5. REST API

5.1. HTTP Request and Response

Certain response formats are common for all requests. They are documented here instead of with each individual request. Furthermore, we note that clients may theoretically fail to receive any response. In this case, the client should verify that the Internet connection is working properly, and then proceed to handle the error as if an internal error (500) had been returned.

ANY /*

Request:

Unless specified otherwise, HTTP requests that carry a message body must have the content type application/json.

Request Headers

Response:

Response Headers
200 Ok:
The request was successful.
400 Bad request:
One of the arguments to the request is missing or malformed.
500 Internal server error:
This always indicates some serious internal operational error of the Anastasis provider, such as a program bug, database problems, etc., and must not be used for client-side problems. When facing an internal server error, clients should retry their request after some delay. We recommended initially trying after 1s, twice more at randomized times within 1 minute, then the user should be informed and another three retries should be scheduled within the next 24h. If the error persists, a report should ultimately be made to the auditor, although the auditor API for this is not yet specified. However, as internal server errors are always reported to the exchange operator, a good operator should naturally be able to address them in a timely fashion, especially within 24h.

Unless specified otherwise, all error status codes (4xx and 5xx) have a message body with an ErrorDetail JSON object.

Details:

interface ErrorDetail {

  // Numeric error code unique to the condition, see gnu-taler-error-codes in GANA.
  // The other arguments are specific to the error value reported here.
  code: number;

  // Human-readable description of the error, i.e. "missing parameter", "commitment violation", ...
  // Should give a human-readable hint about the error's nature. Optional, may change without notice!
  hint?: string;

}

5.2. Protocol Version Ranges

Anastasis services expose the range of API versions they support. Clients in turn have an API version range they support. These version ranges are written down in the libtool version format.

A protocol version is a positive, non-zero integer. A protocol version range consists of three components:

  1. The current version. This is the latest version of the protocol supported by the client or service.
  2. The revision number. This value should usually not be interpreted by the client/server, but serves purely as a comment. Each time a service/client for a protocol is updated while supporting the same set of protocol versions, the revision should be increased. In rare cases, the revision number can be used to work around unintended breakage in deployed versions of a service. This is discouraged and should only be used in exceptional situations.
  3. The age number. This non-zero integer identifies with how many previous protocol versions this implementation is compatible. An age of 0 implies that the implementation only supports the current protocol version. The age must be less or equal than the current protocol version.

To avoid confusion with semantic versions, the protocol version range is written down in the following format:

current[:revision[:age]]

The angle brackets mark optional components. If either revision or age are omitted, they default to 0.

Examples:

  • “1” and “1” are compatible
  • “1” and “2” are incompatible
  • “2:0:1” and “1:0:0” are compatible
  • “2:5:1” and “1:10:0” are compatible
  • “4:0:1” and “2:0:0” are incompatible
  • “4:0:1” and “3:0:0” are compatible

Note

Semantic versions are not a good tool for this job, as we concisely want to express that the client/server supports the last n versions of the protocol. Semantic versions don’t support this, and semantic version ranges are too complex for this.

Warning

A client doesn’t have one single protocol version range. Instead, it has a protocol version range for each type of service it talks to.

Warning

For privacy reasons, the protocol version range of a client should not be sent to the service. Instead, the client should just use the two version ranges to decide whether it will talk to the service.

5.3. Common encodings

This section describes how certain types of values are represented throughout the API.

5.3.1. Binary Data

type Base32 = string;

Binary data is generally encoded using Crockford’s variant of Base32 (http://www.crockford.com/wrmg/base32.html), except that “U” is not excluded but also decodes to “V” to make OCR easy. We will still simply use the JSON type “base32” and the term “Crockford Base32” in the text to refer to the resulting encoding.

5.3.2. Hash codes

Hash codes are strings representing base32 encoding of the respective hashed data. See base32.

// 64-byte hash code.
type HashCode = string;
// 32-byte hash code.
type ShortHashCode = string;

5.3.3. Large numbers

Large numbers such as 256 bit keys, are transmitted as other binary data in Crockford Base32 encoding.

5.3.4. Timestamps

Timestamps are represented by the following structure:

interface Timestamp {
  // Milliseconds since epoch, or the special
  // value "never" to represent an event that will
  // never happen.
  t_ms: number | "never";
}
interface Duration {
  // Duration in milliseconds or "forever"
  // to represent an infinite duration.
  d_ms: number | "forever";
}

5.3.5. Integers

// JavaScript numbers restricted to integers.
type Integer = number;

5.3.6. Objects

// JavaScript objects, no further restrictions.
type Object = object;

5.3.7. Keys

// EdDSA and ECDHE public keys always point on Curve25519
// and represented  using the standard 256 bits Ed25519 compact format,
// converted to Crockford Base32.
type EddsaPublicKey = string;
// EdDSA and ECDHE public keys always point on Curve25519
// and represented  using the standard 256 bits Ed25519 compact format,
// converted to Crockford Base32.
type EddsaPrivateKey = string;

5.3.8. Signatures

// EdDSA signatures are transmitted as 64-bytes base32
// binary-encoded objects with just the R and S values (base32_ binary-only).
type EddsaSignature = string;

5.3.9. Amounts

type Amount = string;

Amounts of currency are serialized as a string of the format <Currency>:<DecimalAmount>. Taler treats monetary amounts as fixed-precision numbers, with 8 decimal places. Unlike floating point numbers, this allows accurate representation of monetary amounts.

The following constrains apply for a valid amount:

  1. The <Currency> part must be at most 11 characters long and may only consist of ASCII letters (a-zA-Z).
  2. The integer part of <DecimalAmount> may be at most 2^52.
  3. The fractional part of <DecimalAmount> may contain at most 8 decimal digits.

Note

“EUR:1.50” and “EUR:10” are valid amounts. These are all invalid amounts: “A:B:1.5”, “EUR:4503599627370501.0”, “EUR:1.”, “EUR:.1”.

An amount that is prefixed with a + or - character is also used in certain contexts. When no sign is present, the amount is assumed to be positive.

5.3.10. Time

In signed messages, time is represented using 64-bit big-endian values, denoting microseconds since the UNIX Epoch. UINT64_MAX represents “never”.

struct GNUNET_TIME_Absolute {
  uint64_t timestamp_us;
};
struct GNUNET_TIME_AbsoluteNBO {
  uint64_t abs_value_us__;       // in network byte order
};

5.3.11. Cryptographic primitives

All elliptic curve operations are on Curve25519. Public and private keys are thus 32 bytes, and signatures 64 bytes. For hashing, including HKDFs, Taler uses 512-bit hash codes (64 bytes).

struct GNUNET_HashCode {
  uint8_t hash[64];      // usually SHA-512
};
struct TALER_EcdhEphemeralPublicKeyP {
  uint8_t ecdh_pub[32];
};
struct UUID {
  uint32_t value[4];
};

5.3.12. Signatures

Any piece of signed data, complies to the abstract data structure given below.

struct Data {
  struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
  type1_t payload1;
  type2_t payload2;
  ...
};

/*From gnunet_crypto_lib.h*/
struct GNUNET_CRYPTO_EccSignaturePurpose {
  /**

  The following constraints apply for a valid amount:

   * This field is used to express the context in
   * which the signature is made, ensuring that a
   * signature cannot be lifted from one part of the protocol
   * to another. See `src/include/taler_signatures.h` within the
   * exchange's codebase (git://taler.net/exchange).
   */
  uint32_t purpose;
  /**
   * This field equals the number of bytes being signed,
   * namely 'sizeof (struct Data)'.
   */
  uint32_t size;
};

5.3.13. Receiving Configuration

GET /config

Obtain the configuration details of the escrow provider.

Response:

Returns an EscrowConfigurationResponse.

interface EscrowConfigurationResponse {

  // Protocol identifier, clarifies that this is an Anastasis provider.
  name: "anastasis";

  // libtool-style representation of the Exchange protocol version, see
  // https://www.gnu.org/software/libtool/manual/html_node/Versioning.html#Versioning
  // The format is "current:revision:age".
  version: string;

  // Currency in which this provider processes payments.
  currency: string;

  // Supported authorization methods.
  methods: AuthorizationMethodConfig[];

  // Maximum policy upload size supported.
  storage_limit_in_megabytes: number;

  // Payment required to maintain an account to store policy documents for a year.
  // Users can pay more, in which case the storage time will go up proportionally.
  annual_fee: Amount;

  // Payment required to upload truth.  To be paid per upload.
  truth_upload_fee: Amount;

  // Limit on the liability that the provider is offering with
  // respect to the services provided.
  liability_limit: Amount;

  // Salt value with 128 bits of entropy.
  // Different providers
  // will use different high-entropy salt values. The resulting
  // **provider salt** is then used in various operations to ensure
  // cryptographic operations differ by provider.  A provider must
  // never change its salt value.
  server_salt: string;

}
interface AuthorizationMethodConfig {
  // Name of the authorization method.
  type: string;

  // Fee for accessing key share using this method.
  cost: Amount;

}

5.3.14. Receiving Terms of Service

GET /terms

Obtain the terms of service provided by the escrow provider.

Response:

Returns the terms of service of the provider, in the best language and format available based on the client’s request.

GET /privacy

Obtain the privacy policy of the service provided by the escrow provider.

Response:

Returns the privacy policy of the provider, in the best language and format available based on the client’s request.

5.3.15. Manage policy

This API is used by the Anastasis client to deposit or request encrypted recovery documents with the escrow provider. Generally, a client will deposit the same encrypted recovery document with each escrow provider, but provide a different truth to each escrow provider.

Operations by the client are identified and authorized by $ACCOUNT_PUB, which should be kept secret from third parties. $ACCOUNT_PUB should be an account public key using the Crockford base32-encoding.

In the following, UUID is always defined and used according to RFC 4122.

GET /policy/$ACCOUNT_PUB[?version=$NUMBER]

Get the customer’s encrypted recovery document. If version is not specified, the server returns the latest available version. If version is specified, returns the policy with the respective version. The response must begin with the nonce and an AES-GCM tag and continue with the ciphertext. Once decrypted, the plaintext is expected to contain:

  • the escrow policy
  • the separately encrypted master public key

Note that the key shares required to decrypt the master public key are not included, as for this the client needs to obtain authorization. The policy does provide sufficient information for the client to determine how to authorize requests for truth.

The client MAY provide an If-None-Match header with an Etag. In that case, the server MUST additionally respond with an 304 status code in case the resource matches the provided Etag.

Response:

200 OK:
The escrow provider responds with an EncryptedRecoveryDocument object.
304 Not modified:
The client requested the same resource it already knows.
400 Bad request:
The $ACCOUNT_PUB is not an EdDSA public key.
402 Payment Required:
The account’s balance is too low for the specified operation. See the Taler payment protocol specification for how to pay.
403 Forbidden:
The required account signature was invalid.
404 Not found:
The requested resource was not found.

Anastasis-Version: $NUMBER — The server must return actual version of the encrypted recovery document via this header. If the client specified a version number in the header of the request, the server must return that version. If the client did not specify a version in the request, the server returns latest version of the EncryptedRecoveryDocument.

Etag: Set by the server to the Base32-encoded SHA512 hash of the body. Used for caching and to prevent redundancies. The server MUST send the Etag if the status code is 200 OK.

If-None-Match: If this is not the very first request of the client, this contains the Etag-value which the client has received before from the server. The client SHOULD send this header with every request (except for the first request) to avoid unnecessary downloads.

Anastasis-Account-Signature: The client must provide Base-32 encoded EdDSA signature over hash of body with $ACCOUNT_PRIV, affirming desire to download the requested encrypted recovery document. The purpose used MUST be TALER_SIGNATURE_ANASTASIS_POLICY_DOWNLOAD (1401).

POST /policy/$ACCOUNT_PUB

Upload a new version of the customer’s encrypted recovery document. While the document’s structure is described in JSON below, the upload should just be the bytestream of the raw data (i.e. 32-byte nonce followed by 16-byte tag followed by the encrypted document). If the request has been seen before, the server should do nothing, and otherwise store the new version. The body must begin with a nonce, an AES-GCM tag and continue with the ciphertext. The format is the same as specified for the response of the GET method. The Anastasis server cannot fully validate the format, but MAY impose minimum and maximum size limits.

Request:

Query Parameters
  • storage_duration=YEARS – For how many years from now would the client like us to store the recovery document? Defaults to 0 (that is, do not extend / prolong existing storage contract). The server will respond with a 402 Payment required, but only if the rest of the request is well-formed (account signature must match). Clients that do not actually intend to make a new upload but that only want to pay may attempt to upload the latest backup again, as this option will be checked before the 304 Not modified case.
  • timeout_ms=NUMBEROptional. If specified, the Anastasis server will wait up to timeout_ms milliseconds for completion of the payment before sending the HTTP response. A client must never rely on this behavior, as the backend may return a response immediately.

If-None-Match: This header MUST be present and set to the SHA512 hash (Etag) of the body by the client. The client SHOULD also set the Expect: 100-Continue header and wait for 100 continue before uploading the body. The server MUST use the Etag to check whether it already knows the encrypted recovery document that is about to be uploaded. The server MUST refuse the upload with a 304 status code if the Etag matches the latest version already known to the server.

Anastasis-Policy-Signature: The client must provide Base-32 encoded EdDSA signature over hash of body with $ACCOUNT_PRIV, affirming desire to upload an encrypted recovery document.

Payment-Identifier: Base-32 encoded 32-byte payment identifier that was included in a previous payment (see 402 status code). Used to allow the server to check that the client paid for the upload (to protect the server against DoS attacks) and that the client knows a real secret of financial value (as the kdf_id might be known to an attacker). If this header is missing in the client’s request (or the associated payment has exceeded the upload limit), the server must return a 402 response. When making payments, the server must include a fresh, randomly-generated payment-identifier in the payment request.

Response:

204 No content:
The encrypted recovery document was accepted and stored. Anastasis-Version and Anastasis-UUID headers indicate what version and UUID was assigned to this encrypted recovery document upload by the server.
304 Not modified:
The same encrypted recovery document was previously accepted and stored. Anastasis-Version header indicates what version was previously assigned to this encrypted recovery document.
400 Bad request:
The $ACCOUNT_PUB is not an EdDSA public key or mandatory headers are missing. The response body MUST elaborate on the error using a Taler error code in the typical JSON encoding.
402 Payment required:
The account’s balance is too low for the specified operation. See the Taler payment protocol specification for how to pay. The response body MAY provide alternative means for payment.
403 Forbidden:
The required account signature was invalid. The response body may elaborate on the error.
413 Request entity too large:
The upload is too large or too small. The response body may elaborate on the error.

Details:

interface EncryptedRecoveryDocument {
  // Nonce used to compute the (iv,key) pair for encryption of the
  // encrypted_compressed_recovery_document.
  nonce: [32]; //bytearray

  // Authentication tag.
  aes_gcm_tag: [16]; //bytearray

  // Variable-size encrypted recovery document. After decryption,
  // this contains a gzip compressed JSON-encoded RecoveryDocument.
  // The salt of the HKDF for this encryption must include the
  // string "erd".
  encrypted_compressed_recovery_document: []; //bytearray of undefined length

}
interface RecoveryDocument {
  // Account identifier at backup provider, AES-encrypted with
  // the (symmetric) master_key, i.e. an URL
  // https://sync.taler.net/$BACKUP_ID and
  // a private key to decrypt the backup.  Anastasis is oblivious
  // to the details of how this is ultimately encoded.
  backup_account: []; //bytearray of undefined length

  // List of escrow providers and selected authentication method.
  methods: EscrowMethod[];

  // List of possible decryption policies.
  policy: DecryptionPolicy[];

}
interface EscrowMethod {
  // URL of the escrow provider (including possibly this Anastasis server).
  provider_url : string;

  // Type of the escrow method (e.g. security question, SMS etc.).
  escrow_type: string;

  // UUID of the escrow method (see /truth/ API below).
  uuid: string;

  // Key used to encrypt the Truth this EscrowMethod is related to.
  // Client has to provide this key to the server when using /truth/.
  truth_encryption_key: [32]; //bytearray

  // Salt used to encrypt the truth on the Anastasis server.
  truth_salt: [32]; //bytearray

  // The challenge to give to the user (i.e. the security question
  // if this is challenge-response).
  // (Q: as string in base32 encoding?)
  // (Q: what is the mime-type of this value?)
  //
  // For some methods, this value may be absent.
  //
  // The plaintext challenge is not revealed to the
  // Anastasis server.
  challenge: []; //bytearray of undefined length

}
interface DecryptionPolicy {
  // Salt included to encrypt master key share when
  // using this decryption policy.
  policy_salt: [32]; //bytearray

  // Master key, AES-encrypted with key derived from
  // salt and keyshares revealed by the following list of
  // escrow methods identified by UUID.
  encrypted_master_key: [32]; //bytearray

  // List of escrow methods identified by their UUID.
  uuid: string[];

}

5.3.16. Managing truth

Truth always consists of an encrypted key share and encrypted authentication data. The key share and the authentication data are encrypted using different keys. Additionally, truth includes the name of the authentication method, the mime-type of the authentication data, and an expiration time in cleartext.

This API is used by the Anastasis client to deposit truth or request a (encrypted) key share with the escrow provider.

An escrow method specifies an Anastasis provider and how the user should authorize themself. The truth API allows the user to provide the (encrypted) key share to the respective escrow provider, as well as auxiliary data required for such a respective escrow method.

An Anastasis-server may store truth for free for a certain time period, or charge per truth operation using GNU Taler.

POST /truth/$UUID

Upload a TruthUploadRequest-Object according to the policy the client created before (see RecoveryDocument). If request has been seen before, the server should do nothing, and otherwise store the new object.

Request:

Query Parameters
  • timeout_ms=NUMBEROptional. If specified, the Anastasis server will wait up to timeout_ms milliseconds for completion of the payment before sending the HTTP response. A client must never rely on this behavior, as the backend may return a response immediately.

Response:

204 No content:
Truth stored successfully.
304 Not modified:
The same truth was previously accepted and stored under this UUID. The Anastasis server must still update the expiration time for the truth when returning this response code.
402 Payment required:
This server requires payment to store truth per item. See the Taler payment protocol specification for how to pay. The response body MAY provide alternative means for payment.
409 Conflict:
The server already has some truth stored under this UUID. The client should check that it is generating UUIDs with enough entropy.
412 Precondition failed:
The selected authentication method is not supported on this provider.

Details:

interface TruthUploadRequest {
  // Contains the information of an interface EncryptedKeyShare, but simply
  // as one binary block (in Crockford Base32 encoding for JSON).
  key_share_data: []; //bytearray

  // Key share method, i.e. "security question", "SMS", "e-mail", ...
  type: string;

  // Variable-size truth. After decryption,
  // this contains the ground truth, i.e. H(challenge answer),
  // phone number, e-mail address, picture, fingerprint, ...
  // **base32 encoded**.
  //
  // The nonce of the HKDF for this encryption must include the
  // string "ECT".
  encrypted_truth: []; //bytearray

  // MIME type of truth, i.e. text/ascii, image/jpeg, etc.
  truth_mime?: string;

  // For how many years from now would the client like us to
  // store the truth?
  storage_duration_years: Integer;

}
GET /truth/$UUID

Get the stored encrypted key share. Also, the user has to provide the correct truth_encryption_key with every get request (see below). The encrypted key share is returned simply as a byte array and not in JSON format.

Query Parameters
  • response=H_RESPONSEOptional. If $H_RESPONSE is specified by the client, the server checks if $H_RESPONSE matches the expected response. This can be the hash of the security question (as specified before by the client within the TruthUploadRequest (see encrypted_truth)), or the hash of the PIN code sent via SMS, E-mail or postal communication channels. When $H_RESPONSE is correct, the server responds with the encrypted key share.
  • timeout_ms=NUMBEROptional. If specified, the Anastasis server will wait up to timeout_ms milliseconds for completion of the payment or the challenge before sending the HTTP response. A client must never rely on this behavior, as the backend may return a response immediately.

Response:

200 OK:
EncryptedKeyShare is returned in body (in binary).
202 Accepted:
The escrow provider will respond out-of-band (i.e. SMS). The body may contain human- or machine-readable instructions on next steps. In case the response is in JSON, the format is given by ChallengeInstructionMessage.
208 Already Reported:
An authentication challenge was recently send, client should simply respond to the pending challenge.
303 See other:
The provider redirects for authentication (i.e. video identification/WebRTC). If the client is not a browser, it should launch a browser at the URL given in the Location header and allow the user to re-try the operation after successful authorization.
402 Payment required:
The service requires payment for access to truth. See the Taler payment protocol specification for how to pay. The response body MAY provide alternative means for payment.
403 Forbidden:
The server requires a valid “response” to the challenge associated with the UUID.
404 Not found:
The server does not know any truth under the given UUID.
408 Request Timeout:
Accessing this truth requires satisfying an external authentication challenge (and not merely passing a response in the request) and this has not happened before the timeout was reached.
410 Gone:
The server has not (recently) issued a challenge under the given UUID, but a reply was provided. (This does not apply for secure question.)
417 Expectation Failed:
The decrypted truth does not match the expectations of the authentication backend, i.e. a phone number for sending an SMS is not a number, or an e-mail address for sending an E-mail is not a valid e-mail address.
503 Service Unavailable:
Server is out of Service.

Truth-Decryption-Key: Key used to encrypt the truth (see encrypted_truth within TruthUploadRequest) and which has to provided by the user. The key is stored with the according EscrowMethod. The server needs this key to get the info out of TruthUploadRequest needed to verify the $RESPONSE.

Details:

interface EncryptedKeyShare {
  // Nonce used to compute the decryption (iv,key) pair.
  nonce_i: [32]; //bytearray

  // Authentication tag.
  aes_gcm_tag_i: [16]; //bytearray

  // Encrypted key-share in base32 encoding.
  // After decryption, this yields a KeyShare.  Note that
  // the KeyShare MUST be encoded as a fixed-size binary
  // block (instead of in JSON encoding).
  //
  // HKDF for the key generation must include the
  // string "eks" as salt.
  // Depending on the method,
  // the HKDF may additionally include
  // bits from the response (i.e. some hash over the
  // answer to the security question).
  encrypted_key_share_i: [32]; //bytearray

}
interface KeyShare {
  // Key material to concatenate with policy_salt and KDF to derive
  // the key to decrypt the master key.
  key_share: [32]; //bytearray

  // Signature over method, UUID, and key_share.
  account_sig: EddsaSignature;

}
type ChallengeInstructionMessage =
  | IbanChallengeInstructionMessage;

interface IbanChallengeInstructionMessage {

  // What kind of challenge is this?
  method: "iban";

  // How much should be wired?
  amount: Amount;

  // What is the target IBAN?
  credit_iban: String;

  // What is the receiver name?
  business_name: String;

  // What is the expected wire transfer subject?
  wire_transfer_subject: Integer;

  // Hint about the origin account that must be used.
  debit_account_hint: String;

}