Sandbox Digital Signature Utility SMBC Group v1.0

Testing your Digital Signatures with Sandbox Utilities

Developing and testing applications that implement digital signatures can be challenging as one needs to be very precise about how the signing string is constructed. To that end, SMBC Group have exposed a set of digital signature utilities for the sandbox to enable you to fully test your digital signature implementation before proceeding with the relevant PIS operations that require digital signatures. The Berlin Group specification adopts the IETF Draft for Signing HTTP Messages by Cavage/Sporny and introduces the following HTTP request headers.

  1. TPP-Signature-Certificate: This is the certificate used for signing the request, in base64 encoding. To access production APIs, you will need a valid eIDAS qualified certificates for electronic seals (QSeal) to digitally sign your requests; furthermore, note that the TPP Authorisation Number in both the QSeal and QWAC certificates must match.
  2. Digest: This header is included only if the "Signature" element is contained in the header of the request and contains a hash of the request payload. SMBC Group supports only SHA-256 for digests.
  3. Signature: The digital signature header in the format defined by the Cavage/Sporny specification and comprises the following parameters, all of which are mandated by SMBC Group:
    1. keyId: This is an opaque string that the server can use to look up the component they need to validate the signature.
    2. signature: This is a base64 encoded digital signature constructed using the "algorithm" and "headers" signature parameters to form a canonicalized "signing string".
    3. headers: This is used to specify the list of HTTP headers included when generating the signature for the message. Note that the order of the headers is significant as the signing string is constructed by concatenating the headers in the order defined by the "headers" parameter. While the full set of mandatory fields in "Signature/headers" will vary by operation for production APIs,  the common mandatory fields are: (request-target), date, digest.
    4. algorithm: This is used to specify the digital signature algorithm to use when generating the signature. SMBC Group supports only RSA-SHA256 for digital signature algorithm.

For your convenience, we have prepared the following sandbox certificate and private key for use with the sandbox APIs including the sandbox utilities described below. That said, you are free to use your own certificate/private key pairs.

Download our Sandbox Test QWAC and QSEAL certificates here.

Testing your Digital Signature Implementation

SMBC Group recommends the following approach to develop and test your digital signature implementation:

#

Step and Use Case

Provenance

Endpoint

Parameters

1

Generate signing string and digital signature

  • This utility enables you to compare the three Berlin Group digital signature headers returned from this operation against what your code produces.
  • This utility further returns additional information that you can use for development and testing purposes including the derived signing string that we use to calculate the digital signature in both text and hashed formats. This enables you to validate the intermediate processing steps when generating the digital signature and needs to be correct before proceeding to the next step.
  • The "smbc-headers" HTTP header is Berlin Group operation agnostic and can be used to specify any headers of your choosing. This flexibility enables you to test both happy- and unhappy-paths for all your Berlin Group operations in relation to signing string and digital signature generation.

SMBC Group

POST /sandbox/v1/signature

HTTP headers

  • smbc-headers (SMBC): custom SMBC header used to specify the list of HTTP headers to be used when generating the signature for the message, e.g., consent-id, x-request-id, psu-id. Note that the order matters.
  • smbc-request-target (SMBC): In production, the (request-target) is derived from the production endpoint being used, for example "POST /berlingroup/v1/payments/pain.001-sepa-credit-transfers". This custom header enables you to simulate different production endpoints when testing your digital signature implementation.

Request payload

  • Any payload will do but we suggest using sample payloads that you are planning to use for, say, POST /payments.

 

2

Validate Berlin Group request headers for digital signatures

  • When you are satisfied that your application is generating the signing string and digital signature that matches POST /sandbox/v1/signature above, this utility enables you to validate the Berlin Group headers for the corresponding request.
  • As before, the "smbc-headers" HTTP header can be used to specify any headers of your choosing and therefore testing both happy- and unhappy-paths for all Berlin Group operations that require digital signatures.
 SMBC Group

POST /sandbox/v1/signature/validation

HTTP headers

  • smbc-headers (SMBC): custom SMBC header used to specify the list of HTTP headers to be used when generating the signature for the message, e.g., consent-id, x-request-id, psu-id. Note that the order matters.
  • Digest (Berlin Group): hash of the request payload.
  • Signature (Berlin Group): digital signature header in the format defined by the Cavage/Sporny specification.
  • TPP-Signature-Certificate (Berlin Group): certificate used for signing the request, in base64 encoding.

Request payload

  • Any payload will do but we suggest using sample payloads that you are planning to use for, say, POST /payments.

3

Submit payment and signing basket requests with digital signatures

  • When you have fully tested the digital signatures for, say, payment creation using the digital signature validation utility above, you are now ready to submit the full request to POST /payments.
  • In addition to all the standard Berlin Group checks (e.g. OAuth2, mandatory headers), selected PISP operations such as POST /payments require you to include the three Berlin Group headers for digital signatures. If your tests have passed using the two utilities above, you should not expect any digital signature errors when invoking these Berlin Group operations.
  • This enables you to separate the development and testing of the digital signature elements of your application from the rest of your application (e.g. OAuth2, mandatory headers).

Berlin Group

All PISP operations requiring digital signatures including POST /payments/{payment-product}

See the respective API documentation pages.

 

 

About us

Visit the main website to learn more about SMBC.

Need help?

Check our FAQs for common queries, otherwise please get in touch with our API support team to discuss your on-boarding.