RSEs use this service to download a previously requested Application Certificate.
PORT | 8892 |
---|---|
PATH | /download/application-certificate |
HTTP Method | GET |
HTTP Request Body | Empty |
HTTP Request Headers | HTTP Header 'Download-Req' containing a Base64 encoded ASN.1 serialized SecuredAuthenticatedDownloadRequest, containing a SignedAuthenticatedDownloadRequest, containing a ScopedAuthenticatedDownloadRequest, containing an AuthenticatedDownloadRequest with a filename property of the form [0-9A-F]{16}.zip, where the group of 16 hexadecimal digits is the device's request hash obtained from the initial provision application certificate request. There shall be exactly one application certificate per file. Range (optional) as defined in RFC 2616: To support partial downloads for resuming interrupted transfers. Examples: |
HTTP Response Body | If no Range header is present, the entire zip file corresponding to the requested batch. If a Range header is present, the specified bytes of the referenced file. |
Preconditions
- The requested certificate has already been generated
- The requesting device has not been previously revoked
Postconditions
- The file corresponding to the certificate specified in the request URL is returned
- The content of the file is exactly one application certificate file per certificate download file. The content of the certificate file is the binary representation of the application certificate named as in:
- X
- X shall be the lower 8-bytes of the SHA-256 hash of the device request in hexadecimal (case insensitive 16 hexadecimal digits)
- Where there is no extension
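The following added example (not part of the original specification or any SCMS implementation) shows how an RSE client could derive the download filename and verify the returned archive against the postconditions above. It assumes "lower 8 bytes" means the last 8 bytes of the SHA-256 digest and that the hash is taken over the raw request bytes; the function names and sample data are hypothetical.

```python
import hashlib
import io
import re
import zipfile

# Filename form required for the AuthenticatedDownloadRequest filename property.
FILENAME_RE = re.compile(r"[0-9A-F]{16}\.zip")


def request_hash(device_request: bytes) -> str:
    """16 hex digits: lower 8 bytes of SHA-256 over the device request.

    Assumption: "lower 8 bytes" means the last 8 bytes of the digest.
    """
    return hashlib.sha256(device_request).digest()[-8:].hex().upper()


def download_filename(device_request: bytes) -> str:
    name = request_hash(device_request) + ".zip"
    if not FILENAME_RE.fullmatch(name):
        raise ValueError("filename does not match [0-9A-F]{16}.zip")
    return name


def check_download(device_request: bytes, zip_bytes: bytes) -> bytes:
    """Return the certificate bytes, or raise ValueError if a postcondition fails."""
    expected = request_hash(device_request)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entries = [e for e in zf.infolist() if not e.is_dir()]
        if len(entries) != 1:
            raise ValueError(f"expected exactly one certificate, got {len(entries)}")
        name = entries[0].filename
        # Name is X with no extension and no path component, compared case-insensitively.
        if not re.fullmatch(r"[0-9A-Fa-f]{16}", name) or name.upper() != expected:
            raise ValueError(f"unexpected certificate file name: {name!r}")
        return zf.read(entries[0])


def build_sample_zip(files: dict) -> bytes:
    """Constructed test input: an in-memory zip holding the given name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    req = b"constructed device request bytes"  # not a real encoded request
    archive = build_sample_zip({request_hash(req).lower(): b"constructed certificate"})
    print(download_filename(req), check_download(req, archive))
```

Rejecting any entry name that is not exactly 16 hexadecimal digits also keeps a path component or extension in the archive from reaching the file system when the certificate is stored.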
Error Handling
See "RA-EE Errors" in Overview of Used Error Codes
Quality of Service
For PoC, the volume for this interface is still TBD but is not expected to have significant impact on system throughput requirements.
Quality of Protection
- RA protects access with HTTPS (TLS V1.2)
- Supports at a minimum OpenSSL cipher suite ECDHE-ECDSA-AES128-SHA256
- Uses certificate-based client authentication of data signed by the device enrollment certificate, validated at the application layer. This is a supplement to the one-way TLS authentication, to provide two-way authentication with a TLS/1609.2 hybrid scheme.