13. Skip to content

13. CDOC2 system components

13.1 CDOC2 reference Java library

Implements client side functionality for CDOC2 system.

13.2 CDOC2 Capsule Server (CCS)

Stores encryption/decryption key material. Provides endpoints for auth-ticket creation and key material upload/download.

13.3 CDOC2 Shares Server (CSS)

Returns share identifiers to CDOC2 Client Application. Stores Key Shares. Recipient has to authenticate with the CSSs in order to download the shares contained in a Shares Capsule. Shares Capsules are distributed between multiple CDOC2 Shares Server instances, so that compromising one server doesn't expose key material. Instances run on independent premises.

13.4 Authentication proxy

A server that relays the Mobile-ID and Smart-ID authentication requests to actual Mobile-ID/Smart-ID RP API services and acts as relying party (RP). Generates and stores secrets that cannot be revealed to CDOC2 Client Applications.

13.5 CDOC2 CLI user application

Command line utility to create/process CDOC2 files. Provides CLI interface to CDOC2 reference Java library.

14. Interfaces between system components

14.1 CDOC2 Capsule Server (CCS) interface

CSS interface provides the following endpoints:

  • /key-capsules/{transactionId} Get Server Capsule based on the transaction identifier. Used by recipient to request a Server Capsule.
  • /key-capsules Upload a Server Capsule to a CCS. Used by sender to upload Server Capsule to a CCS.

For full CCS OpenAPI specification, see Appendix C in protocol and cryptography spec.

14.2 CDOC2 Shares Server (CSS) interface

  • /key-shares/{shareId} Get key share for share identifier. Used by recipient to request a key share.
  • /key-shares Upload a key share and receive a share identifier. Used by sender to upload key share.
  • /key-shares/{shareId}/nonce Create nonce for creating an authentication ticket. Used by recipient to request a nonce.

For full CSS OpenAPI specification, see Appendix E in protocol and cryptography spec.