Signing for Bulk APIs
Your requests contain data. To ensure its authenticity, you are required to sign your requests when using some Rabobank APIs.
Reference: Signature draft
Start with sandbox
We recommend that you first develop your application using the Sandbox environment in the Rabobank developer portal. Read Get Started to set up your account.
Get the signing certificate
Use the following certificates based on your API:
- PSD2 - An eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
- Premium - An EV SSL certificate for transport and an EV SSL signing certificate for signing messages.
- Rabobank accepts:
  - EV SSL certificates from the certificate issuers listed in the Mozilla CA Certificate report.
  - X.509 format
  - RSA: key length should be at least 2048-bit
  - Certificate should be valid for a maximum of one year.
In case you don't yet have an official certificate, you can use an example certificate for Sandbox.
The signing certificate is sent with a signing request but is not stored on the Rabobank developer portal. If you want to change or replace it, you can do so on your own system.
You can also choose to have two valid certificates when allowed by your system.
The examples below show a signature created with the above certificate, so that you can reproduce the resulting values.
Create the digest
The digest is a Base64-encoded hash of the body, for example: Base64(SHA512(body))
- Take the body of your request and include the metadata of the file.
- Pass the body of your request through a hashing algorithm. We recommend using SHA-512, but you can also choose to use SHA-256.
- Make sure the hashed output is in binary format.
- Base64-encode the output.
- Add the result to your digest header, declaring the hashing algorithm used, i.e. (RSA-SHA512/RSA-SHA256).
- The boundary value is dynamically generated while making an HTTP request. This boundary value is a mandatory part of the metadata.
Example
Example of metadata (including SampleFile):
PSD2
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_sct"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n
Premium - Business Bulk Payment Initiation (BBPI)
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_sct"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n
Premium - Business Direct Debit (BDD)
--WebKitFormBoundaryOEFsgWLJCyxInJHO\r\n
Content-Disposition: form-data; name="xml_dd"; filename="SampleFile.xml"\r\n
Content-Type: application/xml\r\n
\r\n
<-content of SampleFile.xml->\r\n
--WebKitFormBoundaryOEFsgWLJCyxInJHO--\r\n
Download and use the sample XML file below to reproduce the example values in this document.
PSD2 - ⤓ SampleFile.xml
Premium
- BBPI - ⤓ SampleFile.xml
- BDD - ⤓ SampleFile.xml
Example
An example of the digest header with the examples above using SHA-512:
PSD2
digest: sha-512=CwpW0kD24czZzJkjcqBTZnADBlOUdDxQpH5dhdCPMHZTd1W+HbmUQPbKYpguvgmvZosvSEUI4taIJeujn3Npig==
Premium - Business Bulk Payment Initiation
digest: sha-512=j36brqM2uQlpXw7CvhiTiefid4MV9hWTJ8iD9L8XF3CoOG6pp5dhZOAybZOdXvildAfX0yzvlcTzeJc/MK3Xhg==
Premium - Business Direct Debit
digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==
Create the signing string
The signing string contains several headers (depending on the API) separated by line breaks.
Example
PSD2
date: Tue, 15 Dec 2020 10:34:45 GMT
digest: sha-512=CwpW0kD24czZzJkjcqBTZnADBlOUdDxQpH5dhdCPMHZTd1W+HbmUQPbKYpguvgmvZosvSEUI4taIJeujn3Npig==
x-request-id: fb88b462-60cc-48f8-b710-bd1620135d52
tpp-redirect-uri: https://www.rabobank.nl
Premium - Business Bulk Payment Initiation
date: Fri, 30 Jul 2021 10:30:00 GMT
digest: sha-512=j36brqM2uQlpXw7CvhiTiefid4MV9hWTJ8iD9L8XF3CoOG6pp5dhZOAybZOdXvildAfX0yzvlcTzeJc/MK3Xhg==
x-request-id: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
Premium - Business Direct Debit
date: Fri, 30 Jul 2021 10:30:00 GMT
digest: sha-512=06EL+s99pvPWCCPY1KsCdqSpOHrPbjWh5mDC3zk2I+F4v20cPlY+04rgkWB5waE11tZv1uYVGFnCagJEgwqyuA==
x-request-id: d65d4172-03fe-41f7-afd5-6f4ae50f73c4
Sign using your Private key
The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))
- Create the signing string.
- Sign it using the hashing algorithm you used (RSA-SHA512/RSA-SHA256) and the private key of the signing certificate.
- Base64 encode the output.
Example
An example of the signature using the above information:
PSD2
Q+deIM5k+OPvy0+eIdh7ZvRmvB9cu/TW88Ni1C3jfIk2C+y9QkNuKP7olkCNALY5XexTkfYLJlpbcZWkQ0OipT05Mb7LNbbN91bl3bRTjEHIlJ0XCJzORHRlYWpY/HsaKrF8PfuQBM/i6xkbH1eGWaiRxV/lMChsXYRcw9ncVieRMLP1QGfyBKgF/ZbvSuXdjwvcD3BewL7U3O60mL/1BxqJRoXZRlvMPpO34/Tl8XDRccaW7hAA7+X46f57Ath1wqo6PxJZ4CTauAVWeUjJMGaGXcIyviYXWE4wFKZEaTFd28Jq7E5ZhOPrLYRDY+7fajOkQGg7TAeenIKnQ7oT5w==
Premium - Business Bulk Payment Initiation
JDuhqHy+aiJHg06zWkxmlAP4MT7xNpOh3JS2IW6WRk5dMIHB4VS0jyzxoYYwBUiSrl7TAoi4vnFp2O6iL5OjOE6t8vFgF8hW7Xb/2uri1uoPqzB6WvGXi+ji6f3oVPt5QGCwLp7a9Z+yA38DBHUwrwbziQqITWnvYvoxH/Y9VS/L50aBytRm+fyi4TlJFNXK2zcsf1kk8ttY/EgSns9JqRzcNUwj8Cy5Q136d81vg2aiYD+NVj+ae2h8ua/xzqQHIsHZ0HQzwLo3C03tGGG6Io1A2bJUN7xd191+ije63rbyrWsK+5RUZXGwqR9OZEA25V+FYDlr+gCojQ7TXkY4fw==
Premium - Business Direct Debit
Q2BRgXsdG5JML30HiYbIffvW0Id+Wj+XPPh25HlxFIECO52RsGZW4rUyNuUiXpwQn3xozZxeNV9y1BdeHv6WX0Tc0jjabcZkU4ts4SNau9kpGXRwyGoJ1VYlRTw48OEt5J1zqDQhlCX4HxRMksG9AvTxWzPPoLDbJAFD1id9kKRouKKcJhgGYsP6mLep6J9dvwpagS46/0WbbODxpUsRq3tvc7xH4Eq2JBc/3LB3Ree6kwDl0B4dtV+mdk86RYx1So5qYGFbAclDXVeuLjzfUGGHp3uqkpzIKN58FErKyJiRXpEKhfOT7otoESCXbuI45M/1x/c+1eMKj9sZlXYq4g==
Create the Signature header
The signature header consists of the following components:
component | description |
---|---|
keyId | The serial number of the certificate as defined in 'TPP-Signing-Certificate' header; the format should be an integer, not hex. You can use the openssl command line tool to find the serial number. For example: $ openssl x509 -in cert.pem -noout -text |
algorithm | Specify which algorithm was used when generating the signature: rsa-sha512 or rsa-sha256. |
headers | The list of headers contained in the signature: |
signature | The result after signing the created string using your private key. |
The resulting signature header for our example:
Example
PSD2
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id tpp-redirect-uri",signature="Q+deIM5k+OPvy0+eIdh7ZvRmvB9cu/TW88Ni1C3jfIk2C+y9QkNuKP7olkCNALY5XexTkfYLJlpbcZWkQ0OipT05Mb7LNbbN91bl3bRTjEHIlJ0XCJzORHRlYWpY/HsaKrF8PfuQBM/i6xkbH1eGWaiRxV/lMChsXYRcw9ncVieRMLP1QGfyBKgF/ZbvSuXdjwvcD3BewL7U3O60mL/1BxqJRoXZRlvMPpO34/Tl8XDRccaW7hAA7+X46f57Ath1wqo6PxJZ4CTauAVWeUjJMGaGXcIyviYXWE4wFKZEaTFd28Jq7E5ZhOPrLYRDY+7fajOkQGg7TAeenIKnQ7oT5w=="
Premium - Business Bulk Payment Initiation
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="JDuhqHy+aiJHg06zWkxmlAP4MT7xNpOh3JS2IW6WRk5dMIHB4VS0jyzxoYYwBUiSrl7TAoi4vnFp2O6iL5OjOE6t8vFgF8hW7Xb/2uri1uoPqzB6WvGXi+ji6f3oVPt5QGCwLp7a9Z+yA38DBHUwrwbziQqITWnvYvoxH/Y9VS/L50aBytRm+fyi4TlJFNXK2zcsf1kk8ttY/EgSns9JqRzcNUwj8Cy5Q136d81vg2aiYD+NVj+ae2h8ua/xzqQHIsHZ0HQzwLo3C03tGGG6Io1A2bJUN7xd191+ije63rbyrWsK+5RUZXGwqR9OZEA25V+FYDlr+gCojQ7TXkY4fw=="
Premium - Business Direct Debit
signature: keyId="1523433508",algorithm="rsa-sha512",headers="date digest x-request-id",signature="Q2BRgXsdG5JML30HiYbIffvW0Id+Wj+XPPh25HlxFIECO52RsGZW4rUyNuUiXpwQn3xozZxeNV9y1BdeHv6WX0Tc0jjabcZkU4ts4SNau9kpGXRwyGoJ1VYlRTw48OEt5J1zqDQhlCX4HxRMksG9AvTxWzPPoLDbJAFD1id9kKRouKKcJhgGYsP6mLep6J9dvwpagS46/0WbbODxpUsRq3tvc7xH4Eq2JBc/3LB3Ree6kwDl0B4dtV+mdk86RYx1So5qYGFbAclDXVeuLjzfUGGHp3uqkpzIKN58FErKyJiRXpEKhfOT7otoESCXbuI45M/1x/c+1eMKj9sZlXYq4g=="
Create a header containing the certificate
To let us verify your signature, you are required to send us a public certificate in a request header.
To do so:
- Strip the begin and end tags from the PEM certificate.
- Remove all the line breaks.
Example
The result with our example certificate would be:
PSD2
TPP-Signature-Certificate: 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
Premium - Business Bulk Payment Initiation
Signature-Certificate: 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
Premium - Business Direct Debit
Signature-Certificate: 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
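The steps above chained together, as an added Python example (standard library only) that is not Rabobank's code: it builds the multipart body, the digest, the signing string, the integer keyId, the signature header and the certificate header value. Assumptions: all function names are hypothetical, `sign` is a callback you supply that returns the raw RSA signature bytes from your own crypto library or HSM, and the signing string lines are joined with "\n" as in the referenced HTTP signatures draft.

```python
import base64
import hashlib

def multipart_body(boundary, field, filename, xml):
    # Layout from the metadata example above: every line ends in CRLF.
    return (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/xml\r\n"
            "\r\n"
            f"{xml}\r\n"
            f"--{boundary}--\r\n").encode("utf-8")

def digest_header(body, algo="sha512"):
    # Hash the exact bytes sent; Base64 the binary digest, not its hex form.
    raw = hashlib.new(algo, body).digest()
    return f"sha-{algo[3:]}=" + base64.b64encode(raw).decode("ascii")

def signing_string(headers, order):
    # One "name: value" line per signed header, in the listed order.
    return "\n".join(f"{name}: {headers[name]}" for name in order)

def key_id(serial_hex):
    # openssl may print the serial in hex; keyId must be the decimal integer.
    return str(int(serial_hex.replace(":", ""), 16))

def certificate_header(pem):
    # Drop the BEGIN/END lines and join the rest without line breaks.
    lines = (line.strip() for line in pem.strip().splitlines())
    return "".join(l for l in lines if l and not l.startswith("-----"))

def sign_request(body, headers, order, serial_hex, sign, algo="sha512"):
    # `sign` is caller-supplied (assumption): bytes in, raw RSA signature out.
    signed = dict(headers, digest=digest_header(body, algo))
    raw_sig = sign(signing_string(signed, order).encode("utf-8"))
    sig_b64 = base64.b64encode(raw_sig).decode("ascii")
    names = " ".join(order)
    signed["signature"] = (f'keyId="{key_id(serial_hex)}",algorithm="rsa-{algo}",'
                           f'headers="{names}",signature="{sig_b64}"')
    return signed
```

Because the digest covers the boundary lines as well as the file, hash the exact bytes your HTTP client puts on the wire; a client that generates its own boundary after you computed the digest will produce a mismatch.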
For Get examples, see Signing for APIs - Get.
More information on signatures
See:
https://tools.ietf.org/html/draft-cavage-http-signatures-10
https://tools.ietf.org/html/rfc3230