Signature
Asymmetric Signature
The Asymmetric Signature is used by Finnet to verify that your access token request has not been tampered with or altered by attackers.
The outline of the HMAC validation process is as follows:
- Retrieve Timestamp from HTTP Header (X-TIMESTAMP).
- Retrieve the Client Key from HTTP Header (X-CLIENT-KEY).
- Lookup the API Secret corresponding to the received key in internal store.
- Retrieve client HMAC from HTTP Header lowercase hexadecimal format (X-SIGNATURE).
- Calculate HMAC using the API Secret as the HMAC secret key.
- Compare client HMAC with calculated HMAC.
If the HMAC hash comparison fails, the API Gateway will return an HTTP 401 error code along with the following error message in JSON format:
{
"responseCode" : "4017300",
"responseMessage" : "Unauthorized. Invalid Signature"
}
If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.
Generate Asymmetric Signature
SHA256withRSA is used to generate the signature with your Private Key as the key:
X-SIGNATURE = SHA256withRSA(PrivateKey, StringToSign)
Note: X-SIGNATURE should be encoded by Base64.
The StringToSign will be a colon-separated list derived from some request data as below:
StringToSign = client_ID+"|"+X-TIMESTAMP
Partners need to send their public key in X.509 format for Finnet to use when verifying the signature.
Sample public key in X.509 format:
Symmetric Signature
The Symmetric Signature is used by Finnet to verify that your open API service request has not been tampered with or altered by attackers.
The outline of the HMAC validation process is as follows:
- Retrieve Timestamp from HTTP Header (X-TIMESTAMP)
- Retrieve the Client Key from HTTP Header (X-CLIENT-KEY)
- Lookup the API Secret corresponding to the received key in internal store
- Retrieve client HMAC from HTTP Header lowercase hexadecimal format (X-SIGNATURE)
- Calculate HMAC using the API Secret as the HMAC secret key
- Compare client HMAC with calculated HMAC
If the HMAC hash comparison fails, the API Gateway will return an HTTP 401 error code together with the following error message in JSON format:
{
"responseCode" : "401xx00",
"responseMessage" : "Unauthorized. Invalid Signature"
}
Note: xx is the corresponding service code.
If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.
Generate Symmetric Signature
SHA-512 HMAC is used to generate the signature with your Client Secret as the key:
X-SIGNATURE = HMAC-SHA512(ClientSecret, StringToSign)
Note: X-SIGNATURE should be encoded by Base64.
The StringToSign will be a colon-separated list derived from some request data as below:
StringToSign = HTTPMethod+":"+RelativeUrl+":"+AccessToken+":"+Lowercase(HexEncode(SHA-256(MinifyJson(RequestBody))))+":"+Timestamp
HexEncode is optional; use it if your SHA-256 implementation returns a binary stream rather than a hex string.
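As an added example (not Finnet's own code), the following Python builds the symmetric StringToSign and X-SIGNATURE on the client side and then runs the outlined gateway-side validation steps (client-key lookup, recomputation, constant-time comparison). The credentials, timestamp and secret store are constructed placeholders, and MinifyJson is assumed to mean re-serialising the body with all whitespace removed.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder credentials; not real Finnet values.
CLIENT_KEY = "sample-client-key"
CLIENT_SECRET = "sample-client-secret"
# Gateway-side lookup table: X-CLIENT-KEY -> API secret (constructed).
SECRET_STORE = {CLIENT_KEY: CLIENT_SECRET}


def minify_json(body: str) -> str:
    """MinifyJson: re-serialise the JSON body without any whitespace (assumed meaning)."""
    return json.dumps(json.loads(body), separators=(",", ":"))


def build_string_to_sign(method, relative_url, access_token, body, timestamp):
    """HTTPMethod:RelativeUrl:AccessToken:Lowercase(HexEncode(SHA-256(MinifyJson(body)))):Timestamp"""
    body_hash = hashlib.sha256(minify_json(body).encode("utf-8")).hexdigest().lower()
    return ":".join([method, relative_url, access_token, body_hash, timestamp])


def sign(client_secret: str, string_to_sign: str) -> str:
    """X-SIGNATURE = Base64(HMAC-SHA512(ClientSecret, StringToSign))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      string_to_sign.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")


def make_headers(client_key, client_secret, access_token, method, url, body, timestamp):
    """Client side: produce the headers the gateway reads during validation."""
    sts = build_string_to_sign(method, url, access_token, body, timestamp)
    return {"X-CLIENT-KEY": client_key, "X-TIMESTAMP": timestamp,
            "Authorization": "Bearer " + access_token,
            "X-SIGNATURE": sign(client_secret, sts)}


def verify(headers, method, url, body) -> bool:
    """Gateway side: follow the outlined steps; compare signatures in constant time."""
    secret = SECRET_STORE.get(headers.get("X-CLIENT-KEY", ""))
    if secret is None:
        return False  # unknown client key: nothing to compare against
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    sts = build_string_to_sign(method, url, token, body, headers.get("X-TIMESTAMP", ""))
    return hmac.compare_digest(sign(secret, sts), headers.get("X-SIGNATURE", ""))
```

Because the body is minified before hashing, a re-indented but otherwise identical JSON body still verifies, while any change to a value does not.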