AWS KMS
The issuer API can leverage AWS key management service to hook into the "cryptography as a service" or "encryption as a service" features provided by aws. With that, the issuer API can sign and verify credentials whilst keeping the secrets (signing keys) in an external secure environment.
If you are new to aws kms make sure to checkout the guides here. The rest of this document assumes you already know how AWS KMS works and have a it setup.
Setting Up Access keys and Secret keys for AWS
Prerequisites
- AWS Account: You need an active AWS account. If you don't have one, create it at AWS Console.
Create Access Keys
To securely interact with AWS services such as KMS, you need to configure your AWS access and secret keys. Here’s how to generate and configure these credentials:
- Log in to your AWS Management Console.
- Navigate to IAM (Identity and Access Management).
- In the left sidebar, click on Users, then choose your username.
- Go to the Security credentials tab.
- Under Access keys, click Create access key.
- Copy both the Access Key ID and Secret Access Key. Store them securely.
Key Creation
To create the key you can use the onboard endpoint provided by the issuer API and provide the necessary parameters to create the key in the AWS KMS service.
Creation via Issuer API
Endpoint:/onboard/issuer | API Reference
Example Request
curl -X 'POST' \
'https://issuer.portal.walt-test.cloud/onboard/issuer' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"key": {
"backend": "aws",
"keyType": "secp256r1",
"config": {
"accessKeyId": "AKIA........QU5F",
"secretAccessKey": "6YDr..................7Sr",
"region": "eu-central-1"
}
},
"did": {
"method": "jwk"
}
}'
Body
{
"key": {
"backend": "aws",
"keyType": "secp256r1",
"config": {
"accessKeyId": "AKIA........QU5F",
"secretAccessKey": "6YDr..................7Sr",
"region": "eu-central-1"
}
},
"did": {
"method": "jwk"
}
}
Body Parameters
keybackend: String - Specifies the storage type of key. It can bejwk(manged by you),AWS(managed by AWS KMS) and others. Learn more about different types here.keyType: String - the algorithm used to generate the key. For Vault only ed25519 is possible.configaccessKeyId: String - The access key id for AWS KMS.secretAccessKey: String - The secret access key for AWS KMS.region: String - The region where the AWS KMS service is located.
did:method: String - Specifies the DID method. It can be key, jwk, web, cheqd.
Example Response
The onboard/issuer endpoint will return an object containing both the generated key in JWK format and the related DID.
{
"issuerKey": {
"type": "aws",
"config": {
"accessKeyId": "AKIAW......U2TQU5F",
"secretAccessKey": "6YDrEN1t+......I3OCwSc7Sr",
"region": "eu-central-1"
},
"id": "324ebf67-6bcc-4439-8b81-260bf0a82532",
"_publicKey": "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"RfvJGDXOjz3NOSKgZ0VlijXST8S-j96DrG0C1AMNAK8\",\"y\":\"vSt2q7yIy0-AhAirMuuDmUScxkgf4JVfId-vTETraQA\"}",
"_keyType": "secp256r1"
},
"issuerDid": "did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlJmdkpHRFhPanozTk9TS2daMFZsaWpYU1Q4Uy1qOTZEckcwQzFBTU5BSzgiLCJ5IjoidlN0MnE3eUl5MC1BaEFpck11dURtVVNjeGtnZjRKVmZJZC12VEVUcmFRQSJ9"
}
Properties
type: String - the type of key can be either "aws" when using AWS KMS or "jwk" when providing the key in full as JWK.configaccessKeyId: String - The access key id for AWS KMS.secretAccessKey: String - The secret access key for AWS KMS.region: String - The region where the AWS KMS service is located.
id: String - the ID of the key in the Transit Engine._publicKey(optional): Array - The public key can be fetched by the issuer API or directly provided, saving resources and reducing network requests._keyType(optional): String - The key type can be fetched by the issuer API or directly provided, saving resources and reducing network requests.issuerDid: String - the DID of the issuer. ::
Key Usage
Once you have successfully created a key that is one of the supported types listed above, you can use it in sign and issue operations offered by the issuer API.
If you've already had a look at
our /sign, /issue, /batchIssue
endpoints, you have seen that they all follow a similar request body structure, where the key that should be
used for signing credentials is provided via the issuerKey property. Now instead of providing the key as JWK, we
provide
a reference to a key stored in Vault with the required parameters and access credentials.
Below you can see an example of
issuerKey object referencing a key stored in AWS.
{
"issuerKey": {
"type": "aws",
"config": {
"accessKeyId": "AKIAW......U2TQU5F",
"secretAccessKey": "6YDrEN1t+......I3OCwSc7Sr",
"region": "eu-central-1"
},
"id": "324ebf67-6bcc-4439-8b81-260bf0a82532",
"_publicKey": "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"RfvJGDXOjz3NOSKgZ0VlijXST8S-j96DrG0C1AMNAK8\",\"y\":\"vSt2q7yIy0-AhAirMuuDmUScxkgf4JVfId-vTETraQA\"}",
"_keyType": "secp256r1"
},
"issuerDid": "did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlJmdkpHRFhPanozTk9TS2daMFZsaWpYU1Q4Uy1qOTZEckcwQzFBTU5BSzgiLCJ5IjoidlN0MnE3eUl5MC1BaEFpck11dURtVVNjeGtnZjRKVmZJZC12VEVUcmFRQSJ9"
}
Properties
type: String - the type of key can be either "aws" when using AWS KMS or "jwk" when providing the key in full as JWK.id: String - the ID of the key in the Transit Engine.configaccessKeyId: String - The access key id for AWS KMS.secretAccessKey: String - The secret access key for AWS KMS.region: String - The region where the AWS KMS service is located.
_publicKey(optional): Array - The public key can be fetched by the issuer API or directly provided, saving resources and reducing network requests._keyType(optional): String - The key type can be fetched by the issuer API or directly provided, saving resources and reducing network requests. ::
Example Issuance Request
Below you can see example issuance request
to jwt/issue using
a key created in the Vault Transit Secret Engine to
sign the credential.
curl -X 'POST' \
'https://issuer.portal.walt.id/openid4vc/jwt/issue' \
-H 'accept: text/plain' \
-H 'statusCallbackUri: https://example.com/$id' \
-H 'Content-Type: application/json' \
-d '{
"issuerKey": {
"type": "aws",
"config": {
"accessKeyId": "AKIAWF......FM2U2TQU5F",
"secretAccessKey": "6YDrEN1t+......2B9oI3OCwSc7Sr",
"region": "eu-central-1"
},
"id": "324ebf67-6bcc-4439-8b81-260bf0a82532",
"_publicKey": "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"RfvJGDXOjz3NOSKgZ0VlijXST8S-j96DrG0C1AMNAK8\",\"y\":\"vSt2q7yIy0-AhAirMuuDmUScxkgf4JVfId-vTETraQA\"}",
"_keyType": "secp256r1"
},
"issuerDid": "did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlJmdkpHRFhPanozTk9TS2daMFZsaWpYU1Q4Uy1qOTZEckcwQzFBTU5BSzgiLCJ5IjoidlN0MnE3eUl5MC1BaEFpck11dURtVVNjeGtnZjRKVmZJZC12VEVUcmFRQSJ9",
"credentialData": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://purl.imsglobal.org/spec/ob/v3p0/context.json"
],
"id": "urn:uuid:THIS WILL BE REPLACED WITH DYNAMIC DATA FUNCTION (see below)",
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
],
"name": "JFF x vc-edu PlugFest 3 Interoperability",
...
},
"mapping": {
"id": "<uuid>",
...
}
}'
Header Parameters
statusCallbackUri: URL - Receive updates on the created issuance process, e.g. when a credential was successfully claimed. The parameter expects a URL which can accept a JSON POST request. The URL can also hold a$id, which will be replaced by the issuance session id. For example:https://myurl.com/$id,https://myurl.comorhttps://myurl.com/test/$idExpand To Learn More
Body
The data send to the provided URL will contain a JSON body:
id: String - the issuance session idtype: String - the event typedata: JsonObject - the data for the event
Event Types
Possible events (event types) and their data are:
resolved_credential_offerwith the credential offer as JSON (in our Web Wallet: called when the issuance offer is entered into the wallet, but not processing / accepted yet)requested_tokenwith the issuance request for the token as json object (called for the token required to receive the credentials)
Credential issuance (called for every credential that's issued (= requested from wallet))
jwt_issuewithjwtbeing the issued jwtsdjwt_issuewithsdjwtbeing the issued sdjwtbatch_jwt_issuewithjwtbeing the issued jwtbatch_sdjwt_issuewithsdjwtbeing the issued sdjwtgenerated_mdocwithmdocbeing the CBOR (HEX) of the signed mdoc
To allow for secure business logic flows, if a callback URL is set, and it cannot be reached, the issuance will not commence further (after that point). If no callback URL is set, the issuance logic does not change in any way.
Body
As you can see for the property issuerKey we only provided the required parameters of the TSE Key Reference Object
described above and left out _publicKey and _keyType
{
"issuerKey": {
"type": "aws",
"config": {
"accessKeyId": "AKIAWF......M2U2TQU5F",
"secretAccessKey": "6YDrEN1t+......9oI3OCwSc7Sr",
"region": "eu-central-1"
},
"id": "324ebf67-6bcc-4439-8b81-260bf0a82532",
"_publicKey": "{\"kty\":\"EC\",\"crv\":\"P-256\",\"x\":\"RfvJGDXOjz3NOSKgZ0VlijXST8S-j96DrG0C1AMNAK8\",\"y\":\"vSt2q7yIy0-AhAirMuuDmUScxkgf4JVfId-vTETraQA\"}",
"_keyType": "secp256r1"
},
"issuerDid": "did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IlJmdkpHRFhPanozTk9TS2daMFZsaWpYU1Q4Uy1qOTZEckcwQzFBTU5BSzgiLCJ5IjoidlN0MnE3eUl5MC1BaEFpck11dURtVVNjeGtnZjRKVmZJZC12VEVUcmFRQSJ9",
"credentialData": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://purl.imsglobal.org/spec/ob/v3p0/context.json"
],
"id": "urn:uuid:THIS WILL BE REPLACED WITH DYNAMIC DATA FUNCTION (see below)",
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
],
"name": "JFF x vc-edu PlugFest 3 Interoperability",
...
},
"mapping": {
"id": "<uuid>",
...
}
}