DevPortalPagoPA



Checks of the digest by a producer

When a producer receives a request from a consumer, it must always perform the voucher verifications. These verifications depend on the voucher type: Bearer or DPoP.
In both cases, if the consumer was required to include additional audit information according to the AgID Audit REST 02 pattern, an extra verification must be carried out on the digest.
For both Bearer and DPoP vouchers, the voucher will include an additional field called digest.
Additionally, the request header will contain a second token, a JWS produced according to RFC 7519, which appears in the AgID-JWT-TrackingEvidence header.

JWS content

An example JWS header:

```json
{
  "alg": "RS256",
  "kid": "ZmYxZGE2YjQtMzY2Yy00NWI5LThjNGItMDJmYmQyZGIyMmZh",
  "typ": "JWT"
}
```

The payload fields contain the audit information that the consumer sends to the producer, as described in the e-service documentation. Their structure and content may vary, depending on the producer’s specific requirements for the e-service.

Verifications to perform

The producer must verify that the hash calculated from the JWS matches the hash included in the digest field of the voucher issued by PDND.
The producer should:
  1. Extract the JWS from the AgID-JWT-TrackingEvidence header and verify its signature;
  2. Verify that the hash of the JWS matches the hash contained in the digest field of the voucher issued by PDND.

Signature verification

To verify the authenticity and validity of the key used to sign the JWS (the consumer's private key, whose public part is registered on PDND), the producer must:
  1. Authenticate to the PDND APIs as described in the dedicated flow;
  2. Perform a call: GET /keys/{kid} where {kid} is the value of the kid field from the JWS header;
  3. Receive from PDND a response containing the public key in the n field;
  4. Verify that the JWS signature, generated by the consumer with its private key, matches the public key retrieved from PDND.
Note: If the PDND API returns a 404 – Not Found error, it means that the key is not registered on PDND, and the request must therefore be considered invalid.

Hash calculation and comparison

If the key is present and valid, the producer can proceed with a second verification — a notarial check. In practice, it verifies that the trace deposited by the consumer on PDND when requesting authorization matches the one included in the voucher issued by PDND.
If the two match, it confirms that the complementary information inside the JWS is exactly what the consumer declared to PDND during the authorization request.
To perform this check:
  1. The producer takes the JWS and computes a non-reversible hash of it, using the same hash operation the consumer performed in the second step of its authorization request to PDND.
  2. The producer then compares this hash with the one in the digest.value field of the voucher (carried in the Authorization header).
If the two hashes match, it means that the consumer has made a declaration consistent with the trace recorded in PDND.
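The two producer-side checks described above (key lookup by kid with the 404 case, RS256 signature verification, and comparison with digest.value), as an added, self-contained example that is not code from the PDND documentation. Assumptions: the authenticated GET /keys/{kid} call is replaced by an in-memory dict holding a JWK-style n and e, the digest operation is taken to be hex SHA-256 over the JWS compact serialization, the voucher's own Bearer/DPoP verification has already been done, and the RSA key pair is a toy built from two public Mersenne primes so the demo runs on the standard library alone (a real deployment would use a vetted JWT library and the consumer's private key).

```python
import base64, hashlib, hmac, json

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy RSA key from two public Mersenne primes (constructed, NOT secret): offline, stdlib-only demo.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D, KLEN = P * Q, pow(E, -1, (P - 1) * (Q - 1)), 141  # 1128-bit modulus
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_v15_encode(msg: bytes, klen: int) -> bytes:
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (klen - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    klen = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(klen, "big") if len(sig) == klen else b""
    return hmac.compare_digest(em, pkcs1_v15_encode(signing_input, klen))

# Stand-in for the authenticated GET /keys/{kid} lookup; kid is the page's example value.
KID = "ZmYxZGE2YjQtMzY2Yy00NWI5LThjNGItMDJmYmQyZGIyMmZh"
PDND_KEYS = {KID: {"n": b64url(N.to_bytes(KLEN, "big")), "e": b64url(b"\x01\x00\x01")}}

def consumer_tracking_evidence(audit: dict) -> str:  # consumer side, constructed for the demo
    parts = ({"alg": "RS256", "kid": KID, "typ": "JWT"}, audit)
    si = ".".join(b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    m = int.from_bytes(pkcs1_v15_encode(si.encode(), KLEN), "big")
    return si + "." + b64url(pow(m, D, N).to_bytes(KLEN, "big"))

def evidence_digest(jws: str) -> str:  # assumed digest operation: hex SHA-256 of the compact JWS
    return hashlib.sha256(jws.encode()).hexdigest()

def producer_checks(tracking_evidence: str, voucher_claims: dict) -> tuple[bool, str]:
    try:  # voucher_claims: claims of the PDND voucher, already verified as Bearer/DPoP
        h_b64, p_b64, s_b64 = tracking_evidence.split(".")
        header = json.loads(b64url_dec(h_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed JWS"
    key = PDND_KEYS.get(header.get("kid"))  # a 404 from PDND maps to None here
    if key is None or header.get("alg") != "RS256":
        return False, "kid not registered on PDND (404) or unsupported alg"
    n, e = (int.from_bytes(b64url_dec(key[k]), "big") for k in ("n", "e"))
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_dec(s_b64), n, e):
        return False, "JWS signature does not match the PDND key"
    expected = str(voucher_claims.get("digest", {}).get("value", ""))
    if not hmac.compare_digest(evidence_digest(tracking_evidence), expected):
        return False, "digest.value in voucher differs from hash of the JWS"
    return True, "ok"
```

The signature is checked before the digest, so a JWS whose payload was altered after the authorization request fails on the key check, while an untouched JWS that does not match the voucher fails on digest.value.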
