Payment Initiation APIs
Payload Signing
This section provides steps for signing the payload and generating a valid x-jws-signature.
Step 1: Identify the private key and corresponding signing certificate to be used for signing
The signer must use a private key that has a corresponding digital certificate (that contains the corresponding public key) issued by OB. The signing certificate must be valid at the time of creating the JWS.
Step 2: Form the JOSE Header
The JOSE Header for the signature must contain the following fields:
Claim | Description |
---|---|
alg | PS256 is the supported algorithm used for signing the JWS. |
typ | This is an optional claim. If it is specified, it must be set to the value "JOSE" |
cty | This is an optional claim. If it is specified, it must be set to the value "json" or "application/json". |
kid | This must match the certificate id of the certificate selected in step 1. |
b64 | This must have the boolean value false. This indicates that the message payload is not base64url encoded. (See RFC 7797 - The "b64" Header Parameter) |
http://openbanking.org.uk/iat | This must be a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names) |
http://openbanking.org.uk/iss | This must be a string containing the id of the TPP. This must match the dn of the signing certificate. This is a private header parameter name. (See RFC 7515 - Private Header Parameter Names) |
crit | This must be a string array consisting of the values "b64", "http://openbanking.org.uk/iat", "http://openbanking.org.uk/iss". This indicates that the JWS signature validator must understand and process the three additional claims. |
Sample JOSE Header
{
  "b64": false,
  "http://openbanking.org.uk/iat": 1549011455,
  "crit": [
    "b64",
    "http://openbanking.org.uk/iat",
    "http://openbanking.org.uk/iss"
  ],
  "kid": "rt0rxv7lo86ohb6wNLDheQrEfyY",
  "cty": "application/json",
  "typ": "JOSE",
  "http://openbanking.org.uk/iss": "CN=5dW7abQ4EglkhhzDTiGjY2,OU=0015800000jfQ9aAAE,O=OpenBanking,C=GB",
  "alg": "PS256"
}
Step 3: Compute the JWS
The signer must compute the signature as a detached JWS as defined in RFC 7515.
detachedJWS = base64UrlEncode(JOSEHeader) + ".." + base64UrlEncode(sign(privateKey, base64UrlEncode(JOSEHeader) + "." + json))
Step 4: Add the JWS as an HTTP header
The signer must include an HTTP header called x-jws-signature with its value set to the signature computed in Step 3.
x-jws-signature: V2hhdCBoYXRoIGdvZCB3cm91Z2h0ID8=..QnkgR2VvcmdlLCBzaGUncyBnb3QgaXQhIEJ5IEdlb3JnZSBzaGUncyBnb3QgaXQhIE5vdyBvbmNlIGFnYWluLCB3aGVyZSBkb2VzIGl0IHJhaW4/
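Steps 1 to 4 as an added example (not code from the original page or from OB): Node.js produces the detached JWS over base64url(header) + "." + the raw body, as RFC 7797 specifies when b64 is false, and a receiver-side check shows that any change to the body bytes, including re-serialising the same JSON, invalidates the signature. The key pair, request body, clock value and the rejection of a future issue time are assumptions made for the demo; kid and iss are taken from the sample header, and matching iss against the certificate dn is left out.

```javascript
// Added example, not from the original page. Keys are generated ad hoc for the demo;
// the request body and clock values are constructed sample values.
const crypto = require('node:crypto');

const IAT = 'http://openbanking.org.uk/iat';
const ISS = 'http://openbanking.org.uk/iss';
const CRIT = ['b64', IAT, ISS];
// PS256 = RSASSA-PSS with SHA-256 and a salt as long as the digest (32 bytes).
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING,
              saltLength: crypto.constants.RSA_PSS_SALTLEN_DIGEST };

// Steps 2-3: sign base64url(header) + "." + the raw, unencoded body (b64=false).
function signDetached(privateKey, kid, iss, iat, body) {
  const header = { alg: 'PS256', kid, b64: false, [IAT]: iat, [ISS]: iss, crit: CRIT };
  const h = Buffer.from(JSON.stringify(header)).toString('base64url');
  const sig = crypto.sign('sha256', Buffer.from(`${h}.${body}`), { key: privateKey, ...PSS });
  return `${h}..${sig.toString('base64url')}`;
}

// Receiver side: enforce the Step 2 header rules, then verify over the exact bytes received.
function verifyDetached(publicKey, jws, body, now) {
  const [h, middle, sig, ...rest] = jws.split('.');
  if (middle !== '' || !sig || rest.length) return false;   // must be header..signature
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')); } catch { return false; }
  if (header?.alg !== 'PS256' || header.b64 !== false) return false;
  const crit = header.crit;
  if (!Array.isArray(crit) || crit.length !== 3 || !CRIT.every((c) => crit.includes(c))) return false;
  // Assumption (not stated on the page): reject an issue time that lies in the future.
  if (typeof header[IAT] !== 'number' || header[IAT] > now) return false;
  return crypto.verify('sha256', Buffer.from(`${h}.${body}`), { key: publicKey, ...PSS },
    Buffer.from(sig, 'base64url'));
}

function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const body = '{"Data":{"Initiation":{"InstructedAmount":{"Amount":"10.00","Currency":"GBP"}}}}';
  const jws = signDetached(privateKey, 'rt0rxv7lo86ohb6wNLDheQrEfyY',
    'CN=5dW7abQ4EglkhhzDTiGjY2,OU=0015800000jfQ9aAAE,O=OpenBanking,C=GB', 1549011455, body);
  const check = (b) => verifyDetached(publicKey, jws, b, 1549011500);
  return { jws, valid: check(body), tampered: check(body.replace('10.00', '9910.00')),
           reformatted: check(JSON.stringify(JSON.parse(body), null, 2)) };
}
```

Because the signature covers the body bytes as sent, the sender should sign the final serialised string and transmit that same string, and the receiver should verify before parsing or re-encoding it.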