Add signing of Identifiables #523
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| //// | ||
| Copyright (c) 2023 Industrial Digital Twin Association | ||
|
|
||
| This work is licensed under a [Creative Commons Attribution 4.0 International License]( | ||
| https://creativecommons.org/licenses/by/4.0/). | ||
|
|
||
| SPDX-License-Identifier: CC-BY-4.0 | ||
|
|
||
| //// | ||
|
|
||
| [#signatures] | ||
| = Signatures | ||
|
||
|
|
||
| Some use cases of the Asset Administration Shell require the proof that data has not been changed and that it is still the original data of the AAS originator. | ||
| An example is a device manufacturer supplying to an integrator supplying to a plant operator. The plant operator wants to check the remained integrity of the device manufacturer's AAS. | ||
|
|
||
| The AASX package format includes the possibility of signing an AASX package, but this is seldomly used. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API. | ||
|
Check warning on line 17 in documentation/IDTA-01002-3/modules/ROOT/pages/signatures.adoc
|
||
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Show fixed
Hide fixed
|
||
|
|
||
| Different levels of API signatures have been investigated by the IDTA TF Security, including JWS (JSON Web Signature) or JAdES (JSON advanced digital signature). | ||
| This version explains and defines new endpoints /$signed for AAS, Submodel and ConceptDescription, which provide a plain text JWS. | ||
|
|
||
| JWS ist defined in RFC 7515 (https://datatracker.ietf.org/doc/html/rfc7515). | ||
|
|
||
| AAS signatures include the AAS JSON content as embedded payload in the JWS. The following header parameters are used: | ||
|
|
||
| - alg: The "alg" (algorithm) Header Parameter identifies the cryptographic algorithm used to secure the JWS (see RFC 7515 4.1.1). Currently only RS256 is used. | ||
| - typ: The "typ" (type) Header Parameter is used by JWS applications to declare the media type [IANA.MediaTypes] of this complete JWS (see RFC 7515 4.1.9). Currently only JWS is used. | ||
| - x5c: The "x5c" (X.509 certificate chain) Header Parameter contains the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS (see RFC 7515 4.1.6). This may be a single certificate or certificate chain. The related root certificate must be exchanged by the business partners by an additional secure channel. | ||
| - sigT: The "sigT" (signature timestamp) Header Parameter contains the ISO‑8601 timestamp when the JWS was created. This may be used to check for newer content and if certificates have been valid at signature time. | ||
| - sid: The "sid" (signature identifier) Header Parameter contains a unique GUID to make the storage of JWS easier. | ||
|
|
||
| JWS can be decoded by jwt.io. A JWS example and its decoded content can be seen below. | ||
|
|
||
| JWS: | ||
|
|
||
| eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyIsInNpZ1QiOiIyMDI1LTEyLTE4VDA2OjU4OjIwLjA5MjkxMTVaIiwic2lkIjoiMGRhMTAyOTMtOWVmNi00MmEwLWE3NjQtYTI3ZTFmNmZiNWFlIiwieDVjIjpbIk1JSURLakNDQWhLZ0F3SUJBZ0lJUU1tdnNxNEhSQTB3RFFZSktvWklodmNOQVFFTEJRQXdQakVMTUFrR0ExVUVCaE1DUkVVeEVUQVBCZ05WQkFvVENFazBNQ0JVWlhOME1Sd3dHZ1lEVlFRREV4TkpOREFnVUdodlpXNXBlQ0JEYjI1MFlXTjBNQjRYRFRJME1EWXhNREEzTURnd01Gb1hEVEkyTURZeE1EQTNNRGd3TUZvd2JERUxNQWtHQTFVRUJoTUNSRVV4RVRBUEJnTlZCQW9UQ0VrME1DQlVaWE4wTVIwd0d3WURWUVFERXhSSk5EQWdRVzVrY21WaGN5QlBjbnBsYkhOcmFURXJNQ2tHQ1NxR1NJYjNEUUVKQVJZY1lXOXllbVZzYzJ0cFFIQm9iMlZ1YVhoamIyNTBZV04wTG1OdmJUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUpQV3JuZ0Z0eHBKNzVnR0xoTjJuYTRMS3FiZnkycGNoYWV6Y094bDVZaFVEM0xQWFJ1RUJOSmI1YWRhZzJHQW5Sd1VLYlJXSTEwZGloOUdieWVTMzZ0L3Y3TTRKZ243ZWZSOW84Z0NFa2lkRnpaVWZ2L3NoQzlPVzlQZCtUeVVmOVdPbi9pNzgrMkJOeERITGZUR2YzU2FPNFptVWx4NEJOK0lLODBRZ3d1eGI3YjFTSTdMQUVPUU52NlQ3Q2NnQ3FKOUtaamozaVFkVXFGcEhHMmVSSG5jU0IwbGVFa3ZtdGxTM1BDMFY4VVB3L3M5T3lLV056YUtMZTlOUCtaV3FHUmRSeloxc0YrdDIzbnpkVTVhM3l5RGVkVE90MVRuMjFWYVArSXJwS2lKRE1NWXJ0akM2VzFsNkRiaU4yMS9nTFdqR3haS29hd3pJd2V0MkZyaXlkMENBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQUJwNit2REhIaCtjVDFEQmE4MHZjaE8wUlg0UUFWWUc4OHBkMEVzRzdtK1k3ZkFPdXMvNlcvZmpHTnZLbDNHKzVzZ1JKeSsvaGdKWHhQajVrUzM4YkxRWGhybWFySGNDSm5Rc1NCNWNTZG02RE5ZQTFQNnlFcmVmREtJdTFtZzN0WHAwUjBsaWcwQzRDbk84bHhVV0c2Z2VhZjdHUGF2Y0pnRXdudjRobWtZaUo5YWpwaXFLbnZFcE1KVlRnVFdHaXJhV2VZN1V0RzNHd0pPeEVmUDF5aUxpU3UxOGtKbVpDa3VOQ21LMm1NUWZNbTd3MDZIa0tNMFVudC9FU1ZDYkdsSmJxODJ4bDZSUytML2ZhaVFmWkZqUHpEWThTK0NNcE1PZ3ZSNTU3TFgraHZFTE1CUFI4VUFmalJoT0Y5QnhxTzJCWnNkRHYzY1pMclk1T3l6NUVjdz09IiwiTUlJRGFqQ0NBbEtnQXdJQkFnSUlZaHM4Uk5uaHBoZ3dEUVlKS29aSWh2Y05BUUVMQlFBd09ERUxNQWtHQTFVRUJoTUNSRVV4RVRBUEJnTlZCQW9UQ0VrME1DQlVaWE4wTVJZd0ZBWURWUVFERXcxSk5EQWdWR1Z6ZENCU2IyOTBNQjRYRFRJd01UQXdNVEE0TlRRd01Gb1hEVE13TVRBd01UQTROVFF3TUZvd1BqRUxNQWtHQTFVRUJoTUNSRVV4RVRBUEJnTlZCQW9UQ0VrME1DQlVaWE4wTVJ3d0dnWURWUVFERXhOSk5EQWdVR2h2Wlc1cGVDQkRiMjUwWVdOME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBc01kRzNLdE1lMHlEbHJ2a0tMYnpuQ2RKK0hTZEgrRmNZZW5qenlTaDBDdmVsRmplcXkzckVGbHpuOHNnNis3Szg1M1MrNTBMM1RxM0tZOTRxSDVmNnkvakhPcFh4Z2FybXp0TWVBRWxaaCt5bDNhbURCclZ6QW9UTmt1SmxScGNiekVJcmp2T3g4bzNkZjRmOStCUHZENzd0TmdFK1V1RVRoUlFYRmFld0VYWlZjeDNoMmxEeWpxaVJ1eVovS21kOTBPZTBkK0Y5MGlXSFpGdWhGS2RReEFpK0I4aEcrN1dZNnZMMDJCODUyNkpVOHpsMlNudCtTQy8vV1p5Z2VEU29GcEhoeU5PWm04OFRnSmhxbkdoTTM2QjNXL29PQjV4cUdzQWJuOUw5amlha05rVzRMUG1NcHo4SFQ3WGpKWld0RnpaQmswRVVMcWxDR20yeEpJRGF3SURBUUFCbzNJd2NEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUVQ3bm85SDBQR0ZvVC9qSnl5ODFyK3BtWHZuREFMQmdOVkhROEVCQU1DQVFZd0VRWUpZSVpJQVliNFFnRUJCQVFEQWdBSE1CNEdDV0NHU0FHRytFSUJEUVFSRmc5NFkyRWdZMlZ5ZEdsbWFXTmhkR1V3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUxBVmdzclZISUJ0TmFxSnBkdVQ5b1Bia0ttaVRxcVZXb0pUemdEbGpVVGozOXlTeXFPbytML2RLZ1pxVnkxK2FDUXNnS1d4a014OWx1Nkw1YXgrUDd2dGR0NzVOQ0JnM3JOZndHeGFWeWhOZmtpYW9GT2hGSTFjU3phN3puTlg2L3NKZXlVUkN1OExQazIwL0lDOHY5ZXVLOUZKTWxhQmIrYklSRjZzektvU3JiUWE2bTJDakc0dUJmV3NGbnJKeTBVcmtLa0huS0ZHWDM2SzViS0VxRTIxaHJBUzZqbnJWcVpHZFBZY2lqR0MxMks3clN5K2FMYTkyb1orcnRJbnlGa3RzT01tZERDQk12bFJXTlVtdi9SZEx3SG4zSWEzM3V0R0drNW9hUFkvbitubUtQQm1ERUd0K216T1lpSWxNWGMyQXZyUVllMDBlSFhHK3lFMjhTYz0iLCJNSUlEWkRDQ0FreWdBd0lCQWdJSUhGSDNqeGVHWm5Zd0RRWUpLb1pJaHZjTkFRRUxCUUF3T0RFTE1Ba0dBMVVFQmhNQ1JFVXhFVEFQQmdOVkJBb1RDRWswTUNCVVpYTjBNUll3RkFZRFZRUURFdzFKTkRBZ1ZHVnpkQ0JTYjI5ME1CNFhEVEl3TVRBd01UQTRNemt3TUZvWERUTXdNVEF3TVRBNE16a3dNRm93T0RFTE1Ba0dBMVVFQmhNQ1JFVXhFVEFQQmdOVkJBb1RDRWswTUNCVVpYTjBNUll3RkFZRFZRUURFdzFKTkRBZ1ZHVnpkQ0JTYjI5ME1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdGhKeElDYml2SmlhUTJDcjRYNS9SWVkxZVk3OTY1Uklad1VUNEpGdnJndnR4Y0tuNzFLUWlybC9qajhsRGtYY2xxbjV4UXZlbW1iQUNyTjAwVzZ1QVZNSTFMbFZYVHU2SU1BeVN5RkMrQkk1TkJYdGdWSGdvM1d1VGVUSWN6UEF2WStmMnQ2ZTBrQm1CRWZSMGpKSEZDL0VGRFo3U1pTZk5KVkhObjhQTVF0Sitid3hUQmp3aGNWaUs3UmxjSmNoMjEzam1Iai9EMXRlZUtiSENZNll3aVlsYk5adVoxSnJtdktZZlR2TTZTRUlmaE9waWRGWFpybXpnUG9pUmVxL3ZJKzc3SFRUaEIzSFJmL1B1OHZNK2pMZjlCRWR5K3NHMm9KRHRqcm1VNTRtbEcvOW5WSVpoTHhpdm82NnViRG8vOWRDdXhzSExTZGVGY2J1UHNxZlVRSURBUUFCbzNJd2NEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCVGF5VkhvRzZ4a29EZ25KWllrem9pZ0FPRm5aekFMQmdOVkhROEVCQU1DQVFZd0VRWUpZSVpJQVliNFFnRUJCQVFEQWdBSE1CNEdDV0NHU0FHRytFSUJEUVFSRmc5NFkyRWdZMlZ5ZEdsbWFXTmhkR1V3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVoZnJ4cGd5a0ozbWUrVzZqc0dtUElVdnV6ZDlSNnJYRkovRFhUQStnLzQwMmtpTmZWY0ptUmIwbjBEZFpUQm5uWFN0UWN6Zy9LRFBtK3V5S0M1SWtMMm5lUlpXMnN1Mk16UmhwSGFRRUtaeXQvUXlrODJkcEtpcjMySmpnV1ROSTI0MTlLUi84Ykt3Q1duemRieEhBVkd0V2QwS29ZN3dMVFBSQ1gzQno3WURmVHVDMWV4bFNLRkpCOTVoWkVsNWtpREUyK2t1TTRNWmZYZno4bjJMbHk4K2RwV1hWdld0TnNHRWpla09oTWV1Smdyazd4dGlNbkErNlAwRGNyeXFxQUYzWW5INWJxSEJnTndvc3c5b2U5ZzI3YnJnK2paak8wK3JWbVF3bTlrR1hSaTRxMFJYbk1tQTVTWlgvSmM3ZDllLzZBUkNveGpONmwxTTU0UjdwVT0iXX0 | ||
|
|
||
| Decoded JWS: | ||
|
|
||
| { | ||
|
|
||
| "alg": "RS256", | ||
|
|
||
| "typ": "JWS", | ||
|
|
||
| "sigT": "2025-12-18T06:58:20.0929115Z", | ||
|
|
||
| "sid": "0da10293-9ef6-42a0-a764-a27e1f6fb5ae", | ||
|
|
||
| "x5c": [ | ||
| "MIIDKjCCAhKgAwIBAgIIQMmvsq4HRA0wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MRwwGgYDVQQDExNJNDAgUGhvZW5peCBDb250YWN0MB4XDTI0MDYxMDA3MDgwMFoXDTI2MDYxMDA3MDgwMFowbDELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MR0wGwYDVQQDExRJNDAgQW5kcmVhcyBPcnplbHNraTErMCkGCSqGSIb3DQEJARYcYW9yemVsc2tpQHBob2VuaXhjb250YWN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJPWrngFtxpJ75gGLhN2na4LKqbfy2pchaezcOxl5YhUD3LPXRuEBNJb5adag2GAnRwUKbRWI10dih9GbyeS36t/v7M4Jgn7efR9o8gCEkidFzZUfv/shC9OW9Pd+TyUf9WOn/i78+2BNxDHLfTGf3SaO4ZmUlx4BN+IK80Qgwuxb7b1SI7LAEOQNv6T7CcgCqJ9KZjj3iQdUqFpHG2eRHncSB0leEkvmtlS3PC0V8UPw/s9OyKWNzaKLe9NP+ZWqGRdRzZ1sF+t23nzdU5a3yyDedTOt1Tn21VaP+IrpKiJDMMYrtjC6W1l6DbiN21/gLWjGxZKoawzIwet2Friyd0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEABp6+vDHHh+cT1DBa80vchO0RX4QAVYG88pd0EsG7m+Y7fAOus/6W/fjGNvKl3G+5sgRJy+/hgJXxPj5kS38bLQXhrmarHcCJnQsSB5cSdm6DNYA1P6yErefDKIu1mg3tXp0R0lig0C4CnO8lxUWG6geaf7GPavcJgEwnv4hmkYiJ9ajpiqKnvEpMJVTgTWGiraWeY7UtG3GwJOxEfP1yiLiSu18kJmZCkuNCmK2mMQfMm7w06HkKM0Unt/ESVCbGlJbq82xl6RS+L/faiQfZFjPzDY8S+CMpMOgvR557LX+hvELMBPR8UAfjRhOF9BxqO2BZsdDv3cZLrY5Oyz5Ecw==", | ||
| "MIIDajCCAlKgAwIBAgIIYhs8RNnhphgwDQYJKoZIhvcNAQELBQAwODELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MRYwFAYDVQQDEw1JNDAgVGVzdCBSb290MB4XDTIwMTAwMTA4NTQwMFoXDTMwMTAwMTA4NTQwMFowPjELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MRwwGgYDVQQDExNJNDAgUGhvZW5peCBDb250YWN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsMdG3KtMe0yDlrvkKLbznCdJ+HSdH+FcYenjzySh0CvelFjeqy3rEFlzn8sg6+7K853S+50L3Tq3KY94qH5f6y/jHOpXxgarmztMeAElZh+yl3amDBrVzAoTNkuJlRpcbzEIrjvOx8o3df4f9+BPvD77tNgE+UuEThRQXFaewEXZVcx3h2lDyjqiRuyZ/Kmd90Oe0d+F90iWHZFuhFKdQxAi+B8hG+7WY6vL02B8526JU8zl2Snt+SC//WZygeDSoFpHhyNOZm88TgJhqnGhM36B3W/oOB5xqGsAbn9L9jiakNkW4LPmMpz8HT7XjJZWtFzZBk0EULqlCGm2xJIDawIDAQABo3IwcDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQT7no9H0PGFoT/jJyy81r+pmXvnDALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgAHMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBALAVgsrVHIBtNaqJpduT9oPbkKmiTqqVWoJTzgDljUTj39ySyqOo+L/dKgZqVy1+aCQsgKWxkMx9lu6L5ax+P7vtdt75NCBg3rNfwGxaVyhNfkiaoFOhFI1cSza7znNX6/sJeyURCu8LPk20/IC8v9euK9FJMlaBb+bIRF6szKoSrbQa6m2CjG4uBfWsFnrJy0UrkKkHnKFGX36K5bKEqE21hrAS6jnrVqZGdPYcijGC12K7rSy+aLa92oZ+rtInyFktsOMmdDCBMvlRWNUmv/RdLwHn3Ia33utGGk5oaPY/n+nmKPBmDEGt+mzOYiIlMXc2AvrQYe00eHXG+yE28Sc=", | ||
| "MIIDZDCCAkygAwIBAgIIHFH3jxeGZnYwDQYJKoZIhvcNAQELBQAwODELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MRYwFAYDVQQDEw1JNDAgVGVzdCBSb290MB4XDTIwMTAwMTA4MzkwMFoXDTMwMTAwMTA4MzkwMFowODELMAkGA1UEBhMCREUxETAPBgNVBAoTCEk0MCBUZXN0MRYwFAYDVQQDEw1JNDAgVGVzdCBSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAthJxICbivJiaQ2Cr4X5/RYY1eY7965RIZwUT4JFvrgvtxcKn71KQirl/jj8lDkXclqn5xQvemmbACrN00W6uAVMI1LlVXTu6IMAySyFC+BI5NBXtgVHgo3WuTeTIczPAvY+f2t6e0kBmBEfR0jJHFC/EFDZ7SZSfNJVHNn8PMQtJ+bwxTBjwhcViK7RlcJch213jmHj/D1teeKbHCY6YwiYlbNZuZ1JrmvKYfTvM6SEIfhOpidFXZrmzgPoiReq/vI+77HTThB3HRf/Pu8vM+jLf9BEdy+sG2oJDtjrmU54mlG/9nVIZhLxivo66ubDo/9dCuxsHLSdeFcbuPsqfUQIDAQABo3IwcDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTayVHoG6xkoDgnJZYkzoigAOFnZzALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgAHMB4GCWCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBAEhfrxpgykJ3me+W6jsGmPIUvuzd9R6rXFJ/DXTA+g/402kiNfVcJmRb0n0DdZTBnnXStQczg/KDPm+uyKC5IkL2neRZW2su2MzRhpHaQEKZyt/Qyk82dpKir32JjgWTNI2419KR/8bKwCWnzdbxHAVGtWd0KoY7wLTPRCX3Bz7YDfTuC1exlSKFJB95hZEl5kiDE2+kuM4MZfXfz8n2Lly8+dpWXVvWtNsGEjekOhMeuJgrk7xtiMnA+6P0DcryqqAF3YnH5bqHBgNwosw9oe9g27brg+jZjO0+rVmQwm9kGXRi4q0RXnMmA5SZX/Jc7d9e/6ARCoxjN6l1M54R7pU=" | ||
| ] | ||
|
|
||
| } | ||
|
|
||
| (JSON Payload of example Submodel) | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.