API Signing and Authentication

Your digital signature validates the authenticity and integrity of your message. As the digital equivalent of a handwritten signature or stamped seal, a digital signature, used appropriately, should obviate tampering and impersonation. Digital signatures also provide evidence of origin, identity and the status of the message, acknowledging informed consent by the signer.

Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm, such as RSAClosedPublic-key cryptosystem for both encryption and authentication. Under RSA, the encryption key is public and it is always different from the decryption key which is kept secret (private). Anyone can use the public key to encrypt a message, but only someone with the private key can decode the message. The RSA acronym is derived from the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977., one can generate two keys that are mathematically linked: one private and one public. Digital signatures work through public key cryptography's two mutually-authenticating cryptographic keys. The individual who is creating the digital signature uses their own private key to encrypt signature-related data; the only way to decrypt that data is with the signer's public key. This is how digital signatures are authenticated.

Generating Key Pairs

Here's an example of a command line script for generating ES256ClosedAsymmetric key cryptography algorithm combined with elliptic curve digiral signature algorithm (ECDSA) using P-256 and SHA-256. key pairs:

// Generate the key in pem format

openssl ecparam -genkey -name secp521r1 -noout -out key.pem

 

// Get the PKCS8 private key in pem format

openssl pkcs8 -topk8 -inform pem -in key.pem -outform pem -nocrypt -out private.pem

 

// Extract the public key

openssl ec -in private.pem -pubout -out public.pem

 

// Print the private key in base64 URL encoded

cat private.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

 

// Print the public key in base64 URL encoded. This is the string you will upload to Token developer dashboard

cat public.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

Example command line prompts for RS256ClosedAsymmetric algorithm using a public/private key pair. The identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature. Since the public key, as opposed to the private key, doesn’t need to be kept secured, most identity providers make it easily available for consumers to obtain and use (usually through a metadata URL). might look like this:

// Generate the key in pem format

openssl genkey -algorithm RSA -out privat.pem -pkeyopt rsa_keygen_bits: 2048

 

// Get the private key in pem format

openssl rsa -in private.pem -outform pem -nocrypt -out private.pem

 

// Extract the public key

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

 

// Print the private key in base64 URL encoded

cat private.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

 

// Print the public key in base64 URL encoded. This is the string you will upload to Token developer dashboard

cat public.pem | sed -E "s/(-----[^-]* KEY-----)//" | sed 's/+/-/g' | sed 's/\//_/g' | tr -d '\n='

These are just a couple of examples. There are a number command variations you can use to generate and extract your keys based on your own preference and security policy.

Authenticating

With your key pairs in hand, Soldo supports two authentication methods:

JWTClosedJSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. is recommended for production deployments. Click the respective authentication link above to determine the right method for you.