 |
Java API
HSM Dinamo
|
|
Java API
HSM Dinamo
|
Encode and Decode operations according to the SPB standard.
The APIs of the SPB module are intended for encoding and decoding messages in the SPB (Brazilian Payment System) standard, in accordance with the RSFN (National Financial System Network) Security Manual published by BACEN (Central Bank of Brazil).
The Brazilian Payment System (SPB) works on a system of message exchanges between financial institutions, on a private network called RSFN. The standards are defined and published by the Central Bank. All messages exchanged are encrypted and digitally signed, using a digital envelope scheme. The SPB module is responsible for handling message security.
The SPB module basically performs three functions: Encode and Decode in SPB messages, and management of SPB certificates.
Encode is performed on the messages going to the output queue and consists of:
Decode does the reverse process, acting on messages that arrive in the input queue;
Every operation with public and private keys is linked to the use of X.509 certificates, so in addition to Encode and Decode the SPB module also needs to have some certificate management.
Each institution is identified in the SPB by its ISPB code (8 digits) and can exchange messages in so-called message domains, each of which requires a different certificate. Each institution can only have one active certificate at a time in a domain.
In the SPB module, institutions (and their equivalent certificates) can only be identified by the ISPB code.
The SPB module is responsible for encrypting messages in accordance with BACEN definitions, and the SPB communication structure can be used by other systems between financial institutions motivated by the emergence of new applications within BACEN, for example:
In HSM, certificate management is done using Maps, which are pointing and reference objects. All references in the SPB module are to Maps, not to keys and certificates.
Regarding the internal naming described below, the idea is that keys, certificates and maps are managed by the specialized SPB functions of the HSM client library, so that these naming rules are completely transparent to the application, which only needs to search for the ISPB code.
If the Encode and Decode functions only needed to handle messages using active certificates, it would be enough to keep these certificates in the base, but there are cases, such as an auditing process, where the application needs to open or verify the signature of an old message that was generated using a certificate that has already been deactivated (or will still be activated in the future). This is why HSM needs to keep and accumulate all the certificates in the base, both its own and those of third parties, as they are imported, activated and deactivated.
The BACEN manual specifies that XML messages must be represented in Unicode UTF-16 BE format. For mod_SPB it doesn't matter, since the content that will be signed and encrypted in the Encode will be exactly that sent by the user, the HSM does not perform automatic text conversion either in the Encode or the Decode.
The BACEN manual mentions messages and file pointers that can be included in the content of an SPB message. The difference is that XML messages must be represented in UTF16-BE format, while files do not have this requirement.
This distinction between message and file is important for the caller, as they will decide whether they need to convert the format or not before sending it to the HSM.
In the case of messages indicating compressed content, the premise of the implementation is that the sender has the necessary compression infrastructure, so the HSM signs and encrypts what the application passes in Encode, while in the case of the recipient the premise is that they may not have the decompression infrastructure at hand, so the HSM decompresses the content in Decode and delivers the decompressed content, including automatically detecting whether the standard used is gzip or pkzip.
All messages sent are signed, and some may be for public use, with no specified recipient.
| C04 | Message | Archive | Signed | Ciphered | Zipped | Recipient | Encode | Decode |
|---|---|---|---|---|---|---|---|---|
| 0 | x | x | x | |||||
| 1 | x | x | x | use cert not yet activated | use cert not yet activated | |||
| 2 | x | x | public | accepts blank destination | accepts blank destination | |||
| 3 | x | x | ||||||
| 4 | x | x | ||||||
| 6 | x | x | public | accepts blank destination | accepts blank destination | |||
| 8 | x | x | x | x | you should already receive it zipped | unzips automatically | ||
| 10 | x | x | x | public | you should already receive it zipped | unzips automatically |
By Bacen's definition, the exchange and activation of SPB certificates is done within the system using specific messages.
The HSM can detect this type of message in Decode and promote the exchange of the certificate on the HSM's base automatically, without the application having to explicitly call the certificate activation API.
This is a parameterization option for the Decode call.
The HSM will handle the GEN0007 decode (certificate update notice via BACEN broadcast), the response to a GEN0008 (a digital certificate query, the response to which is a GEN0008R1), the response to a GEN0006 as well as the GEN0018 (BACEN certificate). For HSM, GEN0007 and the answer to GEN0008 are equivalent. In the case of GEN0018, the certificate in the message is imported, but it is not activated automatically, because the manual specifies that BACEN sends the messages at least 03 days before activation; so the application is responsible for controlling the time between receipt and activation; and to activate it is enough to inform CA and NS, because the certificate will already be imported into the HSM base.
The GEN0006 message is used by institutions to inform BACEN of the activation or update of the status of a certificate. In the HSM, the response to this message (GEN0006R1) has special treatment to promote the activation of the certificate (as of firmware version 5.0.16).
The normal operation flow for activating a new certificate involves a GEN0006 message from the institution to BACEN, which then sends a GEN0007 broadcast message informing all participants that the institution's certificate must be changed. As the institution itself also receives this GEN0007, it is at this point (during Decode) that the application can instruct the HSM to automatically activate the new certificate in its local base.
Internally, HSM only operates, imports and exports certificates in DER (binary) format, but in the library the certificate import operations support both DER and PEM (base64) format, with automatic detection.
The HSM SPB module allows you to perform encoding and decoding operations on SPB messages using keys and certificates within the HSM.
This means that the entire base of certificates and private keys of the institution itself and of the institutions with which the bank communicates will be stored and centralized in the HSM, without the need for external control.
The identification of the keys and certificates to be used is done using the ISPB code of the institutions in a way that is natural for the calling applications, instead of the common model of using the native identifiers of the keys and certificates.
To make this relationship of ISPB with keys and certificates, an object in the HSM called map was used, which simply links an ISPB to a private key and/or a certificate. This makes it possible to pass only the ISPB to an SPB encoding call instead of a key name.
In order to make it easier to use, a formation law is defined for the names of these objects.
For the key names:
k_<ISPB>_<dom>_<yyyymmddhhmmss>
k: 01 character, literal<ISPB>: 08 characters, ISPB code<dom>: up to 05 characters, domain<yyyyymmddhhmmss>: 14 characters, GMT timestamp when the key was generated.
Total: up to 31 characters, e.g: k_12345678_str01_20131029110223
For certificate names:
c_<ISPB>_<dom>_<yyyymmddhhmmss>
c: 01 character, literal<ISPB>: 08 characters, ISPB code<dom>: up to 05 characters, domain<yyyymmddhhmmss>: 14 characters, GMT timestamp when the certificate was imported.
Total: up to 31 characters, e.g: c_12345678_spb_20131101120334
The same training law applies to third-party certificates.
The map is simply an internal HSM object that stores the Ids of two other objects. In the case of the SPB module, it stores the Id of the certificate and the Id of the private key. Each Id occupies a position within the map called a slot.
Since every message involves certificate processing, the SPB module needs a way of uniquely identifying each certificate for each institution in each domain. According to the Bacen standard, each certificate has a serial number (SN) of up to 32 bytes, defined by the Certificate Authority (CA) that issues it, but there is no guarantee that serial numbers are globally unique, so the identification of the certificate needs to include information on the CA (each CA in the SPB has an identification byte) and the NS, which exceeds the 32-character limit for HSM identifiers; RFC 3280 also makes this distinction to uniquely identify a certificate. The Ids of the certificate maps used in the SPB module use a name compression scheme.
The solution adopted is an MD5 hash, which is exactly 16 bytes long (32 characters) and does not produce a collision for this use case. The definition of what will go into the composition of the hash is (CA+NS), where CA and SN are composed of uppercase hexadecimal characters.
ISPB@dom. O @ is adopted to improve naming on the client, internally in the firmware @ is translated into _.The use of @dom by the calling application is optional; the institution may not use application domains.
From the point of view of the calling application, it can refer to maps as ISPB@dom or CA@NSto use the same Encode/Decode API. The HSM library detects this automatically.
Maps allow slots to point to an FQN, meaning that the certificate and key can be in different partitions. In any case, the map must always exist in the partition of the logged-in user, even if the ids pointed to in the slots are in another partition. In principle, the best way to use it is to keep all the certificates and keys of an ISPB on the same partition, without references to remote partitions.
To make it easier to identify objects and search for ISPBs, active certificates and certificate+private key pairs have a MAP with the ISPB identifier.
All certificates and certificate+private key pairs, regardless of whether they are active or not, have a MAP with MD5 id (CA+SN) for identification and history, where CA is the identifier of the Certificate Authority and SN is the certificate's serial number.
The name of the map object is the identifier of the institution, which can be of 2 types:
03@00000000000000000000000087654321 12345678@MES01 The API documentation states whether both types of identifier are accepted or just one of them.
If you want to use objects in other users' partitions, you must specify the partition id in the identifier.
The indication is made by adding the name of the partition where the objects are located at the beginning of the identifier, separated by /.
Example: usuario/12345678@MES01
The sequence of APIs DSPBEncodeInit(), DSPBEncodeCont() and DSPBEncodeEnd() perform an SPB message encoding operation.
The call structure with init/cont/end sequence allows the calling application to use the API with any message size, including large files.
The use of parameters with source and destination ISPB identifiers in APIs aims to increase the level of verification between what the application actually has (the SPB message) and what it thinks it has (the API parameters).
The encryption operation does not change the message representation format, so the application must send the message as defined by the Central Bank (e.g. UTF-16BE). The message will be encrypted and signed as it is received.
The sequence of APIs DSPBDecodeInit(), DSPBDecodeCont() and DSPBDecodeEnd() perform an SPB message decoding operation.
The call structure with init/cont/end sequence allows the calling application to use the API with any message size.
The use of source and destination ISPB parameters in APIs is intended to increase the level of verification between what the application actually has (the SPB message) and what it thinks it has (the API parameters).
During the decode, the HSM firmware is able to detect that the message is about a certificate change and perform this update and activation automatically (without the need for further action by the application), so the bAutoUpdateCert flag must be set.
The decoding operation does not change the message representation format. The message will be passed to the application as it was deciphered.
To facilitate management and abstract away the more complex details of the SPB module, the HSM manufacturer provides a graphical console. Through it, all operations relating to loading and activating certificates, generating keys and certificate requests, creating and viewing domains, permitting partitions and many others can be easily carried out.
Check with your supplier about the availability of the HSM SPB Management Console.
More details in the equipment documentation.
Functions | |
| void | SPBActivateCertificate (String szDomain, byte bCA, String szSN) throws TacException |
| Activates a certificate that has already been imported into HSM. | |
| void | SPBActivateCertificate (String szDomain, byte bCA, String szSN, int dwParam) throws TacException |
| Activates a certificate that has already been imported into HSM. | |
| void | SPBSetISPBMap (String strISPB, String strKeyId, String strCertId) throws TacException |
| Creates a map with the institution's key and certificate in a slot. | |
| byte[] | SPBGenerateCSR (String sPrivateKeyName, String sRazaoSocial, String sISPB, String sSISBACEN, int iSequencial, boolean bProducao, String sCidade, String sUF) throws TacException |
| Generates a new CSR based on an existing key (RSA 2048). | |
| byte[] | SPBGenerateCSR (String sPrivateKeyName, String sSubject) throws TacException |
| Generates a new CSR based on an existing key (RSA 2048). | |
| byte[] | generatePKCS10CSR (String szKeyId, String szDN, int dwOutType) throws TacException |
| It generates a CSR. | |
| void | SPBImportCertificate (String szDomain, byte[] bCertificate) throws TacException |
| Import a certificate into an HSM namespace. | |
| void | SPBImportCertificate (String szDomain, byte[] bCertificate, boolean isActive) throws TacException |
| Import a certificate into an HSM namespace. | |
| void | SPBImportCertificate (String szDomain, byte[] bCertificate, boolean isActive, int dwParam) throws TacException |
| Import a certificate into an HSM namespace. | |
| void | SPBImportPKCS12 (String path, String pass, String domain, boolean isActivate, int dwFlags) throws TacException |
| Imports a certificate from a PKCS#12 container into the HSM. | |
| byte[] | SPBGetCertificate (String strIdCertificate) throws TacException |
| Retrieves a certificate stored in a namespace in the HSM. | |
| byte[] | SPBDecode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn, boolean bAcceptExpiredCert, boolean bAutoUpdateCert) throws TacSPBException, IOException |
| Decodes a message in the SPB standard, checking signatures, decrypting, but does not check encoding. | |
| byte[] | SPBDecode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn, boolean bAcceptExpiredCert, boolean bAutoUpdateCert, boolean bEncodingCheck) throws TacSPBException, IOException |
| Decrypts a message in the SPB standard, checking signatures and decrypting. | |
| byte[] | SPBDecode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn, boolean bAcceptExpiredCert, boolean bAutoUpdateCert, boolean bEncodingCheck, int dwFlags) throws TacSPBException, IOException |
| Decrypts a message in the SPB standard, checking signatures and decrypting. | |
| byte[] | SPBDecode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn) throws TacException, IOException |
| byte[] | SPBEncode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn, byte bSpecialTreatment) throws TacException |
| Encodes a message with the SPB header, signing, encrypting and including all the header fields defined in the RSFN security manual. | |
| byte[] | SPBEncode (String szSrcISPB, String szDstISPB, byte[] pbMsgIn, byte bSpecialTreatment, int dwFlags) throws TacException |
| Encodes a message with the SPB header, signing, encrypting and including all the header fields defined in the RSFN security manual. | |
| void SPBActivateCertificate | ( | String | szDomain, |
| byte | bCA, | ||
| String | szSN ) throws TacException |
Activates a certificate that has already been imported into HSM.
If another certificate is active, it will be inactivated. Only one certificate will remain active per institution, per domain within an HSM namespace.
| szDomain | SPB operating domain |
| bCA | number of the CA that issued the certificate |
| szSN | Serial number of the certificate to be activated. |
| TacException |
| void SPBActivateCertificate | ( | String | szDomain, |
| byte | bCA, | ||
| String | szSN, | ||
| int | dwParam ) throws TacException |
Activates a certificate that has already been imported into HSM.
If another certificate is active, it will be inactivated. Only one certificate will remain active per institution, per domain within an HSM namespace.
| szDomain | SPB operating domain | ||||||
| bCA | number of the CA that issued the certificate | ||||||
| szSN | Serial number of the certificate to be activated. | ||||||
| dwParam | The following table of flags is supported.
|
| TacException |
| void SPBSetISPBMap | ( | String | strISPB, |
| String | strKeyId, | ||
| String | strCertId ) throws TacException |
Creates a map with the institution's key and certificate in a slot.
| strISPB | - Map identification (can be ISPB) |
| strKeyId | - Key identification |
| strCertId | - Certificate identification |
| TacException | Throws exception in case of signature errors |
| byte[] SPBGenerateCSR | ( | String | sPrivateKeyName, |
| String | sSocialReason, | ||
| String | sISPB, | ||
| String | sSISBACEN, | ||
| int | iSequential, | ||
| boolean | bProduction, | ||
| String | sCity, | ||
| String | sUF ) throws TacException |
Generates a new CSR based on an existing key (RSA 2048).
| sPrivateKeyName | Key id in the HSM. |
| sSocialReason | Name of the entity's corporate name, in accordance with the RSFN Security Manual. |
| sISPB | ISPB code (08 digits). This is the institution's CNPJ base number. |
| sSISBACEN | The institution's SISBACEN code (05 characters). |
| iSequential | Unique sequential numbering for generating the key pair, in accordance with the RSFN Security Manual. |
| bProduction | True to indicate a production environment certificate and false to indicate a homologation environment certificate. |
| sCity | City name. Optional parameter, can indicate NUL. |
| sUF | State name (02 characters). Optional parameter, can indicate NUL. |
| TacException |
| byte[] SPBGenerateCSR | ( | String | sPrivateKeyName, |
| String | sSubject ) throws TacException |
Generates a new CSR based on an existing key (RSA 2048).
| sPrivateKeyName | Key id in the HSM. |
| sSubject | DN (Dinstinguished Name) of the CSR to generate the Subject field of the certificate. The DN fields must be separated by '/'. |
| TacException |
| byte[] generatePKCS10CSR | ( | String | szKeyId, |
| String | szDN, | ||
| int | dwOutType ) throws TacException |
It generates a CSR.
| szKeyId | key name |
| szDN | String ending in zero of maximum length CORE_P10_CSR_DN_MAX_LEN, containing the DN (Dinstinguished Name) for generating the CSR. DN fields must be separated by '/'. |
| dwOutType | Output Format P10_CSR_DER(1) or P10_CSR_PEM(2) |
| TacException |
| void SPBImportCertificate | ( | String | szDomain, |
| byte[] | bCertificate ) throws TacException |
Import a certificate into an HSM namespace.
| szDomain | name of the domain the certificate will be imported into |
| bCertificate | byte array containing the certificate (PEM or DER format) |
| TacException |
| void SPBImportCertificate | ( | String | szDomain, |
| byte[] | bCertificate, | ||
| boolean | isActive ) throws TacException |
Import a certificate into an HSM namespace.
| szDomain | name of the domain the certificate will be imported into |
| bCertificate | byte array containing the certificate (PEM or DER format) |
| isActive | activates certificate after import |
| TacException |
| void SPBImportCertificate | ( | String | szDomain, |
| byte[] | bCertificate, | ||
| boolean | isActive, | ||
| int | dwParam ) throws TacException |
Import a certificate into an HSM namespace.
| szDomain | name of the domain the certificate will be imported into | ||||||||
| bCertificate | byte array containing the certificate (PEM or DER format) | ||||||||
| isActive | activates certificate after import | ||||||||
| dwParam | The following table of flags is supported.
|
| TacException |
| void SPBImportPKCS12 | ( | String | path, |
| String | pass, | ||
| String | domain, | ||
| boolean | isActivate, | ||
| int | dwFlags ) throws TacException |
Imports a certificate from a PKCS#12 container into the HSM.
| path | File path | ||||||||
| pass | Password | ||||||||
| dwFlags | Additional key parameters.
| ||||||||
| domain | Domain for import | ||||||||
| isActivate | Activates the certificate during import |
| TacException |
| byte[] SPBGetCertificate | ( | String | strIdCertificate | ) | throws TacException |
Retrieves a certificate stored in a namespace in the HSM.
| strIdCertificate | identificação do certificado no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| TacException |
| byte[] SPBDecode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn, | ||
| boolean | bAcceptExpiredCert, | ||
| boolean | bAutoUpdateCert ) throws TacSPBException, IOException |
Decodes a message in the SPB standard, checking signatures, decrypting, but does not check encoding.
| szSrcISPB | identificação do ISPB de origem no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| szDstISPB | identificação do ISPB de destino no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| pbMsgIn | message encoded in the SPB standard passed as an array of bytes |
| bAcceptExpiredCert | true if the HSM should accept expired certificates in certificate exchange messages |
| bAutoUpdateCert | true to indicate that the HSM should automatically update the certificate of the institution that sent an SPB certificate exchange message |
| TacException | Error in HSM operation. |
| IOException | Writing error in the decoding memory (streams). |
| byte[] SPBDecode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn, | ||
| boolean | bAcceptExpiredCert, | ||
| boolean | bAutoUpdateCert, | ||
| boolean | bEncodingCheck ) throws TacSPBException, IOException |
Decrypts a message in the SPB standard, checking signatures and decrypting.
| szSrcISPB | identificação do ISPB de origem no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| szDstISPB | identificação do ISPB de destino no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| pbMsgIn | message encoded in the SPB standard passed as an array of bytes |
| bAcceptExpiredCert | true if the HSM should accept expired certificates in certificate exchange messages |
| bAutoUpdateCert | true to indicate that the HSM should automatically update the certificate of the institution that sent an SPB certificate exchange message |
| bEncodingCheck | turns on coding range validation |
| TacException | Error in HSM operation. |
| IOException | Writing error in the decoding memory (streams). |
| byte[] SPBDecode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn, | ||
| boolean | bAcceptExpiredCert, | ||
| boolean | bAutoUpdateCert, | ||
| boolean | bEncodingCheck, | ||
| int | dwFlags ) throws TacSPBException, IOException |
Decrypts a message in the SPB standard, checking signatures and decrypting.
| szSrcISPB | identificação do ISPB de origem no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". Também pode ser passado o nome do map correspondente, fora do padrão de nomenclatura do módulo SPB em casos específicos, ver dwFlags. | ||||||||||
| szDstISPB | identificação do ISPB de destino no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". Também pode ser passado o nome do map correspondente, fora do padrão de nomenclatura do módulo SPB em casos específicos, ver dwFlags. | ||||||||||
| pbMsgIn | message encoded in the SPB standard passed as an array of bytes | ||||||||||
| bAcceptExpiredCert | true if the HSM should accept expired certificates in certificate exchange messages | ||||||||||
| bAutoUpdateCert | true to indicate that the HSM should automatically update the certificate of the institution that sent an SPB certificate exchange message | ||||||||||
| bEncodingCheck | turns on coding range validation | ||||||||||
| dwFlags | Defines decoding details, and can take on the following values described in the table below.
|
| TacException | Error in HSM operation. |
| IOException | Writing error in the decoding memory (streams). |
| byte[] SPBDecode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn ) throws TacException, IOException |
This is a method provided for convenience. It differs from the above method only in the list of arguments that must be used.
| byte[] SPBEncode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn, | ||
| byte | bSpecialTreatment ) throws TacException |
Encodes a message with the SPB header, signing, encrypting and including all the header fields defined in the RSFN security manual.
| szSrcISPB | identificação do ISPB de origem no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| szDstISPB | identificação do ISPB de destino no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". |
| pbMsgIn | Message passed as an array of bytes. HSM does not perform automatic format conversion. In the SPB standard, the defined format is UTF16-BE, and it is up to the API caller to ensure that the message is using the correct format. |
| bSpecialTreatment | Special treatment indicator. Item 5.6 of the RSFN security header manual. |
| TacException |
| byte[] SPBEncode | ( | String | szSrcISPB, |
| String | szDstISPB, | ||
| byte[] | pbMsgIn, | ||
| byte | bSpecialTreatment, | ||
| int | dwFlags ) throws TacException |
Encodes a message with the SPB header, signing, encrypting and including all the header fields defined in the RSFN security manual.
| szSrcISPB | identificação do ISPB de origem no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". Também pode ser passado o nome do map correspondente, fora do padrão de nomenclatura do módulo SPB em casos específicos, ver dwFlags. | ||||||||||
| szDstISPB | identificação do ISPB de destino no formato "<ISPB>@<Dominio>". Por exemplo: "11223344@SPR". Também pode ser passado o nome do map correspondente, fora do padrão de nomenclatura do módulo SPB em casos específicos, ver dwFlags. | ||||||||||
| pbMsgIn | Message passed as an array of bytes. HSM does not perform automatic format conversion. In the SPB standard, the defined format is UTF16-BE, and it is up to the API caller to ensure that the message is using the correct format. | ||||||||||
| bSpecialTreatment | Special treatment indicator. Item 5.6 of the RSFN security header manual. | ||||||||||
| dwFlags | Defines decoding details, and can take on the following values described in the table below.
|
| TacException |