Instructions

Steps for signing a request

  1. Prepare your valid QSeal PSD2 Certificate

  2. Create base64 data digest

  3. Create signing string

  4. Create signature header

  5. Add required header fields


1. Prepare your valid QSeal PSD2 Certificate

Use your (PSD2) eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.

2. Create base64 data digest

  • Take the POST body, or an empty string for GET requests

  • Generate the binary SHA-512 hash of this data (SHA-256 is also allowed)

  • Base64-encode the binary hash

  • Prepend the hash algorithm name (for example sha-512=)

Example digest on empty string:

printf '' | openssl dgst -binary -sha512 | openssl base64 -A

3. Create signing string

  • Get the required header values and sign them with the private key

Example data (written to the temporary file /tmp/data):

/tmp/data

date: Tue, 29 Jun 2021 13:06:04 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 08dcb900-215a-4cf7-ac48-ca7b3d4b56e6


openssl dgst -sha512 -sign private_qseal.pem /tmp/data | openssl base64 -A

4. Create signature header

The Signature header must contain the following parts:

Name         Value
keyId        Certificate serial number
algorithm    Signature algorithm (sha-256 or sha-512)
headers      Headers covered by the signature (date digest x-request-id)
signature    Signature from the previous step

The header must look like this example:


keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="

5. Add all required headers


Authorization: Bearer Token from OAuth2

X-Request-ID: Generate a unique UUID for every request

X-Consent-ID: Specify the consent ID (optional; otherwise the consent from the token is used)

X-Client-ID: Client ID from the application

Date: Current GMT date

Digest: Base64 of the SHA-256/512 hash of the POST body, or of an empty string for GET requests

Signature: Generated in the previous step

TPP-Signature-Certificate: QSeal public certificate with all line breaks removed


Example headers:

Authorization:Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImZjNWExMDYxZGRiZDUzZTk3OGUzODY2MzM0ZjIyMWZhIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MjQ5NzYzNTYsImV4cCI6MTYyNDk3OTk1NiwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo3ODg0IiwiYXVkIjpbImh0dHA6Ly8xMjcuMC4wLjE6Nzg4NC9yZXNvdXJjZXMiLCJBSVMiXSwiY2xpZW50X2lkIjoiMDZiYjAzZDUtZmIwMS00ODcwLTlkMjEtYTdiMWQyMTM1ZDY4Iiwic3ViIjoiMTE3Nzg4OCIsImF1dGhfdGltZSI6MTYyNDk3MTk1OCwiaWRwIjoibG9jYWwiLCJzY29wZSI6WyJhaXMuc2FuZGJveCIsIm9mZmxpbmVfYWNjZXNzIl0sImFtciI6WyJwd2QiXX0.qPoRY7BBLMaNEZyzgISSC81G1FxnCneS64EFq7-L65qLgZplBybfTbgGXROnL_MrEuD7oIYMgk_ytw58BGYJ4YQZa4ppCQCwgtSQncgX9SIhGnGFqGNTjCiLcVv68AuEVeDBze2EdwYtPTP3z2laqQ8ofpEfsINJ7GyQm2RNRXAtAAaY1bSIrBgm770jixhDaYA3Ou55R4mTTz_qLTt0CJtnMYMf7hCSVpgmiaW8OKpwC1cLmLl5PAaNjKEculMUjKbT_nf7M8tbmIv49dQ_M25X4GlRCt3PEwUXMkiZfDS2bb3TK3fB8wf_Lnle59l0Nl57_2hkU8PEOJ1fBpFqtg
X-Request-ID:f1b01e9e-6256-44d8-9cb8-696429530147
X-Client-ID:06bb03d5-fb01-4870-9d21-a7b1d2135d68
Date:Tue, 29 Jun 2021 14:19:16 GMT
Digest:sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Signature:keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="sKeinXMguBeKVr+BtGdLr25ttZU/9XllXvMmwC7tvE2wCBYD87YZ2n8KdwJ7O58EDUaGxTF5LzMILxicG3pF6VBSBcyTMigoFTO+74dydBzoP5eyuYrzZNotizTCDfvCjdFvhlO9kZfKg9+buiHIfpcBBXdFTkS63vZHlRZqpj98yj1AUjhwsbmm/CJ01cLq1lj963Ky1kPsHlnW/xwnnzwapT4ATh/EArENcyvmH3hjF4ZsaPd4+U50Dc2fcl8SCUi+zoRNU4tWFxXdR7XoTeFdez+qQbQIAxWiVw+4uuurS3ZFmhnVnE5sKsx4ORMkeFLbqzipEMCE6n7Uugj3XQ=="
TPP-Signature-Certificate:<QSeal public certificate without line breaks>
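
Steps 2 to 4 above as one script, followed by a local verification of the signature before the request is sent. This is an added example, not code from the original page; the function names, the throwaway RSA key standing in for the QSeal key pair, and the signing string without a trailing newline are assumptions.

```shell
#!/bin/sh
# Added example (not the provider's code): sign a request and verify it locally.
set -eu

# Digest header value for a body ('' for GET), as in step 2.
make_digest() {
  printf 'sha-512=%s' "$(printf '%s' "$1" | openssl dgst -binary -sha512 | openssl base64 -A)"
}

# Signing string from step 3. Assumption: lines are joined with "\n" and there
# is no trailing newline; signer and verifier must agree byte for byte.
signing_string() {  # args: date, digest, x-request-id
  printf 'date: %s\ndigest: %s\nx-request-id: %s' "$1" "$2" "$3"
}

# RSA-SHA512 signature of stdin as single-line base64. Arg: private key PEM.
sign_stdin() {
  openssl dgst -sha512 -sign "$1" | openssl base64 -A
}

# Signature header value from step 4. Args: keyId, base64 signature.
signature_header() {
  printf 'keyId="%s",algorithm="rsa-sha512",headers="date digest x-request-id",signature="%s"' "$1" "$2"
}

# Verify a base64 signature over stdin; exit status 0 only if it is valid.
# Args: public key PEM, base64 signature. Runs in a subshell, so vars stay local.
verify_stdin() (
  sigfile=$(mktemp)
  printf '%s' "$2" | openssl base64 -d -A > "$sigfile"
  rc=0
  openssl dgst -sha512 -verify "$1" -signature "$sigfile" >/dev/null 2>&1 || rc=$?
  rm -f "$sigfile"
  exit "$rc"
)

# Demo with a throwaway RSA key (constructed; stands in for the QSeal key pair).
demo() (
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
  str=$(signing_string 'Tue, 29 Jun 2021 13:06:04 GMT' "$(make_digest '')" \
        '08dcb900-215a-4cf7-ac48-ca7b3d4b56e6')
  sig=$(printf '%s' "$str" | sign_stdin "$dir/key.pem")
  printf '%s' "$str" | verify_stdin "$dir/pub.pem" "$sig" && echo "Signature: $(signature_header 1523433508 "$sig")"
  rm -rf "$dir"
)
demo
```

Whether /tmp/data ends with a newline changes the signed bytes, so check which form the API expects before comparing signatures.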