Signing for APIs using Get (Bulk and Single)

Your requests contains data and to ensure its authenticity, you are required to sign the requests while using Rabobank APIs.

Reference: Signature draft

Start with sandbox

We recommend that you first develop your application using the Sandbox environment in the Rabobank developer portal. Read Get Started to set up your account.

Get the signing certificate

Use the following certificates based on your API

  • PSD2 - An eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
  • Premium - An EV SSL certificate for transport and an EV SSL signing certificate for signing messages. 
    • Rabobank accepts:
      • EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
      • X.509 format
      • RSA: key length should be at least 2048-bit
      • Certificate should be valid for a maximum of one year.

In case you don't yet have an official certificate, you can use an example certificate for Sandbox.

⤓ cert.pem ⤓ key.pem

You can use these certificates to recreate the code example as shown below.

The signing certificate is sent with a signing request but not stored on the Rabobank developer portal. If you want to change/replace you can make changes on your own system.

You can also choose to have two valid certificates when allowed by your system.

Create the digest

The digest is a base64 encoded hash of the body, example: Base64(SHA512(body))

  1. Pass the body of your request (or an empty string if there is no body) through a hashing algorithm.

    We recommend using SHA 512 but you can also choose to use SHA 256
  2. Make sure the hashed output is Binary format.
  3. Base64encode the output.
  4. Add the result to your digest header declaring the used hashing algorithm, i.e. (RSA-SHA512/RSA-SHA256).

Example

An example of the digest header for an empty body using SHA-512:

PSD2 and Premium

digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

Due to security regulation, spaces or line breaks between JSON elements cause incorrect digest error.

Create the signing string

The signing string contains several headers separated by line breaks.

The order is not crucial, as long as you define them in the same order in the signature header.

Signing headers per API

Parameter

Required

Remark
date Yes -
digest Yes -
x-request-id Yes -
tpp-redirect-uri No Mandatory for HTTP POST requests
tpp-nok-redirect-uri No This field should be included as a header of the HTTP POST request

Example

PSD2

date: Tue, 13 Sep 2022 09:51:01 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: 95126d8f-ae9d-4ac3-ac9e-c357dcd78811

Premium

date: Thu, 18 Mar 2021 15:10:46 GMT
digest: sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
x-request-id: e9c96b7e-8470-410a-937c-396fe9512fea

Sign using your Private key

The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))

  1. Create the signing string.
  2. Sign it using the hashing algorithm you used (RSA-SHA512/RSA-SHa256) and the private key of the signing certificate.
  3. Base64 encode the output.

Example

PSD2

t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw==

Premium

aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw==

Create the Signature header

The signature header consists of the following components:

Component

Example

Description
keyId $ openssl x509 -in cert.pem -noout -text The serial number of the certificate as defined in 'TPP-Signing-Certificate' header. The format should be Integer not hex. You can use the openssl command line tool to find the serial number.
algorithm rsa-sha512

Specify which algorithm was used when generating the signature:

  • rsa-sha512 or
  • rsa-sha256.
headers "date digest x-request-id"

The list of headers contained in the signature:

  • lowercase
  • separated by a space
  • in the same order as they have in the signing string
signature   The result from step 4.

Example

The resulting signature header for our example:

PSD2

signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="t7b3deOMrTmOs+mjuY43mMcgpttrIWrkEGRmdEXaiurqrl0BO9hPOk4k+7OKmPWbxqE8nBFFSVSDU7+t84cUdjB3VTsl94rPuPVj/4XKwrqzKcmPHQHZ87ENPHWSFEDuOnub0FrJ4pUImsZpbenkZX+I80MElJQ337jp904JzyA+WKi7SzPjgGTUGlujhRUu3kU4TDNkcLIaBrcok9mXFlJSZQuNaaKfz4kqeaBpG2p3ZjcICnuE1aYFu5VZoniJd3Bi3n0ygVyb/9BaGHYMYvDvKHHtw6So8YGTTO+LnLZmOTgjXKhDIdBOgtJ4PWxvrp0Iid/YaM+BHqZPu4N1bw=="

Premium

signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="aS6D/cKMgEnAES6yVpKs2AjkxbPReF760F8hDHXLZ2ic0OFI84eIjRl2DYLJc4EPjNcsYvxaSyPypJvMnOiU3gnj4vrs/PrR5A/x2COA9fe6OwJThfLTPxeXoRxxw6sGEjRCrF06sY/IKmRPdp4AjVzYfBeAeshjzr/icghp/Zzi4DOOBp+39bdWUJDCVHM9m0V/LRM18xdJtBKssP6Wzy5wncCmk7fHm1nLD31N+SARYcPuMutGHgIwQrNB/czR3e6g7o+2C8J0nC0kPM95VBWAyChTOqPsvcBHKcxreZe9aNywclpVOtXJit05q3O3PfLvJHH3QoPTRpzsP38pOw=="

Create a header containing the certificate

In order to verify your signature, you are required to send us a public certificate in a request Header.

To do so:

  1. Strip the pem certificate from its begin and end tags.
  2. Remove all the line breaks.

Example

The result with our example certificate would be:

PSD2

TPP-Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

Premium

Signature-Certificate: MIIDkDCCAnigAwIBAgIEWs3AJDANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwxEDAOBgNVBAgMB1V0cmVjaHQxEDAOBgNVBAcMB1V0cmVjaHQxETAPBgNVBAoMCFJhYm9iYW5rMRwwGgYDVQQLDBNPbmxpbmUgVHJhbnNhY3Rpb25zMSUwIwYDVQQDDBxQU0QyIEFQSSBQSSBTZXJ2aWNlcyBTYW5kYm94MB4XDTE4MDQxMTA3NTgyOFoXDTIzMDQxMTA3NTgyOFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdVdHJlY2h0MRAwDgYDVQQHDAdVdHJlY2h0MREwDwYDVQQKDAhSYWJvYmFuazEcMBoGA1UECwwTT25saW5lIFRyYW5zYWN0aW9uczElMCMGA1UEAwwcUFNEMiBBUEkgUEkgU2VydmljZXMgU2FuZGJveDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANoAjqGWUgCIm2F+0sBSEwLal+T3u+uldLikpxHCB8iL1GD7FrRjcA+MVsxhvHly7vRsHK+tQyMSaeK782RHpY33qxPLc8LmoQLb2EuiQxXj9POYkYBQ74qkrZnvKVlR3WoyQWeDOXnSY2wbNFfkP8ET4ElwyuIIEriwYhab0OIrnnrO8X82/SPZxHwEd3aQjQ6uhiw8paDspJbS5WjEfuwY16KVVUYlhbtAwGjvc6aK0NBm+LH9fMLpAE6gfGZNy0gzMDorVNbkQK1IoAGD8p9ZHdB0F3FwkILEjUiQW6nK+/fKDNJ0TBbpgZUpY8bR460qzxKdeZ1yPDqX2Cjh6fkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAYL4iD6noMJAt63kDED4RB2mII/lssvHhcxuDpOm3Ims9urubFWEpvV5TgIBAxy9PBinOdjhO1kGJJnYi7F1jv1qnZwTV1JhYbvxv3+vk0jaiu7Ew7G3ASlzruXyMhN6t6jk9MpaWGl5Uw1T+gNRUcWQRR44g3ahQRIS/UHkaV+vcpOa8j186/1X0ULHfbcVQk4LMmJeXqNs8sBAUdKU/c6ssvj8jfJ4SfrurcBhY5UBTOdQOXTPY85aU3iFloerx7Oi9EHewxInOrU5XzqqTz2AQPXezexVeAQxP27lzqCmYC7CFiam6QBr06VebkmnPLfs76n8CDc1cwE6gUl0rMA==

More information on signatures

See:
https://tools.ietf.org/html/draft-cavage-http-signatures-10
https://tools.ietf.org/html/rfc3230