Signing Requests
Version v.1.0.

Instructions

Steps for signing a request

  • Prepare your valid QSeal PSD2 Certificate
  • Create base64 data digest
  • Create signing string
  • Create signature header
  • Add the required header fields

1. Prepare your valid QSeal PSD2 Certificate

Use your (PSD2) eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.

2. Create base64 data digest

  • Get the POST body parameters, or an empty string for GET requests
  • Generate a binary SHA-512 hash of this data (SHA-256 is also allowed)
  • Generate a base64 string from the binary hash
  • Prepend the hash algorithm name (for example sha-512=)

Example digest of an empty string (-A keeps the base64 output on a single line):

echo -n | openssl dgst -binary -sha512 | openssl base64 -A

3. Create signing string

Take the required header values and sign them with your private key.

Example data (written to the temporary file /tmp/data):

/tmp/data

date: Tue, 29 Jun 2021 13:06:04 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 08dcb900-215a-4cf7-ac48-ca7b3d4b56e6

openssl dgst -sha512 -sign private_qseal.pem /tmp/data | openssl base64 -A

4. Create signature header

The Signature header must contain the following parts:

Name        Value
keyId       The certificate serial number
algorithm   The algorithm (sha-256 or sha-512)
headers     The headers included in the signature (date digest x-request-id)
signature   The signature from the previous step

An example header looks like this:

keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="

5. Add all required headers

  • Authorization: Bearer token from OAuth2
  • X-Request-ID: Generate a unique UUID for every request
  • X-Consent-ID: Specify the consent ID (optional; otherwise the consent from the token is used)
  • X-Client-ID: Client ID from the application
  • Date: Current GMT date
  • Digest: Base64 of the SHA-256/512 hash of the POST body, or of an empty string for GET requests
  • Signature: Generated in the previous step
  • TPP-Signature-Certificate: QSeal public certificate with all line breaks removed

Example headers:

Authorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImZjNWExMDYxZGRiZDUzZTk3OGUzODY2MzM0ZjIyMWZhIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MjQ5NzYzNTYsImV4cCI6MTYyNDk3OTk1NiwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo3ODg0IiwiYXVkIjpbImh0dHA6Ly8xMjcuMC4wLjE6Nzg4NC9yZXNvdXJjZXMiLCJBSVMiXSwiY2xpZW50X2lkIjoiMDZiYjAzZDUtZmIwMS00ODcwLTlkMjEtYTdiMWQyMTM1ZDY4Iiwic3ViIjoiMTE3Nzg4OCIsImF1dGhfdGltZSI6MTYyNDk3MTk1OCwiaWRwIjoibG9jYWwiLCJzY29wZSI6WyJhaXMuc2FuZGJveCIsIm9mZmxpbmVfYWNjZXNzIl0sImFtciI6WyJwd2QiXX0.qPoRY7BBLMaNEZyzgISSC81G1FxnCneS64EFq7-L65qLgZplBybfTbgGXROnL_MrEuD7oIYMgk_ytw58BGYJ4YQZa4ppCQCwgtSQncgX9SIhGnGFqGNTjCiLcVv68AuEVeDBze2EdwYtPTP3z2laqQ8ofpEfsINJ7GyQm2RNRXAtAAaY1bSIrBgm770jixhDaYA3Ou55R4mTTz_qLTt0CJtnMYMf7hCSVpgmiaW8OKpwC1cLmLl5PAaNjKEculMUjKbT_nf7M8tbmIv49dQ_M25X4GlRCt3PEwUXMkiZfDS2bb3TK3fB8wf_Lnle59l0Nl57_2hkU8PEOJ1fBpFqtg
X-Request-ID:f1b01e9e-6256-44d8-9cb8-696429530147
X-Client-ID:06bb03d5-fb01-4870-9d21-a7b1d2135d68
Date:Tue, 29 Jun 2021 14:19:16 GMT
Digest:sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Signature:keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="
TPP-Signature-Certificate:<QSeal public certificate without line breaks>
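
Steps 2 to 4 chained into one script, as an added example that is not code from the API provider: it builds the Digest and Signature header values with the same openssl commands, then verifies the signature the way a receiver would. Assumptions: a throwaway RSA key generated on the spot stands in for the QSeal private key, the function names are hypothetical, the date, x-request-id and keyId are the sample values from this page, and the signing string carries no newline after its last line.

```bash
#!/usr/bin/env bash
# Added example, not the API provider's code. A throwaway RSA key stands in for
# the QSeal private key; function names are hypothetical.

# Step 2: base64 SHA-512 of the body (empty string for GET), algorithm prepended.
make_digest() {
  printf 'sha-512=%s' "$(printf '%s' "$1" | openssl dgst -binary -sha512 | openssl base64 -A)"
}

# Step 3: signing string, one "name: value" line per signed header.
# Assumption: no newline after the last line.
make_signing_string() {  # args: date digest x-request-id
  printf 'date: %s\ndigest: %s\nx-request-id: %s' "$1" "$2" "$3"
}

# Steps 3-4: sign the string, then assemble the Signature header value.
make_signature_header() {  # args: private-key.pem keyId signing-string
  local sig
  sig=$(printf '%s' "$3" | openssl dgst -sha512 -sign "$1" | openssl base64 -A)
  [ -n "$sig" ] || return 1   # signing failed (bad or missing key)
  printf 'keyId="%s",algorithm="rsa-sha512",headers="date digest x-request-id",signature="%s"' "$2" "$sig"
}

# Receiver-side check: pull signature="..." out of the header and verify it
# over the signing string rebuilt from the received headers.
verify_signature_header() {  # args: public-key.pem header signing-string
  local tmp rc=0
  tmp=$(mktemp) || return 1
  printf '%s' "$2" | sed -n 's/.*signature="\([^"]*\)".*/\1/p' | openssl base64 -d -A > "$tmp"
  printf '%s' "$3" | openssl dgst -sha512 -verify "$1" -signature "$tmp" >/dev/null 2>&1 || rc=1
  rm -f "$tmp"
  return "$rc"
}

# Demo: sign a GET request (empty body) with the page's sample header values.
demo() {
  local dir str hdr
  dir=$(mktemp -d) || return 1
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
  str=$(make_signing_string "Tue, 29 Jun 2021 13:06:04 GMT" "$(make_digest '')" \
    "08dcb900-215a-4cf7-ac48-ca7b3d4b56e6")
  hdr=$(make_signature_header "$dir/key.pem" "1523433508" "$str")
  verify_signature_header "$dir/pub.pem" "$hdr" "$str" && printf 'Signature: %s\n' "$hdr"
  rm -rf "$dir"
}
demo
```

Running the verification locally before sending a request catches a mismatch between the Digest, the signing string and the Signature header; whether the server expects a trailing newline in the signing string should be confirmed with the API provider.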