API Signing and Authentication

Your digital signature validates the authenticity and integrity of your message. As the digital equivalent of a handwritten signature or stamped seal, a digital signature, used appropriately, protects against tampering and impersonation: any change to the signed message, or a signature produced by someone other than the key holder, fails verification. Digital signatures also provide evidence of origin, identity and the status of the message, and acknowledge informed consent by the signer.

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as RSA, one can generate two keys that are mathematically linked: one private and one public. The signer uses their own private key to produce the signature over the message data; that signature can only be verified with the signer's matching public key, which can be shared freely. This is how digital signatures are authenticated: anyone holding the public key can check the signature, but only the holder of the private key can produce it.

Generating Key Pairs

Here's an example of a command line script for generating ES256 key pairs:

# Generate the key in pem format. ES256 is ECDSA with SHA-256 over the P-256 curve,
# which openssl names prime256v1 (secp521r1 would be the curve for ES512, not ES256)
openssl ecparam -genkey -name prime256v1 -noout -out key.pem

# Get the PKCS8 private key in pem format
openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -nocrypt -out private.pem

# Extract the public key
openssl ec -in private.pem -pubout -out public.pem

# Print the private key in base64 URL encoded (keep this value secret; it is never uploaded)
cat private.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

# Print the public key in base64 URL encoded. This is the string you will upload to Soldo Dashboard
cat public.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

Example command lines for RS256 might look like this:

# Generate the key in pem format (genpkey writes an unencrypted PKCS8 private key)
openssl genpkey -algorithm RSA -out key.pem -pkeyopt rsa_keygen_bits:2048

# Get the PKCS8 private key in pem format (a no-op for genpkey output, but it also
# normalises a key produced by `openssl genrsa` into the same PKCS8 form)
openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -nocrypt -out private.pem

# Extract the public key
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

# Print the private key in base64 URL encoded (keep this value secret; it is never uploaded)
cat private.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

# Print the public key in base64 URL encoded. This is the string you will upload to Soldo Dashboard
cat public.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

These are just a couple of examples. There are a number of command variations you can use to generate and extract your keys, depending on your own preference and security policy.
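The following script is an added example and is not Soldo's own code. It runs the ES256 and RS256 key generation described above end to end, exports the public keys in the base64url form the dashboard expects, and then demonstrates the sign/verify round trip from the opening paragraphs: a signature verifies under the matching public key, but not over a tampered message and not under a different key. It assumes the `openssl` command line tool (1.1 or 3.x) is on PATH; the file names and the sample message are constructed for this example.

```shell
#!/bin/sh
# Added example (not Soldo's code): key generation, base64url export, and a
# sign/verify round trip with the openssl CLI. Assumes `openssl` is on PATH;
# all file names and the sample message below are constructed for this script.
set -eu

WORK="$(mktemp -d)"              # scratch directory for the generated files
trap 'rm -rf "$WORK"' EXIT       # private keys never outlive the script

# Drop the PEM armour lines and re-encode the body as unpadded base64url
# (the same transformation as the sed/tr pipeline in the text).
pem_to_b64url() {
    grep -v -- '-----' "$1" | tr -d '\n' | sed -e 's/+/-/g' -e 's#/#_#g' | tr -d '='
}

# ES256 is ECDSA with SHA-256 over the P-256 curve, which openssl calls prime256v1.
gen_es256() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/ec_key.pem"
    openssl pkcs8 -topk8 -inform pem -in "$WORK/ec_key.pem" -outform pem -nocrypt \
        -out "$WORK/es256_private.pem"
    openssl ec -in "$WORK/es256_private.pem" -pubout -out "$WORK/es256_public.pem" 2>/dev/null
}

# RS256 is RSASSA-PKCS1-v1_5 with SHA-256; genpkey already writes PKCS#8 PEM,
# so no separate pkcs8 conversion is needed here.
gen_rs256() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rs256_private.pem" 2>/dev/null
    openssl rsa -in "$WORK/rs256_private.pem" -pubout -out "$WORK/rs256_public.pem" 2>/dev/null
}

# sign_file <private.pem> <message-file> <signature-out>: signs the SHA-256
# digest of the message with the private key; works for the EC and RSA keys alike.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file <public.pem> <message-file> <signature-file>: prints "valid" when
# the signature matches the message under that public key, otherwise "invalid".
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

gen_es256
gen_rs256

# The base64url public key is the string the text says to upload to the dashboard.
printf 'ES256 public key (base64url): %s\n' "$(pem_to_b64url "$WORK/es256_public.pem")"
printf 'RS256 public key (base64url): %s\n' "$(pem_to_b64url "$WORK/rs256_public.pem")"

# Constructed sample message plus a tampered copy (one word appended).
printf '%s' 'constructed sample request body' > "$WORK/msg.txt"
printf '%s' 'constructed sample request body, tampered' > "$WORK/tampered.txt"

sign_file "$WORK/es256_private.pem" "$WORK/msg.txt" "$WORK/es256.sig"
sign_file "$WORK/rs256_private.pem" "$WORK/msg.txt" "$WORK/rs256.sig"

echo "ES256, original message: $(verify_file "$WORK/es256_public.pem" "$WORK/msg.txt" "$WORK/es256.sig")"      # valid
echo "ES256, tampered message: $(verify_file "$WORK/es256_public.pem" "$WORK/tampered.txt" "$WORK/es256.sig")" # invalid
echo "RS256, original message: $(verify_file "$WORK/rs256_public.pem" "$WORK/msg.txt" "$WORK/rs256.sig")"      # valid
echo "ES256 signature under the RS256 key: $(verify_file "$WORK/rs256_public.pem" "$WORK/msg.txt" "$WORK/es256.sig")" # invalid
```

Two points worth keeping in mind when moving from this demonstration to a real client. First, `openssl dgst -sign` emits an ECDSA signature in DER encoding, whereas the ES256 signature defined for JWS (RFC 7518) is the raw 64-byte concatenation of r and s; if the API expects a JWS or JWT, use a JWT library to produce the request signature rather than this pipeline. Second, only the public key leaves the machine: the private key is written to a temporary directory that the `trap` removes on exit, and in a deployed client it should live in a secrets store with equally tight file permissions.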