Digital Signature Verification Tool for Account Aggregator Ecosystem - Sahamati
All API requests must be digitally signed, which ensures non-repudiation and authentication of the requester. This tool validates the digital signature used in the APIs.
All API requests must be digitally signed using industry-grade signature algorithms. This ensures non-repudiation and authentication of the API requester before the API service provider fulfils the request. This tool validates the digital signature used in the API call. The procedure for generating the digital signature in API requests is explained below.
Sender Side:
- If the data to be signed is in object form, it is first serialized to plain text.
- A detached content signature is then generated over that text with the sender's private key using the RS256 algorithm, and the result is base64url (JWS compact) encoded.
- The signature is set in the HTTP header x-jws-signature.
- The serialized text is sent as the HTTP body to the receiver.
e.g. (the value carried in x-jws-signature; the empty middle segment shows that the payload is detached):
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyNzE5MTNlLTdiOTMtNDlkZC05OTQ5LTFjNzZmZjVmYzVjZiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..jG6_lRYLsODqnbtzm3qfzb_Oqb_ssBzvSeQ2DN7W9YU4x-BOeSwic3MDJ_djAqE-vgPG2efvza7Dz-3MMImqDpdVBHCorrbmU-cq4yqyXtfZDTqlpj2abDyAapoHug9Tt93Rqjy2aE7KV3HtkVNH8tBXaSjAs6MQLLfWFz2Y0LcyjHggUHaPzyGn8ouIg_fstSIcoiibSYaHHzQSRce0SkBsg1e27QsVDAVhMKJZuQaG615oxFwjPXkw_v9HH2RY8JYXynJhu5ik4opfJuKnoRyGVrX6jou6bHrEkri_tp_VW_pWaaqGLMyQX_WXbMhNNm-mVtALWLJGlBLI-nld-A
Receiving side:
- Extract the signature from the x-jws-signature header and the data from the body of the HTTP POST request.
- Verify the detached signature over the body.
- Only if verification succeeds, deserialize the data for further processing.
Consent Signature Verification Tool for Account Aggregator Ecosystem - Sahamati
In the AA ecosystem, Consents are signed artefacts authorizing an FIU to request data from an FIP.
Consents must be transmitted by the FIU with every FI request to the Account Aggregator. Hence it is important for an AA to generate a consent artefact with a signature that can be validated by the FIP before honouring the request. The procedure to verify the consent signature is explained below.
Sender Side:
- Serialize the consent to plain text.
- A detached content signature is then generated over that text with the sender's private key using the RS256 algorithm, and the result is base64url (JWS compact) encoded.
- The payload is base64url encoded (an encoding, not encryption; it provides no confidentiality).
- The signed consent is set in the consentJWS field.
- The request is then sent to the receiver.
e.g. (consentJWS with the serialized consent carried as the middle segment):
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyNzE5MTNlLTdiOTMtNDlkZC05OTQ5LTFjNzZmZjVmYzVjZiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19.{"consentStart":"2019-12-06T11:39:57.153Z","consentExpiry":"2019-12-06T11:39:57.153Z","consentMode":"VIEW","fetchType":"ONETIME","frequency":{"unit":"HOUR","value":1.0},"purpose":{"code":"101","refUri":"https://api.rebit.org.in/aa/purpose/101.xml","text":"Wealth management service","category":{"type":"category type"}},"fidataRange":{"from":"2017-07-13T11:33:34.509Z","to":"2017-07-13T11:33:34.509Z"},"dataLife":{"unit":"DAY","value":0.0},"dataProvider":{"id":"DP1","type":"FIP"},"customer":{"id":"customer@finvu.in"},"dataConsumer":{"id":"DC1","type":"AA"}}.jG6_lRYLsODqnbtzm3qfzb_Oqb_ssBzvSeQ2DN7W9YU4x-BOeSwic3MDJ_djAqE-vgPG2efvza7Dz-3MMImqDpdVBHCorrbmU-cq4yqyXtfZDTqlpj2abDyAapoHug9Tt93Rqjy2aE7KV3HtkVNH8tBXaSjAs6MQLLfWFz2Y0LcyjHggUHaPzyGn8ouIg_fstSIcoiibSYaHHzQSRce0SkBsg1e27QsVDAVhMKJZuQaG615oxFwjPXkw_v9HH2RY8JYXynJhu5ik4opfJuKnoRyGVrX6jou6bHrEkri_tp_VW_pWaaqGLMyQX_WXbMhNNm-mVtALWLJGlBLI-nld-A
e.g. (the same consent with the payload segment base64url encoded):
eyJhbGciOiJSUzI1NiIsImtpZCI6IjQyNzE5MTNlLTdiOTMtNDlkZC05OTQ5LTFjNzZmZjVmYzVjZiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19.eyJjb25zZW50U3RhcnQiOiIyMDE5LTEyLTA2VDExOjM5OjU3LjE1M1oiLCJjb25zZW50RXhwaXJ5IjoiMjAxOS0xMi0wNlQxMTozOTo1Ny4xNTNaIiwiY29uc2VudE1vZGUiOiJWSUVXIiwiZmV0Y2hUeXBlIjoiT05FVElNRSIsImZyZXF1ZW5jeSI6eyJ1bml0IjoiSE9VUiIsInZhbHVlIjoxLjB9LCJwdXJwb3NlIjp7ImNvZGUiOiIxMDEiLCJyZWZVcmkiOiJodHRwczovL2FwaS5yZWJpdC5vcmcuaW4vYWEvcHVycG9zZS8xMDEueG1sIiwidGV4dCI6IldlYWx0aCBtYW5hZ2VtZW50IHNlcnZpY2UiLCJjYXRlZ29yeSI6eyJ0eXBlIjoiY2F0ZWdvcnkgdHlwZSJ9fSwiZmlkYXRhUmFuZ2UiOnsiZnJvbSI6IjIwMTctMDctMTNUMTE6MzM6MzQuNTA5WiIsInRvIjoiMjAxNy0wNy0xM1QxMTozMzozNC41MDlaIn0sImRhdGFMaWZlIjp7InVuaXQiOiJEQVkiLCJ2YWx1ZSI6MC4wfSwiZGF0YVByb3ZpZGVyIjp7ImlkIjoiRFAxIiwidHlwZSI6IkZJUCJ9LCJjdXN0b21lciI6eyJpZCI6ImN1c3RvbWVyQGZpbnZ1LmluIn0sImRhdGFDb25zdW1lciI6eyJpZCI6IkRDMSIsInR5cGUiOiJBQSJ9fQ.jG6_lRYLsODqnbtzm3qfzb_Oqb_ssBzvSeQ2DN7W9YU4x-BOeSwic3MDJ_djAqE-vgPG2efvza7Dz-3MMImqDpdVBHCorrbmU-cq4yqyXtfZDTqlpj2abDyAapoHug9Tt93Rqjy2aE7KV3HtkVNH8tBXaSjAs6MQLLfWFz2Y0LcyjHggUHaPzyGn8ouIg_fstSIcoiibSYaHHzQSRce0SkBsg1e27QsVDAVhMKJZuQaG615oxFwjPXkw_v9HH2RY8JYXynJhu5ik4opfJuKnoRyGVrX6jou6bHrEkri_tp_VW_pWaaqGLMyQX_WXbMhNNm-mVtALWLJGlBLI-nld-A
e.g. (the request body carrying the consentJWS):
{
  "ver": "1.0",
  "txnid": "0b811819-9044-4856-b0ee-8c88035f8858",
  "consentId": "XXXX-XXXX-XXXX-XXXX",
  "status": "ACTIVE",
  "createTimestamp": "2018-12-06T11:39:57.153Z",
  "consent": {
    "consentJWS": " JWT_TOKEN "
  },
  "consentUse": {
    "logUri": "loguri string",
    "count": 1.0,
    "lastUseDateTime": "2018-12-06T11:39:57.153Z"
  }
}
Receiving side:
- Extract the consentJWS from the body of the HTTP POST request.
- Verify the signature and, only if it is valid, extract the consent from the JWS payload.
Once extracted, the consent content of the JWS looks like this (formatted for readability):
e.g.:
{
  "consentStart": "2019-12-06T11:39:57.153Z",
  "consentExpiry": "2019-12-06T11:39:57.153Z",
  "consentMode": "VIEW",
  "fetchType": "ONETIME",
  "frequency": { "unit": "HOUR", "value": 1.0 },
  "purpose": {
    "code": "101",
    "refUri": "https://api.rebit.org.in/aa/purpose/101.xml",
    "text": "Wealth management service",
    "category": { "type": "category type" }
  },
  "fidataRange": { "from": "2017-07-13T11:33:34.509Z", "to": "2017-07-13T11:33:34.509Z" },
  "dataLife": { "unit": "DAY", "value": 0.0 },
  "dataProvider": { "id": "DP1", "type": "FIP" },
  "customer": { "id": "customer@finvu.in" },
  "dataConsumer": { "id": "DC1", "type": "AA" }
}
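Both procedures on this page (the detached x-jws-signature and the consentJWS with the payload inline) reduce to one RS256 JWS whose protected header carries b64=false and crit=["b64"]. The block below is an added example, not the Sahamati tool's code: it signs and verifies such a JWS with the Python standard library only, checking alg, b64 and crit before any signature arithmetic and splitting on the first and last dot so an inline JSON payload containing "." (as in the consent example above) still parses. The RSA key generator, the hand-written PKCS#1 v1.5 padding, the kid value and the payloads are demo assumptions and not production key material.

```python
import base64, hashlib, hmac, json, random
_SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix for SHA-256, RFC 8017 9.2
def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _probable_prime(n, rounds=32):  # Miller-Rabin primality test
    if n < 4 or n % 2 == 0: return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def generate_rsa_key(bits=1024):  # returns (n, e, d); demo-only keygen (non-CSPRNG, small key)
    def prime(b):
        while True:
            p = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(p): return p
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e: return n, e, pow(e, -1, phi)

def _emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg); k = modulus length in bytes
    t = _SHA256_DER + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jws(payload: bytes, priv, kid: str, detached: bool = True) -> str:
    n, e, d = priv
    hdr = _b64u(json.dumps({"alg": "RS256", "kid": kid, "b64": False, "crit": ["b64"]}, separators=(",", ":")).encode())
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa(hdr.encode() + b"." + payload, k), "big")  # b64=false: sign the raw payload bytes
    sig = pow(m, d, n).to_bytes(k, "big")
    return f"{hdr}.{'' if detached else payload.decode()}.{_b64u(sig)}"

def verify_jws(jws: str, pub, payload: bytes = None):  # returns the verified payload bytes, else None
    n, e = pub
    if jws.count(".") < 2: return None
    hdr_b64, rest = jws.split(".", 1)
    mid, sig_b64 = rest.rsplit(".", 1)  # first/last dot: an inline raw-JSON payload may itself contain '.'
    hdr = json.loads(_unb64u(hdr_b64))
    if hdr.get("alg") != "RS256" or hdr.get("b64") is not False or "b64" not in hdr.get("crit", []):
        return None  # refuse "none"/alg confusion and any header that does not mark b64 as critical
    body = mid.encode() if mid else payload  # inline (consentJWS) or detached (x-jws-signature + HTTP body)
    sig, k = _unb64u(sig_b64), (n.bit_length() + 7) // 8
    if body is None or len(sig) != k or int.from_bytes(sig, "big") >= n: return None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return body if hmac.compare_digest(em, _emsa(hdr_b64.encode() + b"." + body, k)) else None
```

A receiver calls verify_jws with the x-jws-signature value and the raw HTTP body (detached case) or with the consentJWS alone (inline case), and parses JSON only from the bytes it returns.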