
Signature

Asymmetric Signature

The Asymmetric Signature is used by Finnet to verify that your access token request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

  1. Retrieve the timestamp from the HTTP header (X-TIMESTAMP).
  2. Retrieve the Client Key from the HTTP header (X-CLIENT-KEY).
  3. Look up the API Secret corresponding to the received key in the internal store.
  4. Retrieve the client HMAC from the HTTP header (X-SIGNATURE), in lowercase hexadecimal format.
  5. Calculate the HMAC using the API Secret as the HMAC secret key.
  6. Compare the client HMAC with the calculated HMAC.

If the HMAC comparison fails, the API Gateway returns an HTTP 401 error code along with the following error message in JSON format:

{
  "responseCode" : "4017300",
  "responseMessage" : "Unauthorized. Invalid Signature"
}

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

Generate Asymmetric Signature

SHA256withRSA is used to generate the signature, with your Private Key as the key:

X-SIGNATURE = SHA256withRSA(PrivateKey, StringToSign)

Note: X-SIGNATURE must be Base64-encoded.

The StringToSign is built from request data, joined with "|" as shown below:

StringToSign = client_ID+"|"+X-TIMESTAMP

Note: Partners need to send their public key in X.509 format to Finnet, which uses it to verify the signature.

Sample public key in X.509 format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomV+Vm1xlRXanmh108Kusls7SSKec0oCejtc9QG
Obpd4RnQ+7gihm2k6etnSNP7b+XrpY+fBkiQNaBInii9M10kW9Bhf/M9GH/edL3IqnzDNSi7tcoQgnO7h8x
mzLNWHTjtR6bkrsdBS5dry6htotaF5KXomuoYgztCdGDOa0W20aeLzYSXIoW7s/Ay5yIXt0xaXTll3/bmez
leguFPnwQZq5EqZFWlUZvutDi+f2l9rTRY0Fb64y+VAf+mnIbEovGqsPEeF/p97YWxcY7CWm8NsT0lwBVOt
kmEl967Brz5yvEObF5bJgVodi6mNVsN1ki0MCitIhYO8shcE7eUilQIDAQAB
-----END PUBLIC KEY-----
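The following is an added example, not Finnet's own code or SDK, showing both halves of the asymmetric flow in Go: the partner builds StringToSign = client_ID + "|" + X-TIMESTAMP, signs it and Base64-encodes the result, and the gateway side parses the partner's X.509 (SubjectPublicKeyInfo) PEM and verifies the signature. It generates a throwaway RSA key pair at run time because the page supplies only a sample public key; the client ID and timestamp are constructed values; and SHA256withRSA is taken to mean RSA PKCS#1 v1.5 with SHA-256, which is what that JCA algorithm name denotes (an assumption, since the page does not state the padding scheme).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// AsymmetricStringToSign follows the page's formula: client_ID + "|" + X-TIMESTAMP.
func AsymmetricStringToSign(clientID, timestamp string) string {
	return clientID + "|" + timestamp
}

// SignAsymmetric produces the X-SIGNATURE header value: SHA-256 digest of
// StringToSign, signed with RSA PKCS#1 v1.5 (the JCA "SHA256withRSA" algorithm,
// assumed here), then Base64-encoded as the page's note requires.
func SignAsymmetric(priv *rsa.PrivateKey, stringToSign string) (string, error) {
	digest := sha256.Sum256([]byte(stringToSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyAsymmetric is the gateway-side check: parse the partner's X.509 PEM
// public key, decode the Base64 signature and verify it over StringToSign.
// Any parse or verification failure is returned as an error (i.e. HTTP 401).
func VerifyAsymmetric(publicKeyPEM []byte, stringToSign, xSignature string) error {
	block, _ := pem.Decode(publicKeyPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return fmt.Errorf("expected a PEM PUBLIC KEY block")
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("public key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(stringToSign))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// NewDemoKey creates a throwaway 2048-bit RSA key pair (constructed for the
// example; a real partner uses its own long-lived key).
func NewDemoKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// PublicKeyPEM exports the partner's public key in the X.509 PEM form the page asks for.
func PublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	priv, err := NewDemoKey()
	if err != nil {
		panic(err)
	}
	pubPEM, _ := PublicKeyPEM(priv)
	// Constructed sample values for the header inputs.
	sts := AsymmetricStringToSign("demo-client-id", "2024-01-01T10:00:00+07:00")
	sig, _ := SignAsymmetric(priv, sts)
	fmt.Println("X-SIGNATURE:", sig)
	fmt.Println("verify ok:", VerifyAsymmetric(pubPEM, sts, sig) == nil)
	// A request whose timestamp was altered in transit no longer verifies.
	tampered := AsymmetricStringToSign("demo-client-id", "2024-01-01T10:00:01+07:00")
	fmt.Println("tampered verify ok:", VerifyAsymmetric(pubPEM, tampered, sig) == nil)
}
```

The verifier rebuilds StringToSign from the headers it received rather than trusting anything the client sends beyond X-CLIENT-KEY, X-TIMESTAMP and X-SIGNATURE, so a change to the timestamp after signing (the last call in main) fails verification.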

Symmetric Signature

The Symmetric Signature is used by Finnet to verify that your Open API service request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

  1. Retrieve the timestamp from the HTTP header (X-TIMESTAMP)
  2. Retrieve the Client Key from the HTTP header (X-CLIENT-KEY)
  3. Look up the API Secret corresponding to the received key in the internal store
  4. Retrieve the client HMAC from the HTTP header (X-SIGNATURE), in lowercase hexadecimal format
  5. Calculate the HMAC using the API Secret as the HMAC secret key
  6. Compare the client HMAC with the calculated HMAC

If the HMAC comparison fails, the API Gateway returns an HTTP 401 error code together with the following error message in JSON format:

{
  "responseCode" : "401xx00",
  "responseMessage" : "Unauthorized. Invalid Signature"
}

Note: xx is the service code of the service being called.

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

Generate Symmetric Signature

HMAC-SHA512 is used to generate the signature, with your Client Secret as the key:

X-SIGNATURE = HMAC-SHA512(ClientSecret, StringToSign)

Note: X-SIGNATURE must be Base64-encoded.

The StringToSign is a colon-separated list derived from the request data as shown below:

StringToSign = HTTPMethod+":"+RelativeUrl+":"+AccessToken+":"+Lowercase(HexEncode(SHA-256(MinifyJson(RequestBody))))+":"+Timestamp

HexEncode is optional: apply it only if your SHA-256 implementation returns raw bytes rather than a hexadecimal string.
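The following is an added example in Go, not Finnet's own code, that carries the symmetric formula through end to end: minify the JSON body, hash it with SHA-256, hex-encode in lowercase, join the five fields with ":", compute HMAC-SHA512 with the Client Secret and Base64-encode the tag (following the page's note rather than the "lowercase hexadecimal" wording in step 4). It also shows the gateway-side check, which recomputes the tag and compares it in constant time. The method, relative URL, access token, timestamp, body and secret are constructed sample values; treating an empty request body as the SHA-256 of the empty string is an assumption, since the page does not say how a body-less request is handled.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// MinifyJSON implements the page's MinifyJson step: strip insignificant whitespace.
// An empty body is returned as-is (assumption: its digest is SHA-256("")).
func MinifyJSON(body []byte) ([]byte, error) {
	if len(bytes.TrimSpace(body)) == 0 {
		return []byte{}, nil
	}
	var buf bytes.Buffer
	if err := json.Compact(&buf, body); err != nil {
		return nil, fmt.Errorf("request body is not valid JSON: %w", err)
	}
	return buf.Bytes(), nil
}

// BodyDigest is Lowercase(HexEncode(SHA-256(MinifyJson(RequestBody)))).
// hex.EncodeToString already emits lowercase; ToLower makes the requirement explicit.
func BodyDigest(body []byte) (string, error) {
	minified, err := MinifyJSON(body)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(minified)
	return strings.ToLower(hex.EncodeToString(sum[:])), nil
}

// SymmetricStringToSign joins HTTPMethod, RelativeUrl, AccessToken, the body
// digest and Timestamp with ":" exactly as the page's formula specifies.
func SymmetricStringToSign(method, relativeURL, accessToken string, body []byte, timestamp string) (string, error) {
	digest, err := BodyDigest(body)
	if err != nil {
		return "", err
	}
	return strings.Join([]string{method, relativeURL, accessToken, digest, timestamp}, ":"), nil
}

// SignSymmetric returns X-SIGNATURE = Base64(HMAC-SHA512(ClientSecret, StringToSign)).
func SignSymmetric(clientSecret, stringToSign string) string {
	mac := hmac.New(sha512.New, []byte(clientSecret))
	mac.Write([]byte(stringToSign))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// VerifySymmetric is the gateway-side check: recompute the tag from the
// received request fields and the stored secret, then compare with hmac.Equal
// so the comparison time does not leak how many leading bytes matched.
func VerifySymmetric(clientSecret, stringToSign, xSignature string) bool {
	received, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return false
	}
	mac := hmac.New(sha512.New, []byte(clientSecret))
	mac.Write([]byte(stringToSign))
	return hmac.Equal(received, mac.Sum(nil))
}

func main() {
	// Constructed sample request; none of these values come from Finnet.
	body := []byte("{\n  \"partnerReferenceNo\": \"demo-001\",\n  \"amount\": {\"value\": \"10000.00\", \"currency\": \"IDR\"}\n}")
	sts, err := SymmetricStringToSign("POST", "/v1.0/demo-service", "demo-access-token", body, "2024-01-01T10:00:00+07:00")
	if err != nil {
		panic(err)
	}
	sig := SignSymmetric("demo-client-secret", sts)
	fmt.Println("StringToSign:", sts)
	fmt.Println("X-SIGNATURE:", sig)
	fmt.Println("verify ok:", VerifySymmetric("demo-client-secret", sts, sig))
	// Re-signing the same request with a body altered in transit fails verification.
	altered, _ := SymmetricStringToSign("POST", "/v1.0/demo-service", "demo-access-token", []byte(`{"partnerReferenceNo":"demo-001","amount":{"value":"99999.00","currency":"IDR"}}`), "2024-01-01T10:00:00+07:00")
	fmt.Println("altered body verify ok:", VerifySymmetric("demo-client-secret", altered, sig))
}
```

Because the body digest is part of StringToSign, the gateway must hash the exact bytes it received after the same minification, so pretty-printed and compact encodings of the same document produce the same digest; this is also why the client must sign the minified form rather than whatever its HTTP library happens to serialise.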