Payment Initiation APIs

Download
(0 reviews)

Payload Signing

This section provides steps for signing the payload and generating a valid x-jws-signature.

Step 1: Identify the private key and corresponding signing certificate to be used for signing

The signer must use a private key that has a corresponding digital certificate (that contains the corresponding public key) issued by OB. The signing certificate must be valid at the time of creating the JWS.

Step 2: Form the JOSE Header

The JOSE Header for the signature must contain the following fields

ClaimDescription
algPS256 and RS256 are the supported algorithms used for signing JWS
typThis is an optional claim. If it is specified, it must be set to the value "JOSE"
ctyThis is an optional claim. If it is specified, it must be set to the value "json" or "application/json".
kidThis must match the certificate id of the certificate selected in step 1.
b64This must have the boolean value false. This indicates that the message payload is not base64 url encoded. (See RFC 7797 - The "b64" header Parameter)
http://openbanking.org.uk/iatThis must be a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names)
http://openbanking.org.uk/issThis must be a string containing the id of the TPP. This must match the dn of the signing certificate. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names)
critThis must be a string array consisting of the values "b64", "http://openbanking.org.uk/iat", "http://openbanking.org.uk/iss". This indicates that the JWS signature validator must understand and process the three additional claims.

Sample JOSE Header

{
  "b64": false,
  "http://openbanking.org.uk/iat": 1549011455,
  "crit": [
    "b64",
    "http://openbanking.org.uk/iat",
    "http://openbanking.org.uk/iss"
  ],
  "kid": "rt0rxv7lo86ohb6wNLDheQrEfyY",
  "cty": "application/json",
  "typ": "JOSE",
  "http://openbanking.org.uk/iss": "CN=5dW7abQ4EglkhhzDTiGjY2,OU=0015800000jfQ9aAAE,O=OpenBanking,C=GB",
  "alg": "PS256"
}
Step 3: Compute the JWS

The signer must compute the signature as a detached JWS as defined in RFC 7515.

detachedJWS = base64Encode( JOSEHeader) + ".." + base64Encode ( encrypt (privateKey, base64Encode(json)))
Step 4: Add the JWS as a HTTP header

The signer must include an HTTP header called x-jws-signature with its value set to the signature computed in Step 3.

x-jws-signature: V2hhdCBoYXRoIGdvZCB3cm91Z2h0ID8=..QnkgR2VvcmdlLCBzaGUncyBnb3QgaXQhIEJ5IEdlb3JnZSBzaGUncyBnb3QgaXQhIE5vdyBvbmNlIGFnYWluLCB3aGVyZSBkb2VzIGl0IHJhaW4/

Reviews

Payment Initiation APIs doesn't have any reviews yet