Testing your Digital Signatures with Sandbox Utilities
Developing and testing applications that implement digital signatures can be challenging, because the signing string must be constructed exactly. To that end, SMBC Group has exposed a set of digital signature utilities in the sandbox so that you can fully test your digital signature implementation before proceeding with the PIS operations that require digital signatures. The Berlin Group specification adopts the IETF draft "Signing HTTP Messages" by Cavage and Sporny and introduces the following HTTP request headers.
- TPP-Signature-Certificate: The certificate used to sign the request, in base64 encoding. To access production APIs, you will need a valid eIDAS qualified certificate for electronic seals (QSeal) to digitally sign your requests; furthermore, note that the TPP Authorisation Number in the QSeal and QWAC certificates must match.
- Digest: This header is included only when the request carries a Signature header; it contains a hash of the request payload. SMBC Group supports only SHA-256 for digests.
- Signature: The digital signature header, in the format defined by the Cavage/Sporny specification. It comprises the following parameters, all of which SMBC Group mandates:
- keyId: An opaque string that the server uses to look up the components it needs to validate the signature.
- signature: A base64-encoded digital signature over the canonicalized "signing string", which is constructed according to the "algorithm" and "headers" signature parameters.
- headers: The list of HTTP headers included when generating the signature for the message. The order is significant: the signing string is constructed by concatenating the headers in the order given by the "headers" parameter. While the full set of mandatory fields in "Signature/headers" varies by operation for production APIs, the common mandatory fields are (request-target), date and digest.
- algorithm: The digital signature algorithm used to generate the signature. SMBC Group supports only RSA-SHA256 as the digital signature algorithm.
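The following Go program is an added example, not code from SMBC Group or from its sandbox utilities. It builds the Digest and Signature headers described above for a request, then performs the checks a verifier would make on receipt: the algorithm is rsa-sha256, the signature covers every mandatory header ((request-target), date, digest), the Digest matches the body, and the RSA signature verifies over a signing string rebuilt from the received request. It assumes the canonical form of the Cavage/Sporny draft (lowercased header names, one "name: value" line per header joined by newlines, "(request-target)" expanding to the lowercased method and the path) and PKCS#1 v1.5 with SHA-256 for rsa-sha256. The host name, keyId value and payload are constructed placeholders, and the key is a throwaway one generated at run time rather than the sandbox QSeal key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Headers the page lists as mandatory in every sandbox signature, in the order used here.
var mandatoryHeaders = []string{"(request-target)", "date", "digest"}

// DigestHeader computes the Digest header value for a body; SHA-256 is the only supported digest.
func DigestHeader(body []byte) string {
	sum := sha256.Sum256(body)
	return "SHA-256=" + base64.StdEncoding.EncodeToString(sum[:])
}

// SigningString builds the canonical string of the Cavage/Sporny draft: one "name: value" line per entry of
// headerList, in exactly that order, joined by "\n"; names lowercased, values trimmed, no trailing newline.
func SigningString(r *http.Request, headerList []string) (string, error) {
	lines := make([]string, 0, len(headerList))
	for _, name := range headerList {
		lname := strings.ToLower(name)
		value := strings.ToLower(r.Method) + " " + r.URL.RequestURI() // "(request-target)" expansion
		if lname != "(request-target)" {
			if len(r.Header.Values(lname)) == 0 { // http.Header lookups are case-insensitive
				return "", fmt.Errorf("header %q is listed in the signature but missing from the request", name)
			}
			value = strings.TrimSpace(r.Header.Get(lname))
		}
		lines = append(lines, lname+": "+value)
	}
	return strings.Join(lines, "\n"), nil
}

// SignatureHeader signs with rsa-sha256 (RSA PKCS#1 v1.5 over SHA-256) and formats the four mandatory parameters.
func SignatureHeader(key *rsa.PrivateKey, keyID string, r *http.Request, headerList []string) (string, error) {
	ss, err := SigningString(r, headerList)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(ss))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`, keyID,
		strings.ToLower(strings.Join(headerList, " ")), base64.StdEncoding.EncodeToString(sig)), nil
}

// ParseSignatureHeader matches the quoted key="value" pairs rather than splitting on commas, since a keyId may contain commas.
func ParseSignatureHeader(value string) map[string]string {
	params := map[string]string{}
	for _, m := range regexp.MustCompile(`(\w+)="([^"]*)"`).FindAllStringSubmatch(value, -1) {
		params[m[1]] = m[2]
	}
	return params
}

// VerifyRequest performs the server-side checks: algorithm is rsa-sha256, every mandatory header is
// covered, Digest matches the body, and the signature verifies over the rebuilt signing string.
func VerifyRequest(pub *rsa.PublicKey, r *http.Request, body []byte) error {
	params := ParseSignatureHeader(r.Header.Get("Signature"))
	if params["algorithm"] != "rsa-sha256" {
		return fmt.Errorf("unsupported or missing algorithm %q", params["algorithm"])
	}
	headerList := strings.Fields(strings.ToLower(params["headers"]))
	for _, must := range mandatoryHeaders {
		if !strings.Contains(" "+strings.Join(headerList, " ")+" ", " "+must+" ") {
			return fmt.Errorf("signature does not cover mandatory header %q", must)
		}
	}
	if r.Header.Get("Digest") != DigestHeader(body) {
		return fmt.Errorf("Digest header missing or does not match the request body")
	}
	ss, err := SigningString(r, headerList)
	if err != nil {
		return err
	}
	sig, _ := base64.StdEncoding.DecodeString(params["signature"]) // malformed base64 simply fails to verify
	h := sha256.Sum256([]byte(ss))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; load the sandbox certificate's key here instead
	body := []byte(`{"instructedAmount":{"currency":"EUR","amount":"1.00"}}`) // constructed sample payload
	r, _ := http.NewRequest("POST", "https://sandbox.example/v1/payments/sepa-credit-transfers", nil) // placeholder host
	r.Header.Set("Date", "Tue, 07 Jun 2014 20:51:35 GMT")
	r.Header.Set("Digest", DigestHeader(body))
	sig, _ := SignatureHeader(key, "sandbox-test-key", r, mandatoryHeaders) // keyId is a placeholder
	r.Header.Set("Signature", sig)
	fmt.Printf("Signature: %s\nverify: %v\n", sig, VerifyRequest(&key.PublicKey, r, body))
}
```

Run it to see the signing string's effect: changing the path, the Date value or a single byte of the body after signing makes VerifyRequest fail, and a Signature whose "headers" parameter omits any of the three mandatory fields is rejected before the RSA check runs, which is the property that stops a signature over only harmless headers from being accepted.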
For your convenience, we have prepared the following sandbox certificate and private key for use with the sandbox APIs, including the sandbox utilities described below. That said, you are free to use your own certificate/private key pairs.
Download our Sandbox Test QWAC and QSEAL certificates here.
Testing your Digital Signature Implementation
SMBC Group recommends the following approach to develop and test your digital signature implementation:
| # | Step and Use Case | Provenance | Endpoint | Parameters |
|---|---|---|---|---|
| 1 | Generate signing string and digital signature | SMBC Group | | HTTP headers, request payload |
| 2 | Validate Berlin Group request headers for digital signatures | SMBC Group | | HTTP headers, request payload |
| 3 | Submit payment and signing basket requests with digital signatures | Berlin Group | All PISP operations requiring digital signatures, including POST /payments/{payment-product} | See the respective API documentation pages. |