EncryptedData

  • The provided data represents an encrypted value along with the necessary metadata for decryption, formatted as a JSON object.

  • The JSON object contains four string fields: encryptedValue, encapsulatedKey, signature, and recipientKeyId. The first three are base64 encoded; recipientKeyId is a certificate serial number in upper-case hex.

  • encryptedValue holds the actual encrypted data, with a maximum size of 65536 bytes, while encapsulatedKey holds the key that was used to encrypt it.

  • signature is a COSE_Sign1 object whose format depends on whether the sender is the device or the issuer, and is used for verification.

  • recipientKeyId identifies the recipient's public key that the sender used to encrypt the data. The device confirms that it matches the key being used for decryption.

An encrypted value and all metadata required to decrypt.

JSON representation

{
  "encryptedValue": string,
  "encapsulatedKey": string,
  "signature": string,
  "recipientKeyId": string
}

Fields

encryptedValue

string

The base64 encoded, encrypted value. Max size: 65536 bytes.

encapsulatedKey

string

The base64 encoded key that was used to encrypt the encrypted value.

signature

string

The base64 encoded signature of the plaintext value appended with the recipient's public encryption key. When this is sent from the device, this will be a COSE_Sign1 object, in the ProofOfOwnership format. The "challenge" in this format will be SHA-256(plaintext + recipient public key). When this is sent from the issuer, this will be a standard COSE_Sign1 object with payload = SHA-256(plaintext + recipient public key). For more details on ProofOfOwnership: https://developer.android.com/reference/android/security/identity/IdentityCredential#proveOwnership(byte[])

recipientKeyId

string

The key id of the recipient's public key that the sender used to encrypt the data. The value is the certificate serial number in upper-case hex encoding. This is not the key id of the encapsulated key. The device will confirm that this key id matches the key id of the key being used for decryption.
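
The field rules above can be enforced before any decryption is attempted. The following is an added example, not code from this reference or from the API it documents. The function names are hypothetical, and it assumes standard-alphabet base64, that the 65536-byte limit applies to the field as transmitted, and that "+" in the signature description means byte concatenation. COSE_Sign1 parsing and the decryption itself are not shown.

```python
import base64
import binascii
import hashlib
import re

MAX_ENCRYPTED_VALUE_BYTES = 65536          # "Max size" from the field description
B64_FIELDS = ("encryptedValue", "encapsulatedKey", "signature")
UPPER_HEX = re.compile(r"[0-9A-F]+")       # certificate serial, upper-case hex

class EncryptedDataError(ValueError):
    pass

def parse_encrypted_data(obj, local_key_id):
    """Structural checks to run before decryption; returns the decoded fields."""
    for name in B64_FIELDS + ("recipientKeyId",):
        if not isinstance(obj.get(name), str) or not obj[name]:
            raise EncryptedDataError(f"{name}: missing or not a string")
    # Assumption: the size limit is enforced on the field as transmitted.
    if len(obj["encryptedValue"]) > MAX_ENCRYPTED_VALUE_BYTES:
        raise EncryptedDataError("encryptedValue: exceeds 65536 bytes")
    key_id = obj["recipientKeyId"]
    if not UPPER_HEX.fullmatch(key_id):
        raise EncryptedDataError("recipientKeyId: not upper-case hex")
    # Recipient-side check: the sender must have encrypted to the key we hold.
    if key_id != local_key_id:
        raise EncryptedDataError("recipientKeyId: does not match decryption key")
    decoded = {}
    for name in B64_FIELDS:
        try:
            # Assumption: standard base64 alphabet; stray characters are rejected.
            decoded[name] = base64.b64decode(obj[name], validate=True)
        except (binascii.Error, ValueError) as exc:
            raise EncryptedDataError(f"{name}: invalid base64") from exc
    return decoded

def expected_signed_digest(plaintext, recipient_public_key):
    """SHA-256(plaintext + recipient public key), with '+' read as concatenation."""
    return hashlib.sha256(plaintext + recipient_public_key).digest()

def sample_message():
    """Constructed sample: placeholder bytes, not real ciphertext or a real serial."""
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "encryptedValue": enc(b"\x01" * 32),
        "encapsulatedKey": enc(b"\x02" * 65),
        "signature": enc(b"\x03" * 80),
        "recipientKeyId": "0A1B2C3D",
    }
```

After decryption, the value returned by `expected_signed_digest` is what the recipient compares against the challenge (device sender) or payload (issuer sender) carried in the verified COSE_Sign1 object.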