{"openapi":"3.1.0","info":{"title":"Securosys PrimusHSM - REST API | Swagger UI","description":"- [REST-API Documentation](https://docs.securosys.com/tsb/overview)\n- [Tutorials](https://docs.securosys.com/tsb/Tutorials/Encryption/EncryptDecrypt)\n- [Transaction Security Broker Documentation](https://docs.securosys.com/tsb/category/transaction-security-broker) & [Authorization App Documentation](https://docs.securosys.com/AuthorizationApp/overview)\n\n[Securosys End-User License Agreement (EULA)](https://www.securosys.com/eula) \n","contact":{"name":"Securosys SA","url":"https://www.securosys.com/en/contactus","email":"info@securosys.com"},"license":{"name":"Securosys License","url":"https://www.securosys.com/en/about/securosys-general-terms-and-conditions"},"version":"v2.2.0"},"servers":[{"url":"https://sbx-rest-api.cloudshsm.com","description":"Generated server url"}],"tags":[{"name":"Requests","description":"Operations for sign/block/unblock/modify/decrypt/unwrap requests. The TsbEngine licence is necessary to execute these operations."},{"name":"Certificate","description":"Access to Certificate store"},{"name":"Service Information","description":"Information about the service"},{"name":"Blockchain Helper","description":"Helper functions for the blockchain"},{"name":"Synchronous Key Operations","description":"Synchronous operations that are directly forwarded to the HSM. For certain operations with SKA keys the signed approvals may be included in the request. 
The RestApi licence is necessary to execute these operations."},{"name":"Approval Tasks","description":"Operations on the approval tasks"},{"name":"Approver Management","description":"Access the Approver Management functionality for secure Approver-Key generation and streamlining SKA-Onboarding processes."},{"name":"Keys","description":"Access to key store"}],"paths":{"/v1/approverManagement/create":{"put":{"tags":["Approver Management"],"summary":"Create Approver","description":"The Approver Manager creates an approver key-pair and self-signed certificate","operationId":"create","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverCreateDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/ApproverCreateResponseDto"}}}}}},"security":[{"bearerAuth":[]}]}},"/v1/xpub/import":{"post":{"tags":["Blockchain Helper"],"summary":"Import public key from an xpub","description":"Import public key and chaincode from an xpub (base58) as an EC public-key, secp256k1. 
\n\n- BIP-32 - Xpub structure is specified by https://docs.rs/bitcoin/latest/bitcoin/bip32/struct.Xpub.html","operationId":"importXpub","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ImportXpubDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ImportXpubResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/xpub/export":{"post":{"tags":["Blockchain Helper"],"summary":"Export xpub from public key","description":"Export xpub based on an EC public-key (secp256k1) with chaincode, network, depth, parentFingerprint and childnumber. \n\nYou can derive the public-key directly by specifying a derivation-path in the 'label' like: key-name/1/2/3 \n\nNote: Hardened derivation paths (denoted by the ' symbol) require access to the private key. 
This is by design in the BIP-32 specification for hierarchical deterministic (HD) wallets.\n\n- Normal (non-hardened) derivation: You can derive child public keys from an xpub.\n\n- Hardened derivation: You must use the private key (i.e., xprv) to derive these child keys.","operationId":"exportXpub","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ExportXpubDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ExportXpubResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/wrap":{"post":{"tags":["Synchronous Key Operations"],"summary":"Wrap key","operationId":"wrap","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedWrapKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/WrapKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/verify":{"post":{"tags":["Synchronous Key Operations"],"summary":"Verify signature","operationId":"verifySignature","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedVerifySignatureRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/VerifySignatureRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/unwrap":{"post":{"tags":["Requests"],"summary":"Create unwrap request","operationId":"unwrap","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedUnwrapKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnwrapKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/unblock":{"post":{"tags":["Requests"],"summary":"Unblock key request","description":"Create an unblock request. Unblocking a key is only supported if the key has smart key attributes.","operationId":"unblock","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedUnblockKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnblockKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousUnwrap":{"post":{"tags":["Synchronous Key 
Operations"],"summary":"Unwrap a wrapped key","description":"Create a synchronous (non-SKA) unwrap request","operationId":"synchronousUnwrap","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousUnwrapKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousUnblock":{"post":{"tags":["Synchronous Key Operations"],"summary":"Unblock a key","description":"Create a synchronous (ska) unblock request. 
Unblocking a key is only supported if the key has smart key attributes.","operationId":"synchronousUnblock","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousUnblockKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousSign":{"post":{"tags":["Synchronous Key Operations"],"summary":"Sign a payload","description":"Create a synchronous (non-SKA) sign request","operationId":"synchronousSign","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousSignRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousSignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousModify":{"post":{"tags":["Synchronous Key Operations"],"summary":"Modify key policy","description":"Create a synchronous (ska) modify policy request. Modifying a key is only supported if the key has smart key attributes.","operationId":"synchronousModify","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousModifyKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousHmac":{"post":{"tags":["Synchronous Key Operations"],"summary":"Create keyed hash","operationId":"hmac","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedHmacRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HmacRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousFileVerifyDecrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Verify and decrypt a file","description":"The API client receives the structured file and begins by unwrapping the symmetric key using the asymmetric private key stored on the HSM. With the unwrapped symmetric key, the client decrypts the encrypted payload to retrieve the original content. 
Finally, the digital signature is verified against the decrypted file-content to ensure its authenticity and integrity.","operationId":"synchronousFileVerifyDecrypt","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"SignedSynchronousFileVerifyDecryptRequestDto":{"$ref":"#/components/schemas/SignedSynchronousFileVerifyDecryptRequestDto"},"file":{"type":"string","format":"binary","description":"The file to be decrypted and verified."}},"required":["SignedSynchronousFileVerifyDecryptRequestDto","file"]}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/octet-stream":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousFileSignEncrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Sign and encrypt a file","description":"The file content is first signed, then encrypted using a symmetric key. This symmetric key is subsequently wrapped with an asymmetric key. 
The encrypted payload, the wrapped symmetric key and the signature are then structured into a file that can be consumed by the API client.","operationId":"synchronousFileSignEncrypt","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"SignedSynchronousFileSignEncryptRequestDto":{"$ref":"#/components/schemas/SignedSynchronousFileSignEncryptRequestDto"},"file":{"type":"string","format":"binary","description":"The file to be signed and encrypted."}},"required":["SignedSynchronousFileSignEncryptRequestDto","file"]}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/octet-stream":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}},"application/json":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousFileDecrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Decrypt a file","description":"Returns application/octet-stream or application/json of the decrypted 
file","operationId":"fileDecryption","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"SignedFileDecryptRequestDto":{"$ref":"#/components/schemas/SignedFileDecryptRequestDto"},"file":{"type":"string","format":"binary"}},"required":["SignedFileDecryptRequestDto","file"]}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/octet-stream":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}},"application/json":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousDecrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Decrypt a ciphertext","description":"Create a synchronous (non-SKA) decrypt request","operationId":"synchronousDecrypt","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousDecryptRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not 
found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousDecryptRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/synchronousBlock":{"post":{"tags":["Synchronous Key Operations"],"summary":"Block a key","description":"Create a synchronous (non-SKA) block request. Blocking a key is only supported if the key has smart key attributes.","operationId":"synchronousBlock","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSynchronousBlockKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/synchronous/hash":{"post":{"tags":["Synchronous Key Operations"],"summary":"Create hash","description":"This API-Endpoint can be used to sign large payloads that exceed the current HSM limits of 20kb, v2.8 & 500kb, 
v3.0","operationId":"hash","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HashRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HashResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/sign":{"post":{"tags":["Requests"],"summary":"Create a sign request","operationId":"sign","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSignRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful 
Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/modify":{"post":{"tags":["Requests"],"summary":"Modify key request","description":"Create a modify request. Modifying a key is only supported if the key has smart key attributes.","operationId":"modify","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedModifyKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ModifyKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key":{"get":{"tags":["Keys"],"summary":"Get all keys","description":"Returns a list containing the names of all keys currently stored on the HSM","operationId":"enumerateKeys","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"type":"array","items":{"type":"string"}}}}}},"security":[{"bearerAuth":[]}]},"post":{"tags":["Keys"],"summary":"Create a key","description":"Create an asymmetric or symmetric key.","operationId":"createKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateKeyDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/rotate":{"post":{"tags":["Keys"],"summary":"Rotate a key","description":"Rotates a (symmetric or asymmetric) key","operationId":"rotateKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RotateKeyWithPasswordDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/keyAttestation":{"post":{"tags":["Keys"],"summary":"Generate key attestation files","description":"Returns the attestation of a key","operationId":"getKeyAttestationAsFileDownload","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyLabelWithPasswordDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/import/plain":{"post":{"tags":["Keys"],"summary":"Import a key","description":"The 
private key must be a valid PKCS#8 key: openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp256k1 -outform PEM -out secp256k1_private_key.pem","operationId":"importPlainKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyImportDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/key/export/plain":{"post":{"tags":["Keys"],"summary":"Export a key","description":"Get the public and private key or secret key exported from the HSM (extractable & sensitive must be 'true')","operationId":"exportKeyDto","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RequestKeyExportDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyExportDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/deleteKey":{"post":{"tags":["Keys"],"summary":"Delete a key","description":"Deletes the key identified by the keyName","operationId":"deleteKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyLabelWithPasswordDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/key/changePassword":{"post":{"tags":["Keys"],"summary":"Change key password","description":"Changes the password of a key.","operationId":"changeKeyPassword","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChangeKeyPasswordDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/key/attributes":{"post":{"tags":["Keys"],"summary":"Get key attributes","description":"Returns the attributes of a key","operationId":"getKeyAttributesWithKeyPassword","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyLabelWithPasswordDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/address":{"post":{"tags":["Keys"],"summary":"Get crypto address","description":"Returns the crypto currency address base (without checksum or network prefix) of a key in base64 
format","operationId":"getKeyAddressWithKeyPassword","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyLabelWithPasswordDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyAddressDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/importedKey":{"post":{"tags":["Keys"],"summary":"Import a key from a seed","description":"Generate a key from a given seed.","operationId":"importKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ImportKeyDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/filteredUnwrapKeyApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get unwrap task","description":"Returns all pending unwrap tasks for a given approval client (identified by public key)","operationId":"filterUnwrapTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredUnblockKeyApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get unblock key task","description":"Returns all pending unblock key tasks for a given approval client (identified by public key)","operationId":"filterUnblockKeyTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredSignApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get sign task","description":"Returns all pending sign tasks for a given approval client (identified by public key)","operationId":"filterSignTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful 
Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredSelfSignCertificateApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get self-signed task","description":"Returns all pending self-sign tasks for a given approval client (identified by public key)","operationId":"filterSelfSignTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredRequests":{"post":{"tags":["Requests"],"summary":"Get requests status","description":"Returns a list of all requests filtered by their status","operationId":"getRequestStatus","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RequestIdsByStatusRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not 
found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RequestIdsByStatusDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/filteredModifyKeyApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get modify key task","description":"Returns all pending modify key tasks for a given approval client (identified by public key)","operationId":"filterModifyKeyTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredDecryptApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get decrypt task","description":"Returns all pending decrypt tasks for a given approval client (identified by public 
key)","operationId":"filterDecryptTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredCsrSignApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get CSR task","description":"Returns all pending CSR sign tasks for a given approval client (identified by public key)","operationId":"filterCsrSignTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredCertificateSigningRequestApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get CSR task","description":"Returns all pending CSR sign tasks for a given approval client (identified by public key)","operationId":"filterCsrSignTasks_1","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredCertificateApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get certificate task","description":"Returns all pending certificate sign tasks (including self-signed) for a given approval client (identified by public key)","operationId":"filterCertificateSignTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredBlockKeyApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get block key task","description":"Returns all pending block key tasks for a given approval client (identified by public key)","operationId":"filterBlockKeyTasks","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful 
Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/filteredAllApprovalTask":{"post":{"tags":["Approval Tasks"],"summary":"Get all tasks","description":"Returns all pending tasks for a given approval client (identified by public key)","operationId":"filteredAllApprovalTask","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/FilteredTasksRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GetTasksResponseDto"}}}}}}},"/v1/fileEncrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Encrypt a file","description":"Returns the encrypted file as application/octet-stream or application/json. The key must be of type EC with curveOid 1.3.132.0.34 and the derive attribute set to 'true'","operationId":"fileEncryption","requestBody":{"content":{"multipart/form-data":{"schema":{"type":"object","properties":{"SignedFileEncryptRequestDto":{"$ref":"#/components/schemas/SignedFileEncryptRequestDto"},"file":{"type":"string","format":"binary"}},"required":["SignedFileEncryptRequestDto","file"]}}},"required":true},"responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/octet-stream":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}},"application/json":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/encrypt":{"post":{"tags":["Synchronous Key Operations"],"summary":"Encrypt a payload","operationId":"encrypt","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedEncryptRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful 
Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/EncryptRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/encapsulate":{"post":{"tags":["Synchronous Key Operations"],"summary":"Encapsulation using ML‑KEM","description":"Generate an ephemeral key pair and perform a key‑encapsulation using the ML‑KEM algorithm. The operation takes the public key, generates and encapsulates a shared secret, and returns the ciphertext along with the secret. The shared secret is returned in the response body, so handle the response as key material.","operationId":"encapsulate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/EncapsulationRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/EncapsulationResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/derivedKey":{"post":{"tags":["Keys"],"summary":"Derive a key","description":"Derive a key based on a BIP32 / SLIP10 master key (Attention: the derived key will be stored in the HSM memory). To derive an ephemeral key from the base key temporarily instead, use KeyOperations with a derivation path.","operationId":"deriveKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DeriveKeyDto"}}},"required":true},"responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/decrypt":{"post":{"tags":["Requests"],"summary":"Create decrypt request","operationId":"decrypt","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedDecryptRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DecryptRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/decapsulate":{"post":{"tags":["Synchronous Key 
Operations"],"summary":"Decapsulation using ML‑KEM","description":"Perform a key‑decapsulation using the ML‑KEM algorithm. The operation takes the encapsulated ciphertext (produced by ML‑KEM), performs the decapsulation with the private key, and returns the recovered shared secret.","operationId":"decapsulate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DecapsulateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DecapsulationResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/dataObject":{"post":{"tags":["Keys"],"summary":"Create data object","description":"Save a data object on the HSM","operationId":"saveDataObject","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataObjectDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not 
found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/createRfcTimestamp":{"post":{"tags":["Synchronous Key Operations"],"summary":"Create a RFC3161 timestamp","operationId":"createRfcTimestamp","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateRfcTimestampDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RfcTimestampDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/sign":{"post":{"tags":["Certificate"],"summary":"Create certificate","description":"Signs a CSR with a key. Output is a valid x509 Certificate. 
(Rest-API License)","operationId":"signCertificate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousSignCertificateRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/selfsign":{"post":{"tags":["Certificate"],"summary":"Create self-signed certificate","description":"Creates and attaches a self-signed certificate to the keypair. For example, this can be used to create a Certificate Authority. 
(Rest-API License)","operationId":"selfSignCertificate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SelfSignCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/rolloverSelfsign":{"post":{"tags":["Certificate"],"summary":"Rollover self-signed certificate","description":"Rolls over and attaches a self-signed certificate to the keypair. For example, this can be used to create a Certificate Authority. 
(Rest-API License)","operationId":"rolloverSelfSignCertificate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousRolloverSelfSignCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/rolloverCsr":{"post":{"tags":["Certificate"],"summary":"Rollover CSR","description":"Rollover certificate signing request (CSR) for provided key.","operationId":"rolloverCsr","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousRolloverCertificateSigningRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RolloverCsrResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/request":{"post":{"tags":["Certificate"],"summary":"Create a CSR","description":"Creates a certificate signing request (CSR) (as Json) to be signed by a Root or Intermediate-CA. (Rest-API License)","operationId":"signCsr","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousCertificateRequestRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/synchronous/request/download":{"post":{"tags":["Certificate"],"summary":"Create CSR files","description":"Creates a certificate signing request (CSR) (as file download) to be signed by a Root or Intermediate-CA. (Rest-API 
License)","operationId":"signCsrForFileDownload","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SynchronousCertificateRequestRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/octet-stream":{"schema":{"$ref":"#/components/schemas/StreamingResponseBody"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/sign":{"post":{"tags":["Certificate"],"summary":"Create certificate (SKA)","description":"Signs a CSR with a ska-key to generate a valid x509 certificate. 
(TsbEngine License)","operationId":"signCertificateWithSkaKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSignCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/selfsign":{"post":{"tags":["Certificate"],"summary":"Create self-signed certificate (SKA)","description":"Creates and attaches a self-signed certificate to the keypair. For example, this can be used to create a Certificate Authority. 
(TsbEngine License)","operationId":"selfSignCertificateWithSkaKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedSelfSignCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/rolloverSelfsign":{"post":{"tags":["Certificate"],"summary":"Rollover self-signed certificate (SKA)","description":"Rolls over and attaches a self-signed certificate to the keypair. For example, this can be used to create a Certificate Authority. 
(TsbEngine License)","operationId":"rolloverSelfSignCertificateWithSkaKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedRolloverSelfSignCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/rolloverImportCert":{"post":{"tags":["Certificate"],"summary":"Rollover and import new certificate","description":"Rollover and import new certificate for provided key.","operationId":"rolloverImportCert","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RolloverImportCertificateRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/rolloverCsr":{"post":{"tags":["Certificate"],"summary":"Rollover CSR (SKA)","description":"Rollover certificate signing request (CSR) for provided ska-key.","operationId":"rolloverCsrWithSkaKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedRolloverCertificateSigningRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/request":{"post":{"tags":["Certificate"],"summary":"Create a CSR (SKA)","description":"Creates a request for certificate signing request (CSR) to be signed by a Root or Intermediate-CA. 
(TsbEngine License)","operationId":"signCsrWithSkaKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedCertificateRequestRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/list":{"post":{"tags":["Certificate"],"summary":"List all certificates","description":"List all certificates in the keystore, in human-readable format.","operationId":"listCertificates","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateListDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateListResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/import/plain":{"post":{"tags":["Certificate"],"summary":"Import a certificate.","description":"Import a certificate to a given key. The certificate must be base64 encoded.","operationId":"importPlainCertificate","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateImportDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/block":{"post":{"tags":["Requests"],"summary":"Block key request","description":"Create a block request. 
Blocking a key is only supported if the key has smart key attributes.","operationId":"block","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedBlockKeyRequestDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"201":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/BlockKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/approverManagement/restoreFromBackup":{"post":{"tags":["Approver Management"],"summary":"Restore approver","description":"The Approver Manager restores the approver by name. 
Important: The approver remembers the backup password.","operationId":"restoreFromBackup","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverRestoreWithPasswordKnownDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverRestoreWithPasswordKnownResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/approverManagement/restoreFromBackup/forgotPassword":{"post":{"tags":["Approver Management"],"summary":"Reset approver pw","description":"The Approver Manager restores the approver by name and a new backup password if the old backupPassword has been forgotten.","operationId":"restoreFromBackupForgotPkcs12Password","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverRestoreWithPasswordUnknownDto"}}}},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not 
found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnwrapKeyRequestResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/approverManagement/renewOneTimeCode":{"post":{"tags":["Approver Management"],"summary":"Renew OneTimeCode","description":"The Approver Manager renews the one time code.","operationId":"renewOneTimeCode","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverRenewOneTimePasswordDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/approver/onboard":{"post":{"tags":["Approver Management"],"summary":"Onboard approver","description":"The approver fetches a pkcs12-container that includes the private key, public key and certificate. 
The `transportPassword` is the pkcs12 password.","operationId":"onboard","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverOnboardDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverOnboardResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/approval":{"post":{"tags":["Approval Tasks"],"summary":"Send an approval","description":"Send an approval for an existing approval task","operationId":"approveTask","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SendApprovalDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}}}},"/v1/task":{"patch":{"tags":["Approval Tasks"],"summary":"Delete single task","description":"Send a delete request for an existing approval task. <br> If a key policy requires approval by 2 out of 3 people, one of the three people can reject their task and the Sign request is still possible.<br>\nThe endpoint GET v1/request/{id} indicates whether a request (Sign, Decrypt...) is still possible (status == PENDING); you may want to watch the three properties (approvedBy, notYetApprovedBy, rejectedBy).","operationId":"deleteTask","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DeleteTaskRequestDto"}}},"required":true},"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}}}},"/v1/key/changeAttributes":{"patch":{"tags":["Keys"],"summary":"Modify key","description":"Modifies key name, password or attributes","operationId":"modifyKey","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ModifyKeyDto"}}},"required":true},"responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignedKeyAttributesDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/versionInfo":{"get":{"tags":["Service Information"],"summary":"Get REST-API version","description":"Returns information of the currently deployed service version","operationId":"getVersionInfo","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"security":[{"bearerAuth":[]}]}},"/v1/systemTime/{payload}":{"get":{"tags":["Service 
Information"],"summary":"Get System time","description":"Returns the current system time information of the first connected HSM, including a SHA256withECDSA signature with optional payload (base64), and the timestamp of the host the TSB is operating on.","operationId":"getSystemTime","parameters":[{"name":"payload","in":"query","description":"Optional payload parameter","required":false,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SystemTimeInformationDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/request/{id}":{"get":{"tags":["Requests"],"summary":"Get request by id","description":"Returns the status of a request","operationId":"getRequestStatus_1","parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RequestStatusDto"}}}}},"security":[{"bearerAuth":[]}]},"delete":{"tags":["Requests"],"summary":"Cancel request by id","description":"Cancel a request by the id generated during request creation. All associated tasks are deleted.","operationId":"cancelRequest","parameters":[{"name":"id","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/licenseInfo":{"get":{"tags":["Service Information"],"summary":"Get license","description":"Returns information about the flags activated for the license of the client","operationId":"getLicenseInfo","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/LicenseInformationDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/keystore/statistics":{"get":{"tags":["Service Information"],"summary":"Get key store statistics","operationId":"getKeyStoreStatistics","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/KeyStoreStatisticsDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/hsmInfo":{"get":{"tags":["Service Information"],"summary":"Get HSM Firmware version","description":"Returns information about the HSM that the REST API is connected to.","operationId":"getHsmInfo","responses":{"400":{"description":"Client 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"type":"object","additionalProperties":{"type":"string"}}}}}},"security":[{"bearerAuth":[]}]}},"/v1/hsm/log":{"get":{"tags":["Service Information"],"summary":"Get HSM logs","operationId":"getHsmLog","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HsmLogDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/hsm/log/{time}":{"get":{"tags":["Service Information"],"summary":"Get HSM logs by time","description":"Returns the HSM log from a specific time. 
The time must be in milliseconds (unix time)","operationId":"getHsmLogFromTime","parameters":[{"name":"time","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HsmLogDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/generateRandom/{length}":{"get":{"tags":["Synchronous Key Operations"],"summary":"Get random bytes","description":"Returns random bytes with the provided length as a base64 encoded string","operationId":"generateRandom","parameters":[{"name":"length","in":"path","required":true,"schema":{"type":"integer","format":"int32"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation 
Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenerateRandomDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/dataObject/{dataObjectName}":{"get":{"tags":["Keys"],"summary":"Get data object","description":"Retrieve a data object saved on the HSM","operationId":"retrieveDataObject","parameters":[{"name":"dataObjectName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DataObjectDto"}}}}},"security":[{"bearerAuth":[]}]},"delete":{"tags":["Keys"],"summary":"Delete data object","description":"Deletes the data object identified by the dataObjectName from the HSM","operationId":"deleteDataObject","parameters":[{"name":"dataObjectName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request 
refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/certificate/{keyName}":{"get":{"tags":["Certificate"],"summary":"Get certificate","description":"Returns the certificate of a key","operationId":"getCertificate","parameters":[{"name":"keyName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CertificateDetailLevel1"}}}}},"security":[{"bearerAuth":[]}]},"delete":{"tags":["Certificate"],"summary":"Delete certificate","description":"Deletes the certificate identified by the keyName from the 
HSM","operationId":"deleteCertificate","parameters":[{"name":"keyName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/attestation/certificate":{"get":{"tags":["Keys"],"summary":"Get attestation certificate","description":"Returns the certificate of the attestation key as a base64 encoded string","operationId":"getAttestationCertificate","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful 
Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AttestationCertificateDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/approverManagement/onboarding/status":{"get":{"tags":["Approver Management"],"summary":"Get approver status","description":"Returns a list of onboarded approvers and a list of pending onboardings","operationId":"onboardingStatus","responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ApproverOnboardingStatusResponseDto"}}}}},"security":[{"bearerAuth":[]}]}},"/v1/key/{keyName}":{"delete":{"tags":["Keys"],"summary":"Delete a key","description":"Deletes the key identified by the keyName from the HSM, the keyPassword is used when working with external storage.","operationId":"deleteKey_1","parameters":[{"name":"keyName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not 
found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}},"/v1/approverManagement/delete/{approverName}":{"delete":{"tags":["Approver Management"],"summary":"Delete approver","description":"Deletes the certificate and backup identified by the approver name.","operationId":"delete","parameters":[{"name":"approverName","in":"path","required":true,"schema":{"type":"string"}}],"responses":{"400":{"description":"Client Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"403":{"description":"Request refused","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"404":{"description":"Resource not found","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"500":{"description":"Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"501":{"description":"Implementation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReasonBasedExceptionDto"}}}},"200":{"description":"Successful Operation"}},"security":[{"bearerAuth":[]}]}}},"components":{"schemas":{"ReasonBasedExceptionDto":{"type":"object","description":"Response for a specific error when an operation can not be completed successfully.","properties":{"errorCode":{"type":"integer","format":"int32","description":"The code of the error."},"reason":{"type":"string","description":"The reason for the error."},"message":{"type":"string","description":"The message containing why the error was returned by 
the application."}}},"ApproverCreateDto":{"type":"object","description":"Creating an approver key-pair, based on approver name (key-name) and backup password.","properties":{"approverName":{"type":"string","description":"The name of the approver e.g. the e-mail address","minLength":1},"algorithm":{"type":"string","description":"The algorithm with which the key should be created.","enum":["RSA"],"example":"RSA","minLength":1},"keySize":{"type":"integer","format":"int32","description":"The length of the key. Only applicable for RSA.","example":2048},"backupPassword":{"type":"array","items":{"type":"string"},"minItems":1},"validity":{"type":"integer","format":"int32","description":"The days from today after which the certificate is not valid. e.g. 3650 //valid for 10 years.","example":3650},"qrCode":{"type":"boolean","description":"If true, a QR code will be generated and returned instead of OTP.","example":false}},"required":["algorithm","approverName","backupPassword"]},"ApproverCreateResponseDto":{"type":"object","description":"Response containing the OneTimeCode or QR Code image.","properties":{"oneTimeCode":{"type":"array","items":{"pattern":"^.{1}$"}},"qrCodeImage":{"type":"string","format":"byte","description":"PNG-encoded QR Code image with encrypted data."}}},"ImportXpubDto":{"type":"object","description":"Request body for importing an XPUB (extended public-key) with chaincode.","properties":{"label":{"type":"string","default":"keyname","description":"The name of associated public-key.","minLength":1},"xpub":{"type":"string","default":"xpub661MyMwAqRbcFPsThmBgvXxDexELiPi6kQxfBb3piHRY3Mem2N1i1ZZCHECVaJJ1oALTVHFk4LinJLqC61ySRZNTLfoY92RRUuJpcffA8Ci","description":"The extended public key (xpub, base58) to be imported into the HSM as public key with chaincode.","minLength":1}},"required":["label","xpub"]},"ImportXpubResponseDto":{"type":"object","description":"The base58 encoded 
Xpub.","properties":{"publicKey":{"type":"string","format":"base64","description":"The base64 DER encoded public-key of an xpub structure","minLength":1},"compressedPublicKey":{"type":"string","format":"base64","description":"The compressed DER encoded public-key (base64) of an xpub structure","minLength":1},"chainCode":{"type":"string","description":"The base64 encoded chaincode","minLength":1}},"required":["chainCode","compressedPublicKey","publicKey"]},"ExportXpubDto":{"type":"object","properties":{"label":{"type":"string","default":"keyname","description":"The name of the public-key, for derivation specify a derivation-path like: key-name/1/2/3","minLength":1},"network":{"type":"string","default":"0x0488b21e","description":"The network kind this key is to be used on, 0x0488b21e (Bitcoin Mainnet public key), 0x043587cf (Bitcoin Testnet public key)"}},"required":["label"]},"ExportXpubResponseDto":{"type":"object","properties":{"xpub":{"type":"string","format":"base58","description":"The base58 encoded xpub of a DER encoded public key with network_kind, depth, parent_fingerprint, child_number, chain_code","minLength":1},"publicKey":{"type":"string","format":"base64","description":"The base64 encoded public-key (DER)","minLength":1},"compressedPublicKey":{"type":"string","format":"base64","description":"The compressed base64 encoded public-key (DER)","minLength":1},"parentFingerprint":{"type":"string","format":"hex","description":"The hex encoded first four bytes (fingerprint) of the hashed parent's public-key. The first 4-bytes of the hex(RIPEMD160(SHA256(compressed public-key, 33-bytes))). 
// 0 is the master key."},"depth":{"type":"integer","format":"int32","default":0,"description":"How many derivations this key is from the master (which is 0)"},"childNumber":{"type":"integer","format":"int32","default":0,"description":"Child number of the key used to derive from parent (0 for master)"},"chainCode":{"type":"string","description":"The base64 encoded chaincode of the public-key","minLength":1}},"required":["chainCode","compressedPublicKey","publicKey","xpub"]},"SignatureDto":{"type":"object","description":"Contains the signature and information how the signature was calculated.","properties":{"signature":{"type":"string","format":"base64","description":"Signature for a JSON object (base64 encoded).<br>Format of the signature is depending on the algorithm used and as returned when using a JDK's native Signature.sign() method.<br>Example (EC key):<br>echo \"MEUCIDOsDySFOWOcMKulHmR3uB8YCF7oX+vQ4dU8ooYC1OCvAiEApwMbu7nF19woZhO/KCIRV1api8oa/QCV2M2pcINAnEQ=\" | base64 -D | openssl asn1parse -inform DER<br>    0:d=0  hl=2 l=  69 cons: SEQUENCE<br>\"\n    2:d=1  hl=2 l=  32 prim: INTEGER           :33AC0F248539639C30ABA51E6477B81F18085EE85FEBD0E1D53CA28602D4E0AF<br>   36:d=1  hl=2 l=  33 prim: INTEGER           :A7031BBBB9C5D7DC286613BF2822115756A98BCA1AFD0095D8CDA97083409C44","minLength":1},"digestAlgorithm":{"type":"string","description":"The message digest algorithm that was used for computing the request signature.","enum":["SHA-224","SHA-256","SHA-384","SHA-512","SHA3-224","SHA3-256","SHA3-384","SHA3-512"],"example":"SHA-256","minLength":1},"publicKey":{"type":"string","format":"base64","description":"The public key (base64 encoded) that belongs to the private key used to calculate the signature."},"allowedRequestCertificate":{"type":"string","description":"The PEM encoded certificate in the format (-----BEGIN CERTIFICATE-----\nMII....\n-----END CERTIFICATE-----), that is onboarded in the 'allowedRequestSignatureCertificates' that belongs to the private 
key used to calculate the signature. If the certificate is not specified in the list, the request will be rejected."}},"required":["digestAlgorithm","signature"]},"SignedWrapKeyRequestDto":{"type":"object","description":"Contains a wrap key request and optionally the request's signature.","properties":{"wrapKeyRequest":{"$ref":"#/components/schemas/WrapKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["wrapKeyRequest"]},"WrapKeyRequestDto":{"type":"object","description":"Wrap key request.","properties":{"keyToBeWrapped":{"type":"string","default":"keyname","description":"Name of the key that shall be wrapped","minLength":1},"keyToBeWrappedPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"wrapKeyName":{"type":"string","description":"Name of the key with which the key shall be wrapped.","minLength":1},"wrapKeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"wrapMethod":{"type":"string","description":"The wrap method to be used. The chosen method has to be compatible with the types of the referenced keys","enum":["AES_WRAP","AES_WRAP_DSA","AES_WRAP_EC","AES_WRAP_ED","AES_WRAP_RSA","AES_WRAP_BLS","AES_WRAP_PAD","AES_WRAP_PAD_DSA","AES_WRAP_PAD_EC","AES_WRAP_PAD_ED","AES_WRAP_PAD_RSA","AES_WRAP_PAD_BLS","RSA_WRAP_PAD","RSA_WRAP_OAEP"]}},"required":["keyToBeWrapped","wrapKeyName","wrapMethod"]},"WrapKeyRequestResponseDto":{"type":"object","description":"Response for a wrap key request.","properties":{"wrappedKey":{"type":"string","format":"byte","description":"The wrapped key (base64 encoded)."}}},"SignedVerifySignatureRequestDto":{"type":"object","description":"Contains a verify signature request and optionally the request's signature.","properties":{"verifySignatureRequest":{"$ref":"#/components/schemas/VerifySignatureRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["verifySignatureRequest"]},"VerifySignatureRequestDto":{"type":"object","description":"Verify signature 
request.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload was signed. For signature verification of a derived key, append the full derivation path to the key name, e.g. MyKey/1/2/3.","minLength":1},"signKeyObject":{"type":"string","format":"base64","description":"External key object with which the request shall be verified. Subscription for External Keystore required."},"masterKeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signatureAlgorithm":{"type":"string","description":"The signature algorithm that was used to sign the payload.","enum":["SHA224_WITH_RSA_PSS","SHA256_WITH_RSA_PSS","SHA384_WITH_RSA_PSS","SHA512_WITH_RSA_PSS","NONE_WITH_DSA","SHA224_WITH_DSA","SHA256_WITH_DSA","SHA384_WITH_DSA","SHA512_WITH_DSA","NONE_WITH_RSA","SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","NONESHA224_WITH_RSA","NONESHA256_WITH_RSA","NONESHA384_WITH_RSA","NONESHA512_WITH_RSA","NONE_WITH_ECDSA","SHA1_WITH_ECDSA","SHA224_WITH_ECDSA","SHA256_WITH_ECDSA","DOUBLE_SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA","SHA3224_WITH_ECDSA","SHA3256_WITH_ECDSA","SHA3384_WITH_ECDSA","SHA3512_WITH_ECDSA","SHA256_WITH_ECDSA_DETERMINISTIC","EDDSA","KECCAK224_WITH_ECDSA","KECCAK256_WITH_ECDSA","KECCAK384_WITH_ECDSA","KECCAK512_WITH_ECDSA","ISS_KERL","SHA1_WITH_RSA","SHA1_WITH_DSA","NONESHA1_WITH_RSA","SHA1_WITH_RSA_PSS","BLS","LMS","HMAC_SHA256","NONE_WITH_EC_SCHNORR_BIP0340","ML_DSA","ML_DSA_M","SLH_DSA","SHA2_224_WITH_ML_DSA","SHA2_256_WITH_ML_DSA","SHA2_384_WITH_ML_DSA","SHA2_512_WITH_ML_DSA","SHA3_224_WITH_ML_DSA","SHA3_256_WITH_ML_DSA","SHA3_384_WITH_ML_DSA","SHA3_512_WITH_ML_DSA","SHAKE_128_WITH_ML_DSA","SHAKE_256_WITH_ML_DSA","SHA2_224_WITH_SLH_DSA","SHA2_256_WITH_SLH_DSA","SHA2_384_WITH_SLH_DSA","SHA2_512_WITH_SLH_DSA","SHA3_224_WITH_SLH_DSA","SHA3_256_WITH_SLH_DSA","SHA3_384_WITH_SLH_DSA","SHA3_512_WITH_SLH_DSA","SHAKE_128_WITH_SLH_DSA","SHAKE_256_WITH_SLH_DSA"]},"payload":
{"type":"string","format":"base64","description":"Payload (base64 encoded) for which the signature was created.","minLength":1},"payloadType":{"type":"string","default":"UNSPECIFIED","description":"The type of the payload used to decode the payload, default is base64.","enum":["UNSPECIFIED","ISO_20022","PDF","BTC","ETH","HEX"]},"context":{"type":"string","format":"base64","description":"(Optional) Base64 encoded context bytes for ML-DSA & SLH-DSA. The context is included in the message hash computation; it provides domain separation by binding the signature to a specific use case (e.g., different protocols or applications), which prevents cross-protocol attacks."},"taprootTweakData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'taprootTweakData' (base64, 32 raw bytes), used in signing with key-path, if specified 'merkleRootData' must be empty."},"merkleRootData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'merkleRootData', used in signing with script-path (multi-sig), if specified 'taprootTweakData' must be empty."},"signature":{"type":"string","format":"base64","description":"The signature to be verified.","minLength":1}},"required":["payload","signKeyName","signature","signatureAlgorithm"]},"VerifySignatureRequestResponseDto":{"type":"object","description":"Response for a verify signature request.","properties":{"signatureValid":{"type":"boolean","description":"Response if the signature is valid or not."}}},"CreateKeyAttributes":{"type":"object","description":"The attributes of the key that should be created. At least one operation (decrypt, sign, unwrap) must be allowed (true).","properties":{"encrypt":{"type":"boolean","description":"If true the key can be used to encrypt data. 
This attribute is only supported for symmetric keys."},"decrypt":{"type":"boolean","description":"If true the key can be used to decrypt data."},"verify":{"type":"boolean","description":"This attribute is only supported for symmetric keys."},"sign":{"type":"boolean","description":"If true the key can sign."},"wrap":{"type":"boolean","description":"If true the key can be used to wrap another key. This attribute is only supported for symmetric keys."},"unwrap":{"type":"boolean","description":"If true the key can be used to unwrap keys."},"derive":{"type":"boolean","default":false,"description":"If true it is possible to derive from this key."},"bip32":{"type":"boolean","default":false,"description":"If true the key derivation is done using BIP32 / SLIP10. This option can only be true if the key's algorithm is EC or ED and the derive attribute is true."},"slip10":{"type":"boolean","default":false,"description":"If true the key derivation is done using SLIP-0010. This option can only be true if the key's algorithm is EC or ED and the derive attribute is true."},"extractable":{"type":"boolean","default":false,"description":"If true the key is extractable. This option can only be true for keys without smart key attributes."},"modifiable":{"type":"boolean","default":true,"description":"If true the key can be modified. The 'modifiable' attribute applies exclusively to the key attribute and not to SKA-Policy."},"destroyable":{"type":"boolean","default":false,"description":"If true the key can be deleted."},"sensitive":{"type":"boolean","description":"If true the key is sensitive. 
To export a key sensitive must be false"},"copyable":{"type":"boolean","default":false,"description":"If true the encrypted key can be stored in an external memory"},"rollover":{"type":"boolean","default":false,"description":"If true the key can be used for rollover."}},"required":["decrypt","sign","unwrap"]},"SignedUnwrapKeyRequestDto":{"type":"object","description":"Contains an unwrap request and optionally the requests signature.","properties":{"unwrapKeyRequest":{"$ref":"#/components/schemas/UnwrapKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["unwrapKeyRequest"]},"UnwrapKeyRequestDto":{"type":"object","description":"Unwrap key request.","properties":{"wrappedKey":{"type":"string","format":"base64","description":"The key (base64 encoded) that shall be unwrapped","minLength":1},"label":{"type":"string","default":"keyname","description":"The name of the key with which the unwrapped key shall be saved on the HSM","minLength":1},"attributes":{"$ref":"#/components/schemas/CreateKeyAttributes"},"unwrapKeyName":{"type":"string","description":"Name of the key with which the key shall be unwrapped.","minLength":1},"unwrapKeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client"},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"wrapMethod":{"type":"string","description":"The wrap method to be used. 
The chosen method has to be compatible with the types of the referenced keys","enum":["AES_WRAP","AES_WRAP_DSA","AES_WRAP_EC","AES_WRAP_ED","AES_WRAP_RSA","AES_WRAP_BLS","AES_WRAP_PAD","AES_WRAP_PAD_DSA","AES_WRAP_PAD_EC","AES_WRAP_PAD_ED","AES_WRAP_PAD_RSA","AES_WRAP_PAD_BLS","RSA_WRAP_PAD","RSA_WRAP_OAEP"]}},"required":["attributes","label","unwrapKeyName","wrapMethod","wrappedKey"]},"UnwrapKeyRequestResponseDto":{"type":"object","description":"Response for an unwrap request.","properties":{"unwrapRequestId":{"type":"string","description":"The id that has been assigned to the unwrap request."}}},"SignedUnblockKeyRequestDto":{"type":"object","description":"Contains an unblock key request and optionally the requests signature.","properties":{"unblockRequest":{"$ref":"#/components/schemas/UnblockKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["unblockRequest"]},"UnblockKeyRequestDto":{"type":"object","description":"Unblock key request.","properties":{"unblockKeyName":{"type":"string","default":"keyname","description":"Name of the key which shall be unblocked.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."}},"required":["unblockKeyName"]},"UnblockKeyRequestResponseDto":{"type":"object","description":"Response for an unblock key request","properties":{"unblockKeyRequestId":{"type":"string","description":"The id that has been assigned to the unblock key request"}}},"Approval":{"type":"object","description":"Contains information about the approval client that can send an approval (EC, RSA, ED).","properties":{"type":{"type":"string","description":"The type of the 
approval.","enum":["certificate","public_key","onboarded_approver_certificate"]},"name":{"type":"string","description":"The name of the approval. Only supported if type is 'public_key' or 'onboarded_approver_certificate'. If type is 'certificate' the common name in the certificate is used as name."},"value":{"type":"string","description":"Either the public key if the type of the approval is public_key or a certificate (base64 encoded) if the type is certificate, leave empty or remove if type 'onboarded_approver_certificate' is used."}},"required":["type"]},"Group":{"type":"object","description":"Contains a list of approvals. Approval clients in this list can approve the request to reach the quorum of the group.","properties":{"name":{"type":"string","description":"The name of the group."},"quorum":{"type":"integer","format":"int32","description":"The quorum of the group."},"approvals":{"type":"array","description":"The list of approval clients that can send an approval.","items":{"$ref":"#/components/schemas/Approval"}}},"required":["approvals","quorum"]},"KeyStatus":{"type":"object","description":"The status of a key.","properties":{"blocked":{"type":"boolean","description":"If true the key is blocked.","example":false}},"required":["blocked"]},"PolicyDto":{"type":"object","description":"The policy of a key. Only Asymmetric keys can have a policy (EC, ED, RSA,...). It contains the rules to use this key for signing a payload in a sign request, the rules to block and unblock this key, and the rules to modify the policy of this key. If a rule is empty the associated operation can be performed without any approvals. If the policy is empty the key does not use smart key attributes and it is not possible to add them later. 
If a policy is used with the key, the key cannot be exported.","properties":{"ruleUse":{"$ref":"#/components/schemas/Rule"},"ruleBlock":{"$ref":"#/components/schemas/Rule"},"ruleUnblock":{"$ref":"#/components/schemas/Rule"},"ruleModify":{"$ref":"#/components/schemas/Rule"},"keyStatus":{"$ref":"#/components/schemas/KeyStatus"}},"required":["keyStatus"]},"Rule":{"type":"object","description":"A rule contains multiple tokens. If all groups in a token reach their quorum of approvals the rule is fulfilled and the associated operation is performed on the HSM.","properties":{"tokens":{"type":"array","description":"The list of tokens in the rule.","items":{"$ref":"#/components/schemas/Token"}}}},"SignedSynchronousUnwrapKeyRequestDto":{"type":"object","description":"Contains an unwrap request and optionally the requests signature.","properties":{"unwrapKeyRequest":{"$ref":"#/components/schemas/SynchronousUnwrapKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["unwrapKeyRequest"]},"SynchronousUnwrapKeyRequestDto":{"type":"object","description":"Synchronous unwrap key request.","properties":{"wrappedKey":{"type":"string","format":"base64","description":"The key (base64 encoded) that shall be unwrapped","minLength":1},"label":{"type":"string","default":"keyname","description":"The name of the key with which the unwrapped key shall be saved on the HSM","minLength":1},"attributes":{"$ref":"#/components/schemas/CreateKeyAttributes"},"unwrapKeyName":{"type":"string","description":"Name of the key with which the key shall be unwrapped.","minLength":1},"unwrapKeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"wrapMethod":{"type":"string","description":"The wrap method to be used. 
The chosen method has to be compatible with the types of the referenced keys","enum":["AES_WRAP","AES_WRAP_DSA","AES_WRAP_EC","AES_WRAP_ED","AES_WRAP_RSA","AES_WRAP_BLS","AES_WRAP_PAD","AES_WRAP_PAD_DSA","AES_WRAP_PAD_EC","AES_WRAP_PAD_ED","AES_WRAP_PAD_RSA","AES_WRAP_PAD_BLS","RSA_WRAP_PAD","RSA_WRAP_OAEP"]},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously unwrap with a SKA key. A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. The DER encoded public key of the approval client."}},"policy":{"$ref":"#/components/schemas/PolicyDto"}},"required":["attributes","label","unwrapKeyName","wrapMethod","wrappedKey"]},"Token":{"type":"object","description":"Contains multiple groups of approvals. A token is only valid for a specified time window. The time windows can be disabled by setting timelock and timeout to 0 which makes the token immediately active and never expiring.","properties":{"name":{"type":"string","description":"The name of the token."},"timelock":{"type":"integer","format":"int32","description":"The amount of time in seconds after which the token is valid starting from the creation time of the request. The value must be a multiple of 60 as the seconds must represent full minutes. When the timelock is set to 0 the token is immediately active."},"timeout":{"type":"integer","format":"int32","description":"The amount of time in seconds after which the token is no longer valid starting from the creation time of the request. The value must be a multiple of 60 as the seconds must represent full minutes. 
When the timeout is set to 0 the token is forever valid."},"groups":{"type":"array","description":"The list of groups in the token.","items":{"$ref":"#/components/schemas/Group"}}},"required":["timelock","timeout"]},"SignedSynchronousUnblockKeyRequestDto":{"type":"object","description":"Contains a synchronous unblock key request and optionally the requests signature.","properties":{"unblockRequest":{"$ref":"#/components/schemas/SynchronousUnblockKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["unblockRequest"]},"SynchronousUnblockKeyRequestDto":{"type":"object","description":"Synchronous unblock key request. Only supports SKA keys.","properties":{"unblockKeyName":{"type":"string","default":"keyname","description":"Name of the key which shall be unblocked.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously unblock with a SKA key. A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. The DER encoded public key of the approval client."}}},"required":["unblockKeyName"]},"SignedSynchronousSignRequestDto":{"type":"object","description":"Contains a synchronous sign request and optionally the requests signature. 
Character '/' is used for key-derivation and should be avoided in keyName; encode the keyname if it contains '/'.","properties":{"signRequest":{"$ref":"#/components/schemas/SynchronousSignRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["signRequest"]},"SynchronousSignRequestDto":{"type":"object","description":"Synchronous sign request.","properties":{"payload":{"type":"string","format":"base64, hex","description":"Payload that shall be signed.","minLength":1},"payloadType":{"type":"string","default":"UNSPECIFIED","description":"The type of the payload used to decode the payload, default is base64.","enum":["UNSPECIFIED","ISO_20022","PDF","BTC","ETH","HEX"]},"signKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the request shall be signed. Note: to create a sign request for a BIP32 / SLIP10 derived key, make sure you have already created a master key that is BIP32 / SLIP10 capable. Then use the master key name and add the derivation path (e.g. \"TESTKEY/0'/1'/2\").","minLength":1},"signKeyObject":{"type":"string","format":"base64","description":"External key object with which the request shall be signed. Subscription for External Keystore required."},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. 
The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName param.","enum":["SHA224_WITH_RSA_PSS","SHA256_WITH_RSA_PSS","SHA384_WITH_RSA_PSS","SHA512_WITH_RSA_PSS","NONE_WITH_DSA","SHA224_WITH_DSA","SHA256_WITH_DSA","SHA384_WITH_DSA","SHA512_WITH_DSA","NONE_WITH_RSA","SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","NONESHA224_WITH_RSA","NONESHA256_WITH_RSA","NONESHA384_WITH_RSA","NONESHA512_WITH_RSA","NONE_WITH_ECDSA","SHA1_WITH_ECDSA","SHA224_WITH_ECDSA","SHA256_WITH_ECDSA","DOUBLE_SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA","SHA3224_WITH_ECDSA","SHA3256_WITH_ECDSA","SHA3384_WITH_ECDSA","SHA3512_WITH_ECDSA","SHA256_WITH_ECDSA_DETERMINISTIC","EDDSA","KECCAK224_WITH_ECDSA","KECCAK256_WITH_ECDSA","KECCAK384_WITH_ECDSA","KECCAK512_WITH_ECDSA","ISS_KERL","SHA1_WITH_RSA","SHA1_WITH_DSA","NONESHA1_WITH_RSA","SHA1_WITH_RSA_PSS","BLS","LMS","HMAC_SHA256","NONE_WITH_EC_SCHNORR_BIP0340","ML_DSA","ML_DSA_M","SLH_DSA","SHA2_224_WITH_ML_DSA","SHA2_256_WITH_ML_DSA","SHA2_384_WITH_ML_DSA","SHA2_512_WITH_ML_DSA","SHA3_224_WITH_ML_DSA","SHA3_256_WITH_ML_DSA","SHA3_384_WITH_ML_DSA","SHA3_512_WITH_ML_DSA","SHAKE_128_WITH_ML_DSA","SHAKE_256_WITH_ML_DSA","SHA2_224_WITH_SLH_DSA","SHA2_256_WITH_SLH_DSA","SHA2_384_WITH_SLH_DSA","SHA2_512_WITH_SLH_DSA","SHA3_224_WITH_SLH_DSA","SHA3_256_WITH_SLH_DSA","SHA3_384_WITH_SLH_DSA","SHA3_512_WITH_SLH_DSA","SHAKE_128_WITH_SLH_DSA","SHAKE_256_WITH_SLH_DSA"]},"signatureType":{"type":"string","description":"The type of the signature result (default is DER). \nDER: ASN.1 DER-encoded signature (default). \nETH: Ethereum-compatible signature with R,S,V components. \nRAW (for EC-Keys only): Concatenated R and S values without encoding (R||S). 
\nAll results are base64-encoded.","enum":["ETH","DER","RAW"],"example":"DER"},"context":{"type":"string","format":"base64","description":"(Optional) Base64 encoded context bytes for ML-DSA & SLH-DSA, which are included in the message hash computation. The context provides domain separation and binds the signature to a specific use case (e.g., different protocols or applications), which prevents cross-protocol attacks."},"auxiliaryRandomData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'auxiliaryRandomData' (base64, 32 raw bytes), if not specified, the HSM generates random aux_data"},"taprootTweakData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'taprootTweakData' (base64, 32 raw bytes), used in signing with key-path, if specified 'merkleRootData' must be empty."},"merkleRootData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340  only, specify 'merkleRootData', used in signing with script-path (multi-sig), if specified 'taprootTweakData' must be empty."},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously sign with a SKA key. A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. 
The DER encoded public key of the approval client."}}},"required":["payload","signKeyName","signatureAlgorithm"]},"SynchronousSignRequestResponseDto":{"type":"object","description":"Response to a synchronous sign request.","properties":{"signature":{"type":"string","description":"The signature that has been created."},"publicNonce":{"type":"string","description":"In BIP-0340, the Public Nonce (denoted as point R) is a component of Schnorr signatures that ensures security by introducing randomness into the signing process"}}},"ModifyPolicyDto":{"type":"object","description":"The new policy that shall be applied to a key. Contains the rules to use this key for signing a payload in a sign request, the rules to block and unblock this key, and the rules to modify the policy of this key. If a rule is empty the associated operation can be performed without any approvals.","properties":{"ruleUse":{"$ref":"#/components/schemas/Rule"},"ruleBlock":{"$ref":"#/components/schemas/Rule"},"ruleUnblock":{"$ref":"#/components/schemas/Rule"},"ruleModify":{"$ref":"#/components/schemas/Rule"}}},"SignedSynchronousModifyKeyRequestDto":{"type":"object","description":"Contains a synchronous modify key request and optionally the requests signature.","properties":{"modifyRequest":{"$ref":"#/components/schemas/SynchronousModifyKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["modifyRequest"]},"SynchronousModifyKeyRequestDto":{"type":"object","description":"Synchronous modify key request. Only supports SKA keys.","properties":{"modifyKeyName":{"type":"string","default":"keyname","description":"Name of the key which shall be modified.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"policy":{"$ref":"#/components/schemas/ModifyPolicyDto"},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously modify with an SKA key. 
A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. The DER encoded public key of the approval client."}}},"required":["modifyKeyName","policy"]},"HmacRequestDto":{"type":"object","description":"HMAC request.","properties":{"keyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload shall be hashed.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"payload":{"type":"string","format":"byte","description":"Payload (base64 encoded) that shall be hashed.","minLength":1}},"required":["keyName","payload"]},"SignedHmacRequestDto":{"type":"object","description":"Contains an HMAC request and optionally the requests signature.","properties":{"hmacRequest":{"$ref":"#/components/schemas/HmacRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["hmacRequest"]},"HmacRequestResponseDto":{"type":"object","description":"Response for an hmac request.","properties":{"keyedHash":{"type":"string","description":"The base64-encoded keyed-hash."}}},"FileVerifyDecryptRequestDto":{"type":"object","description":"Request DTO for verifying the digital signature and decrypting an encrypted file. Contains the key identifiers and password required to perform decryption and signature verification.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"Identifier for the signature verification key. This value specifies the public key that corresponds to the private key used for signing the file.","minLength":1},"encryptionKeyName":{"type":"string","default":"keyname","description":"Identifier for the encryption key used to decrypt the file. 
This key can be either symmetric (e.g., AES) or, if the encryption key is wrapped, asymmetric (e.g., RSA)."},"encryptKeyPassword":{"type":"array","items":{"default":"a","pattern":"^.{1,}$"}}},"required":["signKeyName"]},"SignedSynchronousFileVerifyDecryptRequestDto":{"type":"object","description":"Request metadata and decryption parameters.","properties":{"fileVerifyDecryptRequestDto":{"$ref":"#/components/schemas/FileVerifyDecryptRequestDto"}}},"StreamingResponseBody":{},"EncryptionKeyWrappingRequestDto":{"type":"object","properties":{"wrapKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the key shall be wrapped."},"wrapMethod":{"type":"string","default":"RSA_WRAP_OAEP","description":"The wrap method to be used. The chosen method has to be compatible with the types of the referenced keys (RSA_WRAP_PAD, RSA_WRAP_OAEP)","enum":["AES_WRAP","AES_WRAP_DSA","AES_WRAP_EC","AES_WRAP_ED","AES_WRAP_RSA","AES_WRAP_BLS","AES_WRAP_PAD","AES_WRAP_PAD_DSA","AES_WRAP_PAD_EC","AES_WRAP_PAD_ED","AES_WRAP_PAD_RSA","AES_WRAP_PAD_BLS","RSA_WRAP_PAD","RSA_WRAP_OAEP"]},"wrapKeyPassword":{"type":"array","items":{"default":"a","pattern":"^.{1}$"}}}},"FileSignEncryptRequestDto":{"type":"object","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The identifier of the key used for digital signing. This key must be available on the signing server and corresponds to the private key used to create the signature.","minLength":1},"signKeyPassword":{"type":"array","items":{"default":"a","pattern":"^.{1,}$"}},"signatureAlgorithm":{"type":"string","default":"SHA256_WITH_RSA","description":"The signature algorithm to be used for signing the file. 
This algorithm must be compatible with the key referenced by the 'signKeyName' parameter.","enum":["SHA224_WITH_RSA_PSS","SHA256_WITH_RSA_PSS","SHA384_WITH_RSA_PSS","SHA512_WITH_RSA_PSS","NONE_WITH_DSA","SHA224_WITH_DSA","SHA256_WITH_DSA","SHA384_WITH_DSA","SHA512_WITH_DSA","NONE_WITH_RSA","SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","NONESHA224_WITH_RSA","NONESHA256_WITH_RSA","NONESHA384_WITH_RSA","NONESHA512_WITH_RSA","NONE_WITH_ECDSA","SHA1_WITH_ECDSA","SHA224_WITH_ECDSA","SHA256_WITH_ECDSA","DOUBLE_SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA","SHA3224_WITH_ECDSA","SHA3256_WITH_ECDSA","SHA3384_WITH_ECDSA","SHA3512_WITH_ECDSA","SHA256_WITH_ECDSA_DETERMINISTIC","EDDSA","KECCAK224_WITH_ECDSA","KECCAK256_WITH_ECDSA","KECCAK384_WITH_ECDSA","KECCAK512_WITH_ECDSA","ISS_KERL","SHA1_WITH_RSA","SHA1_WITH_DSA","NONESHA1_WITH_RSA","SHA1_WITH_RSA_PSS","BLS","LMS","HMAC_SHA256","NONE_WITH_EC_SCHNORR_BIP0340","ML_DSA","ML_DSA_M","SLH_DSA","SHA2_224_WITH_ML_DSA","SHA2_256_WITH_ML_DSA","SHA2_384_WITH_ML_DSA","SHA2_512_WITH_ML_DSA","SHA3_224_WITH_ML_DSA","SHA3_256_WITH_ML_DSA","SHA3_384_WITH_ML_DSA","SHA3_512_WITH_ML_DSA","SHAKE_128_WITH_ML_DSA","SHAKE_256_WITH_ML_DSA","SHA2_224_WITH_SLH_DSA","SHA2_256_WITH_SLH_DSA","SHA2_384_WITH_SLH_DSA","SHA2_512_WITH_SLH_DSA","SHA3_224_WITH_SLH_DSA","SHA3_256_WITH_SLH_DSA","SHA3_384_WITH_SLH_DSA","SHA3_512_WITH_SLH_DSA","SHAKE_128_WITH_SLH_DSA","SHAKE_256_WITH_SLH_DSA"]},"encryptionKeyName":{"type":"string","default":"keyname","description":"The identifier of the symmetric encryption key (e.g., AES) used for encrypting the file."},"encryptKeyPassword":{"type":"array","items":{"default":"a","pattern":"^.{1,}$"}},"cipherAlgorithm":{"type":"string","default":"AES_GCM","description":"The cipher algorithm to be used for file 
encryption.","enum":["RSA_PADDING_OAEP_WITH_SHA512","RSA","RSA_PADDING_OAEP_WITH_SHA224","RSA_PADDING_OAEP_WITH_SHA256","RSA_PADDING_OAEP_WITH_SHA1","RSA_PADDING_OAEP","RSA_PADDING_OAEP_WITH_SHA384","RSA_PADDING_PKCS","RSA_NO_PADDING","AES_GCM","AES_CTR","AES_ECB","AES_CBC_NO_PADDING","AES","CHACHA20","CHACHA20_AEAD","CAMELLIA","CAMELLIA_CBC_NO_PADDING","CAMELLIA_ECB","TDEA_CBC","TDEA_ECB","TDEA_CBC_NO_PADDING"]},"encryptionKeyWrappingRequestDto":{"$ref":"#/components/schemas/EncryptionKeyWrappingRequestDto","description":"(Optional) Wrapping instructions for the encryption key. Used if the symmetric encryption key is wrapped with an RSA or EC key."},"additionalAuthenticationData":{"type":"string","format":"base64","description":"Additional authentication data (AAD) used with encryption algorithms that support AAD (e.g., AES-GCM). This value must be provided as a Base64-encoded string."},"tagLength":{"type":"integer","format":"int","description":"The length (in bits) of the Message Authentication Code (MAC) used in AES-GCM encryption. This tag authenticates the integrity of the data and the sender. Supported tag lengths: 0, 64, 96, 104, 112, 120, 128."}},"required":["cipherAlgorithm","encryptionKeyName","signKeyName","signatureAlgorithm"]},"SignedSynchronousFileSignEncryptRequestDto":{"type":"object","description":"Request metadata and encryption parameters.","properties":{"fileSignAndEncryptRequestDto":{"$ref":"#/components/schemas/FileSignEncryptRequestDto","description":"Request DTO that contains the signing and encryption parameters."}}},"SignedFileDecryptRequestDto":{"type":"object","description":"Contains a file decrypt request.","properties":{"fileDecryptRequest":{"$ref":"#/components/schemas/SynchronousFileDecryptRequestDto"}},"required":["fileDecryptRequest"]},"SynchronousFileDecryptRequestDto":{"type":"object","description":"File decrypt request. 
Only supported by EC keys.","properties":{"decryptKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload shall be decrypted.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["decryptKeyName"]},"SignedSynchronousDecryptRequestDto":{"type":"object","description":"Contains a synchronous decrypt request and optionally the requests signature.","properties":{"decryptRequest":{"$ref":"#/components/schemas/SynchronousDecryptRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["decryptRequest"]},"SynchronousDecryptRequestDto":{"type":"object","description":"Synchronous decrypt request. Only supported by RSA keys.","properties":{"encryptedPayload":{"type":"string","format":"byte","description":"Encrypted payload (base64 encoded) that shall be decrypted.","minLength":1},"decryptKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload shall be decrypted.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"cipherAlgorithm":{"type":"string","description":"The cipher algorithm to be used.","enum":["RSA_PADDING_OAEP_WITH_SHA512","RSA","RSA_PADDING_OAEP_WITH_SHA224","RSA_PADDING_OAEP_WITH_SHA256","RSA_PADDING_OAEP_WITH_SHA1","RSA_PADDING_OAEP","RSA_PADDING_OAEP_WITH_SHA384","RSA_PADDING_PKCS","RSA_NO_PADDING","AES_GCM","AES_CTR","AES_ECB","AES_CBC_NO_PADDING","AES","CHACHA20","CHACHA20_AEAD","CAMELLIA","CAMELLIA_CBC_NO_PADDING","CAMELLIA_ECB","TDEA_CBC","TDEA_ECB","TDEA_CBC_NO_PADDING"]},"initializationVector":{"type":"string","description":"The initialization vector (base64 encoded) used to encrypt the payload. Can be empty if the cipher algorithm used does not require an initialization vector."},"additionalAuthenticationData":{"type":"string","format":"base64","description":"Additional authentication data (aad) used when decrypting payload. 
Can be empty if none were used when encrypting the payload"},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously decrypt with a SKA key. A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. The DER encoded public key of the approval client."}},"tagLength":{"type":"integer","format":"int","description":"The MAC (Message Authentication Code) is a fixed-length value that is included in the ciphertext and used to authenticate the integrity of the data and the authenticity of the sender. \nSupported tag_length: 0, 64, 96, 104, 112, 120, 128"},"derivationValue":{"type":"integer","format":"int64","description":"(optional) If the key supports rollover, the derivation index (salt) for the kdf, if not specified it takes the latest derivation index."}},"required":["cipherAlgorithm","decryptKeyName","encryptedPayload"]},"SynchronousDecryptRequestResponseDto":{"type":"object","description":"Response to a synchronous decrypt request.","properties":{"payload":{"type":"string","description":"The payload that has been decrypted."}}},"SignedSynchronousBlockKeyRequestDto":{"type":"object","description":"Contains a synchronous block key request and optionally the requests signature.","properties":{"blockRequest":{"$ref":"#/components/schemas/SynchronousBlockKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["blockRequest"]},"SynchronousBlockKeyRequestDto":{"type":"object","description":"Synchronous block key request. 
Only supports SKA keys.","properties":{"blockKeyName":{"type":"string","default":"keyname","description":"Name of the key which shall be blocked.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signedApprovals":{"type":"array","items":{"format":"base64","description":"Signed approvals that are used to synchronously block with a SKA key. A single signed approval is a base64 encoded value that consists of the following components:\n1. The header containing the total size.\n2. The approvalToBeSigned which is the approval token that was signed by the approval client.\n3. The DER encoded signature of the token done by the approval client.\n4. The DER encoded public key of the approval client."}}},"required":["blockKeyName"]},"HashRequestDto":{"type":"object","description":"Hash request","properties":{"payload":{"type":"string","description":"The payload that shall be hashed.","minLength":1},"algorithm":{"type":"string","description":"The hash algorithm.","enum":["SHA1","SHA256","SHA3_256","SHA3_512"]}},"required":["algorithm","payload"]},"HashResponseDto":{"type":"object","description":"Hash response","properties":{"hash":{"type":"string","description":"The hash output (base64)","minLength":1}},"required":["hash"]},"SignRequestDto":{"type":"object","description":"Sign request.","properties":{"payload":{"type":"string","format":"base64","description":"Payload that shall be signed.","minLength":1},"payloadType":{"type":"string","default":"UNSPECIFIED","description":"The type of the payload.","enum":["UNSPECIFIED","ISO_20022","PDF","BTC","ETH","HEX"]},"signKeyName":{"type":"string","description":"Name of the key with which the request shall be signed. Note: to create a sign request for a BIP32 / SLIP10 derived key, make sure you have already created a master key that is BIP32 / SLIP10 capable. Then use the master key name and add the derivation path (e.g. 
\"TESTKEY/0'/1'/2\").","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName param.","enum":["SHA224_WITH_RSA_PSS","SHA256_WITH_RSA_PSS","SHA384_WITH_RSA_PSS","SHA512_WITH_RSA_PSS","NONE_WITH_DSA","SHA224_WITH_DSA","SHA256_WITH_DSA","SHA384_WITH_DSA","SHA512_WITH_DSA","NONE_WITH_RSA","SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","NONESHA224_WITH_RSA","NONESHA256_WITH_RSA","NONESHA384_WITH_RSA","NONESHA512_WITH_RSA","NONE_WITH_ECDSA","SHA1_WITH_ECDSA","SHA224_WITH_ECDSA","SHA256_WITH_ECDSA","DOUBLE_SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA","SHA3224_WITH_ECDSA","SHA3256_WITH_ECDSA","SHA3384_WITH_ECDSA","SHA3512_WITH_ECDSA","SHA256_WITH_ECDSA_DETERMINISTIC","EDDSA","KECCAK224_WITH_ECDSA","KECCAK256_WITH_ECDSA","KECCAK384_WITH_ECDSA","KECCAK512_WITH_ECDSA","ISS_KERL","SHA1_WITH_RSA","SHA1_WITH_DSA","NONESHA1_WITH_RSA","SHA1_WITH_RSA_PSS","BLS","LMS","HMAC_SHA256","NONE_WITH_EC_SCHNORR_BIP0340","ML_DSA","ML_DSA_M","SLH_DSA","SHA2_224_WITH_ML_DSA","SHA2_256_WITH_ML_DSA","SHA2_384_WITH_ML_DSA","SHA2_512_WITH_ML_DSA","SHA3_224_WITH_ML_DSA","SHA3_256_WITH_ML_DSA","SHA3_384_WITH_ML_DSA","SHA3_512_WITH_ML_DSA","SHAKE_128_WITH_ML_DSA","SHAKE_256_WITH_ML_DSA","SHA2_224_WITH_SLH_DSA","SHA2_256_WITH_SLH_DSA","SHA2_384_WITH_SLH_DSA","SHA2_512_WITH_SLH_DSA","SHA3_224_WITH_SLH_DSA","SHA3_256_WITH_SLH_DSA","SHA3_384_WITH_SLH_DSA","SHA3_512_WITH_SLH_DSA","SHAKE_128_WITH_SLH_DSA","SHAKE_256_WITH_SLH_DSA"]},"signatureType":{"type":"string","description":"The type of the signature result (default is DER). 
\nDER: ASN.1 DER-encoded signature (default). \nETH: Ethereum-compatible signature with R,S,V components. \nRAW (for EC-Keys only): Concatenated R and S values without encoding (R||S). \nAll results are base64-encoded.","enum":["ETH","DER","RAW"],"example":"DER"},"context":{"type":"string","format":"base64","description":"(Optional) Base64 encoded context bytes for ML-DSA & SLH-DSA, which are included in the message hash computation. The context provides domain separation and binds the signature to a specific use case (e.g., different protocols or applications), which prevents cross-protocol attacks."},"auxiliaryRandomData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'auxiliaryRandomData' (base64, 32 raw bytes), if not specified, the HSM generates random aux_data"},"taprootTweakData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340 only, specify 'taprootTweakData' (base64, 32 raw bytes), used in signing with key-path, if specified 'merkleRootData' must be empty."},"merkleRootData":{"type":"string","format":"base64","description":"(Optional) NONE_WITH_EC_SCHNORR_BIP0340  only, specify 'merkleRootData', used in signing with script-path (multi-sig), if specified 'taprootTweakData' must be empty."}},"required":["payload","signKeyName","signatureAlgorithm"]},"SignedSignRequestDto":{"type":"object","description":"Contains a sign request and optionally the requests signature.","properties":{"signRequest":{"$ref":"#/components/schemas/SignRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["signRequest"]},"SignRequestResponseDto":{"type":"object","description":"Response for a sign request.","properties":{"signRequestId":{"type":"string","description":"The id that has been assigned to the signing request."}}},"ModifyKeyRequestDto":{"type":"object","description":"Modify key 
request","properties":{"modifyKeyName":{"type":"string","default":"keyname","description":"Name of the key which shall be modified.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"policy":{"$ref":"#/components/schemas/ModifyPolicyDto"}},"required":["modifyKeyName","policy"]},"SignedModifyKeyRequestDto":{"type":"object","description":"Contains a modify key request and optionally the requests signature.","properties":{"modifyRequest":{"$ref":"#/components/schemas/ModifyKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["modifyRequest"]},"ModifyKeyRequestResponseDto":{"type":"object","description":"Response for a modify key request.","properties":{"modifyKeyRequestId":{"type":"string","description":"The id that has been assigned to the modify key request."}}},"AddressFormatDto":{"type":"object","description":"Contains the crypto currency for which an address should be created. An address can only be created for keys with smart key attributes.","properties":{"format":{"type":"string","description":"The crypto currency for which an address should be created.","enum":["BTC","ETH","XLM","XRP","IOTA"],"minLength":1}},"required":["format"]},"CreateKeyDto":{"type":"object","description":"Create key request.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}},"id":{"type":"string","description":"The id of the key, used if working with keys generated on TSB and used with PKCS#11 provider"},"algorithm":{"type":"string","description":"The algorithm with which the key should be created. 
Either the algorithm or the algorithm_oid must be set.","enum":["HMACSHA256","EC","ED","RSA","DSA","ISS","BLS","AES","ChaCha20","Camellia","TDEA","ML-DSA-44","ML-DSA-65","ML-DSA-87","SLH-DSA-SHA2-128s","SLH-DSA-SHA2-128f","SLH-DSA-SHA2-192s","SLH-DSA-SHA2-192f","SLH-DSA-SHA2-256s","SLH-DSA-SHA2-256f","SLH-DSA-SHAKE-128s","SLH-DSA-SHAKE-128f","SLH-DSA-SHAKE-192s","SLH-DSA-SHAKE-192f","SLH-DSA-SHAKE-256s","SLH-DSA-SHAKE-256f","ML-KEM-512","ML-KEM-768","ML-KEM-1024","LMS"],"example":"EC"},"algorithmOid":{"type":"string","description":"The oid of the algorithm with which the key should be created. Either the algorithm or the algorithm_oid must be set.","example":"1.2.840.10045.2.1"},"curveOid":{"type":"string","description":"The oid of the curve used for the EC or ED algorithm. Mandatory if chosen algorithm is set to EC or ED. secp224k1: 1.3.132.0.32\nsecp224r1: 1.3.132.0.33\nsecp256k1: 1.3.132.0.10\nsecp256r1 (also known as P-256 or prime256v1): 1.2.840.10045.3.1.7\nsecp384r1 (also known as P-384): 1.3.132.0.34\nsecp521r1 (also known as P-521): 1.3.132.0.35\nx962p239v1: 1.2.840.10045.3.1.1\nx962p239v2: 1.2.840.10045.3.1.2\nx962p239v3: 1.2.840.10045.3.1.3\nbrainpool224r1: 1.3.36.3.3.2.8.1.1.1\nbrainpool256r1: 1.3.36.3.3.2.8.1.1.7\nbrainpool320r1: 1.3.36.3.3.2.8.1.1.9\nbrainpool384r1: 1.3.36.3.3.2.8.1.1.11\nbrainpool512r1: 1.3.36.3.3.2.8.1.1.13\nfrp256v1: 1.2.250.1.223.101.256.1\nEd25519: 1.3.101.112","example":"1.3.132.0.10"},"keySize":{"type":"integer","format":"int32","description":"The length of the key. Only applicable for RSA , DSA and ISS. For ISS this attribute sets the security level (1, 2 or 3)."},"lmsTreeHeight":{"type":"integer","format":"int32","description":"The LMS tree height. Only applicable for LMS. 
Allowed values: 5, 10, 15"},"addressFormat":{"$ref":"#/components/schemas/AddressFormatDto"},"attributes":{"$ref":"#/components/schemas/CreateKeyAttributes"},"policy":{"$ref":"#/components/schemas/PolicyDto"}},"required":["attributes","label"]},"AddressTruncatedDto":{"type":"object","description":"The generated crypto currency address.","properties":{"address":{"type":"string","description":"The address generated for the specified crypto currency."},"format":{"type":"string","description":"The crypto currency for which an address was created.","example":"BTC"}}},"Attributes":{"type":"object","description":"The attributes of a key.","properties":{"decrypt":{"type":"boolean","description":"If true the key can be used to decrypt data."},"sign":{"type":"boolean","description":"If true the key can sign."},"ekaSign":{"type":"boolean"},"unwrap":{"type":"boolean","description":"If true the key can be used to unwrap keys."},"derive":{"type":"boolean","description":"If true it is possible to derive from this key."},"sensitive":{"type":"boolean","description":"If true the key is sensitive."},"alwaysSensitive":{"type":"boolean","description":"Is true if the key was always sensitive since its creation."},"extractable":{"type":"boolean","description":"If true the key is extractable. 
Keys with smart key attributes are never extractable."},"neverExtractable":{"type":"boolean","description":"Is true if the key was never extractable since its creation."},"modifiable":{"type":"boolean","description":"If true the key can be modified."},"copyable":{"type":"boolean","description":"If true the encrypted key is stored in an external memory"},"destroyable":{"type":"boolean","description":"If true the key can be deleted."},"rollover":{"type":"boolean","description":"If true the key can be used with the key-rollover endpoints."}}},"DerivedKeyAttributesDto":{"type":"object","description":"Response containing information about the derived key.","properties":{"derivationType":{"type":"string","description":"The chaincode","example":"BIP32 / SLIP10 / KdfSp80056aSha256 (AES)"},"derivationValue":{"type":"string","description":"The derivation value, If the key supports rollover, it is the derivation index (salt) for the kdf function used to generate the symmetric key.","example":"273C08290FA1734D77C5C1D9BDA9B123F5DA38C060AE5D64D5BE987377E71E63"}}},"KeyAttributesDto":{"type":"object","description":"Response containing information about the key.","properties":{"label":{"type":"string","description":"The name of the key."},"id":{"type":"string","description":"The id of the key."},"uuid":{"type":"string","description":"The id of the external key."},"algorithm":{"type":"string","description":"The algorithm with which the key was created.","example":"EC"},"algorithmOid":{"type":"string","description":"The oid of the algorithm with which the key was created.","example":"1.2.840.10045.2.1"},"curveOid":{"type":"string","description":"The oid of the curve used for the EC algorithm (only set if the algorithm is EC).","example":"1.3.132.0.34"},"derivedAttributes":{"$ref":"#/components/schemas/DerivedKeyAttributesDto","description":"The derived key attributes"},"keySize":{"type":"integer","format":"int32","description":"The length of the key. 
Only set if the algorithm is RSA, DSA or ISS. For ISS this attribute represents the security level."},"keyUsageCount":{"type":"integer","format":"int32","description":"The number of times a key is used in cryptographic operations."},"createTime":{"type":"string","description":"The time at which the key was created on the HSM."},"attestTime":{"type":"string","description":"The time at which the key was attested on the HSM."},"publicKey":{"type":"string","description":"The public key from the created private key.\nThe public key is base64(DER/ASN.1) encoded, as supported by e.g. OpenSSL, Java and many other languages/tools.\nDecode using OpenSSL:\necho -n $EXAMPLE | base64 -D | openssl asn1parse -inform DER -dump"},"addressTruncated":{"$ref":"#/components/schemas/AddressTruncatedDto"},"attributes":{"$ref":"#/components/schemas/Attributes"},"policy":{"$ref":"#/components/schemas/PolicyDto"}}},"SignedKeyAttributesDto":{"type":"object","description":"Response containing the signed key attributes.","properties":{"xml":{"type":"string","description":"The xml representation of the key attributes."},"json":{"$ref":"#/components/schemas/KeyAttributesDto"},"xmlSignature":{"type":"string","description":"The signature of the xml."},"attestationKeyName":{"type":"string","description":"The name of the attestation key used to sign the attributes."}}},"RotateKeyWithPasswordDto":{"type":"object","description":"Rotate key Label with password.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key to be rotated.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["label"]},"KeyLabelWithPasswordDto":{"type":"object","description":"Key Label with password.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key. For derived keys (persisted in the HSM or only temporarily derived), append the full derivation path to the key name, e.g. 
MyKey/1/2/3.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["label"]},"KeyImportDto":{"type":"object","description":"Key import request. For a symmetric key the privateKey and publicKey must be empty. For an asymmetric key the secretKey must be empty","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"algorithm":{"type":"string","description":"The key algorithm."},"addressFormat":{"$ref":"#/components/schemas/AddressFormatDto"},"privateKey":{"type":"string","format":"base64","description":"The private key to be imported. The key must be encoded in the DER format including information like the algorithm or the curve OID."},"publicKey":{"type":"string","format":"base64","description":"The public key to be imported. The key must be encoded in the DER format including information like the algorithm or the curve OID."},"secretKey":{"type":"string","format":"base64","description":"The secret key to be imported"},"certificate":{"type":"string","format":"base64","description":"Certificate that should be set to the imported key"},"pkcs12":{"type":"string","format":"base64","description":"The pkcs12 container to import the private key and certificate. (base64)"},"pkcs12KeyName":{"type":"string","description":"The alias of the key in the PKCS#12 container."},"pkcs12KeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"pkcs12KeystorePassword":{"type":"array","items":{"pattern":"^.{1}$"}},"attributes":{"$ref":"#/components/schemas/CreateKeyAttributes"},"policy":{"$ref":"#/components/schemas/PolicyDto"}},"required":["attributes","label"]},"RequestKeyExportDto":{"type":"object","description":"Key Label with password and export type. (extractable must be 'true' & sensitive must be 'false')","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key. 
For derived keys (persisted in the HSM or only temporarily derived), append the full derivation path to the key name, e.g. MyKey/1/2/3.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}},"type":{"type":"string","description":"The format how the key shall be exported.","enum":["PLAIN","PKCS12"]},"pkcs12ContainerPassword":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["label"]},"KeyExportDto":{"type":"object","description":"Key export response","properties":{"privateKey":{"type":"string","format":"base64","description":"The exported private key. Is only available if the export is from an asymmetric key."},"publicKey":{"type":"string","format":"base64","description":"The exported public key. Is only available if the export is from an asymmetric key."},"secretKey":{"type":"string","format":"base64","description":"The exported secret key. Is only available if the export is from a symmetric key."},"pkcs12container":{"type":"string","format":"base64","description":"The pkcs12 formated key (symmetric or asymmetric) protected by the pkcs12 key-password."}}},"ChangeKeyPasswordDto":{"type":"object","description":"Change Key password. (The following key-attribute must be set: \"modifiable\": true)","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}},"newPassword":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["label"]},"KeyAddressDto":{"type":"object","properties":{"address":{"type":"string","format":"base64","description":"The crypto currency address generated for the specified key (base64 encoded)."}}},"ImportKeyDto":{"type":"object","description":"Import key request.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"algorithm":{"type":"string","description":"The algorithm with which the key should be created. 
Either the algorithm or the algorithm_oid must be set.","enum":["EC","ED","ML-DSA-44","ML-DSA-65","ML-DSA-87","SLH-DSA-SHA2-128s","SLH-DSA-SHA2-128f","SLH-DSA-SHA2-192s","SLH-DSA-SHA2-192f","SLH-DSA-SHA2-256s","SLH-DSA-SHA2-256f","SLH-DSA-SHAKE-128s","SLH-DSA-SHAKE-128f","SLH-DSA-SHAKE-192s","SLH-DSA-SHAKE-192f","SLH-DSA-SHAKE-256s","SLH-DSA-SHAKE-256f"],"example":"EC"},"seed":{"type":"string","format":"byte","description":"Seed from which the key is imported must be base64 encoded. Bits can be represented by a mnemonic phrase to write down. EC, ED: 'seed' must be 128, 256 or 512 bits long, SLH-DSA-SHAx-128: 'seed' must be 48 (3x16) bytes long, SLH-DSA-SHAx-192: 'seed' must be 72 (3x24) bytes long, SLH-DSA-SHAx-256: 'seed' must be 96 (3x32) bytes long. "},"addressFormat":{"$ref":"#/components/schemas/AddressFormatDto"},"curveOid":{"type":"string","description":"The oid of the curve required with use for the EC or ED algorithm.","example":"1.3.132.0.10"},"attributes":{"$ref":"#/components/schemas/CreateKeyAttributes"},"policy":{"$ref":"#/components/schemas/PolicyDto"}},"required":["attributes","label"]},"FilteredTasksRequestDto":{"type":"object","description":"Request to filter the tasks.","properties":{"timestamp":{"type":"string","format":"date-time","description":"The ISO-8601 formatted timestamp that has been signed by the approval client.","minLength":1},"timestampSignature":{"type":"string","format":"base64","description":"Signature(base64 encoded)  for the timestamp (ISO-8601) that was done using the key of the approver. 
Format of the signature is depending on the algorithm used and as returned when using a JDK's native Signature.sign() method.<br>Example (EC key):<br>echo \"MEUCIDOsDySFOWOcMKulHmR3uB8YCF7oX+vQ4dU8ooYC1OCvAiEApwMbu7nF19woZhO/KCIRV1api8oa/QCV2M2pcINAnEQ=\" | base64 -D | openssl asn1parse -inform DER<br>    0:d=0  hl=2 l=  69 cons: SEQUENCE<br>    2:d=1  hl=2 l=  32 prim: INTEGER           :33AC0F248539639C30ABA51E6477B81F18085EE85FEBD0E1D53CA28602D4E0AF<br>   36:d=1  hl=2 l=  33 prim: INTEGER           :A7031BBBB9C5D7DC286613BF2822115756A98BCA1AFD0095D8CDA97083409C44","minLength":1},"timestampSigningCertificate":{"type":"string","format":"base64","description":"Certificate used for the timestampSignature. Use when tasks for all approvers or a specific approver shall be fetched, but without access to the approver's private key. To load all tasks neither the approverPublicKey nor the approverCertificate may be set. If either one is set only the tasks for this specific approver is loaded."},"approverPublicKey":{"type":"string","format":"base64","description":"Public key of the approver (base64 encoded). Either the approverPublicKey or the approverCertificate has to be provided if the timestampSigningCertificate is not set."},"approverCertificate":{"type":"string","format":"base64","description":"Certificate of the approver in DER format (base64 encoded). Either the approverPublicKey or the approverCertificate has to be provided if the timestampSigningCertificate is not set."},"timestampDigestAlgorithm":{"type":"string","description":"The message digest algorithm that was used for computing the timestamp signature.","enum":["SHA-224","SHA-256","SHA-384","SHA-512","SHA3-224","SHA3-256","SHA3-384","SHA3-512","EdDSA"],"example":"SHA-256","minLength":1},"id":{"type":"string","description":"If specified filters for a specific task id"},"requestId":{"type":"string","description":"If specified filters for a specific request id by approver Public Key. 
Request ID is ignored if task ID is set."},"detailLevel":{"type":"string","default":"level1","description":"The detail level of the response.","enum":["level1","level2","level3","level4","level5"]},"paging":{"$ref":"#/components/schemas/PagingDto"}},"required":["timestamp","timestampDigestAlgorithm","timestampSignature"]},"PagingDto":{"type":"object","description":"Metadata for enabling result paging","properties":{"pageNumber":{"type":"integer","format":"int32","description":"The number of the page of results to be returned.","minimum":0},"pageSize":{"type":"integer","format":"int32","description":"The number of results to be returned per page","minimum":1},"sortOrder":{"type":"string","description":"Sort order of the results. Note: initial value for LAST_FETCHED_DATE is the creation date of the task. LAST_FETCHED_DATE is updated every time a task is returned to the client using the appropriate REST service.","enum":["CREATION_DATE_ASC","CREATION_DATE_DESC","LAST_FETCHED_DATE_ASC","LAST_FETCHED_DATE_DESC"]}},"required":["sortOrder"]},"BlockKeyRequestDto":{"type":"object","description":"Block key request.","properties":{"blockKeyName":{"type":"string","description":"Name of the key which shall be blocked.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"byte","description":"Additional meta data (base64 encoded) that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"byte","description":"Signature for the meta data (base64 encoded)."}},"required":["blockKeyName"]},"CertificateAttributesDto":{"type":"object","description":"The standard attributes of X.500 series the key that should be created. At least one operation (decrypt, sign, unwrap) must be allowed (true).","properties":{"commonName":{"type":"string","description":"Common Name (e.g. 
server FQDN or YOUR name) []"},"country":{"type":"string","description":"Country Name (2 letter code) [CH]"},"stateOrProvinceName":{"type":"string","description":"State or Province Name (full name) [Some-State]"},"locality":{"type":"string","description":"Locality Name (eg, city) []"},"organizationName":{"type":"string","description":"Organization Name (eg, company) [Securosys SA]"},"organizationIdentifier":{"type":"string","description":"Organization Identifier []"},"organizationUnitName":{"type":"string","description":"Organizational Unit Name (eg, section) []"},"email":{"type":"string","description":"Email Address []"},"title":{"type":"string","description":"Title []"},"surname":{"type":"string","description":"Surname []"},"givenName":{"type":"string","description":"Given name []"},"initials":{"type":"string","description":"initials []"},"pseudonym":{"type":"string","description":"Pseudonym []"},"generationQualifier":{"type":"string","description":"Generation qualifier [Jr., 3rd, or IV]"}}},"CsrSignRequestDto":{"type":"object","description":"CSR request with Smart Key Attributes.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key used to sign the certificate request.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. 
The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName.","enum":["SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA"]},"standardCertificateAttributes":{"$ref":"#/components/schemas/CertificateAttributesDto","description":"The standard certificate request attributes for X.500 series"},"keyUsage":{"type":"array","description":"The key usage extension defines the purpose (for example, encipherment, signature, or certificate signing) of the key contained in the certificate. If the public key is used for entity authentication, then the certificate extension should have the key usage Digital signature.","items":{"type":"string","enum":["DIGITAL_SIGNATURE","CONTENT_COMMITMENT","KEY_ENCIPHERMENT","DATA_ENCIPHERMENT","KEY_AGREEMENT","KEY_CERT_SIGN","CRL_SIGN","ENCIPHER_ONLY","DECIPHER_ONLY"]}},"extendedKeyUsage":{"type":"array","description":"This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.","items":{"type":"string","enum":["ANY_EXTENDED_KEY_USAGE","SERVER_AUTH","CLIENT_AUTH","CODE_SIGNING","EMAIL_PROTECTION","TIME_STAMPING","OCSP_SIGNING"]}},"subjectAlternativeNames":{"type":"array","description":"The Subject Alternative Name (SAN) is an extension to the X.509 standard that allows a single certificate to secure multiple hostnames, IP addresses, or other identifiers. It is used by clients to verify that the presented certificate is valid for the server they are connecting to. 
Sample: SAN=dns:my-primary-host.example.com,dns:*.api.example.com,dns:localhost,ip:192.168.1.10,ip:127.0.0.1,ip:::1,uri:https://service.example.com/endpoint,email:admin@example.com,rid:1.2.3.4","items":{"$ref":"#/components/schemas/SubjectAlternativeName"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."}},"required":["signKeyName","signatureAlgorithm","standardCertificateAttributes"]},"DecryptRequestDto":{"type":"object","description":"Decrypt request. Only supported by RSA keys.","properties":{"encryptedPayload":{"type":"string","format":"byte","description":"Encrypted payload (base64 encoded) that shall be decrypted.","minLength":1},"decryptKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload shall be decrypted.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client"},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"cipherAlgorithm":{"type":"string","description":"The cipher algorithm to be used.","enum":["RSA_PADDING_OAEP_WITH_SHA512","RSA","RSA_PADDING_OAEP_WITH_SHA224","RSA_PADDING_OAEP_WITH_SHA256","RSA_PADDING_OAEP_WITH_SHA1","RSA_PADDING_OAEP","RSA_PADDING_OAEP_WITH_SHA384","RSA_PADDING_PKCS","RSA_NO_PADDING","AES_GCM","AES_CTR","AES_ECB","AES_CBC_NO_PADDING","AES","CHACHA20","CHACHA20_AEAD","CAMELLIA","CAMELLIA_CBC_NO_PADDING","CAMELLIA_ECB","TDEA_CBC","TDEA_ECB","TDEA_CBC_NO_PADDING"]},"initializationVector":{"type":"string","description":"The initialization vector (base64 encoded) used to encrypt the payload. 
Can be empty if the cipher algorithm used does not require an initialization vector."},"additionalAuthenticationData":{"type":"string","format":"base64","description":"Additional authentication data (aad, base64) used when decrypting payload. Can be empty if none were used when encrypting the payload"},"tagLength":{"type":"integer","format":"int","description":"The MAC (Message Authentication Code) is a fixed-length value that is INCLUDED in the ciphertext and used to authenticate the integrity of the data and the authenticity of the sender. Supported tag_length: 0, 64, 96, 104, 112, 120, 128"}},"required":["cipherAlgorithm","decryptKeyName","encryptedPayload"]},"GetTasksResponseDto":{"type":"object","description":"Response containing the requested tasks with the specified detail level.","properties":{"tasks":{"type":"array","items":{"description":"The requested tasks."}}}},"OfflineHsmDto":{},"RequestStatusDto":{"type":"object","description":"Response containing information about the status of a request.","properties":{"id":{"type":"string","description":"The id of the request."},"status":{"type":"string","description":"The current status of the request.","enum":["PENDING","APPROVED","EXECUTED","FAILED","EXPIRED","REJECTED","CANCELLED"]},"executionTime":{"type":"string","description":"Date and time when the request is sent to the hsm in ISO-8601 format."},"approvedBy":{"type":"array","items":{"description":"Public keys of approvers that have approved the request."}},"notYetApprovedBy":{"type":"array","items":{"description":"Public keys of approvers that have not yet approved the request but still could approve."}},"rejectedBy":{"type":"array","items":{"description":"Public keys from approvers that have rejected to approve the request (i.e. they deleted the task related to this request)."}},"result":{"type":"string","description":"The result of the request after the request was executed on the hsm. In case of a sign request this field contains the signature. 
In case of a decrypt request it contains the decrypted payload. Otherwise this field is empty."},"inputOfflineHsm":{"$ref":"#/components/schemas/OfflineHsmDto","description":"The input for synchronous sign request in case of using air gapped TSB, otherwise field is empty."}}},"SelfSignCertificateRequestDto":{"type":"object","description":"Self-Signed Certificate request with Smart Key Attributes.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"validity":{"type":"integer","format":"int32","description":"The days from today after which the certificate is not valid. e.g. 365 //valid for 1 year."},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName.","enum":["SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA"]},"standardCertificateAttributes":{"$ref":"#/components/schemas/CertificateAttributesDto","description":"The standard certificate request attributes for X.500 series"},"keyUsage":{"type":"array","description":"The key usage extension defines the purpose (for example, encipherment, signature, or certificate signing) of the key contained in the certificate. If the public key is used for entity authentication, then the certificate extension should have the key usage Digital signature.","items":{"type":"string","enum":["DIGITAL_SIGNATURE","CONTENT_COMMITMENT","KEY_ENCIPHERMENT","DATA_ENCIPHERMENT","KEY_AGREEMENT","KEY_CERT_SIGN","CRL_SIGN","ENCIPHER_ONLY","DECIPHER_ONLY"]}},"extendedKeyUsage":{"type":"array","description":"This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. 
In general, this extension will appear only in end entity certificates.","items":{"type":"string","enum":["ANY_EXTENDED_KEY_USAGE","SERVER_AUTH","CLIENT_AUTH","CODE_SIGNING","EMAIL_PROTECTION","TIME_STAMPING","OCSP_SIGNING"]}},"subjectAlternativeNames":{"type":"array","description":"The Subject Alternative Name (SAN) is an extension to the X.509 standard that allows a single certificate to secure multiple hostnames, IP addresses, or other identifiers. It is used by clients to verify that the presented certificate is valid for the server they are connecting to. Sample: SAN=dns:my-primary-host.example.com,dns:*.api.example.com,dns:localhost,ip:192.168.1.10,ip:127.0.0.1,ip:::1,uri:https://service.example.com/endpoint,email:admin@example.com,rid:1.2.3.4","items":{"$ref":"#/components/schemas/SubjectAlternativeName"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"certificateAuthority":{"type":"boolean"}},"required":["signKeyName","signatureAlgorithm","validity"]},"SignCertificateRequestDto":{"type":"object","description":"Certificate request with Smart Key Attributes.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. 
The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName.","enum":["SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA"]},"standardCertificateAttributes":{"$ref":"#/components/schemas/CertificateAttributesDto","description":"The standard certificate request attributes for X.500 series"},"validity":{"type":"integer","format":"int32","description":"The days from today after which the certificate is not valid. e.g. 365 //valid for 1 year."},"copyExtensions":{"type":"string","default":"no_copy","description":"Use the copyExtensions option with caution; if care is not taken it can be a security risk. COPY copies the extensions from the CSR except basicConstraints. basicConstraints is left out because, for example, a certificate request may contain a basicConstraints extension with CA:TRUE, and if the user does not spot this when the certificate is displayed, copying it would hand the requester a valid CA certificate. NO_COPY does not copy the extensions from the CSR.","enum":["NO_COPY","COPY"]},"certificateSigningRequest":{"type":"string","description":"The certificate signing request (csr)."},"keyUsage":{"type":"array","description":"KeyUsage is set if copyExtensions = NO_COPY. The key usage extension defines the purpose (for example, encipherment, signature, or certificate signing) of the key contained in the certificate. If the public key is used for entity authentication, then the certificate extension should have the key usage Digital signature.","items":{"type":"string","enum":["DIGITAL_SIGNATURE","CONTENT_COMMITMENT","KEY_ENCIPHERMENT","DATA_ENCIPHERMENT","KEY_AGREEMENT","KEY_CERT_SIGN","CRL_SIGN","ENCIPHER_ONLY","DECIPHER_ONLY"]}},"extendedKeyUsage":{"type":"array","description":"ExtendedKeyUsage is set if copyExtensions = NO_COPY. 
This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.","items":{"type":"string","enum":["ANY_EXTENDED_KEY_USAGE","SERVER_AUTH","CLIENT_AUTH","CODE_SIGNING","EMAIL_PROTECTION","TIME_STAMPING","OCSP_SIGNING"]}},"subjectAlternativeNames":{"type":"array","description":"Subject Alternative Name (SAN) is set if copyExtensions = NO_COPY.The Subject Alternative Name (SAN) is an extension to the X.509 standard that allows a single certificate to secure multiple hostnames, IP addresses, or other identifiers. It is used by clients to verify that the presented certificate is valid for the server they are connecting to. Sample: SAN=dns:my-primary-host.example.com,dns:*.api.example.com,dns:localhost,ip:192.168.1.10,ip:127.0.0.1,ip:::1,uri:https://service.example.com/endpoint,email:admin@example.com,rid:1.2.3.4","items":{"$ref":"#/components/schemas/SubjectAlternativeName"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."},"certificateAuthority":{"type":"boolean"}},"required":["certificateSigningRequest","signKeyName","signatureAlgorithm","validity"]},"SignedBlockKeyRequestDto":{"type":"object","description":"Contains a block key request and optionally the requests signature.","properties":{"blockRequest":{"$ref":"#/components/schemas/BlockKeyRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["blockRequest"]},"SignedCertificateRequestRequestDto":{"type":"object","description":"Create a signed CSR request (asynchronous). 
After the request was approved the CSR can be obtained with GET /v1/request/{id}","properties":{"csrSignRequest":{"$ref":"#/components/schemas/CsrSignRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["csrSignRequest"]},"SignedDecryptRequestDto":{"type":"object","description":"Contains a decrypt request and optionally the requests signature.","properties":{"decryptRequest":{"$ref":"#/components/schemas/DecryptRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["decryptRequest"]},"SignedSelfSignCertificateRequestDto":{"type":"object","description":"Generate a self-signed x509 certificate (asynchronous). After the request was approved the x509 can be obtained with GET /v1/request/{id}","properties":{"selfSignCertificateRequest":{"$ref":"#/components/schemas/SelfSignCertificateRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["selfSignCertificateRequest"]},"SignedSignCertificateRequestDto":{"type":"object","description":"Generate a valid x509 certificate (asynchronous). 
After the request was approved the x509 can be obtained with GET /v1/request/{id}","properties":{"signCertificateRequest":{"$ref":"#/components/schemas/SignCertificateRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["signCertificateRequest"]},"SubjectAlternativeName":{"type":"object","description":"Subject Alternative Name Object","properties":{"sanType":{"type":"string","enum":["DNS","IP","URI","EMAIL","OTHERNAME"]},"sanValue":{"type":"string"}}},"RequestIdsByStatusRequestDto":{"type":"object","description":"Filter Requests by Status","properties":{"requestStatusList":{"type":"array","items":{"default":"PENDING","description":"The requests to be filtered by Request Status"}}}},"RequestIdsByStatusDto":{"type":"object","description":"Response containing information about the filtered request status.","properties":{"requests":{"type":"array","items":{"description":"The pending requests"}}}},"FileEncryptRequestDto":{"type":"object","description":"File Encrypt request. 
Only supported by EC keys with curveOid: 1.3.132.0.34 and key-attribute: derive.","properties":{"encryptKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the file shall be encrypted.","minLength":1}},"required":["encryptKeyName"]},"SignedFileEncryptRequestDto":{"type":"object","description":"Contains a file encryption request.","properties":{"fileEncryptRequest":{"$ref":"#/components/schemas/FileEncryptRequestDto"}},"required":["fileEncryptRequest"]},"EncryptRequestDto":{"type":"object","description":"Encrypt request.","properties":{"payload":{"type":"string","format":"byte","description":"Payload (base64 encoded) that shall be encrypted.","minLength":1},"encryptKeyName":{"type":"string","default":"keyname","description":"Name of the key with which the payload shall be encrypted.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"cipherAlgorithm":{"type":"string","description":"The cipher algorithm to be used.","enum":["RSA_PADDING_OAEP_WITH_SHA512","RSA","RSA_PADDING_OAEP_WITH_SHA224","RSA_PADDING_OAEP_WITH_SHA256","RSA_PADDING_OAEP_WITH_SHA1","RSA_PADDING_OAEP","RSA_PADDING_OAEP_WITH_SHA384","RSA_PADDING_PKCS","RSA_NO_PADDING","AES_GCM","AES_CTR","AES_ECB","AES_CBC_NO_PADDING","AES","CHACHA20","CHACHA20_AEAD","CAMELLIA","CAMELLIA_CBC_NO_PADDING","CAMELLIA_ECB","TDEA_CBC","TDEA_ECB","TDEA_CBC_NO_PADDING"]},"additionalAuthenticationData":{"type":"string","format":"base64","description":"Additional authentication data (aad, base64 encoded) used for encryption with algorithms that support it."},"tagLength":{"type":"integer","format":"int","description":"The MAC (Message Authentication Code) is a fixed-length value as part of the AES-GCM encryption process, that is INCLUDED in the ciphertext and used to authenticate the integrity of the data and the authenticity of the sender. 
\nSupported tag_length: 0, 64, 96, 104, 112, 120, 128"}},"required":["cipherAlgorithm","encryptKeyName","payload"]},"SignedEncryptRequestDto":{"type":"object","description":"Contains an encrypt request and optionally the requests signature.","properties":{"encryptRequest":{"$ref":"#/components/schemas/EncryptRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["encryptRequest"]},"EncryptRequestResponseDto":{"type":"object","description":"Response for an encrypt request.","properties":{"encryptedPayload":{"type":"string","description":"The encrypted payload."},"encryptedPayloadWithoutMessageAuthenticationCode":{"type":"string","description":"The encrypted payload without message authentication code (MAC) as part of the AES-GCM encryption process."},"initializationVector":{"type":"string","description":"The initialization vector (base64 encoded) used to encrypt the payload. Is empty if the algorithm used does not require an initialization vector."},"messageAuthenticationCode":{"type":"string","format":"base64","description":"The authenticationTag is a message authentication code (MAC) as part of the AES-GCM encryption process. It is used to ensure the integrity of the ciphertext and the additional authenticated data (AAD) passed to the encrypt operation. The MAC is part of the cipher text and is additionally returned here. 
The cipher text contains the MAC and must be truncated depending on the framework used."},"derivationValue":{"type":"integer","format":"int64","description":"If the key supports rollover, this is the latest derivation value (used as salt) for the KDF used to encrypt the payload."}}},"EncapsulationRequestDto":{"type":"object","properties":{"publicKey":{"type":"string","description":"The ML-KEM PublicKey used for encapsulating the generated shared-secret.","minLength":1}},"required":["publicKey"]},"EncapsulationResponseDto":{"type":"object","description":"Response payload for a key‑encapsulation operation.","properties":{"sharedSecret":{"type":"string","description":"Base64‑encoded shared secret."},"ciphertext":{"type":"string","description":"The encapsulated key."}}},"DeriveKeyAttributes":{"type":"object","description":"The attributes of the derived key. The attributes from the base key are fetched and applied if no attributes are specified.","properties":{"decrypt":{"type":"boolean","description":"If true the key can be used to decrypt data."},"sign":{"type":"boolean","description":"If true the key can sign."},"unwrap":{"type":"boolean","description":"If true the key can be used to unwrap keys."},"derive":{"type":"boolean","default":false,"description":"If true it is possible to derive from this key."},"extractable":{"type":"boolean","default":false,"description":"If true the key is extractable. This option can only be true for keys without smart key attributes."},"modifiable":{"type":"boolean","default":true,"description":"If true the key can be modified. The derived key can not be modifiable if the base key is not modifiable"},"destroyable":{"type":"boolean","default":false,"description":"If true the key can be deleted."},"sensitive":{"type":"boolean","description":"If true the key is sensitive. 
To export a key, sensitive must be false"}},"required":["decrypt","sign","unwrap"]},"DeriveKeyDto":{"type":"object","description":"Derive key request.","properties":{"masterKeyLabel":{"type":"string","default":"masterKeyName","description":"The name of the master key.","minLength":1},"masterKeyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"derivationPath":{"type":"string","default":"1/2/3","description":"BIP32 / SLIP10 derivation path to be used (without leading /)","example":"1/2/3","minLength":1},"attributes":{"$ref":"#/components/schemas/DeriveKeyAttributes"}},"required":["derivationPath","masterKeyLabel"]},"DecryptRequestResponseDto":{"type":"object","description":"Response for a decrypt request.","properties":{"decryptRequestId":{"type":"string","description":"The id that has been assigned to the decrypt request."}}},"DecapsulateRequestDto":{"type":"object","properties":{"decapsulationKeyName":{"type":"string","description":"Name of the key to be used for the encapsulation process.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"ciphertext":{"type":"string","description":"The encapsulated key.","minLength":1}},"required":["ciphertext","decapsulationKeyName"]},"DecapsulationResponseDto":{"type":"object","description":"Response payload for a key-decapsulation operation.","properties":{"sharedSecret":{"type":"string","description":"Base64‑encoded shared secret."}}},"DataObjectAttributes":{"type":"object","description":"The attributes of a data object.","properties":{"modifiable":{"type":"boolean","description":"If true the data object can be modified."},"destroyable":{"type":"boolean","description":"If true the data object can be deleted."},"private":{"type":"boolean","description":"If true the data object is encrypted"}}},"DataObjectDto":{"type":"object","description":"Data object","properties":{"name":{"type":"string","description":"The name of the data 
object.","minLength":1},"value":{"type":"string","format":"base64","description":"The value (base64 encoded) of the data object. The maximum size of the value is 64 kilobytes.","minLength":1},"attributes":{"$ref":"#/components/schemas/DataObjectAttributes"}},"required":["name","value"]},"CreateRfcTimestampDto":{"type":"object","description":"Create a RFC3161 timestamp.","properties":{"payload":{"type":"string","format":"base64","description":"The payload for which the timestamp should be created.","minLength":1},"hashAlgorithm":{"type":"string","description":"The hash algorithm to use for creating the timestamp.","example":"SHA256","minLength":1}},"required":["hashAlgorithm","payload"]},"RfcTimestampDto":{"type":"object","description":"Create RFC timestamp response","properties":{"timestamp":{"type":"string","description":"The RFC3161 timestamp created by the HSM (base64 encoded)."}}},"SynchronousSignCertificateRequestDto":{"type":"object","description":"Generates a valid x509 certificate.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName.","enum":["SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA"]},"standardCertificateAttributes":{"$ref":"#/components/schemas/CertificateAttributesDto","description":"The standard certificate request attributes for X.500 series"},"validity":{"type":"integer","format":"int32","description":"The days from today after which the certificate is not valid. e.g. 365 //valid for 1 year."},"copyExtensions":{"type":"string","default":"no_copy","description":"The copyExtensions option should be used with caution. 
If care is not taken, it can be a security risk. COPY copies the extensions from the CSR except basicConstraints. basicConstraints is excluded because, for example, if a certificate request contains a basicConstraints extension with CA:TRUE and the user does not spot this when the certificate is displayed, copying it would hand the requester a valid CA certificate. NO_COPY does not copy the extensions from the CSR.","enum":["NO_COPY","COPY"]},"certificateSigningRequest":{"type":"string","description":"The certificate signing request (csr)."},"keyUsage":{"type":"array","description":"KeyUsage is set if copyExtensions = NO_COPY. The key usage extension defines the purpose (for example, encipherment, signature, or certificate signing) of the key contained in the certificate. If the public key is used for entity authentication, then the certificate extension should have the key usage Digital signature.","items":{"type":"string","enum":["DIGITAL_SIGNATURE","CONTENT_COMMITMENT","KEY_ENCIPHERMENT","DATA_ENCIPHERMENT","KEY_AGREEMENT","KEY_CERT_SIGN","CRL_SIGN","ENCIPHER_ONLY","DECIPHER_ONLY"]}},"extendedKeyUsage":{"type":"array","description":"ExtendedKeyUsage is set if copyExtensions = NO_COPY. This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.","items":{"type":"string","enum":["ANY_EXTENDED_KEY_USAGE","SERVER_AUTH","CLIENT_AUTH","CODE_SIGNING","EMAIL_PROTECTION","TIME_STAMPING","OCSP_SIGNING"]}},"subjectAlternativeNames":{"type":"array","description":"Subject Alternative Name (SAN) is set if copyExtensions = NO_COPY. The Subject Alternative Name (SAN) is an extension to the X.509 standard that allows a single certificate to secure multiple hostnames, IP addresses, or other identifiers. It is used by clients to verify that the presented certificate is valid for the server they are connecting to. 
Sample: SAN=dns:my-primary-host.example.com,dns:*.api.example.com,dns:localhost,ip:192.168.1.10,ip:127.0.0.1,ip:::1,uri:https://service.example.com/endpoint,email:admin@example.com,rid:1.2.3.4","items":{"$ref":"#/components/schemas/SubjectAlternativeName"}},"certificateAuthority":{"type":"boolean"}},"required":["certificateSigningRequest","signKeyName","signatureAlgorithm","validity"]},"CertificateResponseDto":{"type":"object","description":"Response containing the certificate.","properties":{"label":{"type":"string","description":"The name of the key a certificate is attached to."},"certificate":{"type":"string","description":"The base64 encoded certificate."}}},"SynchronousRolloverSelfSignCertificateRequestDto":{"type":"object","description":"Rollover Self-Signed Certificate request with Smart Key Attributes.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["label"]},"SynchronousRolloverCertificateSigningRequestDto":{"type":"object","description":"Rollover CSR request","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key for which CSR will be provided.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}}},"required":["signKeyName"]},"RolloverCsrResponseDto":{"type":"object","description":"Response containing the CSR to be signed.","properties":{"certificateSigningRequest":{"type":"string","description":"The generated certificate signing request (CSR)."}}},"SynchronousCertificateRequestRequestDto":{"type":"object","description":"Create a certificate request.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key used to sign the certificate request.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"signatureAlgorithm":{"type":"string","description":"The signature algorithm to be used. 
The chosen algorithm has to be compatible with the type of the key referenced by the signKeyName.","enum":["SHA224_WITH_RSA","SHA256_WITH_RSA","SHA384_WITH_RSA","SHA512_WITH_RSA","SHA256_WITH_ECDSA","SHA384_WITH_ECDSA","SHA512_WITH_ECDSA"]},"standardCertificateAttributes":{"$ref":"#/components/schemas/CertificateAttributesDto","description":"The standard certificate request attributes for X.500 series"},"keyUsage":{"type":"array","description":"The key usage extension defines the purpose (for example, encipherment, signature, or certificate signing) of the key contained in the certificate. If the public key is used for entity authentication, then the certificate extension should have the key usage Digital signature.","items":{"type":"string","enum":["DIGITAL_SIGNATURE","CONTENT_COMMITMENT","KEY_ENCIPHERMENT","DATA_ENCIPHERMENT","KEY_AGREEMENT","KEY_CERT_SIGN","CRL_SIGN","ENCIPHER_ONLY","DECIPHER_ONLY"]}},"extendedKeyUsage":{"type":"array","description":"This extension indicates one or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.","items":{"type":"string","enum":["ANY_EXTENDED_KEY_USAGE","SERVER_AUTH","CLIENT_AUTH","CODE_SIGNING","EMAIL_PROTECTION","TIME_STAMPING","OCSP_SIGNING"]}},"subjectAlternativeNames":{"type":"array","description":"The Subject Alternative Name (SAN) is an extension to the X.509 standard that allows a single certificate to secure multiple hostnames, IP addresses, or other identifiers. It is used by clients to verify that the presented certificate is valid for the server they are connecting to. 
Sample: SAN=dns:my-primary-host.example.com,dns:*.api.example.com,dns:localhost,ip:192.168.1.10,ip:127.0.0.1,ip:::1,uri:https://service.example.com/endpoint,email:admin@example.com,rid:1.2.3.4","items":{"$ref":"#/components/schemas/SubjectAlternativeName"}}},"required":["signKeyName","signatureAlgorithm","standardCertificateAttributes"]},"CertificateRequestResponseDto":{"type":"object","description":"Response containing the CSR to be signed.","properties":{"label":{"type":"string","description":"The name of the key the CSR is associated with."},"certificateSigningRequest":{"type":"string","description":"The generated certificate signing request (CSR)."}}},"RolloverSelfSignCertificateRequestDto":{"type":"object","description":"Rollover Self-Signed Certificate request with Smart Key Attributes.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."}},"required":["signKeyName"]},"SignedRolloverSelfSignCertificateRequestDto":{"type":"object","description":"Rollover a self-signed x509 certificate (asynchronous). 
After the request was approved the x509 can be obtained with GET /v1/request/{id}","properties":{"rolloverSelfSignCertificateRequest":{"$ref":"#/components/schemas/RolloverSelfSignCertificateRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["rolloverSelfSignCertificateRequest"]},"RolloverImportCertificateRequestDto":{"type":"object","description":"Rollover import certificate request","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key for which certificate will be provided.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"certificate":{"type":"string","format":"base64","description":"Certificate that should be set to the key.","minLength":1}},"required":["certificate","label"]},"RolloverCsrSignRequestDto":{"type":"object","description":"Rollover CSR request with Smart Key Attributes.","properties":{"signKeyName":{"type":"string","default":"keyname","description":"The name of the key for which CSR will be provided.","minLength":1},"keyPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"metaData":{"type":"string","format":"base64","description":"Additional meta data that will be provided to the approval client."},"metaDataSignature":{"type":"string","format":"base64","description":"Signature for the meta data."}},"required":["signKeyName"]},"SignedRolloverCertificateSigningRequestDto":{"type":"object","description":"Rollover CSR request (asynchronous) for provided ska-key.","properties":{"rolloverCsrSignRequest":{"$ref":"#/components/schemas/RolloverCsrSignRequestDto"},"requestSignature":{"$ref":"#/components/schemas/SignatureDto"}},"required":["rolloverCsrSignRequest"]},"CertificateListDto":{"type":"object","description":"List Certificate in human-readable format.","properties":{"detailLevel":{"type":"string","default":"level1","description":"The detail level of the 
response.","enum":["level1","level2","level3","level4","level5"]},"filter":{"$ref":"#/components/schemas/CertificateListFilterDto"},"paging":{"$ref":"#/components/schemas/ListCertificatePagingDto"}}},"CertificateListFilterDto":{"type":"object","description":"Filter Certificate response by certificate attributes. All attributes are (AND) associated.","properties":{"keyName":{"type":"string","default":"keyname","description":"(optional) Filter response by a given keyName (fetches the certificate information for a specific key)"},"subject":{"type":"string","description":"(optional) Filter response by the subject of the certificate (fetches the certificate information for a given subject)"},"issuer":{"type":"string","description":"(optional) Filter response by the issuer of the certificate (fetches the certificate information for a given issuer)"},"showCACertificatesOnly":{"type":"boolean","description":"(optional) Filter response to only show CA certificates [basicConstraint: CA=true]"},"publicKeyAlgorithm":{"type":"string","description":"(optional) Filter response by the key algorithm of the certificate. 
(RSA, EC, ..)"},"showPrimusX509Certificate":{"type":"boolean","default":false,"description":"(optional) Include default PrimusX509Certificate in response"}}},"ListCertificatePagingDto":{"type":"object","description":"Metadata for enabling result paging","properties":{"pageNumber":{"type":"integer","format":"int32","description":"The number of the page of results to be returned.","minimum":0},"pageSize":{"type":"integer","format":"int32","default":100,"description":"The number of results to be returned per page","minimum":1},"certificateExpiryOrder":{"type":"string","description":"Sort order of the certificate expiry dates.","enum":["NOT_BEFORE_UTC_ASC","NOT_BEFORE_UTC_DESC","NOT_AFTER_UTC_ASC","NOT_AFTER_UTC_DESC","NOT_BEFORE_ASC","NOT_BEFORE_DESC","NOT_AFTER_ASC","NOT_AFTER_DESC"]}},"required":["certificateExpiryOrder"]},"CertificateDetailLevel1":{"allOf":[{"$ref":"#/components/schemas/CertificateListLevel"},{"type":"object","properties":{"keyName":{"type":"string","description":"The name of the key associated with the certificate."},"issuer":{"type":"string","description":"The issuer of the certificate."},"subject":{"type":"string","description":"The subject of the certificate."},"validity":{"$ref":"#/components/schemas/CertificateValidityDto","description":"The validity period."},"serialNumber":{"type":"integer","description":"The serial number of the certificate."},"signatureAlgorithm":{"type":"string","description":"The signature algorithm."},"rawCertificate":{"type":"string","description":"The base64 encoded raw X.509 certificate."}}}],"description":"Certificate with detail level 1. 
These are the fields that most people care about at a glance basically the “business card” portion of the certificate"},"CertificateListLevel":{"type":"object","description":"Base Certificate Object","discriminator":{"propertyName":"detailLevel"},"properties":{"id":{"type":"string","description":"Id of the certificate."},"detailLevel":{"type":"string"}},"required":["detailLevel"]},"CertificateListResponseDto":{"type":"object","description":"Response containing the requested certificates with the specified detail level.","properties":{"certificates":{"type":"array","items":{"description":"The requested certificates."}}}},"CertificateValidityDto":{"type":"object","description":"Certificate Validity.","properties":{"notBeforeUTC":{"type":"string","format":"date-time","description":"not before, human readable (UTC)"},"notBefore":{"type":"string","format":"date-time","description":"not before"},"notAfterUTC":{"type":"string","format":"date-time","description":"not after, human readable (UTC)"},"notAfter":{"type":"string","format":"date-time","description":"not after"}}},"CertificateImportDto":{"type":"object","description":"Certificate import request, the key must exist, if a certificate already exists (e.g. self-signed), it will be overridden","properties":{"label":{"type":"string","default":"keyname","description":"The name of the certificate.","minLength":1},"certificate":{"type":"string","format":"base64","description":"Certificate that should be set to the imported key"}},"required":["label"]},"BlockKeyRequestResponseDto":{"type":"object","description":"Response to a block key request.","properties":{"blockKeyRequestId":{"type":"string","description":"The id that has been assigned to the block key request."}}},"ApproverRestoreWithPasswordKnownDto":{"type":"object","description":"Restore the approver key identified by name and (optional) a new backup password.","properties":{"approverName":{"type":"string","description":"The name of the approver e.g. 
the e-mail address","minLength":1}},"required":["approverName"]},"ApproverRestoreWithPasswordKnownResponseDto":{"type":"object","description":"Response containing the OneTimeCode.","properties":{"oneTimeCode":{"type":"array","description":"The OneTimePassword used for authentication of the onboarding process","items":{"type":"string"},"minItems":1}},"required":["oneTimeCode"]},"ApproverRestoreWithPasswordUnknownDto":{"type":"object","description":"Restore the approver key identified by name and (optional) a new backup password.","properties":{"approverName":{"type":"string","description":"The name of the approver e.g. the e-mail address","minLength":1},"newBackupPassword":{"type":"array","items":{"pattern":"^.{1}$"},"minItems":1}},"required":["approverName","newBackupPassword"]},"ApproverRenewOneTimePasswordDto":{"type":"object","description":"Renew the one time code or QR code for an approver.","properties":{"approverName":{"type":"string","description":"The name of the approver","minLength":1},"qrCode":{"type":"boolean","description":"If true, a QR code will be generated and returned instead of OTP.","example":false}},"required":["approverName"]},"ApproverOnboardDto":{"type":"object","description":"Onboard approver request with name, backup password and a secret for AES_GCM transport encryption of the pkcs12-container.","properties":{"approverName":{"type":"string","description":"The name of the approver e.g. 
the e-mail address","minLength":1},"oneTimeCode":{"type":"array","items":{"pattern":"^.{1}$"},"minItems":1},"transportPassword":{"type":"array","items":{"pattern":"^.{1}$"},"minItems":1}},"required":["approverName","oneTimeCode","transportPassword"]},"ApproverOnboardResponseDto":{"type":"object","description":"Response containing the encrypted payload of the approvers onboarding.","properties":{"encryptedPayload":{"type":"string","description":"The encrypted payload containing the approvers p12 container and certificate","minLength":1},"initializationVector":{"type":"string","description":"The initialization Vector used to decrypt the approvers p12 container","minLength":1}},"required":["encryptedPayload","initializationVector"]},"SendApprovalDto":{"type":"object","description":"Request to submit the authorization token of an approval client.","properties":{"id":{"type":"string","description":"Id of the task for which the approval is being submitted.","minLength":1},"approvalToBeSigned":{"type":"string","description":"The approval token as received in the task or constructed by the client using additional data received in the task (base64 encoded)","minLength":1},"signature":{"type":"string","description":"The signature of the approvalToBeSigned received with the task (base64 encoded)","minLength":1},"approvalDigestAlgorithm":{"type":"string","description":"The digest algorithm used for signing the approvalToBeSigned. 
The signature algorithm is given by the approver's private key","enum":["SHA-224","SHA-256","SHA-384","SHA-512","SHA3-224","SHA3-256","SHA3-384","SHA3-512"],"example":"SHA-256","minLength":1},"approverPublicKey":{"type":"string","description":"If approver is public key based: The public key of the approver in the same format as provided during key creation (base64 encoded)"},"approverCertificate":{"type":"string","description":"If approver is certificate based: The certificate of the approver in the same format as provided during key creation (base64 encoded)"}},"required":["approvalDigestAlgorithm","approvalToBeSigned","id","signature"]},"DeleteTaskRequestDto":{"type":"object","description":"Request to delete a task.","properties":{"timestamp":{"type":"string","format":"date-time","description":"The ISO-8601 formatted timestamp that has been signed by the approval client.","minLength":1},"timestampSignature":{"type":"string","format":"base64","description":"Signature(base64 encoded)  for the timestamp (ISO-8601) that was done using the key of the approver. Format of the signature is depending on the algorithm used and as returned when using a JDK's native Signature.sign() method.<br>Example (EC key):<br>echo \"MEUCIDOsDySFOWOcMKulHmR3uB8YCF7oX+vQ4dU8ooYC1OCvAiEApwMbu7nF19woZhO/KCIRV1api8oa/QCV2M2pcINAnEQ=\" | base64 -D | openssl asn1parse -inform DER<br>    0:d=0  hl=2 l=  69 cons: SEQUENCE<br>    2:d=1  hl=2 l=  32 prim: INTEGER           :33AC0F248539639C30ABA51E6477B81F18085EE85FEBD0E1D53CA28602D4E0AF<br>   36:d=1  hl=2 l=  33 prim: INTEGER           :A7031BBBB9C5D7DC286613BF2822115756A98BCA1AFD0095D8CDA97083409C44","minLength":1},"timestampSigningCertificate":{"type":"string","format":"base64","description":"Certificate used for the timestampSignature. Use when tasks for all approvers or a specific approver shall be fetched, but without access to the approver's private key. To load all tasks neither the approverPublicKey nor the approverCertificate may be set. 
If either one is set, only the tasks for this specific approver are loaded."},"approverPublicKey":{"type":"string","format":"base64","description":"Public key of the approver (base64 encoded). Either the approverPublicKey or the approverCertificate has to be provided if the timestampSigningCertificate is not set."},"approverCertificate":{"type":"string","format":"base64","description":"Certificate of the approver in DER format (base64 encoded). Either the approverPublicKey or the approverCertificate has to be provided if the timestampSigningCertificate is not set."},"timestampDigestAlgorithm":{"type":"string","description":"The message digest algorithm that was used for computing the timestamp signature.","enum":["SHA-224","SHA-256","SHA-384","SHA-512","SHA3-224","SHA3-256","SHA3-384","SHA3-512","EdDSA"],"example":"SHA-256","minLength":1},"id":{"type":"string","description":"Id of the task which shall be deleted.","minLength":1}},"required":["id","timestamp","timestampDigestAlgorithm","timestampSignature"]},"ModifyKeyAttributes":{"type":"object","description":"The attributes of the key that should be modified. At least one.","properties":{"newLabel":{"type":"string","default":"newKeyName","description":"The new name of the key."},"newPassword":{"type":"array","items":{"pattern":"^.{1}$"}},"encrypt":{"type":"boolean","description":"If true the key can be used to encrypt data. This attribute is only supported for symmetric keys."},"decrypt":{"type":"boolean","description":"If true the key can be used to decrypt data."},"verify":{"type":"boolean","description":"This attribute is only supported for symmetric keys."},"sign":{"type":"boolean","description":"If true the key can sign."},"wrap":{"type":"boolean","description":"If true the key can be used to wrap another key. 
This attribute is only supported for symmetric keys."},"unwrap":{"type":"boolean","description":"If true the key can be used to unwrap keys."},"derive":{"type":"boolean","default":false,"description":"If true it is possible to derive from this key."},"extractable":{"type":"boolean","default":false,"description":"If true the key is extractable. This option can only be true for keys without smart key attributes."},"modifiable":{"type":"boolean","default":true,"description":"If true the key can be modified. The 'modifiable' attribute applies exclusively to the key attribute and not to SKA-Policy."},"destroyable":{"type":"boolean","default":false,"description":"If true the key can be deleted."},"sensitive":{"type":"boolean","description":"If true the key is sensitive. To export a key sensitive must be false"},"copyable":{"type":"boolean","default":false,"description":"If true the encrypted key can be stored in an external memory"}}},"ModifyKeyDto":{"type":"object","description":"Modify key request.","properties":{"label":{"type":"string","default":"keyname","description":"The name of the key.","minLength":1},"password":{"type":"array","items":{"pattern":"^.{1}$"}},"modifyAttributes":{"$ref":"#/components/schemas/ModifyKeyAttributes"}},"required":["label","modifyAttributes"]},"SystemTimeInformationDto":{"type":"object","description":"System Time Information","properties":{"hsmTime":{"type":"string","description":"The current system time of the HSM (ISO-8601 formatted timestamp)"},"timestampKeyName":{"type":"string","description":"The key to sign the timestamp with SHA256withECDSA"},"timestampSignature":{"type":"string","description":"The signature of the timestamp with optional payload"},"hostTime":{"type":"string","description":"The current system time of the TSB Host (ISO-8601 formatted timestamp)"}}},"LicenseInformationDto":{"type":"object","description":"License information","properties":{"clientFlags":{"type":"array","items":{"description":"The flags that are set 
for the current subscription of the client."},"uniqueItems":true}}},"KeyStoreStatisticsDto":{"type":"object","properties":{"keyStoreStatistics":{"type":"string"}}},"HsmLogDto":{"type":"object","description":"Signed HSM Logs","properties":{"signature":{"type":"string","description":"The log signature generated with the attestation-key. (Base64 encoded)"},"signatureAlgorithm":{"type":"string","description":"The signature algorithm used to generate the signature."},"attestationCertificate":{"type":"string","description":"The attestation-key certificate to verify the log-signature."},"log":{"type":"string","description":"The HSM log as a String"}}},"GenerateRandomDto":{"type":"object","description":"Generate random response","properties":{"random":{"type":"string","description":"The random bytes generated by the HSM (base64 encoded)."}}},"AttestationCertificateDto":{"type":"object","description":"Response containing the certification chain of the attestation key.","properties":{"attestationCertificateChain":{"type":"array","items":{"format":"byte","description":"Certificate chain consisting of base64 encoded certificates."}}}},"ApproverOnboardingCertificateDto":{"type":"object","description":"Response containing the Certificate of approver(s).","properties":{"approverName":{"type":"string","description":"The name of the approver e.g. 
the e-mail address","minLength":1},"approverCertificate":{"type":"string","description":"The certificate of the approver.","minLength":1}},"required":["approverCertificate","approverName"]},"ApproverOnboardingStatusResponseDto":{"type":"object","description":"Response containing the OneTimePassword.","properties":{"onboarded":{"type":"array","description":"List of onboarded approvers (certificates)","items":{"$ref":"#/components/schemas/ApproverOnboardingCertificateDto"},"minItems":1},"pending":{"type":"array","description":"List of pending onboarded approvers (certificates)","items":{"$ref":"#/components/schemas/ApproverOnboardingCertificateDto"},"minItems":1}},"required":["onboarded","pending"]}},"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer","bearerFormat":"JWT"}}}}