Page tree
Skip to end of metadata
Go to start of metadata

Elektroniskā paraksta pakalpojuma sniedzēja API

The Electronic signature API generates digital signatures (PKCS #1) with the signing identities managed by the platform.

Informācijas iegūšana par identitāti no elektroniskā paraksta

There is two types of signing identity, one for electronic signing and one for authentication

Request

GET /trustedx-resources/esigp/v1/sign_identities/{sign_identity_id}

Parameters

NameTypeUsageDescription
sign_identity_id
pathRequiredIdentifier of the signing identity information is being requested on.

Authorization

The request must contain a bearer access token generated by a trusted authorization server of the service from which the information on the signing identity is requested and that is associated to the domain to which the identity belongs. This token must be used as explained in RFC 6750. It must have the urn:safelayer:eidas:sign:identity:profile scope.

Basically, the token must be included in an HTTP Authorization header as follows:

Authorization: Bearer <token>

The access token can be obtained via an authorization code grant or Service provider's credentials grant OAuth 2.0 flow.

Example

GET /trustedx-resources/esigp/v1/sign_identities/12345678 HTTP/1.1
Authorization: Bearer mF_9.B5f-4.1JqM

Response

Response body representation in JSON as follows

{
 "id" : {string},
 "self" : {string},
 "description" : {string},
 "labels" : [ {string} ],
 "type" : {string},
 "device_id" : {string},
 "domain" : {string},
 "access" : [ {
     "user_id" : {string}
 } ]
 "details" : {
      "certificate" : {string},
      "activation_mode": {string},
      "public_key" : {string}
 },
 "links" :  {
      <operation_alias> : {
           "auth" : {
               "oauth2": {
                  "scopes": [ {string} ]
               }
           }
      }    
      },
 "status" : {
    "value" : {string},
    "reason" : {string}
 }
}

Property

Description
id
Identifier of the signing identity.
self
Access URL for the signing identity.
description
Description of the signing identity.
labels[ ]

List of tags associated to the signing identity.

type
Type of signing identity. This property currently always takes the pki:x509 value.
device_id
Device where the private part of the keys associated to the signing identity is located. Only the signing identities on mobile devices have this property.
domain
Domain the signing identity belongs to.
access[ ]
Information on access control to the signing identity.
access[ ].user_id
Identifier of a end-user with access to the signing identity.
details
Details for implementing the signing identity.
details.certificate
X.509 certificate encoded in DER and base64. Only pki:x509 signing identities have this property.
details.activation_mode

Activation mode of the signing identity. Only server signing identities have this property and it can take the following values:

  • "hsm-pwd": the signature identity is activated by a password entered by the owner and validated by the HSM.
details.public_key
Public part of the keys associated to the signing identity. PublicKeyInfo ASN.1 structure encoded in DER and base64. Only pki:x509 signing identities have this property.
links
Information on operations that use the signing identity.
links.<operation_alias>
Information on the <operation_alias> operation regarding the use of the signing identity. Currently the only value possible for <operation_alias> is Signatures.create.server.raw.
links.<operation_alias>.auth
Authorization information on the <operation_alias> operation regarding the use of the signing identity.
links.<operation_alias>.auth.oauth2
OAuth 2.0 authorization information on the <operation_alias> operation regarding the use of the signing identity.
links.<operation_alias>.auth.oauth2.scopes[ ]
Set of OAuth 2.0 scopes required for accessing the <operation_alias> operation so that this operation can use the signing identity.
status
Information on the status of the signing identity.
status.value

Status of the signing identity.

  • "enabled": The signing identity is enabled.
  • "disabled": The signing identity is disabled.
  • "locked": The signing identity is locked.
status.reason
Reason why the signing identity is in its current state. This property is optional and is normally used to indicate why a signing identity has been locked or disabled.

For receiving signing certificate, labels array shall contain serverid tag.

For receiving authentication certificate, labels array shall contain mobileid tag.

Elektroniskā paraksta izveidošana serverī

Description

Creates a digital signature (PKCS #1) of data using a signing identity on server. As input, the hash of the data or a byte string to be signed raw can be received.

The signature is created with the signing identity on server specified in the request. This identity must belong to the end-user on behalf of whom the operation is performed.

Request

POST /trustedx-resources/esigp/v1/signatures/server/raw

Content-Type Header

Content-Type: application/json

Body

{
 "digest_value" : {string},
 "signature_algorithm" : {string},
 "sign_identity_id" : {string}
}


PropertyDescription
digest_value
Hash of the data to be signed encoded in base64.
signature_algorithm
Algorithm that must be used to generate the digital signature ("rsa-sha1", "rsa-sha256", "rsa-sha384" and "rsa-sha512")
sign_identity_id
Identifier of the signing identity that must be used for generating the signature (it must be a server signing identity that belongs to the end-user on behalf of whom the signature is performed).

Example

POST /trustedx-resources/esigp/v1/signatures/server/raw
Host: eidas.eparaksts.lv
Content-Type: application/json
Authorization: Bearer cbc...6daf
Content-Length: 213
{
   "digest_value" : "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg",
   "signature_algorithm" : "rsa-sha256",
   "sign_identity_id" : "nio...omq"
}

Response

Response contains the binary value of the PKCS #1 signature.

If you are using Sign API service, PKCS#1 shall be base64 encoded (hexToBase64)



Elektroniskā paraksta paketes izveidošana serverī

Description

Creates a batch of digital signatures from the hashes of the data to be signed using a server signing identity. 

The signature is created with the signing identity on server specified in the request. This identity must belong to the end-user on behalf of whom the operation is performed.

This method can be used for single signing as well. Main differences: Batch method response with base64 encoded Signed data, but single signing method response with PKCS#1 raw signature.

Request

POST /trustedx-resources/esigp/v1/signatures/server/raw/batch

Content-Type Header

Content-Type: application/json

Body

{
    "sign_identity_id" : {string},
    "signature_algorithm" : {string},
    "requests" : [
        {
            "digest_value" : {string},
			"signature_algorithm" : {string}
        }
    ]
}


PropertyDescription
sign_identity_id
Identifier of the signing identity that must be used for generating the signature (it must be a server signing identity that belongs to the end-user on behalf of whom the signature is performed).
signature_algorithm
Algorithm for obtaining the cryptographic hashes to be used for generating the signatures (rsa-sha1rsa-sha256rsa-sha384 and rsa-sha512) if no other algorithm is specified for each of them.
requests[ ]
Information on the cryptographic hashes to be used for generating the signatures.
requests[ ].digest_value
Base64 encoding of the cryptographic hash used to generate the signatures.
requests[ ].signature_algorithm
Algorithm that must be used to generate one of the digital signatures ("rsa-sha1", "rsa-sha256", "rsa-sha384" and "rsa-sha512").

Access Control

The request must contain a bearer access token generated by a trusted authorization server associated to the domain of the signing identity to be used for generating the signature. This token must have a scope that includes the value configured for the signing identity (by default, urn:safelayer:eidas:sign:identity:use:server) and must be used as explained in RFC 6750. Basically, the token must be included in an Authorization header as follows:

Authorization: Bearer <token>

The access token must be obtained via an authorization code grant OAuth 2.0 flow.

Example

POST /trustedx-resources/esigp/v1/signatures/server/raw/batch
Host: eidas.eparaksts.lv
Content-Type: application/json
Authorization: Bearer cbc...6daf
Content-Length: 213
{
	"sign_identity_id": "12345678",
    "signature_algorithm": "rsa-sha1",
	"requests": [
        {
            "digest_value": "RXN0byBlcyB1biBoYXNoIFNoYTE=",
            "signature_algorithm": "rsa-sha1"
       	},
       	{
            "digest_value": "siHZ27CDp/M0KNfCo8MZiuklYU1wIQ4ocWzKp81N23k",
            "signature_algorithm": "rsa-sha256"
        }
    ]
}

Response

Body

{
    "signatures" : [ {string} ]
}
PropertyDescription
signatures[]

Digital signatures encoded in base64. The signatures follow the same order as the cryptographic hashes from which they were created appear in the request.


  • No labels