Using Trusted Central Signing Service - API - Document (pdf) signing
Overview
The api contains two functions, sign and verify.
Sign:
1. Send PDF file to be signed to the api. Api will return a id value
2. Create signed jwt token with payload attributes id=<value performed from previous step>, successURL=<URL where PhenixID Signing Service should redirect the browser after successful signing>, failURL=<URL where PhenixID Signing Service should redirect the browser after unsuccessful signing>
3. Redirect user browser to URL?Authorization=<jwt_token>
4. User perform sign against PhenixID Signing Services
5. After successful sign and redirect back, perform new call to API to fetch signed PDF file.
6. Store the signed pdf file.
Verify:
1. Send signed pdf file to API
2. API will return signature status and data about the signatory(ies)
Prerequisites
- PhenixID Signing Service - Trusted central signing service - API - Document signing configured.
- Username and password for API authentication
- Base URL for PhenixID Signing Services
- Keypair and certificate (.p12 file) for signing jwt tokens. This cert can be selfsigned.
Send unsigned file - api call
Request
Method: HTTP POST
Endpoint: /files/integration_dev (may vary depending on backend configuration
Headers:
| Name | Value |
Mandatory | Comment |
|---|---|---|---|
| Content-Type | application/pdf | Yes | |
| Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Signing Service admin. |
Body:
The pdf file is sent as a binary file in the body.
Example request
POST /files/integration_dev HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/pdf
Authorization: Basic c2lnbl9hcGk6c2VjcmV0
.....binary pdf file......Response
Example response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 154
{
"id": "a981d731-730c-4cf3-9a04-ad4ff54aaeb1",
"content_type": "application/pdf",
"size": 85111,
"created": "2018-10-29T19:24:38.532Z"
}Create JWT token
Create keypair and certificate to be able to sign jwt token
Create a keypair and certificate for signing jwt token. The certificate (public crt) must be distributed to PhenixID Server administrator.
Populate jwt payload
Populate the jwt with these properties:
| Key | Value |
|---|---|
| jti | Unique ID of token. Generate random unique key. |
| iat | Issued at value. Now in epoch time. |
| nbf | Not before value. Now in epoch time. |
| exp | Expires value. Now + 10 minutes in epoch time. |
| id | Id value. The id returned from the first api call. |
| successURL | The url where PhenixID Signing Service should redirect the browser after successful sign. |
| failURL | The url where PhenixID Signing Service should redirect the browser after unsuccessful sign. |
| cancelURL |
The url where PhenixID Signing Service should redirect the browser if user cancels during the signing process. |
Example:
{ "jti": "123123123123456456", "iat": 1521815800, "exp": 1521815830, "nbf": 1521815800, "id": "a981d731-730c-4cf3-9a04-ad4ff54aaeb1", "failURL": "https://example.org/callback/sign_failure", "successURL": "https://example.org/callback/sign_success","cancelURL": "https://example.org/}callback/sign_cancel"
Sign jwt token
Sign the payload with the certificate created in previous step using this algorithm.
{
"alg": "RS256",
"typ": "JWT"
}
JWT token value
JWT token value should now look something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk0YTg1MjMxLWZhYWMtNGQxZC1iZTk1LWY5ZGY2ZjA3ODI5YSIsImp0aSI6IjEyMzEyMzEyMzEyMzQ1NjQ1NiIsImlzcyI6IkV4YW1wbGUgb3JnIiwiaWF0IjoxNTIxODE1ODAwLCJleHAiOjE1MjE4MTU4MzAsImF1ZCI6ImludGVncmF0aW9uLnBoZW5peGlkLnNlIiwic3ViIjoibXl1c2VyIiwiZmFpbFVSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9mYWlsdXJlIiwic3VjY2Vzc1VSTCI6Imh0dHBzOi8vZXhhbXBsZS5vcmcvc2lnbl9zdWNjZXNzP2lkPTY5N2QxNmM5LTI4MzYtNGY5Ni1iYTM4LTJiY2I1NzdmOTg0MiJ9.H9bqf0cEpOWvm8zWNcEflIwb6zCHx_bcxXfuQP71zOk
Redirect user agent to PhenixID Signing Services
Now, redirect the user agent to the url: https://<phenixid_signing_service>/pdf_sign/?Authorization=<token_value>
Fetch signature result - the signed PDF
When PhenixID Signing Services redirected the user agent back to the success URL, perform this callout to the API to fetch the signed PDF.
Fetch signed file - api call
Method: HTTP GET
Endpoint: /files/integration_dev/<id_fetched_in_first_api_call> (may vary depending on backend configuration
Headers:
| Name | Value | Mandatory | Comment |
|---|---|---|---|
| Content-Type | application/pdf | Yes | |
| Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Signing Service admin. |
Example request
GET /files/integration_dev/a981d731-730c-4cf3-9a04-ad4ff54aaeb1 HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/pdf
Authorization: Basic c2lnbl9hcGk6c2VjcmV0
Cache-Control: no-cacheResponse
Response
The response contains the signed PDF.
Verify signature - api call
Method: HTTP PUT
Endpoint: /pipes/verifysign (may vary depending on backend configuration
Headers:
| Name | Value | Mandatory | Comment |
|---|---|---|---|
| Content-Type | application/pdf | Yes | |
| Authorization | <basic_auth_value> | No | If applicable, username and password must be given to you by PhenixID Signing Service admin. |
Body:
The pdf file is sent as a binary file in the body.
Example request:
PUT /pipes/verifysign HTTP/1.1
Host: demo.phenixid.net
Content-Type: application/pdf
.....binary pdf file......
Example response:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 154
{
"success": true,
"error_message": "",
"error_detail_message": "",
"items": [
{
"id": "verification_result",
"properties": {
"pdfreport": [
"{\"changedaftersigning\":\"false\",\"signatures\":[{\"who\":\"Robert Milestad\",\"when\":\"2018-06-29T06:58:36Z\",\"intact\":\"true\"}]}"
]
}
}
]
}
The pdfreport property will contain 1-n objects (1 object per signatory). Each object must have the property changedaftersigning=false AND intact=true.
If not, the signatures are not correct and can not be trusted.