Signature And Public/Private Key Pairs
Digital signatures ensure the integrity and authenticity of the API data transmitted and protect it from forgery. Each qualified API caller, also called a Merchant, is assigned a StoreID by myPOS. API access is authenticated against the StoreID by means of an RSA signature.
Signatures are calculated using the following mechanism:
- All data in the POST request, except the Signature property, are concatenated with a dash ("-") in field order and the result is Base64-encoded.
- The resulting string is signed with the private key using RSA with SHA-256 as the digest.
- The signature is Base64-encoded.
- The Signature property is added to the POST request.
The receiving side then concatenates all data in the POST request, again without the Signature property and in the same field order, Base64-encodes the string and verifies it against the received Signature property with the public key extracted from the sender's certificate (for calls coming from myPOS, the myPOS public certificate). A message whose signature does not verify, or which carries no Signature at all, must not be processed.
The merchant should always verify the signature when receiving a call from myPOS Web Checkout!
Merchant and myPOS must exchange RSA keys before making API calls, and the length of the RSA key must be 2048 bits. When making an API call to myPOS, the merchant uses the RSA private key to sign the API request. After receiving the API request, myPOS uses the merchant's RSA public key to verify that the signature matches the content of the API request. Similarly, when the merchant receives the API response, it is highly recommended that the merchant verifies the signature of the API response using myPOS's RSA public key. The following figure illustrates the interaction flow:
For the signing process, both myPOS Checkout API and the merchant generate public/private key pairs and exchange the public certificate. Key pairs are generated using the RSA algorithm. The certificates must be PEM-encoded PKCS7 files. Each party uses its own private key to sign the message, and the opposite side authenticates the sender with the corresponding public certificate; the private key never leaves its owner.
A signature is supplied in every message!
The myPOS Web Checkout provides a different myPOS public certificate to every online store of the merchant.
myPOS Checkout API requires the merchant to generate a public certificate so that the merchant's digital signature can be verified by the system. The merchant can generate several public certificates. A key index is assigned to each certificate, and the request must carry the key index of the certificate whose private key signed it. The merchant can download each myPOS public certificate by clicking on Download myPOS public certificate in the Action column.
RSA key pair
An RSA key pair contains the private key and the public key. The private key is required for generating the signature and must be kept secret by its owner, while the public key is used for verifying the signature and can be shared freely.
Generating an RSA key pair
You can generate a key pair by using our onsite generator within the Integration process. Select the custom integration method from the wizard and then Generate Pair Keys.
Then copy the keys into your code as parameters that will be used to generate the signature. Store the private key as you would any other credential (outside the web root, not in version control).
Generating a Configuration pack
Alternatively, you can use the new and easy setup which combines all the mandatory settings you need (the Key pair, the Key Index, the Store ID and the Client number) into one string called a Configuration pack. Using the configuration pack directly saves you from looking up each setting separately; everything is set up for you. Because the pack contains the private key, treat it as a secret.
Signature Examples
Example for PHP 5.x.x
<?php
// The POST data array. Field order matters: the values are concatenated in
// array order and the receiving side must use the same order.
// (The remaining request fields are elided in the original.)
$postData = array('IPCmethod'=>'IPCPurchase', /* ... remaining request fields ... */);
// This is an example of an RSA private key (PEM, 2048 bits)
$privKey = '-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----';
// Concatenate all values from $postData with '-' and Base64-encode the result
$concData = base64_encode(implode('-', $postData));
$privKeyObj = openssl_get_privatekey($privKey);
if ($privKeyObj === false) {
    die('Invalid private key: ' . openssl_error_string());
}
// RSA (PKCS#1 v1.5) signature over SHA-256 of $concData, in binary
if (!openssl_sign($concData, $signature, $privKeyObj, OPENSSL_ALGO_SHA256)) {
    die('Signing failed: ' . openssl_error_string());
}
// Base64 encoding of the signature
$signature = base64_encode($signature);
// Now add the signature to the POST request
$postData['Signature'] = $signature;
openssl_free_key($privKeyObj);
?>
Signature verification example for PHP 5.x.x
<?php
// Save POST request data in var $data
$data = $_POST;
// myPOS certificate (PEM) downloaded for this store from the merchant portal
$cert = '-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----';
// A request without a signature must be rejected, not treated as unsigned
if (!isset($data['Signature'])) {
    die('Missing Signature');
}
// Save signature
$signature = $data['Signature'];
// Remove signature from POST data array
unset($data['Signature']);
// Concatenate all remaining values with '-' (in the order received) and Base64-encode
$concData = base64_encode(implode('-', $data));
// Extract public key from certificate
$pubKeyId = openssl_get_publickey($cert);
if ($pubKeyId === false) {
    die('Invalid certificate: ' . openssl_error_string());
}
// Strict Base64 decoding, so a malformed signature fails instead of being silently altered
$rawSignature = base64_decode($signature, true);
// Verify signature: openssl_verify returns 1 if valid, 0 if invalid, -1 on error
$res = ($rawSignature === false) ? 0 : openssl_verify($concData, $rawSignature, $pubKeyId, OPENSSL_ALGO_SHA256);
// Free key resource
openssl_free_key($pubKeyId);
if ($res === 1) {
    // success: the message is authentic; now check its fields against your own records
} else {
    // not success: do not process the request
}
?>
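The signing and verification steps described above, together with the two PHP snippets, reproduced end to end with the openssl command line. This is an added example, not myPOS code: it assumes an openssl binary in PATH and a POSIX shell, the function names (gen_keypair, canonical, sign_request, verify_request) are illustrative, and the POST field values it signs are constructed sample data rather than a real IPCPurchase request.

```shell
#!/bin/sh
# Added example, not myPOS code: the myPOS signing/verification scheme done with
# the openssl CLI so it can be cross-checked against the PHP examples.
# Assumptions: openssl in PATH, POSIX sh. Field values below are constructed.
set -e

WORK=$(mktemp -d)

# 2048-bit RSA key pair (the length the page requires). In production the
# merchant keeps NAME.key private and uploads only the public half; the myPOS
# public key is taken from the downloaded myPOS certificate instead.
gen_keypair() {   # gen_keypair NAME -> $WORK/NAME.key (private), $WORK/NAME.pub
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Canonical string: the POST values in field order, Signature excluded, joined
# with '-' and then Base64-encoded. Same as base64_encode(implode('-', $data))
# in the PHP examples.
canonical() {   # canonical VALUE... -> Base64 string on stdout
    joined=""; sep=""
    for v in "$@"; do joined="$joined$sep$v"; sep="-"; done
    printf '%s' "$joined" | openssl base64 -A
}

# RSA PKCS#1 v1.5 signature over SHA-256 of the canonical string, Base64-encoded.
# 'openssl dgst -sign' with an RSA key uses the same padding as PHP's
# openssl_sign(..., OPENSSL_ALGO_SHA256), so the two interoperate.
sign_request() {   # sign_request PRIVKEY CANONICAL -> Base64 signature on stdout
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Verify a Base64 signature against the canonical string with the sender's
# public key. Exit status 0 = valid, 1 = invalid or undecodable.
verify_request() {   # verify_request PUBKEY CANONICAL SIGNATURE_B64
    sigfile=$(mktemp "$WORK/sig.XXXXXX")
    if ! printf '%s' "$3" | openssl base64 -d -A > "$sigfile" 2>/dev/null; then
        rm -f "$sigfile"; return 1
    fi
    if printf '%s' "$2" | openssl dgst -sha256 -verify "$1" \
            -signature "$sigfile" >/dev/null 2>&1; then
        rm -f "$sigfile"; return 0
    fi
    rm -f "$sigfile"; return 1
}

# --- round trip with constructed sample fields -------------------------------
gen_keypair merchant

# Values in the order they would appear in the POST body (constructed data):
# IPCmethod, KeyIndex, SID, OrderID, Amount, Currency
CANON=$(canonical IPCPurchase 1 000000000000010 ORD1001 23.45 EUR)
SIG=$(sign_request "$WORK/merchant.key" "$CANON")

if verify_request "$WORK/merchant.pub" "$CANON" "$SIG"; then
    echo "original request: signature valid"
fi

# Changing one value (the amount) after signing must be rejected.
TAMPERED=$(canonical IPCPurchase 1 000000000000010 ORD1001 1.00 EUR)
if ! verify_request "$WORK/merchant.pub" "$TAMPERED" "$SIG"; then
    echo "tampered request: signature rejected"
fi
```

Two things the round trip makes visible. First, the canonical string is built from values only, in the order they were sent, so the verifying side must iterate the received fields in that same order or the signature will not match. Second, joining values with a plain dash is not unambiguous: a value that itself contains a dash can split differently on the other side and still produce the same string, so after the signature verifies, still compare the individual fields (amount, currency, order reference) against what you expect rather than relying on the signature alone to pin down the field boundaries.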