xs:complexContent>
<xs:extension base="kgen:imageData">
| Where to get the logotype. |
<xs:attribute name="LogotypeURL" type="kgen:httpURI" use="required"/>
| ImageFingerprint using SHA256. |
<xs:attribute name="ImageFingerprint" type="xs:base64Binary" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
| The requesting issuer SHOULD enquire about capabilities that are
not default or even may be unavailable due to export restrictions.
An omission performing a proper capability negotiation could in
fact lead to run-time errors in the client implementation! |
<xs:element ref="kgen:BasicCapabilities"/>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| A request MAY also include an enveloped XML signature
covering the entire request object (which MUST be done
through an explicit reference to the request's top-level
"ID" attribute). The client software MUST verify such a
signature before proceeding with the process. The requester
is RECOMMENDED to sign using a certificate which already has
a trust anchor installed in the potential users' browsers.
If the trust anchor is not known, the client software SHOULD
warn the user before proceeding. The user SHOULD be able to
abort the operation in case of an unknown issuer. A broken
signature MUST abort the entire process |
<xs:element ref="ds:Signature" minOccurs="0"/>
</xs:sequence>
| GUI language in preference order. Primarily for public computers |
<xs:attribute name="Languages" type="kgen:languageList" use="optional"/>
| Key container constraints in preference order |
<xs:attribute name="KeyContainers" type="kgen:containerList" use="optional"/>
| This mandatory server-generated item MUST be unique between
key provisioning sessions but MUST remain constant among
requests within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| Where to HTTP POST the platform negotiation response.
Note that applicable session cookies MUST be submitted
in the request as well |
<xs:attribute name="SubmitURL" type="kgen:httpURI" use="required"/>
</xs:complexType>
</xs:element>
| End of platform negotiation request object definition |
|
| The primary (top-level) platform negotiation response object |
|
<xs:element name="PlatformNegotiationResponse">
<xs:complexType>
<xs:sequence>
A conforming client MUST respond to special requirements
by indicating its matching capabilities. A client MAY also
in the case the default (mandatory) is unavailable due to
export restrictions or marginal implementations, output
its reduced capability in order for the issuer to either
deny credentials (with an appropriate message to user...),
or issue credentials with a possibly more limited scope.
In the case a capability is secret, a client MAY not
return a capability except for signed requests from a
known (pre-configured) party |
<xs:element ref="kgen:BasicCapabilities"/>
| Optional hints for the "CertificatePath/Logotype" extension |
<xs:element name="ImagePreference" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:complexContent>
<xs:extension base="kgen:imageData">
<xs:attribute name="Type" type="xs:anyURI" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
</xs:complexType>
</xs:element>
| End of platform negotiation response object definition |
|
| The primary (top-level) provisioning session request object |
|
<xs:element name="ProvisioningSessionRequest">
<xs:complexType>
<xs:sequence>
| "ServerEphemeralKey" holds a server-generated ephemeral key
for creating an SKS "SessionKey" (shared session key) |
<xs:element name="ServerEphemeralKey">
<xs:complexType>
<xs:sequence>
| MUST contain an ECDH public key |
<xs:element ref="ds11:ECKeyValue"/>
</xs:sequence>
</xs:complexType>
</xs:element>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| See "PlatformNegotiationRequest/Signature" |
<xs:element ref="ds:Signature" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| Mandatory time-stamp indicating when the request was issued.
The provisioning middleware MAY check it for "sanity" |
<xs:attribute name="ServerTime" type="xs:dateTime" use="required"/>
| "SessionLifeTime" specifies the lifetime of the SKS
provisioning session in seconds |
<xs:attribute name="SessionLifeTime" use="required">
<xs:simpleType>
<xs:restriction base="xs:positiveInteger">
<xs:minInclusive value="10"/>
<xs:maxInclusive value="10000000"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
| "SessionKeyLimit" specifies how many "SessionKey"
operations the SKS should permit |
<xs:attribute name="SessionKeyLimit" use="required">
<xs:simpleType>
<xs:restriction base="xs:positiveInteger">
<xs:minInclusive value="1"/>
<xs:maxInclusive value="65535"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
"SessionKeyAlgorithm" specifies the algorithm to use for
creating an SKS "SessionKey". Currently the only known URI is:
"http://xmlns.webpki.org/keygen2/1.0#algorithm.sk1" |
<xs:attribute name="SessionKeyAlgorithm" type="xs:anyURI" use="required"/>
| "Updatable" tells SKS if the provisioning session may
be referred to in post-provisioning sessions or not.
Default: false |
<xs:attribute name="Updatable" type="xs:boolean" use="optional"/>
Where to HTTP POST the provisioning session response.
Note that applicable session cookies MUST be submitted
in the request as well.
This instance of "SubmitURL" is equivalent to SKS' "IssuerURI". |
<xs:attribute name="SubmitURL" type="kgen:httpURI" use="required"/>
</xs:complexType>
</xs:element>
| End of provisioning session request object definition |
|
| The primary (top-level) provisioning session response object |
|
<xs:element name="ProvisioningSessionResponse">
<xs:complexType>
<xs:sequence>
| "ClientEphemeralKey" holds an SKS-generated ephemeral key
for creating an SKS "SessionKey" (shared session key) |
<xs:element name="ClientEphemeralKey">
<xs:complexType>
<xs:sequence>
| MUST contain an ECDH public key using the same
elliptic curve as "ServerEphemeralKey" |
<xs:element ref="ds11:ECKeyValue"/>
</xs:sequence>
</xs:complexType>
</xs:element>
| "DeviceCertificatePath" holds the SKS device certificate path |
<xs:element name="DeviceCertificatePath">
<xs:complexType>
<xs:sequence>
| MUST contain a valid X509 certificate path[1..n] |
<xs:element ref="ds:X509Data"/>
</xs:sequence>
</xs:complexType>
</xs:element>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| MUST hold an enveloped XML symmetric-key signature created
by the SKS "signProvisioningSessionData" method and use "ID"
as the "Reference" URI attribute |
<xs:element ref="ds:Signature"/>
</xs:sequence>
| "ID" holds the SKS-generated ClientSessionID |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to "ProvisioningSessionRequest/@ID" |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
| Copy of "ProvisioningSessionRequest/@ServerTime" |
<xs:attribute name="ServerTime" type="xs:dateTime" use="required"/>
| The provisioning client's local clock is a mandatory item |
<xs:attribute name="ClientTime" type="xs:dateTime" use="required"/>
| The "SessionAttestation" attribute holds the output from
the SKS "createProvisioningSession" method |
<xs:attribute name="SessionAttestation" type="xs:base64Binary" use="required"/>
| The "ServerCertificateFingerprint" attribute MUST be populated with
the SHA256 hash of the associated server certificate if the
"ProvisioningSessionResponse" was invoked over HTTPS |
<xs:attribute name="ServerCertificateFingerprint" type="xs:base64Binary" use="optional"/>
</xs:complexType>
</xs:element>
| End of provisioning session response object definition |
|
| The primary (top-level) [optional] credential discovery request object |
|
<xs:element name="CredentialDiscoveryRequest">
<xs:complexType>
<xs:sequence>
| "LookupSpecifier" holds an issuer-signed search object |
<xs:element name="LookupSpecifier" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:SearchFilter" minOccurs="0"/>
| MUST contain the issuer (CA) certificate/signature |
<xs:element ref="ds:Signature"/>
</xs:sequence>
| MUST be be linked to by the enveloped signature element |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
</xs:complexType>
</xs:element>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| See "PlatformNegotiationRequest/Signature" |
<xs:element ref="ds:Signature" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to"ProvisioningSessionResponse/@ID"
within a specific session |
<xs:attribute name="ClientSessionID" type="kgen:sksNCName" use="required"/>
| Where to HTTP POST the credential discovery response. Note that
applicable session cookies MUST be submitted in the request
as well |
<xs:attribute name="SubmitURL" type="kgen:httpURI" use="required"/>
</xs:complexType>
</xs:element>
| End of [optional] credential discovery request object definition |
|
| The primary (top-level) [optional] credential discovery response object |
|
<xs:element name="CredentialDiscoveryResponse">
<xs:complexType>
<xs:sequence>
| The number of "LookupResult" objects MUST match the number
of "LookupSpecifier" objects |
<xs:element name="LookupResult" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:MatchingCredential" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
| MUST match with "LookupSpecifier@ID" |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
</xs:complexType>
</xs:element>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
</xs:sequence>
| "ID" holds the SKS-generated ClientSessionID |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to "ProvisioningSessionRequest/@ID" |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
</xs:complexType>
</xs:element>
| End of [optional] credential discovery response object definition |
|
| The primary (top-level) key initialization request object |
|
<xs:element name="KeyInitializationRequest">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
| A key that requires no PIN code |
<xs:element ref="kgen:KeyPair"/>
| One or more keys that are protected by a specific PIN policy.
In addition to the PIN there is a master PUK code that can
unlock keys that have been locked due to the use of erroneous
PIN codes |
<xs:element ref="kgen:PUKPolicy"/>
| One or more keys that are protected by a specific PIN policy |
<xs:element ref="kgen:PINPolicy"/>
| A key that is protected by the same PIN as the device.
This option (which MAY be supported by the device), is
mainly intended for keys belonging to an organization
that manages the device |
<xs:element ref="kgen:DevicePIN"/>
</xs:choice>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| See "PlatformNegotiationRequest/Signature" |
<xs:element ref="ds:Signature" minOccurs="0"/>
</xs:sequence>
| A KeyGen2 provisioning process MAY [in a controlled way] be
temporarily interrupted and then be resumed at a later stage
like required by some certification schemes. The attribute
below informs the client software if the current process is
to be terminated after the "KeyInitializationResponse" message
has been sent. Default: false |
<xs:attribute name="DeferredCertification" type="xs:boolean" use="optional"/>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to"ProvisioningSessionResponse/@ID"
within a specific session |
<xs:attribute name="ClientSessionID" type="kgen:sksNCName" use="required"/>
| Where to HTTP POST the key operation response. Note that
applicable session cookies MUST be submitted in the request
as well |
<xs:attribute name="SubmitURL" type="kgen:httpURI" use="required"/>
| "KeyAttestationAlgorithm" is mandatory. Currently the only known is:
"http://xmlns.webpki.org/keygen2/1.0#algorithm.ka1" |
<xs:attribute name="KeyAttestationAlgorithm" type="xs:anyURI" use="required"/>
</xs:complexType>
</xs:element>
| End of key initialization request object definition |
|
| The primary (top-level) key initialization response object |
|
<xs:element name="KeyInitializationResponse">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:PublicKey" maxOccurs="unbounded"/>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "PlatformNegotiationResponse/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
</xs:complexType>
</xs:element>
| End of key initialization response object definition |
|
| The primary (top-level) credential deployment request object |
|
<xs:element name="CredentialDeploymentRequest">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:CertificatePath" maxOccurs="unbounded"/>
| SKS Reference: pp_deleteKey |
<xs:element name="DeleteKey" type="kgen:targetKey" minOccurs="0" maxOccurs="unbounded"/>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
| See "PlatformNegotiationRequest/Signature" |
<xs:element ref="ds:Signature" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "ProvisioningSessionResponse/@ID"
within a specific session |
<xs:attribute name="ClientSessionID" type="kgen:sksNCName" use="required"/>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| Where to POST the response |
<xs:attribute name="SubmitURL" type="kgen:httpURI" use="required"/>
| SKS Reference: closeProvisioningSession |
<xs:attribute name="CloseSessionMAC" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
| End of credential deployment request object definition |
|
| The primary (top-level) credential deployment response object |
|
<xs:element name="CredentialDeploymentResponse">
<xs:complexType>
<xs:sequence>
| See "ServerCookie" definition |
<xs:element ref="kgen:ServerCookie" minOccurs="0"/>
</xs:sequence>
| MUST be equal to "PlatformNegotiationResponse/@ID"
within a specific session |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
| SKS Reference: closeProvisioningSession |
<xs:attribute name="CloseSessionAttestation" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
| End of credential deployment response object definition |
|
| The primary (top-level) client error response object |
|
<xs:element name="ClientErrorResponse">
<xs:complexType>
<xs:attribute name="Error" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="not-implemented"/>
<xs:enumeration value="unexpected-client-exception"/>
<xs:enumeration value="negotiation-failure"/>
<xs:enumeration value="keystore-overflow"/>
<xs:enumeration value="unsupported-feature-requested"/>
<xs:enumeration value="non-matching-requests"/>
<xs:enumeration value="no-such-key"/>
<xs:enumeration value="missing-provisioning-data"/>
<xs:enumeration value="general-error"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
| String associated with the "Error" code |
<xs:attribute name="Argument" type="xs:string" use="required"/>
| MUST be equal to "PlatformNegotiationRequest/@ID"
within a specific session |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
</xs:complexType>
</xs:element>
| End of client error response object definition |
|
| Object representing basic algorithm/capability requirements/support |
<xs:element name="BasicCapabilities">
<xs:complexType>
<xs:sequence>
| If this element is not specified during the request phase,
the client SHOULD anyway return its capability if it differs
(presumably due to export issues) from the mandatory
RSA 1024 and 2048 key-sizes or is unable to set exponents |
<xs:element name="RSASupport" minOccurs="0">
<xs:complexType>
<xs:attribute name="KeySizes" use="required">
<xs:simpleType>
<xs:restriction>
<xs:simpleType>
<xs:list itemType="xs:positiveInteger"/>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
| Optional attribute: Can the exponent be set? Default: false |
<xs:attribute name="SettableExponent" type="xs:boolean" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
| If non-mandatory algorithms are preferred, the following attribute
can host a list of such. If the response does not contain a requested
algorithm it means that it is not supported |
<xs:attribute name="Algorithms" type="kgen:uriList" use="optional"/>
| Features are things that are supported by the SKS or the platform
the SKS is running in |
<xs:attribute name="Features" type="kgen:uriList" use="optional"/>
| Arbitrary extension objects MAY be requested. Although most
clients are likely to for example support HOTP
("http://xmlns.webpki.org/keygen2/1.0#provider.ietf-hotp"),
application support is outside of the core SKS specification
and SHOULD be requested rather than taken for granted.
A provisioning client MAY dynamically check for application
availability |
<xs:attribute name="Extensions" type="kgen:uriList" use="optional"/>
</xs:complexType>
</xs:element>
| Base-object for representing a certified public key, path, and other key entry data |
<xs:element name="CertificatePath">
<xs:complexType>
<xs:sequence>
| The package MAY contain additional certificates belonging
to the same certificate-path. There MUST NOT be any "holes"
or "extras" in the path but it does not need to go up to the
root. The actual order of certificates is insignificant.
NOTE: Unlike TLS server-certificates, the KeyGen2 scheme
does not put any constraints on issued certificates with
respect to being known or trusted by the client platform.
That is, all technically valid certificates MUST be accepted
without warnings. Certificates in excess of 50KB MAY though
be rejected |
<xs:element ref="ds:X509Data"/>
<xs:choice minOccurs="0">
SKS Reference: setSymmetricKey
Optional "piggybacked" symmetric key |
<xs:element name="SymmetricKey">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
| "EndorsedAlgorithms" holds a non-empty list of
algorithms endorsed by the issuer for usage with
the provisioned symmetric key |
<xs:attribute name="EndorsedAlgorithms" type="kgen:uriList" use="required"/>
| Mandatory MAC (Message Authentication Code) |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
SKS Reference: restorePrivateKey
Optional restored private key |
<xs:element name="PrivateKey">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
| Mandatory MAC (Message Authentication Code) |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:choice>
<xs:choice minOccurs="0" maxOccurs="unbounded">
SKS Reference: addExtension
Some credentials like OTP seeds need additional attributes
to work. These are supplied as typed "PropertyBags" holding
"Property" name-value elements |
<xs:element ref="kgen:PropertyBag"/>
SKS Reference: addExtension
Optional logotypes that can be used in various GUIs.
The "Type" URI indicates a logotype's usage and SHOULD
be communicated during the platform negotiation phase.
Logotypes MAY be ignored by the client software. Currently
KeyGen2 supports the following predefined type URIs:
- "http://xmlns.webpki.org/keygen2/1.0#logotype.icon"
- "http://xmlns.webpki.org/keygen2/1.0#logotype.card"
- "http://xmlns.webpki.org/keygen2/1.0#logotype.list"
- "http://xmlns.webpki.org/keygen2/1.0#logotype.application"
"Icon" is intended to be useful in a selection window
where multiple credentials are featured as a map of
icons. "Card" is the shape needed by for example
Microsoft's InformationCards. "List" is meant to be
used in credential listings where you need a minute
image together with explanatory text. "Application"
is a shape that could be used in applications where the
logotype is useful for branding/recognition purposes
like in OTP systems.
Logotype recommendations:
Logotypes should not have framing borders or extra margins
unless these are integral parts of the actual logotype image.
Logotypes should render nicely on light backgrounds.
Logotype "surroundings" should preferably be transparent to
accommodate white to light grey backgrounds. If there are
shadows that should migrate with the background, PNG files
with alpha channels are recommended |
<xs:element name="Logotype">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="kgen:imageType">
| Mandatory extension type attribute |
<xs:attributeGroup ref="kgen:extensionAttrs"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
| SKS Reference: addExtension |
<xs:element name="Extension">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
| Mandatory extension type attribute |
<xs:attributeGroup ref="kgen:extensionAttrs"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
| SKS Reference: addExtension |
<xs:element name="EncryptedExtension">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
| Mandatory extension type attribute |
<xs:attributeGroup ref="kgen:extensionAttrs"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:choice>
<xs:choice minOccurs="0">
| SKS Reference: pp_updateKey |
<xs:element name="UpdateKey" type="kgen:targetKey"/>
| SKS Reference: pp_cloneKeyProtection |
<xs:element name="CloneKeyProtection" type="kgen:targetKey"/>
</xs:choice>
</xs:sequence>
| A unique key-ID which MUST match the corresponding
"KeyInitializationResponse/PublicKey/@ID" |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:complexType>
| Constraints (that can be enforced by schema-directed validation) |
| All Extension type URIs for a key MUST be a unique |
<xs:unique name="ExtensionTypeUnique">
<xs:selector xpath="*"/>
<xs:field xpath="@Type"/>
</xs:unique>
</xs:element>
| Object for representing properties |
<xs:element name="PropertyBag">
<xs:complexType>
<xs:sequence>
<xs:element name="Property" maxOccurs="unbounded">
<xs:complexType>
| The unique name of the property |
<xs:attribute name="Name" use="required">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:maxLength value="100"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
| The value of the property |
<xs:attribute name="Value" type="xs:string" use="required"/>
| By default values are read-only but they may be
declared as read/writable as well |
<xs:attribute name="Writable" type="xs:boolean" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
| Mandatory extension attributes |
<xs:attributeGroup ref="kgen:extensionAttrs"/>
</xs:complexType>
| Property names within a PropertyBag MUST be unique |
<xs:unique name="Unique.Property">
<xs:selector xpath="kgen:Property"/>
<xs:field xpath="@Name"/>
</xs:unique>
</xs:element>
| Base-object for representing a created public key |
<xs:element name="PublicKey">
<xs:complexType>
<xs:sequence>
| MUST contain a public key element |
<xs:choice>
<xs:element ref="ds11:ECKeyValue"/>
<xs:element ref="ds:RSAKeyValue"/>
</xs:choice>
| SKS Reference: createKeyPair.PrivateKeyBackup |
<xs:element name="PrivateKey" type="xs:base64Binary" minOccurs="0"/>
</xs:sequence>
SKS attestation vouching for the public key as being generated in
a specific environment together with its private key counterpart.
Also see: "KeyAttestationAlgorithm" |
<xs:attribute name="KeyAttestation" type="xs:base64Binary" use="optional"/>
| A unique key-ID which MUST match a "KeyPair/@ID"
in the corresponding "KeyInitializationRequest" |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
</xs:complexType>
</xs:element>
| Base-object for requesting the creation of a key (pair) |
<xs:element name="KeyPair">
<xs:complexType>
<xs:sequence>
| SKS Specification: createKeyPair.KeyAlgorithmType |
<xs:choice>
<xs:element name="RSA">
<xs:complexType>
| SKS Reference: createKeyPair.RSAKeySize |
<xs:attribute name="KeySize" type="xs:positiveInteger" use="required"/>
SKS Reference: createKeyPair.RSAExponent
Default: 0 => Use SKS default |
<xs:attribute name="Exponent" type="xs:positiveInteger" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="EC">
<xs:complexType>
| SKS Reference: createKeyPair.NamedCurve |
<xs:attribute name="NamedCurve" type="xs:anyURI" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="DSA">
<xs:complexType>
<xs:attribute name="KeySize" type="xs:integer" use="required"/>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:sequence>
| SKS Reference: createKeyPair.ID |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
SKS Reference: createKeyPair.ServerSeed
Default: 32 zero bytes |
<xs:attribute name="ServerSeed" type="xs:base64Binary" use="optional"/>
SKS Reference: createKeyPair.BiometricProtection
Default: "none" |
<xs:attribute name="BiometricProtection" type="kgen:biomProtTypes" use="optional"/>
SKS Reference: createKeyPair.PrivateKeyBackup
Default: false |
<xs:attribute name="PrivateKeyBackup" type="xs:boolean" use="optional"/>
SKS Reference: createKeyPair.ExportPolicy
Default: "non-exportable" |
<xs:attribute name="ExportPolicy" type="kgen:expPolicyTypes" use="optional"/>
SKS Reference: createKeyPair.DeletePolicy
Default: "none" |
<xs:attribute name="DeletePolicy" type="kgen:delPolicyTypes" use="optional"/>
SKS Reference: createKeyPair.EnablePINCaching
Default: false |
<xs:attribute name="EnablePINCaching" type="xs:boolean" use="optional"/>
| SKS Reference: createKeyPair.KeyUsage |
<xs:attribute name="KeyUsage" type="kgen:keyUsageTypes" use="required"/>
SKS Reference: createKeyPair.FriendlyName
Default: "" |
<xs:attribute name="FriendlyName" type="xs:string" use="optional"/>
| SKS Reference: createKeyPair.MAC |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
<xs:attributeGroup name="extensionAttrs">
| SKS Reference: addExtensionData.ExtensionType |
<xs:attribute name="Type" type="xs:anyURI" use="required"/>
| SKS Reference: addExtensionData.MAC |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:attributeGroup>
| Request sub-object for creating a set of PIN-protected keys associated with a
a common master PUK code |
<xs:element name="PUKPolicy">
<xs:complexType>
<xs:sequence>
| The PIN-protected key groups |
<xs:element ref="kgen:PINPolicy" maxOccurs="unbounded"/>
</xs:sequence>
| SKS Reference: createPUKPolicy.ID |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
| SKS Reference: createPUKPolicy.PUKValue |
<xs:attribute name="Value" type="xs:base64Binary" use="required"/>
| SKS Reference: createPUKPolicy.Format |
<xs:attribute name="Format" type="kgen:pinFormats" use="required"/>
| SKS Reference: createPUKPolicy.RetryLimit |
<xs:attribute name="RetryLimit" type="xs:unsignedShort" use="required"/>
| SKS Reference: createPUKPolicy.MAC |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
| Request sub-object for creating a set of keys associated with a user PIN policy |
<xs:element name="PINPolicy">
<xs:complexType>
<xs:sequence>
<xs:choice>
| One or more keys protected by user-defined PINs governed by
a common PIN policy |
<xs:element ref="kgen:KeyPair" maxOccurs="unbounded"/>
| One or more keys protected by issuer-defined PINs |
<xs:element name="PresetPIN" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:KeyPair"/>
</xs:sequence>
| SKS Reference: createKeyPair.PINValue |
<xs:attribute name="Value" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
</xs:choice>
</xs:sequence>
| SKS Reference: createPINPolicy.ID |
<xs:attribute name="ID" type="kgen:sksID" use="required"/>
SKS Reference: createPINPolicy.PUKPolicyHandle
"PUKPolicyHandle" is an implicit and implementation-dependent
PUK reference object which is defined by the presence of an
enclosing "PUKPolicy" object |
SKS Reference: createPINPolicy.UserDefined
"UserDefined" is an implicit variable which is true unless
there is a "PresetPIN" object enclosing the "KeyPair" object |
SKS Reference: createPINPolicy.UserModifiable
Default: false for preset PINs, true for user-defined PINs |
<xs:attribute name="UserModifiable" type="xs:boolean" use="optional"/>
| SKS Reference: createPINPolicy.Format |
<xs:attribute name="Format" type="kgen:pinFormats" use="required"/>
| SKS Reference: createPINPolicy.RetryLimit |
<xs:attribute name="RetryLimit" type="xs:unsignedShort" use="required"/>
SKS Reference: createPINPolicy.Grouping
Default: "none" |
<xs:attribute name="Grouping" type="kgen:pinGrouping" use="optional"/>
SKS Reference: createPINPolicy.PatternRestrictions
Default: none |
<xs:attribute name="PatternRestrictions" type="kgen:pinPatternList" use="optional"/>
| SKS Reference: createPINPolicy.MinLength |
<xs:attribute name="MinLength" type="kgen:pinLength" use="required"/>
| SKS Reference: createPINPolicy.MaxLength |
<xs:attribute name="MaxLength" type="kgen:pinLength" use="required"/>
SKS Reference: createPINPolicy.InputMethod
Default: "any" |
<xs:attribute name="InputMethod" type="kgen:pinInput" use="optional"/>
| SKS Reference: createPINPolicy.MAC |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:complexType>
</xs:element>
| Request sub-object for creating a key protected by the key "host" device PIN-code |
<xs:element name="DevicePIN">
<xs:complexType>
<xs:sequence>
<xs:element ref="kgen:KeyPair"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="imageData">
<xs:attribute name="MimeType" type="kgen:mimeType" use="required"/>
| Width in pixels. For SVG it holds the "ideal" width |
<xs:attribute name="Width" type="xs:positiveInteger" use="required"/>
| Height in pixels. For SVG it holds the "ideal" height |
<xs:attribute name="Height" type="xs:positiveInteger" use="required"/>
</xs:complexType>
<xs:complexType name="keyID">
| One of the two IDs identifying a provisioning session |
<xs:attribute name="ClientSessionID" type="kgen:sksNCName" use="required"/>
| The other ID identifying a provisioning session |
<xs:attribute name="ServerSessionID" type="kgen:sksNCName" use="required"/>
| Handle to the certificate (key ID) |
<xs:attribute name="CertificateFingerprint" type="xs:base64Binary" use="required"/>
</xs:complexType>
<xs:complexType name="targetKey">
<xs:complexContent>
<xs:extension base="kgen:keyID">
| Mandatory MAC (Message Authentication Code) |
<xs:attribute name="MAC" type="xs:base64Binary" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:element name="MatchingCredential">
<xs:complexType>
<xs:complexContent>
<xs:extension base="kgen:keyID"/>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SearchFilter">
<xs:complexType>
| Qualifiers. At least one MUST be defined. Note that "IssuedBefore"
and "IssuedAfter" can be used to create a region that should either
be included or excluded depending on which one is biggest. The "Subject"
attribute is a regular expression matching RFC 2253 names. "Email"
attributes MUST be searched for in both the subject DN and in
subject alt name extensions |
<xs:attribute name="Subject" type="kgen:distinguishedNameExpr" use="optional"/>
<xs:attribute name="Serial" type="xs:integer" use="optional"/>
<xs:attribute name="Email" type="xs:string" use="optional"/>
<xs:attribute name="Policy" type="kgen:oidValue" use="optional"/>
<xs:attribute name="ExcludedPolicies" type="kgen:oidValueList" use="optional"/>
<xs:attribute name="IssuedBefore" type="xs:dateTime" use="optional"/>
<xs:attribute name="IssuedAfter" type="xs:dateTime" use="optional"/>
</xs:complexType>
</xs:element>
| IDs flowing between the SKS and the issuers MUST be 1-32 bytes |
<xs:simpleType name="sksID">
<xs:restriction base="xs:ID">
<xs:pattern value="[0-9,a-z,A-Z,_,\-,\.]*"/>
<xs:maxLength value="32"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="sksNCName">
<xs:restriction base="xs:NCName">
<xs:pattern value="[0-9,a-z,A-Z,_,\-,\.]*"/>
<xs:maxLength value="32"/>
</xs:restriction>
</xs:simpleType>
| The "ServerCookie" object is intended for passing arbitrary data between a
request and a response. It can be used to enable "statelessness" between
requests and responses, by for example holding a HMAC authentication of the
request and a time stamp. The format of ServerCookie data is out of scope
for the KeyGen2 specification. If a ServerCookie is specified in a request
it MUST be copied verbatim to the associated response object by the client
software |
<xs:element name="ServerCookie">
<xs:complexType mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
| Image definition. An image SHOULD consist of a size-wise device-adapted
GIF or PNG picture |
<xs:complexType name="imageType">
<xs:simpleContent>
<xs:extension base="xs:base64Binary">
<xs:attribute name="MimeType" type="kgen:mimeType" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="keyUsageTypes">
<xs:restriction base="xs:string">
<xs:enumeration value="signature"/>
<xs:enumeration value="authentication"/>
<xs:enumeration value="encryption"/>
<xs:enumeration value="universal"/>
<xs:enumeration value="transport"/>
<xs:enumeration value="symmetric-key"/>
</xs:restriction>
</xs:simpleType>
| Biometric protection definitions |
<xs:simpleType name="biomProtTypes">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="alternative"/>
<xs:enumeration value="combined"/>
<xs:enumeration value="exclusive"/>
</xs:restriction>
</xs:simpleType>
| Delete policy definitions |
<xs:simpleType name="delPolicyTypes">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="pin"/>
<xs:enumeration value="puk"/>
</xs:restriction>
</xs:simpleType>
| Export policy definitions |
<xs:simpleType name="expPolicyTypes">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="pin"/>
<xs:enumeration value="puk"/>
<xs:enumeration value="non-exportable"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="pinLength">
<xs:restriction base="xs:positiveInteger">
<xs:maxInclusive value="100"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="pinFormats">
<xs:restriction base="xs:string">
<xs:enumeration value="numeric"/>
<xs:enumeration value="alphanumeric"/>
<xs:enumeration value="string"/>
<xs:enumeration value="binary"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="pinGrouping">
<xs:restriction base="xs:string">
<xs:enumeration value="none"/>
<xs:enumeration value="shared"/>
<xs:enumeration value="signature+standard"/>
<xs:enumeration value="unique"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="pinInput">
<xs:restriction base="xs:string">
<xs:enumeration value="any"/>
<xs:enumeration value="programmatic"/>
<xs:enumeration value="trusted-gui"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="pinPatternList">
<xs:restriction>
<xs:simpleType>
<xs:list>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="two-in-a-row"/>
<xs:enumeration value="three-in-a-row"/>
<xs:enumeration value="sequence"/>
<xs:enumeration value="repeated"/>
<xs:enumeration value="missing-group"/>
</xs:restriction>
</xs:simpleType>
</xs:list>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="oidValue">
<xs:restriction base="xs:string">
<xs:pattern value="[1-9][0-9]*(\.[1-9][0-9]*)*"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="oidValueList">
<xs:restriction>
<xs:simpleType>
<xs:list itemType="kgen:oidValue"/>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="httpURI">
<xs:restriction base="xs:anyURI">
<xs:pattern value="https?://.*"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="uriList">
<xs:restriction>
<xs:simpleType>
<xs:list itemType="xs:anyURI"/>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
| Language list definitions |
<xs:simpleType name="languageList">
<xs:restriction>
<xs:simpleType>
<xs:list itemType="xs:language"/>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
| MIME type definition (MUST NOT contain character encoding) |
<xs:simpleType name="mimeType">
<xs:restriction base="xs:string">
<xs:pattern value="[^;]+"/>
</xs:restriction>
</xs:simpleType>
| Key container definitions |
<xs:simpleType name="containerList">
<xs:restriction>
<xs:simpleType>
<xs:list>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="File"/>
<xs:enumeration value="TPM"/>
<xs:enumeration value="SIM"/>
<xs:enumeration value="External"/>
</xs:restriction>
</xs:simpleType>
</xs:list>
</xs:simpleType>
<xs:minLength value="1"/>
</xs:restriction>
</xs:simpleType>
| Subject" attributes MUST be represented as regular expressions compatible with
the XML Schema "pattern" facet. Note that the regular expressions MUST be
targeted for RFC 2253 encoded data |
<xs:simpleType name="distinguishedNameExpr">
<xs:restriction base="xs:string">
<xs:pattern value="\S.*"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>