PhenixID DocumentationPhenixID Signing ServicesPhenixID Signing ServiceDeveloper integration guideUsing Trusted Central Signing Service - API - Document (pdf) signing

Using Trusted Central Signing Service - API - Document (pdf) signing

Overview

The api contains two functions, sign and verify.

Sign:

1. Send PDF file to be signed to the api. Api will return a id value

2. Create signed jwt token with payload attributes id=<value performed from previous step>, successURL=<URL where PhenixID Signing Service should redirect the browser after successful signing>, failURL=<URL where PhenixID Signing Service should redirect the browser after unsuccessful signing>

3. Redirect user browser to URL?Authorization=<jwt_token>

4. User perform sign against PhenixID Signing Services

5. After successful sign and redirect back, perform new call to API to fetch signed PDF file.

6. Store the signed pdf file.

 

Verify:

1. Send signed pdf file to API

 

2. API will return signature status and data about the signatory(ies)

Prerequisites

- PhenixID Signing Service - Trusted central signing service - API - Document signing configured.

- Username and password for API authentication

- Base URL for PhenixID Signing Services

- Keypair and certificate (.p12 file) for signing jwt tokens. This cert can be selfsigned.

Send unsigned file - api call

Request

Method: HTTP POST

Endpoint: /files/integration_dev (may vary depending on backend configuration

Headers:

Name Value
Mandatory Comment
Content-Type application/pdf Yes
Authorization <basic_auth_value> No If applicable, username and password must be given to you by PhenixID Signing Service admin.

Body:

The pdf file is sent as a binary file in the body.

Example request

 

POST /files/integration_dev HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/pdf
Authorization: Basic c2lnbl9hcGk6c2VjcmV0

.....binary pdf file......

Response

Example response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 154
{
    "id": "a981d731-730c-4cf3-9a04-ad4ff54aaeb1",
    "content_type": "application/pdf",
    "size": 85111,
    "created": "2018-10-29T19:24:38.532Z"
}

Create JWT token

Create keypair and certificate to be able to sign jwt token

Create a keypair and certificate for signing jwt token. The certificate (public crt) must be distributed to PhenixID Server administrator.

Populate jwt payload

Populate the jwt with these properties:

Key Value
jti Unique ID of token. Generate random unique key.
iat Issued at value. Now in epoch time.
nbf Not before value. Now in epoch time.
exp Expires value. Now + 10 minutes in epoch time.
id Id value. The id returned from the first api call.
successURL The url where PhenixID Signing Service should redirect the browser after successful sign.
failURL The url where PhenixID Signing Service should redirect the browser after unsuccessful sign. 
cancelURL
The url where PhenixID Signing Service should redirect the browser if user cancels during the signing process.

Example:

{
  "jti": "123123123123456456",
  "iat": 1521815800,
  "exp": 1521815830,
  "nbf": 1521815800,
  "id": "a981d731-730c-4cf3-9a04-ad4ff54aaeb1",
  "failURL": "https://example.org/callback/sign_failure",
  "successURL": "https://example.org/callback/sign_success",
"cancelURL": "https://example.org/callback/sign_cancel"
}

Sign jwt token

Sign the payload with the certificate created in previous step using this algorithm.

{

 "alg": "RS256",

 "typ": "JWT"

}

 

JWT token value

JWT token value should now look something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk0YTg1MjMxLWZhYWMtNGQxZC1iZTk1LWY5ZGY2ZjA3ODI5YSIsImp0aSI6IjEyMzEyMzEyMzEyMzQ1NjQ1NiIsImlzcyI6IkV4YW1wbGUgb3JnIiwiaWF0IjoxNTIxODE1ODAwLCJleHAiOjE1MjE4MTU4MzAsImF1ZCI6ImludGVncmF0aW9uLnBoZW5peGlkLnNlIiwic3ViIjoibXl1c2VyIiwiZmFpbFVSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9mYWlsdXJlIiwic3VjY2Vzc1VSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9zdWNjZXNzP2lkPTY5N2QxNmM5LTI4MzYtNGY5Ni1iYTM4LTJiY2I1NzdmOTg0MiJ9.H9bqf0cEpOWvm8zWNcEflIwb6zCHx_bcxXfuQP71zOk

Fetch signature result - the signed PDF

When PhenixID Signing Services redirected the user agent back to the success URL, perform this callout to the API to fetch the signed PDF.

 

Fetch signed file - api call

Method: HTTP GET

Endpoint: /files/integration_dev/<id_fetched_in_first_api_call> (may vary depending on backend configuration

Headers:

Name Value Mandatory Comment
Content-Type application/pdf Yes
Authorization <basic_auth_value> No If applicable, username and password must be given to you by PhenixID Signing Service admin.

Example request

GET /files/integration_dev/a981d731-730c-4cf3-9a04-ad4ff54aaeb1 HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/pdf
Authorization: Basic c2lnbl9hcGk6c2VjcmV0
Cache-Control: no-cache

Response

Response

The response contains the signed PDF.

 

Verify signature - api call

Method: HTTP PUT

Endpoint: /pipes/verifysign (may vary depending on backend configuration

Headers:

Name Value Mandatory Comment
Content-Type application/pdf Yes
Authorization <basic_auth_value> No If applicable, username and password must be given to you by PhenixID Signing Service admin.

Body:

The pdf file is sent as a binary file in the body.

 

Example request:

PUT /pipes/verifysign HTTP/1.1

Host: demo.phenixid.net

Content-Type: application/pdf

 

.....binary pdf file......

Example response:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 154
{
    "success": true,
    "error_message": "",
    "error_detail_message": "",
    "items": [
        {
            "id": "verification_result",
            "properties": {
                "pdfreport": [
                    "{\"changedaftersigning\":\"false\",\"signatures\":[{\"who\":\"Robert Milestad\",\"when\":\"2018-06-29T06:58:36Z\",\"intact\":\"true\"}]}"
                ]
            }
        }
    ]
}

 

The pdfreport property will contain 1-n objects (1 object per signatory). Each object must have the property changedaftersigning=false AND intact=true.
If not, the signatures are not correct and can not be trusted.