14. Skip to content

14. CDOC2 system components

14.1 CDOC2 reference Java library

Implements client side functionality for CDOC2 system.

14.2 CDOC2 Capsule Server (CCS)

Stores encryption/decryption key material. Provides endpoints for auth-ticket creation and key material upload/download.

14.3 CDOC2 Shares Server (CSS)

Returns share identifiers to CDOC2 Client Application. Stores Key Shares. Recipient has to authenticate with the CSSs in order to download the shares contained in a Shares Capsule. Shares Capsules are distributed between multiple CDOC2 Shares Server instances, so that compromising one server doesn't expose key material. Instances run on independent premises.

14.4 CDOC2 Authentication server (auth-server)

Used in the SID/MID context to compose and issues a session token. The session token is an SD-JWT structure that is included, along with its signing certificate, as a header in requests to other components in the CDOC2 infrastructure.

14.5 CDOC2 Relying party server (rp-server)

Used in the SID/MID context to mediate and validate client requests to SID/MID relying party services. Validation includes verifying the session token provided by the client.

14.6 CDOC2 CLI user application

Command line utility to create/process CDOC2 files. Provides CLI interface to CDOC2 reference Java library.

15. Interfaces between system components

15.1 CDOC2 Capsule Server (CCS) interface

CSS interface provides the following endpoints:

  • /key-capsules/{transactionId} Get Server Capsule based on the transaction identifier. Used by recipient to request a Server Capsule.
  • /key-capsules Upload a Server Capsule to a CCS. Used by sender to upload Server Capsule to a CCS.

For full CCS OpenAPI specification, see Appendix C in protocol and cryptography spec.

15.2 CDOC2 Shares Server (CSS) interface

  • /key-shares/{shareId} Get key share for share identifier. Used by recipient to request a key share.
  • /key-shares Upload a key share and receive a share identifier. Used by sender to upload key share.
  • /key-shares/{shareId}/nonce Create nonce for creating an authentication ticket. Used by recipient to request a nonce.

For full CSS OpenAPI specification, see Appendix E in protocol and cryptography spec.