BCSS - person signing (eSigning)
Abstract
Buypass Remote eSignature Service implements parts of the REST API defined by the Cloud Signature Consortium (CSC) Protocol version 2.0 and supports the creation of advanced and qualified signatures using short-lived keys and certificates.
The intended audience for this document is service providers assuming the role of “Signature Application Provider” as defined in the CSC specification. This document should, together with the CSC specification, contain all the details needed to create a functioning client consuming the Buypass Remote eSignature Service API.
The API defined by the CSC specification contains a number of endpoints, few of which are mandatory. Buypass Remote eSignature Service only implements two of the optional endpoints.
The specification also allows for a number of different authorization mechanisms; Buypass Remote eSignature Service mandates the use of Oauth 2.0 through a dedicated Oauth2 provider. End-user authentication is delegated to an external Identity Provider.
Table of Contents
- 1 Abstract
- 2 Overview
- 2.1 Step description
- 3 Authentication/Authorization
- 3.1 Authorization Code Flow
- 3.1.1 Example request
- 3.1.2 Example response
- 3.2 Token exchange
- 3.2.1 Example request
- 3.2.2 Example response
- 3.3 Creating the client assertion
- 3.3.1 Assertion header
- 3.3.2 Assertion payload
- 3.3.3 Java example
- 3.4 Servers
- 3.5 For testing with client_credentials grant
- 3.5.1 Example request
- 3.5.2 Example response
- 3.1 Authorization Code Flow
- 4 CSC API
- 4.1 /info
- 4.1.1 Servers
- 4.1.2 Authorization
- 4.1.3 Request details
- 4.1.4 Response details
- 4.1.5 Example Request
- 4.1.6 Example Response
- 4.2 /credentials/list
- 4.3 Servers
- 4.3.1 Authorization
- 4.3.2 Request details
- 4.3.3 Response details
- 4.3.4 Example Request
- 4.3.5 Example Response
- 4.4 /signatures/signHash
- 4.5 Servers
- 4.5.1 Authorization
- 4.5.2 Request details
- 4.5.3 Response details
- 4.5.4 Example Request
- 4.5.5 Example Response
- 4.1 /info
- 5 Certificate Revocation Information
- 5.1 Servers
Overview
For reference in the following text, the figure below shows
The services involved in the creation of a signature, as well as the subsystems comprising Buypass Remote eSignature Service
The overall control flow and data exchange in the solution
Step description
User requests to sign a document
SCA sends an authentication request to the eSignature OIDC server
eSignature OIDC server delegates user authentication to an external IDP
The user presents an ID instrument and is authenticated
The external IDP returns tokens containing proof of authentication and ID claims to eSignature OIDC server
The eSignature OIDC server translates the (possibly IDP-specific) ID claims to a standard set of claims to be included in the signing certificate.
An access token authorizing certificate issuance and signing is then returned to the SCA.
The ID claims are retained in the OIDC server.The SCA sends a request to issue the signing certificate to the SSA.
The request uses the /credentials/list endpoint according to the CSC specification, and is authorized by the access token received by the SCA in the previous step.SSA requests claims about the authenticated user
SSA receives claims about the authenticated user
SSA requests the SAM to generate the user’s signing key pair.
SSA receives a blob with the key pair (public key and encrypted private key).
SSA constructs a CSR (Certificate Signing Request) containing
The ID attributes received from the OIDC server
The public key received from SAM
The CSR is then signed with the user’s private signing key by the SAM (not explicitly shown in the drawing), and the CSR is submitted to the CA.
SSA receives the user’s short-lived, qualified signing certificate from the CA.
The certificate and the (encrypted) signing key blob are then stored in a memory-based cache in the SSA.SSA returns the certificate to the SCA.
The SCA then prepares a set of attributes to be signed, including the document hash, certificate reference, signing time and possibly others.
The set of attributes is then hashed, and the resulting hash is submitted to SSA for signing through the CSC-specified /signature/signHash endpoint.
The signing operation is authorized withthe access token previously issued, which must then have both the service and credential scopes, or
a new access token having the credential scope
SSA sends a signing request to SAM. The request contains the hash value(s) to be signed as well as the signing algorithm to be used.
Use of the SAM’s signing endpoint is authorized by the SAD.The SAM verifies the SAD and creates the digital signature with the user’s private signing key in the HSM.
The signature is then returned to SSA.SSA returns the signature to SCA according to the CSC API specification.
The SCA then
collects the necessary elements for LTV (Long Term Validation), typically revocation information and a certified time stamp,
assembles the complete signature according to the format required by the document type,
returns the signed document to the user.
Authentication/Authorization
The end-user requesting a document to be signed must be authenticated, and the necessary access token authorizing use of the CSC API must be obtained by the SCA.
The SCA starts by sending an Oauth2 authentication request to the Buypass Oauth2 server. This should be done using the authorization code flow.
Authorization Code Flow
The request must include:
the scopes requested; these are
service for access to the CSC API
credential for access to the /signHash CSC API endpoint
client_id; provided by Buypass
response_type; determines what flow will be used in order to authenticate the end-user
code
redirect_uri; where to redirect the user after successful authentication, url encoded value
The request should include:
bp_signature_qualifier; the requested signature qualification level where possible values are
aes for advanced electronic signature. This is the default if signature qualification level is not specified
qes for qualified electronic signature. Note that fulfillment of the request is conditional and depends on the quality of the end-user’s ID instrument.
The request may include:
state; value used to maintain state between redirect/callback and authentication request from the SCA
Example request
https://auth.esign.qa-04.buypass.no/auth/realms/esignature/protocol/openid-connect/auth?
response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A4567%2F
&state=OWhHgUpEsgOPWKElcRMNMvtJ8fCwSbL7Z_wYHlOszdU
&client_id=remote-esignature-demo
&scope=openid+service+credential
&bp_signature_qualifier=aes
Example response
HTTP/1.1 302 Found
Location: http://localhost/4567?
code=xxxxx
&state=OWhHgUpEsgOPWKElcRMNMvtJ8fCwSbL7Z_wYHlOszdU
Token exchange
When the authentication is successful and the user is redirected back to the redirect_uri provided in the initial authentication request, the SCA needs to use the code returned in order to retrieve the access_token.
This will be done at the token endpoint. To do the exchange credentials are needed, and this is in the form of a client_assertion.
The token request must include:
a client_assertion in the form of a signed, Base64-URL-encoded JWT.
This authenticates the SCA to the Buypass Oauth2 server.
The JWT must be signed with the private key linked to a merchant certificate issued by Buypass.
Construction of the client_assertion is detailed in the section titled: Creating the client assertioncode; retrieved from the authentication response
client_assertion_type; the type of assertion provided
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
grant_type;
authorization_code
Example request
POST https://auth.esign.qa-04.buypass.no/auth/realms/esignature/protocol/openid-connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=xxxxx&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=< jwt >
Example response
The response will be a JSON structure containing an access_token claim, the value of which is the access token to be submitted as Bearer token in the Authorization header in subsequent requests to the CSC API.
Creating the client assertion
The client needs to construct a valid client_assertion, which is a base 64 encoded signed jwt. There are numerous libraries that are capable to do this. Here are some details regarding the assertion:
Assertion header
These values are currently fixed. NOTE: Do not include a “kid” claim in the header.
Assertion payload
Java example
In java the client assertion can be created with the following code:
|
Servers
QA
https://auth.esign.qa-04.buypass.no/auth/realms/esignature/
Production
https://auth.esign.buypass.no/auth/realms/esignature/
well-known discovery path:
/.well-known/openid-configuration
For testing with client_credentials grant
(not available for all clients)
Example request
Example response
CSC API
Buypass Remote eSignature Service implements the following endpoints in the CSC specification:
info
credentials/list
signatures/signHash
NOTE : The CSC specification should be used as the primary source of information about the endpoints; this document provides only additional details particular to the Buypass implementation.
/info
This is the only mandatory endpoint in the CSC specification. Its most relevant use is to obtain the URL of the OAuth2 endpoint instead of configuring it.
Servers
Test environment
POST https://api.esign.qa-04.buypass.no/csc/v2/infoProduction
https://sign.tsp.buypass.no/remote-esignature-api/csc/v2/info
Authorization
None
Request details
The optional lang parameter in the request body is not interpreted and has no effect. The language used is en-US.
Response details
None
Example Request
Example Response
/credentials/list
The semantics of this endpoint differ somewhat from the CSC specification due to the use of short-lived keys and certificates. As specified by the CSC, the endpoint is supposed to return a list of the user’s existing (and presumably long-lived) credentials. In the Buypass implementation, calling this endpoint will trigger the following server-side actions:
The QSCD generates a signing key pair on behalf of the user
The CA issues a short-lived signing certificate containing
the public singing key
the user’s ID attributes resulting from the user authentication
The signing certificate is returned as part of the response
The response will therefore always contain one and only one credential which is valid for a short period of time.
Servers
Test environment
POST https://api.esign.qa-04.buypass.no/csc/v2/credentials/listProduction
https://sign.tsp.buypass.no/remote-esignature-api/csc/v2/credentials/list
Authorization
The access token with the “service” scope, received from the previously described Oauth2 endpoint, must be submitted as Bearer token in the Authorization header.
Request details
Parameter | Comment |
---|---|
userID | Ignored if present |
credentialInfo | MUST be set to “true”, otherwise the response will omit information necessary for the subsequent signHash request. |
certificates | “chain”or “single” |
certInfo | “true” if attributes extracted from the certificate should be returned. |
authInfo | “true” if information about available authentication methods should be returned. |
onlyValid | Ignored if present. Exactly one valid credential is always returned. |
lang | Ignored if present. The language is always as specified in the response from the /info endpoint. |
clientData | REQUIRED. This must be a UUID which will be used as log correlation ID throughout. |
Response details
Attribute | Comment |
---|---|
credentialIDs | The array always contains exactly one element. |
onlyValid | Always “true” |
credentialInfo/signatureQualifier | “eu_eidas_aes” or “eu_eidas_qes”, depending on the signature qualification level requested from the Oauth2 endpoint described above. |
credentialInfo/key/status | Always “enabled” |
credentialInfo/key/algo | “1.2.840.10045.4.3” (ecdsa-with-sha2) |
credentialInfo/cert/status | Always “valid” |
credentialinfo/cert/certificates | single certificate or complete chain, depending on the value of the “certificates” attribute in the request. |
credentialInfo/SCAL | “Sole Control Assurance Level”. Always 2. |
credentialInfo/auth/mode | Always “oauth2code” |
credentialInfo/multisign | Maximum number of hashes in a single signature request. |
Example Request
Example Response
/signatures/signHash
This endpoint has the same semantics as in the CSC specification, but must be invoked with a request referring to a credential created with an immediately preceding invocation of the credentials/list endpoint.
After performing the signing operation, the server will destroy the credential’s signing key. In other words, a credential may be used in only one call to signHash; however, in accordance with the CSC specification it is permitted to submit multiple hashes to be signed in the same request.
Servers
Test environment
POST https://api.esign.qa-04.buypass.no/csc/v2/signatures/signHashProduction
https://sign.tsp.buypass.no/remote-esignature-api/csc/v2/signatures/signHash
Authorization
The access token with the “credential” scope, received from the previously described Oauth2 endpoint, must be submitted as Bearer token in the Authorization header.
Request details
Parameter | Comment |
---|
Parameter | Comment |
---|---|
credentialID | The credentialID returned by /credentials/list |
SAD | Ignored if present. The SAD is generated by the SSA. |
hashes | Array of Base64-encoded hash values to be signed. |
hashAlgorithmOID | May be specified, but will be ignored for ECDSA. |
signAlgo | The following will be accepted:
|
operationMode | Must have the value “S” or be omitted. Asynchronous operation is not supported. |
|
|
clientData | REQUIRED. This must be the same UUID as was submitted in the preceding request to /credentials/list. |
Response details
Parameter | Comment |
---|---|
signatures | Array of Base64-encoded signatures. |
Example Request
Example Response
Certificate Revocation Information
The signing certificates issued are short-lived, hence revocation services are not implemented and revocation checks are not needed when validating signatures. Consequently, the certificates
do not include the CRL Distribution Points extension
do not include OCSP URL in the Authority Information Access extension
include the ocspNoCheck extension, indicating that the certificate is short-lived and revocation check is not needed
However, since signature validators may not support verification of short-lived certificates based only on these certificate attributes, Buypass provides a CRL service that enables the SCA to fetch a (presumably empty) CRL immediately after invoking the /signHash endpoint. The CRL may then be included in an LTV-enabled signature.
Servers
Test environment
GET http://crl.qa-04.buypassca.com/BPCl3CaG2HTPSBCSS.crlProduction
http://crl.buypassca.com/BPCl3CaG2HTPSBCSS.crl