Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Developed by Sasikumar Ganesan, Jurgen Niinre, Dr. P. S. Ramkumar, Kassy Kadio, in cooperation with GIZ, ITU, and DIAL
Key Digital Functionalities describe the core (required) functions that this Building Block must be able to perform.
To facilitate the eSignature service as described in section 2, the Building Block must have specific Key Digital Functionalities.
The Hardware Security Module (HSM) is an integral part of the eSignature Building Block. The HSM ensures the protection of a key with utmost safety. Without an HSM the key can potentially fall into the wrong hands and could result in huge mistrust. All keys used in our one-time signatures are created, used, and destroyed within the HSM. The HSM should be configured with FIPS 140-2 Level 3. This device will follow PKCS11 or JCE standards.
The eSignature creation device (SCD) is the component where the user's private key would be stored. The SCD could be a Smart card, Mobile App, Sim card App, or equivalent. The SCD interacts with the eSignature Building Block using its own internal protocol. Every eSignature Building Block will support one or many such SCDs. Most of the SCD would be protected with a secure PIN/Biometrics.
The SCD should be qualified with at least one of the following FIPS 140-2/3 Level 3 or Annex II of Regulation (EU) No 910/2014 (eIDAS) or equivalent common criteria certification.
The time of a sign is an important part of the signature. Without a proper time of the signature, we can never trust the signature, as one can not find if the signature happened before its expiry or after expiry. Most often this functionality is provided by the timestamping server hosted by the CA. This service follows RFC 3161
This is one of the most important functionality of eSignature. This service is responsible for providing the One Time Signature API and interacts with the Hardware Security Module (HSM). This service validates the user against the Authorization Building Block. A valid user is allowed to create a key in HSM and sign it. Every key created here will also need an X509 certificate. The certificate management module will publish this created X509 certificate.
Keys created during One Time Signature should be deleted after the signature process. Logs SHOULD be kept in a database of the details of the deletion. Logs MUST include timestamps and identify the user and affiliation that performed the transaction.
eSignature creation device (SCD) On-Boarding is the module responsible for binding the SCD and user. The module interacts with the Identity Building Block and will validate the user's presence before issuing the Certificate. This module is responsible for talking to the SCD for all types of key management and administrative needs. This module is hosted on a server and would ensure the keeping of clear audit records and Know Your Customer/Client (KYC) records.
The SCD Signing is one of the vital functions of the eSignature Building Block. When a user holds its key in an SCD then this module is responsible for interacting with the SCD to sign any required document. This module works in asynchronous mode. A signature is requested on demand using the API. However, the module interacts with the SCD asynchronously. The module is responsible for connecting to SCD for all signing purposes.
All certificates that are created within the SCD will be hosted in this module. The module lets everyone have their X509 public certificate hosted for any verification. The module should have an administrative ability to allow people to revoke the keys on demand. The module has to maintain the OCSP & CRL-based revocations. Key revocation is not available in Onetime Signatures as the certificate is short-lived.
This module is responsible for notifying the SCD device when a signature is needed. This helps the SCD to alert the user. The user can look through the notification and accept to sign the document. The module is also responsible for notification of a signature to the user's mobile phone/email/SCD. The notification to the user can be used as an audit record by the user. This interface abstracts the messaging with an omnichannel interface. The notification Building Block can be used to send notifications to the end user/device.
This interface handles the necessary health, metrics, traceability and legal needs for the given Building Block. While there are no certain standards to this, it is recommended to follow the OpenTelemetry design to address some of the challenges. Issuance of signature certificates is usually backed by several legal regulations. The requirements can range from KYC details available upon Judicial intervention, Revocation and Transparency of the revoked certificate as per OCSP/CRL (Similar to RFC 6961/RFC 5280) and Dispute Resolution.
Once the signature is completed the signature backend keeps the signature until the eService server makes a request. Once the eService has received the Signature Token (SignatureId), It can request the eSignature BB to send the final signature. Once the Signature Token is validated the BB sends the signature. This happens over a backend-protected channel.
This is the callback service available in eService. Once the signature is complete the user will be redirected to the eService. This module is responsible for understanding the redirect request and the HTTP parameters that are passed during this redirection.
This module is responsible for validating a digital signature. This is provided as a library. A format-specific validation library should be provided. The majority of the format adopted in this specification provides a clear explanation of how to validate the signature. But in a few specified formats like ASC, it may be necessary for the signature service to explicitly state the validation mechanism. It is also expected that the service provider will provide a library, application (optional), and online service(optional) to validate the signature.
The version history table describes the major changes to the specifications between published versions.
0.8
Sasikumar Ganesan, Jurgen Niinre, Dr. P. S. Ramkumar, Kassy Kadio
Initial draft specifications
0.9
eSignature team, Architecture team, Technical Committee
Technical review and updates
1.0
eSignature team + Product Committee
Presentation updates
This section provides context for this Building Block.
eSignature Building Block provides the necessary functionalities to bring handwritten signatures to the digital world. Handwritten signatures have served as a way to agree/witness a given document, yet, in today's digital world most documents are in digital form. The digital form varies between structured (XML, JSON) and unstructured documents (PDF, Word, Image, CSV, Spreadsheet). eSignatures can be added to digital documents similar to handwritten signatures achieving the same functionality.
Additionally, eSignatures improve user experience in managing the signing process as the same can be embedded directly in e-Services, leaving out the need to print out forms, sign on paper, scan, and upload/send.
eSignature provides a considerable advantage over handwritten signatures because of the availability for verification at any point in time. This allows for remote validation of signatures, content (content being the same as that during signing), identity, and time. This assurance allows us to trust a signed document remotely and can be used for legally binding agreements. Sample use cases include:
Submitting applications to Government agencies (e.g. Child Care, Residence Registration, Marriage, etc.)
Purchase and use banking services (i.e. making transfers, adding transfer limits, applying for loans)
Purchasing telecom services (i.e. purchase SIM/eSIM, change contract, add a TV subscription)
Purchase utility services (i.e. new contract for electricity, gas)
Purchase insurance contract
With eSignature there is no need to print documents on paper anymore, saving a lot of paper and promoting a green lifestyle. This can also save money and can be calculated with an online calculator designed for the eSignature practice.
Ability to support eSignature for everyone.
Ability to support eSignature through a specialized user device/card.
The ability for third-party services (including other Building Blocks) to interact, sign, and verify the eSignatures in a standardized model.
Users: people or applications (delegated by a user) who use the eSignature Building Block to give eSignatures.
Services: third-party services that require a user eSignature to provide the service.
Auditor: individual or organization that reviews the platform for any misuse (intentional or unintentional)
Administrator: individual or team that configures the eSignature Building Block and is responsible for ensuring the functioning of the Building Block.
Certification Authority: a certification authority that can issue a certificate as X509.
Timestamp Authority: a trusted third party who can provide certified time.
There are two lifecycles available for the eSignature Building Block. Both mechanisms have their own unique advantages, therefore it is recommended to follow both for an inclusive approach.
One-time signatures are one of the easiest ways to get large-scale adoption of eSignatures. This approach does not require any device to be owned by the end user. This approach relies on the work done by the ID Building Block to authenticate an end user.
User authenticates against the ID Building Block
The user is redirected to the eSignatures Building Block
A new key pair is created in the HSM (Hardware Security Module)
An X509 Certificate is issued with the details from the ID Building Block (Name, Age, Gender, Location)
The new key is used to timestamp and sign the document
The X509 certificate is set to expire 1 minute from the time of creation
The signed document is sent
The private key is deleted from the HSM
The SCD (Signature Creation Device) is a personal device of the user. It could be a Mobile Phone, SIM card, Smart Card, Secure SD Card, USB Storage device, NFC Card, etc. The SCD device can be used to store the keys for long-term usage. This allows the user to interact with the ID Building Block once and create a key on the SCD. This key then can be used for signing any document without interacting with the ID Building block.
The binding of the private key with the user is called On-boarding. In this process, a user is authenticated and his key is created on the SCD.
User authenticates against the ID Building Block
The user is redirected to the eSignature page where his SCD device is detected
The user is asked to select a valid SCD device and enter its security PIN/Biometric/One Time Password
The eSignature Building Block interacts with the SCD (protocols are left open for implementation) to create a Key Pair
A CSR (Certificate Signing Request) is created
This request is sent to the eSignature Building Block
The Building Block verified the ID Building Block token and the data in the CSR
If they match then the CSR is converted to an X509 certificate and the same is issued back to the device
The key created on the SCD device can be used by the user to digitally sign any of the documents.
The third-party who needs to sign the document will be redirected to the eSignature Building Block
The eSignature Building Block will ask for the pseudonym (eSignature handle) from the user
The user provides the pseudonym to the eSignature Building Block
The eSignature Building Block sends a notification to the SCD (Internal Protocol)
The user is shown his choice to sign or not to sign
Once the user signs the SCD will send the signature to the third-party
The Digital Signature will then be attached to the given document in one of the supported formats as described by the eSignature Building Block
View and provide consent to the document that is about to be signed
Register the user's Signature Creation Device (SCD)
Confirm the signature with a PIN code on the user's SCD
View user's SCD-s and certificates
Digitally sign the documents (PDF, Word, Excel, JSON, XML, Image)
Use a personal device to store the keys safely
Ability to sign the document where the user has no device
Ability to sign a document without the involvement of ID Building Block
Ability to sign a document using only the ID issued by the ID Building Block
User
Ability to view the list of signings performed
Invoke eSignatures to obtain a digital signature
Sign the digital document in the desired eSignature format
Allow a safe async way to obtain signatures
A simple-to-use library to validate the eSignature
Retrieve and review specific audit data
Validate and get signatures on any audit data
Audit cryptographic functioning and compliance for auditing and key security
Configure the system without intervening with the signature process
Administer without modification or tampering with the data or key security
eSignature Building Block will provide a helper library for the Services. The helper library could be used to integrate eSignatures faster.
Get digital document digest to be sent to eSignature Building Block. Obtaining just the hash reduces the storage overhead and also avoids the privacy concern of sending the original document.
Embedding received eSignature back into the document or attaching it in case of detached signatures.
Validate digitally signed documents and the validity of the certificate.
Supports the following signature formats:
In order for eSignatures to be secure and adhere to privacy regulations the eSignature Building Block uses the following levels of authentication,
Authentication via ID Building Block: the service that uses eSignature will have to authenticate the user against the ID Building Block.
Unique pseudonym: the service is redirected to a webpage on the eSignature portal where the user can enter a unique pseudonym known only to the user to start the signing process (without a pin, the signing will not be complete).
Asking for a PIN code on the user's device: eSignature Building Block will send a request to the user's device so that the user can confirm the signing request with a PIN.
The signature will be returned using an internal API protected by the Information Mediation Building Block.
eSignature Building Block must log all signing transactions to be compliant with current regulations. The minimum details to be logged are:
User's identity without revealing personally identifiable information.
Document digest.
Timestamp of the signing.
This section provides a detailed view of how this Building Block will interact with other Building Blocks to support common use cases.
This internal workflow is used by the eSignature Building Block to provide one-time signature. In order to make the sequence diagram easier to follow the eSignature Building Block is divided into front-end and back-end parts. Frontend constitutes the functionality running in the user's internet browser and backend refers to the API running on a server.
Workflow is kicked off by a third party using the eSignature client library to get a digest of document to be signed. Using the digest (hash) the redirection request is made towards the eSignature Building Block front-end. If required by the Building Block configuration, it will also check if the Payment token supplied by the request is valid. In the eSignature Building Block front-end, the user selects the option to use National ID to do a one-time signature. Then the user is redirected to the Identity Building Block to authenticate and user data is returned back to the eSignature Building Block back-end after completion of all standard interaction API calls. Then a Host Security Module (HSM) hardware is used to generate a temporary keypair. From that keypair, the public part is exported as a Certificate Signing Request (CSR). CSR is submitted to a Certificate Authority (CA) instance that will generate and publish a short-lived (1-minute) certificate based on the supplied CA.
After the certificate has been created the private key in the Hardware Security Module (HSM) is used to sign a document digest. After the document digest is signed, a timestamp is requested on the signature from the timestamping service. After the timestamp is generated and received on a signature, the results are saved into a database, and a signature ID is generated to reference the signature data. The signature ID is then returned to the eSignature front-end, and the user's flow is redirected back to the e-Service provider using the callback URL and signature ID. After receiving the signature ID the e-Service provider can then receive the signature from the eSignature Building Block back-end. As an option, the eSignature Building Block back-end can verify the requests coming from the correct IP. After finally receiving the signature, eService can merge it with the original document to get a signed version of it using the client-side library received from the eSignature Building Block front-end.
In case of signing in with the user's device, there are multiple workflows:
Register the user's Signature Creation Device (SCD).
Signing with the user's Signature Creation Device (SCD).
Registering starts with the user authenticating against the ID Building Block and getting the authentication token. After the user is authenticated, a Remote SCD service is called to onboard the user. There is a request sent to the user's device to create keys. After keys are generated the public part of the keypair is sent to the eSignature Building Block as a Certificate Signing Request (CSR). CSR is submitted to a certificate authority (CA) instance that will generate and publish a certificate based on the supplied CA.
This internal workflow is for signing with the user's Signature Creation Device (SCD). In order to make the sequence diagram easier to follow the eSignature Building Block is divided into front-end and back-end parts. Front-end constitutes the functionality running in the user's internet browser and back-end refers to the API running on a server.
First, eService fetches the client-side library from the eSignature Building Block front-end. The client library is used to create a digest of the document to be signed. Using the digest (hash) the redirection request is made towards the eSignature Building Block front-end. In the eSignature Building Block front-end, the user selects the option to use the SCD model. The pseudonym entry page is shown and the user enters the pseudonym, which is sent to the e-Signature Building Block back-end to receive the generated pseudonym token. After receiving a pseudonym token, eSignature Building Block back-end can be invoked to create the signature. eSignature Building Block back-end will then invoke Remote SCD Service to create the signature. Remote SCD service will send a notification to the user's SCD with a notification and request to put PIN code. After the user enters the PIN code, a signature is generated and sent back to the Remote SCD Service. Remote SCD Service will then send the signature back to the eSignature Building Block back-end.
After the Signature is received, eSignature Building Block back-end will send a request to the Timestamping Authority for a timestamp on the signature to be created. After the timestamp is generated and received on a signature, the results are saved into a database, and a signature ID is generated to reference the signature data. Signature ID is then returned to the eSignature front-end, and the user's flow is redirected back to the eService provider using the callback URL and signature ID. After receiving the signature ID the eService provider can then receive the signature from the eSignature Building Block back-end. As an option, the eSignature Building Block back-end can verify the requests coming from the correct IP. After finally receiving the signature, eService can merge it with the original document to get a signed version of it using the client-side library received from the eSignature Building Block front-end.
Terminology used within this specification.
Term
Description
eSignature, e-Signature, electronic signature, digital signature
A data unit which is used by a Signatory to indicate his or her link to a Document
Certificate
Data that links a public key to a natural person and confirms the name of that person
Signatory/User
A natural person or an application delegated by the user who can create a digital signature
eSignature creation device (SCD)
Configured software and/or hardware used to create an eSignature. Two types of eSignature creation devices are supported: * Local - Private keys are stored locally on mobile devices. * Remote - Private keys are stored on the remote secure storage.
Signing application, Signature requestor, Third-Party
An application that has the Document that needs the Signatory's signature
Document (to be signed)
Data that needs to be signed by the Signatory. It can be any data file in an arbitrary format. Document to be signed is usually handled by a third party and made available to Signatory after signing.
Onboarding
The process of identifying Signatory, issuing a Certificate, and binding it to an eSignature Creation Device. User identification is performed using Govstack's Identity Building Block.
HSM
Hardware Security Module - a device or software that can store private keys safely.
SCD
Signature Creation Device - Can be local or remote based on where the keys are stored.
X509
A certificate format as defined in
Timestamp
Compliant to
Sign
The process of using SCD or One Time signature APIs to encrypt the hash of the document.
CSR
Certificate Signing Request as per
One time Signature
A private key is created upon authentication of the user and expires right after the signature. Should not be confused with OTS or related signature models.
Revocation
All revocation of certificates will be available over . Follows the respective standards RFC 8954.
This section links to any external documents that may be relevant, such as standards documents or other descriptions of this Building Block that may be useful.
Some common workflows that leverage the eSignature Building Block can be found here:
https://govstack-global.atlassian.net/wiki/spaces/GH/pages/261947413/eSignature+Use+Case
https://govstack-global.atlassian.net/wiki/spaces/GH/pages/261947413/eSignature+Use+Case
A historical log of key decisions regarding this Building Block.
A list of topics that may be relevant to future versions of this Building Block.
A list of functions out of the scope of this Building Block.
This section provides a reference for APIs that should be implemented by this Building Block.
A Set of microservices is defined to receive requests from other GovStack-compatible Building Blocks and third-party Services with relevant inputs and return processed results from key digital functionalities of this Building Block. This section provides a reference for APIs that should be implemented by this Building Block. The APIs defined here establish a blueprint for how the Building Block will interact with other Building Blocks or third-party services. Additional APIs may be implemented by the Building Block, but the listed APIs define a minimal set of functionality that should be provided by any implementation of this Building Block.
eSignature Building Block must expose its microservices through RESTful API interfaces as defined by OpenAPI v3+ standards. A summary of the APIS exposed by this Building Block is summarized in the table below.
The update API can be used to revoke the certificate. All revoked certificates will be available over OCSP.
This section will highlight important requirements or describe any additional cross-cutting requirements that apply to this Building Block.
The Cross-cutting requirements described in this section are an extension of the cross-cutting requirements defined in the architecture specification document.
HSM must be compliant to a minimum of FIPS 140-2 Level 3. This guarantees the protection of private keys. HSM/Key Management application shall not print any information about the end-use details. Keys should be created only within the HSM. This may apply to all other Building Blocks when dealing with cryptographic keys.
All audit logs shall be integrity-protected against tampering. The eSignature Building Block shall follow the data policy and audit logging requirements as laid out in the GovStack architecture.
Signing using a single key can compromise the user's privacy in the long run. For example, a single key used to sign the consent of health form and agreement of the medical insurance could reveal that the consent and the agreement are from the same person. Generally available signed documents could be used to perform 360-degree profiling. This violates the Generic Architectural Privacy recommendation. Privacy-preserving techniques can be used in signature schemes, document storage, or reducing the key's lifespan to protect the user's privacy.
The system shall provide traceability across services using trace ID or similar design patterns. (REQUIRED)
The system shall provide logs to help debug the problems. (REQUIRED)
The system shall not print sensitive information. (REQUIRED)
Private Key
User details
Authentication Token
Payment Token
Signature of the document
Full Certificate (Thumbprint is allowed to be printed)
User PIN
OTP
In case a user/mobile app is involved, then logging shall provide traceability from the app to the server. (REQUIRED)
Use one time Certificate and keys created on the fly to make an eSignature
API version
v1JWT Authentication token received from ID BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAJWT Authentication token received from Payment BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAPre format the signature in a given format so that it can be inserted by the formatting library XAdES|CAdES|ASIC|JWS|PAdES
PAdESPossible values: hash as byte array encoded in base64
53F4yGNsOXymuGL9JjF3/Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==hash type used SHA2-256|SHA2-384|SHA2-512|SHA3-256|SHA3-384|SHA3-512|BLAKE2B
SHA2-256Possible values: Data to be displayed on users SCD (for ex transactionId)
Please sign the consent form as requested (transactionId: 1234)Timestamp in ISO 8601
2023-03-20T09:12:28ZPOST /{version}/sign/onetime HTTP/1.1
Host: localhost:9090
X-GovStack-AuthenticationToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA
Content-Type: application/json
Accept: */*
Content-Length: 266
{
"format": "PAdES",
"hash": "53F4yGNsOXymuGL9JjF3/Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==",
"hashType": "SHA2-256",
"dataToBeDisplayed": "Please sign the consent form as requested (transactionId: 1234)",
"requestTimestamp": "2023-03-20T09:12:28Z"
}{
"signature": "53F4yGNsOXymuGL9JjF3Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"signatureTimestamp": "r/PzWEEgXyubXH/GCG6fLADU9Rz4e3b0KdZuNwfX/xk=",
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "OK",
"message": "Signature generated successfully"
}
}Create certificate on user's SCD (Signature Creation Device)
API version
v1JWT Authentication token received from ID BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAJWT Authentication token received from Payment BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuACertificate Signing Request, in base64
Remote SCD type REMOTE_SCD_APP_APPLE|REMOTE_SCD_APP_ANDROID|REMOTE_SCD_APP_SE_APPLE|REMOTE_SCD_APP_SE_ANDROID|REMOTE_SCD_SIM|REMOTE_SCD_ESIM
Device token (Android/Apple) for REMOTE_SCD_APP* and REMOTE_SCD_APP_SE*, for other TBD
Key index to be used on SCD
Optional pseodonym chosen by user
Timestamp in ISO 8601
POST /{version}/cert/create HTTP/1.1
Host: localhost:9090
X-GovStack-AuthenticationToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA
Content-Type: application/json
Accept: */*
Content-Length: 1111
{
"CSR": "-----BEGIN CERTIFICATE REQUEST-----\r\nMIICWDCCAUACAQAwEzERMA8GA1UEAwwISm9obiBEb2UwggEiMA0GCSqGSIb3DQEB\r\nAQUAA4IBDwAwggEKAoIBAQDVNn2MLtrc/w+BqU2WYT5+IBUx+E0m3s9VMfXjLJpJ\r\nWK5qna92wcyeJPCNcJDgYqMa15x/7OM6uyNXSQmwLAM6XYivCAR6OV8cF9jbpvh8\r\nUXVPp0zrX2uDGUxp73+Gcy2ARCtZSLF0MQGzJD7uHAR/LfYq+9hhlNqjP4jDr9uX\r\ngO+fnJjRY/tNg6IYKcV4RK52Qf/ZmPvKC7yBTOba2n/dlBeDj7HqUGKSVDOLtqa8\r\nW3XMFQpme9BYnpXMpGhu7vOD0Sm5gAOdMdlEILJLE4ZsQDyZSLxKAkuAQAKC5WPr\r\nYtCBYU4amIxvhXEUeUePMGvqACQargxtXpKOnU86dwXRAgMBAAGgADANBgkqhkiG\r\n9w0BAQsFAAOCAQEABmsIpQACArM5w7uQysuh6Aooe/fe6It9kYNccmHXf+Hta+i0\r\nzrXkOBZ80EuOFebuGzuc2R/cVpB4X6l9D6wNbn8Ee1NcnQOBb16U8Pjci9h24cVE\r\noDRAEJdae39ND4UFm4JAjiDfWO7cM0YtPkAAmtsY5ZWruReNVUsXJeco0fbIghuL\r\nhORaNIwEhw7zczpIDoQblNgaL7Tq4qpMPCf6hg+5KeoJEzQDlRBmLIrnFRTwCXpT\r\nDgWkOkbnsB1p4ebO/8RfD5sEmTIwiQHV2J71Ob6NMrBHbArZ79dyAdzuefQeRIhO\r\nLJEN4ipQLrwvjciJG9s48xEWrWrMNwT9AW+lWA==\r\n-----END CERTIFICATE REQUEST-----",
"SCDType": "REMOTE_SCD_APP_ANDROID",
"SCDRemoteId": "654C4DB3-3F68-4969-8ED2-80EA16B46EB0",
"SCDKeyId": 0,
"pseudonym": "johndoe5766",
"requestTimestamp": "2023-03-20T09:12:28Z"
}{
"certificateId": "09440694c5c1798a23aad320abcd04b83f02f5ea12b8865df073d0e77ad5ae27",
"pseudonym": "johndoe5766",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "OK",
"message": "Certificate generated successfully"
}
}Get list of all user certificates
API version
v1Add filter condition ALL|ACTIVATED|EXPIRED|REVOKED|SUSPENDED
ALLPossible values: JWT Authentication token received from ID BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAGET /{version}/cert/list HTTP/1.1
Host: localhost:9090
X-GovStack-AuthenticationToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA
Accept: */*
[
{
"certificateId": "09440694c5c1798a23aad320abcd04b83f02f5ea12b8865df073d0e77ad5ae27",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"status": {
"code": "ACTIVE",
"message": "Certificate active"
}
},
{
"certificateId": "a92dba58903a6387aedee6f178d84de674e6a9b7d779a8e6add3db5f752ce5ab",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"status": {
"code": "REVOKED",
"message": "Certificate was revoked on 05.01.2023 because device was lost"
}
}
]Update certificate status
API version
v1certificateId that indicates the certificate to be updated
09440694c5c1798a23aad320abcd04b83f02f5ea12b8865df073d0e77ad5ae27JWT Authentication token received from ID BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuATimestamp in ISO 8601
PATCH /{version}/cert/{certificateId} HTTP/1.1
Host: localhost:9090
X-GovStack-AuthenticationToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA
Content-Type: application/json
Accept: */*
Content-Length: 136
{
"requestTimestamp": "2023-03-20T09:12:28Z",
"status": {
"code": "SUSPENDED",
"message": "Certificate to be suspended because of user action"
}
}{
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "SUSPENDED",
"message": "Certificate supended because of user action on 02.02.2023"
}
}Use user's SCD (Signature Creation Device) to create an eSignature
API version
v1JWT pseudonym token
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAPre format the signature in a give format so that it can be inserted by the formatting library XAdES|CAdES|ASIC|JWS|PAdES
PAdESPossible values: hash as byte array encoded in base64
53F4yGNsOXymuGL9JjF3/Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==hash type used SHA2-256|SHA2-384|SHA2-512|SHA3-256|SHA3-384|SHA3-512|BLAKE2B
SHA2-256Possible values: Data to be displayed on users SCD (for ex transactionId)
Please sign the consent form as requested (transactionId: 1234)hex string value of hash to mitigate replay attacks
d2dff00401c92ca6879ef5f0938ce31580898266d59832d8531e8d04fc3898a6hex string value of hash used to maintain state between the request and the callback
2569cb4125cb7303f0f16782e7e2814b2269888c734af4c90639653e4f92d3a5Timestamp in ISO 8601
2023-03-20T09:12:28ZPOST /{version}/sign/pseudonym HTTP/1.1
Host: localhost:9090
Content-Type: application/json
Accept: */*
Content-Length: 416
{
"format": "PAdES",
"hash": "53F4yGNsOXymuGL9JjF3/Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==",
"hashType": "SHA2-256",
"dataToBeDisplayed": "Please sign the consent form as requested (transactionId: 1234)",
"nonce": "d2dff00401c92ca6879ef5f0938ce31580898266d59832d8531e8d04fc3898a6",
"state": "2569cb4125cb7303f0f16782e7e2814b2269888c734af4c90639653e4f92d3a5",
"requestTimestamp": "2023-03-20T09:12:28Z"
}{
"signatureId": "7607fa7f45b2558201baf05215521a7df63078774f0b0d1ad15ccfcb0aad9484",
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "OK",
"message": "Signature generated successfully"
}
}Provide interactive html for pseodonym entry form that will get the signature via sign/pseudonym and will call callbackUrl
API version
v1Pre format the signature in a give format so that it can be more inserted by the formatting library XAdES|CAdES|ASIC|JWS|PAdES
PAdESPossible values: hash as byte array encoded in base64
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAhash type used SHA2-256|SHA2-384|SHA2-512|SHA3-256|SHA3-384|SHA3-512|BLAKE2B
SHA2-256Possible values: Data to be displayed on users SCD (for ex transactionId)
UGxlYXNlIHNpZ24gdGhlIGNvbnNlbnQgZm9ybSBhcyByZXF1ZXN0ZWQgKHRyYW5zYWN0aW9uSWQ6MTIzNCkTimestamp in ISO 8601
2023-03-20T09%3A12%3A28Zhex string value of hash to mitigate replay attacks
d2dff00401c92ca6879ef5f0938ce31580898266d59832d8531e8d04fc3898a6hex string value of hash used to maintain state between the request and the callback
2569cb4125cb7303f0f16782e7e2814b2269888c734af4c90639653e4f92d3a5Callback url to be sent on signing response. Callback URL will have query parameters from SignatureResponse statusCode(base64urlencoded), statusMessage(base64urlencoded), signature (base64urlencoded), certificate (base64urlencoded), signatureTimestamp (base64urlencoded), responseTimestamp (urlencoded), pseudonymToken (jwt)
https%3A%2F%2FmysiteGET /{version}/sign/interactivePseudonym HTTP/1.1
Host: localhost:9090
Accept: */*
textIn order not to get the pseodonym token internally
API version
v1Unique pseudonym
johndoe5766GET /{version}/token/pseodonym/{pseudonym} HTTP/1.1
Host: localhost:9090
Accept: */*
{
"jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA"
}In order not to get the pseodonym token internally
API version
v1get signature response for signatureId
7607fa7f45b2558201baf05215521a7df63078774f0b0d1ad15ccfcb0aad9484GET /{version}/sign/response/{signatureId} HTTP/1.1
Host: localhost:9090
Accept: */*
{
"signature": "53F4yGNsOXymuGL9JjF3Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"signatureTimestamp": "r/PzWEEgXyubXH/GCG6fLADU9Rz4e3b0KdZuNwfX/xk=",
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "OK",
"message": "Signature generated successfully"
}
}eSignature BB will call this callback URL on external service once signing is completed
API version
v1signatureId that can be used to retreive the response as hex string of hash
7607fa7f45b2558201baf05215521a7df63078774f0b0d1ad15ccfcb0aad9484hex string value of hash to mitigate replay attacks
d2dff00401c92ca6879ef5f0938ce31580898266d59832d8531e8d04fc3898a6hex string value of hash used to maintain state between the request and the callback
2569cb4125cb7303f0f16782e7e2814b2269888c734af4c90639653e4f92d3a5GET /{version}/esignature/callback HTTP/1.1
Host: localhost:9090
Accept: */*
Returns html for continuing user's flow
textWay for users and auditors to review the signature requests made
API version
v1Timestamp in ISO 8601
2023-03-20T09%3A12%3A28ZTimestamp in ISO 8601
2023-03-20T09%3A12%3A28ZJWT Authentication token received from ID BB
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuAGET /{version}/audit/log HTTP/1.1
Host: localhost:9090
X-GovStack-AuthenticationToken: eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjcyNzcyYzI5OGNkZDNmYmQ3YmQxNmI5NTAxZDY0ODdiIn0.eyJwdWIiOiJKb2huIERvZSJ9.zNNhLDuydPHC7-YQYDhaGTaqS-efAL79pJXdWWm5Y7Fd94fVRCLvRTaA16ffQyhYPXHKcx8Q9baTB_fX0PtBuA
Accept: */*
[
{
"signatureType": "ONETIME",
"signature": "53F4yGNsOXymuGL9JjF3Qi377pQVLqkDZuc1shPJB3xFJHJnhW8yepjhU8ILTz/wYoahXnzKj8xyT7PtbtwEA==",
"certificate": "-----BEGIN CERTIFICATE-----\r\nMIIDfDCCAmSgAwIBAgIQaSg0J93/hMMyFZ/DNEDM3DANBgkqhkiG9w0BAQsFADAp\r\nMScwJQYDVQQDDB5CLkVzdCBTb2x1dGlvbnMgU2lnbmluZyBQb3J0YWwwHhcNMjMw\r\nNDE0MTAzOTA5WhcNMjUwNzE3MTAzOTA5WjATMREwDwYDVQQDDAhKb2huIERvZTCC\r\nASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANU2fYwu2tz/D4GpTZZhPn4g\r\nFTH4TSbez1Ux9eMsmklYrmqdr3bBzJ4k8I1wkOBioxrXnH/s4zq7I1dJCbAsAzpd\r\niK8IBHo5XxwX2Num+HxRdU+nTOtfa4MZTGnvf4ZzLYBEK1lIsXQxAbMkPu4cBH8t\r\n9ir72GGU2qM/iMOv25eA75+cmNFj+02DohgpxXhErnZB/9mY+8oLvIFM5traf92U\r\nF4OPsepQYpJUM4u2prxbdcwVCmZ70FielcykaG7u84PRKbmAA50x2UQgsksThmxA\r\nPJlIvEoCS4BAAoLlY+ti0IFhThqYjG+FcRR5R48wa+oAJBquDG1eko6dTzp3BdEC\r\nAwEAAaOBtTCBsjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR68RAciltftWZW4pAxqMQ0\r\nhigSEzBkBgNVHSMEXTBbgBRYpaezWi0heg09El0UypLU81uA4KEtpCswKTEnMCUG\r\nA1UEAwweQi5Fc3QgU29sdXRpb25zIFNpZ25pbmcgUG9ydGFsghQZ+B3m7iBv8Daf\r\nWiIkRB5NbVbQsTATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJ\r\nKoZIhvcNAQELBQADggEBAI+5OAffnf3sn/jN58idSLUC09vWc6KPEzfZ2QLhDftq\r\nAfwSquItYFFuuQNh/x93HSprglDwL3U6sqRq0owMSSXXcLctVQr/MTEXyiRmQjUT\r\nHykwS/ovSw93E6VRnrF0qnaf6qOOAi0FfLxCV/1p3aEQBt7f/krZaW4Y33XrKi5F\r\nNnMhqQLtgZy9xXR0dNQ0ZKorEIptUrcujT8aRlEN4oqE7oo4j41TsksBQgEFfIeg\r\nljS6baoEko6n5ozyFzfeDWzd0yTzviXmUZGzOt1ZLFbd5In5+LX4Z0QwzhUA+uyt\r\nCu17qrRiPt2JzALHjbkdV3OB5sbOSZDHl3aUuqll6Dg=\r\n-----END CERTIFICATE-----",
"signatureTimestamp": "r/PzWEEgXyubXH/GCG6fLADU9Rz4e3b0KdZuNwfX/xk=",
"responseTimestamp": "2023-03-20T09:12:38Z",
"status": {
"code": "OK",
"message": "Signature generated successfully"
}
}
]This section lists the technical capabilities of this Building Block.
The eSignature Building Block has several functional layers within it. Some functional layers follow the existing set of protocols and custom protocols, While the other functional requirements are defined within this specification. In this section, we will provide a clear indication to state what blocks follow what kind of protocols.
In the case of the One-Time Signature, a Hardware Security Module (HSM) must be used to create cryptographic keys. (REQUIRED)
It must be used to sign a certificate. (REQUIRED)
Keys shall not be exported. (REQUIRED)
MUST be protected well with best security practices. (REQUIRED)
Signature Creation Device (SCD) should have secure storage to protect private keys. (REQUIRED)
SCD may have proprietary APIs with the eSignature Building Block. (REQUIRED)
SCD is assumed to be with the user. (REQUIRED)
A user's PIN is a must for the SCD. (REQUIRED)
Keys shall not be exportable. (REQUIRED)
For a valid signature, a timestamp server is a must. (REQUIRED)
The timestamp server shall follow RFC3161. (REQUIRED)
eSignature Building Block may be a certifying authority. (REQUIRED)
If not, the Building Block shall have access to a certifying authority and be able to issue certificates or be a subordinate certification authority. (REQUIRED)
Service shall support the onboarding of the Signature Creation Device (SCD). (REQUIRED)
Service shall support both the key functionalities of signing using SCD and One-Time Signature. (REQUIRED)
The user shall be authenticated through the ID Building Block for the One-Time Signature. (REQUIRED)
The user shall be allowed to perform a signature through a pseudonym without user login. (REQUIRED)
Optionally can support payments through a payment gateway. (OPTIONAL)
Shall support all the listed signature types. (REQUIRED)
Shall support redirection and callback as per the specification. (REQUIRED)
All user activities should be available for audit. (REQUIRED)
May have the feature to tamper-proof the audit records. (REQUIRED)
Auditors shall have the ability to get audit-proof of a transaction. (REQUIRED)
Shall provide the ability to list and revoke a certificate. (REQUIRED)
The user shall have the ability to revoke their keys (API-based or through customer care). (REQUIRED)
Certificates shall have any of the following statuses (REQUIRED):
Active – The certificate is active and can be used for signing.
Expired – certificates are expired and should be renewed.
Suspended – certificate is suspended. The reason for suspension shall be provided together with status information.
Revoked – certificate is revoked. The reason for revoking shall be provided together with status information.
Users shall be able to view their certificates and corresponding statuses. (REQUIRED)
Shall provide the ability to notify the user over email, SMS, app notification, or any other equivalent. (REQUIRED)
The user shall be notified of failed and successful transactions. (REQUIRED)
The Messaging interface should send relevant information to the logging sub-block to maintain the history of all messages sent from this Building Block, which are useful for audit purposes. (RECOMMENDED)
The messaging interface should provide the necessary protocol, data format, and information and interface to interact with the Messaging Building Block for sending notifications to a specific target Signature Creation Device or user through a variety of channels (SMS/email/etc.) (RECOMMENDED)
Note: The keywords "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may", and "optional" in this document are to be interpreted as described in RFC 2119
This section provides information on the core data structures/data models that are used by this Building Block.
SignatureId
String
Unique Signature Token for signature operations. This can be a random String as well.
SignatureType
Enum
Can be ONETIME or SCD
SignatureFormat
Enum
Signature format that should be applied. Can be XAdES, CAdES, ASIC, JWS, PAdES
Hash
String
Hash to be signed in hex characters or base64
HashType
Enum
Hash type - SHA2-256, SHA2-384, SHA2-512, SHA3-256, SHA3-384, SHA3-512, BLAKE2B
DisplayData
String
Text string to be shown on user’s device (SCD). Limited to 256 characters.
Certificate
String
X509 Certificate in PEM format
RequestTimestamp
Timestamp
Timestamp of the request
Signature
Signature
Signature in base64 format
SignatureTimestamp
String
rfc3161 asn.1 in base64
ResponseTimestmap
Timestamp
Timestamp of the response
Status
Enum
Request status enum. Can be OK, ERROR
StatusDesc
String
Description of status
CallbackURL
URL
URL to call back with results
Pseudonym
String
Unique pseudonym for the user that is bound to the specific SCD/Key id combo. We can call this as Key Handle
AuthToken
String
JWT Token from ID Building Block
PaymentToken
String
Jwt Token from Payments Building Block
AuthToken
String
JWT Token from ID Building Block
PaymentToken
String
JWT Token from Payments Building Block
CSR
String
Certificate signing request PKCS#10 in PEM format
SCDType
Enum
The SCD type that is used by user. Can be of REMOTE_SCD_APP_APPLE, REMOTE_SCD_APP_ANDROID, REMOTE_SCD_APP_SE_APPLE, REMOTE_SCD_APP_SE_ANDROID, REMOTE_SCD_SIM, REMOTE_SCD_ESIM,
REMOTE_SCD_SMARTID
SCDKeyId
Number
Key id for case the SCD has multiple certificates
SCDRemoteId
String
Remote identifier for the SCD communication, for REMOTE_SCD_APP* devices it is push ID, for REMOTE_SCD_ESIM/ REMOTE_SCD_SIM it is msisdn
For
REMOTE_SCD_SMARTID it is citizen id
Pseudonym
String
Unique pseudonym for the user that is bound to the specific SCD/Key id combo. We can call this as Key Handle
CertReqTimestamp
Timestamp
Timestamp for the certificate request
CertId
String
Unique identifier for the certificate, SCD, Key id combo
Certificate
String
X509 Certificate in PEM format in ACTIVE status
CertRespTimestamp
Timestamp
Timestamp for the Certificate response
Status
Enum
Request status. Can be of of OK, ERROR
StatusDesc
String
Description of status