Signing Requests
Instructions
Steps for signing a request
- Prepare your valid QSeal PSD2 Certificate
- Create base64 data digest
- Create signing string
- Create signature header
- Add the required header fields
Use your (PSD2) eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
- Get the POST body parameters, or an empty string for GET requests
- Generate a binary SHA-512 hash of this data (SHA-256 is also allowed)
- Generate a base64 string from the binary hash
- Prepend the hash algorithm (for example sha-512=)
Example digest of an empty string:
echo -n | openssl dgst -binary -sha512 | openssl base64 -A
Get the required header values and sign them with your private key.
Example data (write the temporary data to /tmp/data):
/tmp/data
date: Tue, 29 Jun 2021 13:06:04 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 08dcb900-215a-4cf7-ac48-ca7b3d4b56e6
openssl dgst -sha512 -sign private_qseal.pem /tmp/data | openssl base64 -A
The Signature header must contain the following parts:
Name | Value |
---|---|
keyId | Serial number of the certificate |
algorithm | Specify the algorithm (sha-256 or sha-512) |
headers | Headers covered by the signature, in order (date digest x-request-id) |
signature | Signature from the previous step |
The example header must look like this:
keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="
- Authorization: Bearer token from OAuth2
- X-Request-ID: Generate a unique UUID for all requests
- X-Consent-ID: Specify the consent ID (optional; otherwise the consent from the token is used)
- X-Client-ID: Client ID from the application
- Date: Current GMT date
- Digest: Base64 of the SHA-256/512 hash of the POST body, or of an empty string for a GET request
- Signature: Generated in the last step
- TPP-Signature-Certificate: QSeal public certificate with all line breaks removed
Example headers:
Authorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImZjNWExMDYxZGRiZDUzZTk3OGUzODY2MzM0ZjIyMWZhIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MjQ5NzYzNTYsImV4cCI6MTYyNDk3OTk1NiwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo3ODg0IiwiYXVkIjpbImh0dHA6Ly8xMjcuMC4wLjE6Nzg4NC9yZXNvdXJjZXMiLCJBSVMiXSwiY2xpZW50X2lkIjoiMDZiYjAzZDUtZmIwMS00ODcwLTlkMjEtYTdiMWQyMTM1ZDY4Iiwic3ViIjoiMTE3Nzg4OCIsImF1dGhfdGltZSI6MTYyNDk3MTk1OCwiaWRwIjoibG9jYWwiLCJzY29wZSI6WyJhaXMuc2FuZGJveCIsIm9mZmxpbmVfYWNjZXNzIl0sImFtciI6WyJwd2QiXX0.qPoRY7BBLMaNEZyzgISSC81G1FxnCneS64EFq7-L65qLgZplBybfTbgGXROnL_MrEuD7oIYMgk_ytw58BGYJ4YQZa4ppCQCwgtSQncgX9SIhGnGFqGNTjCiLcVv68AuEVeDBze2EdwYtPTP3z2laqQ8ofpEfsINJ7GyQm2RNRXAtAAaY1bSIrBgm770jixhDaYA3Ou55R4mTTz_qLTt0CJtnMYMf7hCSVpgmiaW8OKpwC1cLmLl5PAaNjKEculMUjKbT_nf7M8tbmIv49dQ_M25X4GlRCt3PEwUXMkiZfDS2bb3TK3fB8wf_Lnle59l0Nl57_2hkU8PEOJ1fBpFqtg
X-Request-ID:f1b01e9e-6256-44d8-9cb8-696429530147
X-Client-ID:06bb03d5-fb01-4870-9d21-a7b1d2135d68
Date:Tue, 29 Jun 2021 14:19:16 GMT
Digest:sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Signature:keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="
TPP-Signature-Certificate:
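The steps above (digest, signing string, signature, Signature header) put together as one script, with a local verification that shows a changed header value is rejected. This is an added example, not the provider's code: it generates a throwaway RSA key instead of using a QSeal key, the keyId value is a constructed placeholder, and it assumes the signing string is the three lowercase header lines joined by newlines with no trailing newline.

```shell
#!/bin/sh
# Added example: throwaway key and constructed header values, not a real QSeal key.
set -eu

make_digest() {  # $1 = request body ("" for GET); value for the Digest header
  printf 'sha-512=%s' "$(printf '%s' "$1" | openssl dgst -binary -sha512 | openssl base64 -A)"
}

# Assumption: lowercase "name: value" lines joined by \n, no trailing newline.
make_signing_string() {  # $1 = date, $2 = digest, $3 = x-request-id
  printf 'date: %s\ndigest: %s\nx-request-id: %s' "$1" "$2" "$3"
}

sign_string() {  # $1 = signing string, $2 = private key file; single-line base64
  printf '%s' "$1" | openssl dgst -sha512 -sign "$2" | openssl base64 -A
}

make_signature_header() {  # $1 = keyId (certificate serial number), $2 = signature
  printf 'keyId="%s",algorithm="rsa-sha512",headers="date digest x-request-id",signature="%s"' "$1" "$2"
}

# Returns 0 only if the signature matches the signing string under the public key.
verify_string() {  # $1 = signing string, $2 = base64 signature, $3 = public key file
  vs_sig=$(mktemp)
  printf '%s' "$2" | openssl base64 -d -A > "$vs_sig"
  vs_rc=0
  printf '%s' "$1" | openssl dgst -sha512 -verify "$3" -signature "$vs_sig" >/dev/null 2>&1 || vs_rc=$?
  rm -f "$vs_sig"
  return "$vs_rc"
}

demo() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/key.pem" 2>/dev/null
  openssl pkey -in "$dir/key.pem" -pubout -out "$dir/pub.pem"
  digest=$(make_digest '')   # GET request: digest of the empty string
  str=$(make_signing_string 'Tue, 29 Jun 2021 13:06:04 GMT' "$digest" \
        '08dcb900-215a-4cf7-ac48-ca7b3d4b56e6')
  sig=$(sign_string "$str" "$dir/key.pem")
  printf 'Digest: %s\nSignature: %s\n' "$digest" "$(make_signature_header 'CONSTRUCTED-SERIAL' "$sig")"
  verify_string "$str" "$sig" "$dir/pub.pem" && echo 'signature verifies'
  # Changing any signed header value must make verification fail.
  verify_string "$str (tampered)" "$sig" "$dir/pub.pem" || echo 'tampered string rejected'
  rm -rf "$dir"
}
demo
```

The -A option keeps the base64 output on one line, which a header value requires; without it openssl wraps the output at 64 characters.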