DevPortalPagoPA

How to sign a response for a subscriber

The ModI leaves it to the producer to define the correct procedure for signing the payload and for verification by the subscriber.
Below is an example of a possible way to manage the signing mechanism of an e-service’s response payload.
For more details, see the dedicated section.

Prerequisites

It is assumed that the producer has:
  • created a producer keychain (see guide);
  • generated at least one set of cryptographic material and uploaded the related public key to PDND within the client (see tutorial);
  • associated the producer keychain with the e-service for which it wants to sign the response to the subscriber (see tutorial).

Preparation - Define the structure of the response

The producer defines the structure for signing an HTTP response payload using RSA, to ensure that the data comes from an e-service and has not been modified.
The JSON response the producer sends to the subscriber will be structured as follows:
{
  "data": {
    "field1": "value1",
    "field2": "value2"
  },
  "signature": "<rsa_signature_in_base64>",
  "kid": "<id_public_key>"
}

Field name | Meaning
data       | contains the payload, i.e., the actual data that the e-service sends to subscribers
signature  | contains the digital signature of the data field, calculated by the e-service using an RSA private key (belonging to a keychain associated with the e-service) and encoded in base64
kid        | identifier of the key used for signing; allows the subscriber to know which public key to use for verifying the signature

Once defined, proceed to sign the response.

Step 1 - Create the hash

The content of the data field is converted into a byte string and passed through a hashing function such as SHA-256. The serialization must be deterministic (for example, a fixed key order and no insignificant whitespace), so that the subscriber can reproduce exactly the same bytes when verifying the signature.

Step 2 - Sign the hash

The calculated hash is then signed using the private key corresponding to one of the public keys uploaded to the producer keychain associated with the e-service.
The signature ensures that only the holder of the private key corresponding to the kid (producer) can generate the specific signature for that content.
The kid of the uploaded public key is available within the keychain, by opening the page for the individual key (Producing > Producer keychains, Public keys tab, selecting the specific key of interest).

Step 3 - Integrate the signature in the response

As defined in the preparation step, the payload will contain:
  • data – the actual data;
  • signature – the newly created signature encoded in base64;
  • kid – the kid of the key used for signing.
This way, the subscriber can uniquely identify the key to be used for verification.
The response is then sent to the subscriber.
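The following is an added example of the three steps above, producer and subscriber side; it is not code from the PagoPA developer portal or from PDND. It assumes: JSON serialization with sorted keys as the deterministic byte string for the data field, RSA PKCS#1 v1.5 with SHA-256 as the signature scheme, an RSA key generated in-process in place of the keychain's real private key, and the constructed value "example-kid-0001" as a placeholder kid. The subscriber side selects the public key by kid and rejects a response whose data field was modified after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedResponse mirrors the JSON structure defined in the preparation step.
type SignedResponse struct {
	Data      map[string]any `json:"data"`
	Signature string         `json:"signature"`
	Kid       string         `json:"kid"`
}

// canonicalBytes turns the data field into a deterministic byte string.
// json.Marshal sorts map keys at every nesting level, so producer and
// subscriber obtain identical bytes from the same content regardless of
// insertion order (assumption: both sides agree on this serialization).
func canonicalBytes(data map[string]any) ([]byte, error) {
	return json.Marshal(data)
}

// SignResponse performs steps 1-3: hash the data bytes with SHA-256, sign the
// hash with the producer's RSA private key (PKCS#1 v1.5, assumed scheme),
// base64-encode the signature and assemble the response together with the kid.
func SignResponse(data map[string]any, priv *rsa.PrivateKey, kid string) (*SignedResponse, error) {
	payload, err := canonicalBytes(data)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)                                         // step 1
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // step 2
	if err != nil {
		return nil, err
	}
	return &SignedResponse{ // step 3
		Data:      data,
		Signature: base64.StdEncoding.EncodeToString(sig),
		Kid:       kid,
	}, nil
}

// VerifyResponse is the subscriber side: it looks up the public key by kid,
// recomputes the hash of the received data and checks the signature.
func VerifyResponse(resp *SignedResponse, keys map[string]*rsa.PublicKey) error {
	pub, ok := keys[resp.Kid]
	if !ok {
		return errors.New("unknown kid: no public key available for verification")
	}
	payload, err := canonicalBytes(resp.Data)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(payload)
	sig, err := base64.StdEncoding.DecodeString(resp.Signature)
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Demo runs a full round trip on constructed sample data and reports whether
// verification succeeds before and after the data field is modified.
func Demo() (validBeforeTamper bool, validAfterTamper bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the keychain's private key
	if err != nil {
		return false, false, err
	}
	const kid = "example-kid-0001" // placeholder: a real kid is read from the keychain page
	keys := map[string]*rsa.PublicKey{kid: &priv.PublicKey}

	data := map[string]any{"field1": "value1", "field2": "value2"} // constructed sample
	resp, err := SignResponse(data, priv, kid)
	if err != nil {
		return false, false, err
	}
	validBeforeTamper = VerifyResponse(resp, keys) == nil

	// Simulate modification in transit: the stored signature no longer matches.
	resp.Data["field2"] = "tampered"
	validAfterTamper = VerifyResponse(resp, keys) == nil
	return validBeforeTamper, validAfterTamper, nil
}

func main() {
	ok, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature valid: %v, valid after tampering: %v\n", ok, tampered)
}
```

The subscriber never trusts the kid by itself: it only selects which already-known public key (obtained from the producer keychain on PDND) is used, and an unknown kid is rejected outright rather than falling back to any default key.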
