Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Rozdział zawiera opis algorytmu weryfikacji sygnatury wraz z opisem metod służących do pobrania publicznych kluczy podpisujących.
Lista metod
:Status colour Blue title GET /v1/izi/signing-keys/public
- /wiki/spaces/PL/pages/200933378 Pobranie kluczaStatus colour Blue title GET /v1/izi/signing-keys/public/{version}
- Pobranie klucza dla wersji
Na tej stronie:
Table of Contents | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
Algorytm weryfikacji sygnatury
Signature verification algorithm:
Recipient receives signed request with headers:
x-signature
- signaturex-signature-timestamp
- ISO8601 datetime string in UTC timezone with time of signature generation ex.2023-05-11T15:02:23.429Z
x-public-key-ver
- version of keys used to generate signaturex-public-key-hash
-SHA-256
hash of public key used to generate signature
Recipient checks if already have cached public key with given version
key present in cache:
recipient checks if public key hash matches calculated as:
SHA-256
hash frompublic_key_base64
field. if verification is:positive - continue
negative - reject request with http: 401
{ "error_code": "INVALID_SIGNATURE", "error_message": "error description" }
key not present in cache:
obtain public key from
/v1/izi/signing-keys/public/{keyVersion}
or/api/v1/izi/signing-keys/public
and verify hash as above
Prepare base64 string that consists of
DIGEST,external-merchant-id,x-public-key-ver,x-signature-timestamp
. Values are separated with commasx-public-key-ver
,x-signature-timestamp
from headers, use empty value if header is missing.merchant_external_id
value comes from endpoints/v1/izi/signing-keys/public/{keyVersion}
and/v1/izi/signing-keys/public
asmerchant_external_id
fieldDIGEST
: base64 form ofSHA-256
hash (Message Digest) generated from request body. Use empty byte array as request body if body is missing.
Decode base64 signature and verify it with the
SHA256withRSA
algorithm for the given public key and signature string. If verification:positive - continue
negative - reject request with http: 401
{ "error_code": "INVALID_SIGNATURE", "error_message": "error description" }
Recipient compares
x-signature-timestamp
value to current time. If difference is:less or equal to 240s -
continue
bigger than 240s - reject request with http: 401
{ "error_code": "INVALID_SIGNATURE", "error_message": "error description" }
Manual signature verification:
curl --location 'http://{basket-app-host}/basket-app/api/v1/izi/signing-keys/public/{keyVersion}'
replace {Unknown macro: { {keyVersion}}}with value from header:
x-public-key-ver
echo "$PUBLIC_KEY_BASE64" | openssl base64 -d -A | openssl rsa -pubin -inform DER -outform PEM -out pubkey.pem
replace$PUBLIC_KEY_BASE64
with value from field:public_key_base64
DIGEST=$(echo -n "$(<message_body)" | openssl dgst -sha256 -binary | openssl enc -base64 -A)
wheremessage_body
is a file with EXACT request body (without any additions, whitespaces etc.)echo -n "$DIGEST,$EXTERNAL_MERCHANT_ID,$KEY_VERSION,$SIGNATURE_TIMESTAMP" | openssl enc -base64 -A -out signature_string
where$EXTERNAL_MERCHANT_ID
value is from public key endpoint - fieldmerchant_external_id
,$KEY_VERSION
value is from headerx-public-key-ver
and$SIGNATURE_TIMESTAMP
value is fromx-signature-timestamp
openssl enc -base64 -d -A -in request_signature -out signature.bin
whererequest_signature
is a file with value from headerx-signature
openssl dgst -sha256 -verify pubkey.pem -signature signature.bin signature_string
should printVerified OK