bcgov / itvr

ITVR - Confirm Entrust encryption/decryption API Works #618

Closed tim738745 closed 8 months ago

tim738745 commented 10 months ago

FTP address: ftp://ftp.cra-arc.gc.ca/pub/PKI

First, we should confirm how the current encryption/decryption process with the CRA works. As far as I can gather, a user’s EPF acts as a shared key/secret that is used by both the CRA and us to encrypt/decrypt files. If this is the case, then we need to apply to the CRA for a new reference number and authorization code, which is necessary for a new EPF to be derived. This (ref #, auth code) pair should identify the ITVR app and not a specific user, so the application process might be different from what it was before.

Then, we will need the CA and Directory addresses in order to obtain the EPF using the (ref #, auth code) pair. The details behind this are illustrated in the CreateCredential.java example, which can be found in etjava/examples/source/com/entrust/toolkit/examples/credentials, where etjava resides in the FTP address above. Note that the Directory addresses seem to be provided in the “connection” txt files in the FTP address above.

We can then use the EPF to encrypt/decrypt files; see etjava/examples/source/com/entrust/toolkit/examples/pkcs7.

Lastly, we should test that the encryption/decryption process works in the CRA test environment; if you do not have Java on your local machine, you can use a Docker image that does have Java installed.

Edit: Upon receiving further information, it looks like the EPF file is not a shared secret but is perhaps only used by the CRA to encrypt files they send to us (which we then decrypt using the same EPF)? It seems like we’re supposed to encrypt using a different certificate; perhaps it is the “Root_Ext_Trans.der” certificate for the CRA test environment, and the “Root_Ext_Prod.der” certificate for the CRA prod environment? These certificates are found in the FTP address specified above. We’ll need to confirm all this...