Creation of the X-Signature value

In order to sign the the credit-transfer, a header X-Signature must be provided. The content of the X-Signature header must be the detached JWS of the body.
JWS detached is a variation of JWS that allows you to sign content (body) of an HTTP request without its modification.

JWS detached generation algorithm happens as follow :

Generate a standard JWS using compact serialization using http body as payload
Turn the middle part of the JWS into an empty string
Put the final string (which is a JWS without the payload content) as value for the HTTP header X-Signature.

The result is the JWS being header.payload.signature being transformed to a JWS detached as header..signature (Note: there are now 2 dots).

The JWS detached expected by the application must contain the certificate used to sign in the x5c header of the JWS .

Obtain a certificate

In order to retrieve a certificate, a CSR must be sent to Finologee.

The CSR must contain the following information :

CN = Firstname Lastname of the user
O = tenant  (The tenant name of the user. Provided by finologee)
OU = REGULAR
C = LU  (country)
ST = Luxembourg (state)
L = Leudelange (locality)
emailAddress= jean-dupont@company.lu

A certificate will then be sent back and should be used as entry in the x5c array of the JWS (see example above).

Here an example for CSR creation given that a private key exists.

openssl req -new -key device-key.pem  -out device-csr.pem  -subj "/C=LU/ST=Luxembourg/L=Leudelange/O=tenant1/OU=REGULAR/CN=Jean Dupont/emailAddress=jean-dupont@finologee.com"

Signing Process

The credit-transfers will be created directly with a signature attached to them.

Therefore, the user authenticated and using the API must have the rights to sign all the transactions in the request.
The transactions requiring a single signature, will be sent to the bank according to cutt-off time.

The transactions requiring multiple signatures will need to wait until all signatures are gathered before being sent to the bank.
The status of each transaction can be retrieved at any time using the following API call Find credit transfers