To access these APIs a PSD2 Qualified TPP will need to fulfil the following requirements:
In Sandbox environment: https://tpp.ob.sandbox.meowallet.pt:8443/login/adesao.
In Production environment: https://tpp.ob.wallet.pt/login/adesao.
On all API requests, the TPP must present its Qualified Website Authentication Certificate (QWAC). The certificate must be valid for the API scope (aisp or pisp) of the request.
Requests to the service (AISP or PISP) APIs must be signed with your QSEAL certificate. Furthermore, the TPP must provide its own public QSEAL certificate in the tpp-signing-certificate HTTP header. Below is a list of the basic steps to create the signature. For further clarification you can check the following reference.
To create a valid signature to be used in the PSD2 services, you must follow these steps:
1. TPP-Signing-Certificate Header
Use your (PSD2) eIDAS QSEAL certificate issued by the Qualified Trust Service Provider of your choice.
TPP-Signing-Certificate: the PEM-formatted certificate of the QSeal used for signing the request, after having removed the prefix line -----BEGIN CERTIFICATE-----, the postfix line -----END CERTIFICATE----- and any newline characters, leaving the Base64 part.
2. Create the Digest Header
The digest is a base64 encoded hash of the body: Base64(SHA512(body))
Take the body of your request, or an empty string if there is no body. Pass the body through the SHA-512 hashing algorithm (SHA-256 is also allowed). Make sure the hashed output is binary; in other words, do not convert it to a string. Base64-encode the output. Add the result to your Digest header and make sure that you declare which hashing algorithm you have used.
An example of the digest header for an empty body using SHA-256 or SHA-512:
sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
sha-512=z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==
Known issue: due to security regulation, spaces or line breaks between JSON elements will cause an incorrect digest error.
More information: RFC 3230
3. Create the signing string
The signing string contains several headers, depending on which API you are using, separated by line breaks (\n). The order is not important as long as you define them in the same order in the signature header.
For example:
Headers included in the signing:
4. Sign with your private key
The signature is the signing string signed with the private key: Base64(RSA-SHA512(signing_string))
An example of the signature using the above information:
5. Signature Header
The signature header consists of the following components:
5.1. keyId - Serial Number of the TPP's certificate. This should match the serial number in the TPP-Signing-Certificate header of this request. This number can be found by executing the following command: openssl x509 -in qseal-cert.pem -noout -text
The serial number can be found under Serial Number, e.g.: 6a:a3:…..19:03. Pass the value with the colon punctuation marks removed.
5.2. algorithm - Specifies which algorithm was used when generating the signature: rsa-sha512 or rsa-sha256
5.3. headers - The list of headers contained in the signature:
The resulting signature header for our example:
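The five steps above, carried through as an added example that is not the API provider's own code. The exact layout of the signing-string lines ("name: value", lowercase names) and the PKCS#1 v1.5 padding behind rsa-sha512 are assumptions taken from the draft-cavage HTTP Signatures convention, since the page does not show its own signing-string example; the RSA step assumes the `cryptography` package, everything else is standard library.

```python
import base64
import hashlib

# Added example, not the API provider's code. The "name: value" signing-string lines,
# lowercase header names and PKCS#1 v1.5 padding are assumptions (draft-cavage convention).

def tpp_signing_certificate_header(cert_pem: str) -> str:
    """Step 1: drop the BEGIN/END armour lines and all newlines, keeping only the Base64 body."""
    lines = (line.strip() for line in cert_pem.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))

def digest_header(body: bytes, algorithm: str = "sha-512") -> str:
    """Step 2: Base64 of the *binary* hash of the raw body bytes (empty body if none).
    The bytes are hashed exactly as sent, so whitespace between JSON elements changes the value."""
    hasher = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}[algorithm]
    return f"{algorithm}={base64.b64encode(hasher(body).digest()).decode()}"

def signing_string(headers: dict, order: list) -> str:
    """Step 3: one 'name: value' line per header, joined by \\n, in the order given."""
    return "\n".join(f"{name.lower()}: {headers[name]}" for name in order)

def sign(private_key_pem: bytes, signing_str: str, algorithm: str = "rsa-sha512") -> str:
    """Step 4: Base64(RSA-SHA512(signing_string)) with the QSEAL private key.
    Assumes the `cryptography` package; imported lazily so the other steps need only stdlib."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    digest = hashes.SHA512() if algorithm == "rsa-sha512" else hashes.SHA256()
    return base64.b64encode(key.sign(signing_str.encode(), padding.PKCS1v15(), digest)).decode()

def key_id_from_serial(serial_text: str) -> str:
    """Step 5.1: the 'Serial Number' shown by `openssl x509 -noout -text`, colons removed."""
    return serial_text.strip().replace(":", "")

def signature_header(key_id: str, algorithm: str, order: list, signature_b64: str) -> str:
    """Step 5: keyId, algorithm, the header list (same order as the signing string) and signature."""
    names = " ".join(name.lower() for name in order)
    return f'keyId="{key_id}",algorithm="{algorithm}",headers="{names}",signature="{signature_b64}"'

def build_request_headers(cert_pem, serial_text, private_key_pem, body, extra_headers, order):
    """Tie the steps together: compute Digest first, since it is normally one of the signed headers."""
    headers = dict(extra_headers, Digest=digest_header(body))
    sig = sign(private_key_pem, signing_string(headers, order))
    headers["Signature"] = signature_header(key_id_from_serial(serial_text), "rsa-sha512", order, sig)
    headers["TPP-Signing-Certificate"] = tpp_signing_certificate_header(cert_pem)
    return headers
```

Serialize the JSON body once, hash and send those exact bytes, and never re-serialize between computing the Digest and sending the request, or the known whitespace issue above will bite.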