Secured token for POST request

To secure and verify the authenticity of the data sent by SPS-SIGNATURE, the use of a security token («Token») can be activated (this requires an explicit request from the creditor). This «Token» is a string that makes it possible to verify the integrity of the POST request by means of the «Seal».

Calculation of the SEAL

The «Seal» is a hash computed from a Token to which the creditor's "Secret Key" is appended. The "Token" received in the request indicates what the Token must be. To ensure the integrity of the request, the creditor must recompute this Token from the fields of the request, in the correct order.

Before calculating the Seal, the creditor must request from the SPS-SIGNATURE team the secret key that will be used.

The algorithm that is used to calculate the seal is the following:

  1. Compute the token from the fields of the request (except the "Token" and "Seal" fields), in the order given in
    End-Ticket Parameters.
  2. Concatenate the token and the secret key.
  3. Hash the concatenated string with SHA-256.
  4. Convert the hash to its hexadecimal representation.

The Token provided in the request can be used to check the Token computation during the implementation phase.

Example of seal calculation in Java

To verify the authenticity of the received data, the creditor must:

  • Re-compute the token
  • Re-compute the seal based on the re-computed token
  • Compare the computed seal to the received seal

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.xml.bind.DatatypeConverter;

// token: the Token re-computed from the request fields; secretkey: the key obtained from the SPS-SIGNATURE team; sealReceived: the "Seal" field of the request.
MessageDigest md = MessageDigest.getInstance("SHA-256");   // declares NoSuchAlgorithmException
md.update((token + secretkey).getBytes(StandardCharsets.UTF_8));   // UTF-8 assumed for the encoding
byte[] hash = md.digest();

String sealVerification = DatatypeConverter.printHexBinary(hash).toLowerCase();

// Constant-time comparison of the two hex strings, so the comparison time does not reveal where they differ.
boolean validToken = MessageDigest.isEqual(sealVerification.getBytes(StandardCharsets.UTF_8), sealReceived.getBytes(StandardCharsets.UTF_8));
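The full verification described above (recompute the token from the ordered fields, compute the seal, compare it to the received seal), as an added Python example that is not part of the SPS-SIGNATURE documentation. The field names, their order and the secret key are constructed for the example: the real field order comes from the End-Ticket Parameters section, which is not reproduced here, and the example assumes the Token is the plain concatenation of the field values in that order. The helper make_request only builds sample data the way the sender would; it also shows why the Seal, not the Token, is what proves integrity: a modified request whose Token has been recomputed still fails the seal check.

```python
import hashlib
import hmac

# Constructed field order for the example. Assumption: the real order is the one
# listed in the End-Ticket Parameters; "Token" and "Seal" are never part of it.
FIELD_ORDER = ["TransactionId", "Amount", "Currency", "Status"]

# Placeholder only; the real secret key is obtained from the SPS-SIGNATURE team.
SECRET_KEY = "constructed-secret-key"


def compute_token(fields, order=FIELD_ORDER):
    """Recompute the Token from the POST fields, excluding Token and Seal.

    Assumption: the Token is the concatenation of the field values in order.
    """
    return "".join(fields[name] for name in order if name not in ("Token", "Seal"))


def compute_seal(token, secret_key):
    """Seal = lowercase hexadecimal SHA-256 of (token + secret key)."""
    return hashlib.sha256((token + secret_key).encode("utf-8")).hexdigest()


def verify_request(fields, secret_key):
    """Return (token_matches, seal_valid) for a received POST request.

    Both comparisons are constant-time so that response timing does not
    leak how many leading characters of a guessed seal were correct.
    """
    token = compute_token(fields)
    token_matches = hmac.compare_digest(token, fields.get("Token", ""))
    seal = compute_seal(token, secret_key)
    seal_valid = hmac.compare_digest(seal, fields.get("Seal", "").lower())
    return token_matches, seal_valid


def make_request(fields_without_token, secret_key):
    """Build a POST body the way the sender would (used only to construct sample data)."""
    token = compute_token(fields_without_token)
    return {**fields_without_token, "Token": token, "Seal": compute_seal(token, secret_key)}


if __name__ == "__main__":
    # Constructed sample request.
    good = make_request(
        {"TransactionId": "12345", "Amount": "1999", "Currency": "EUR", "Status": "OK"},
        SECRET_KEY,
    )
    print(verify_request(good, SECRET_KEY))  # (True, True)

    # A field was modified in transit: neither the Token nor the Seal match any more.
    tampered = dict(good, Amount="1")
    print(verify_request(tampered, SECRET_KEY))  # (False, False)

    # A field was modified and the Token recomputed to match, but without the
    # secret key the Seal cannot be recomputed, so the request is still rejected.
    forged = dict(good, Amount="1")
    forged["Token"] = compute_token(forged)
    print(verify_request(forged, SECRET_KEY))  # (True, False)
```

Treat a request as authentic only when the seal check passes; the token check is a convenient diagnostic during integration, as the page notes, but anyone can recompute a Token, while the Seal requires the secret key.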