Signing API
An Access Token is required to authorize all API requests, as explained at the following link:
DIGITAL SIGNATURE REQUEST
REST service specs:
Method: POST
URL: {viafirma_fortress_url}/api/v1/signature
Security:
Authorization: Bearer {access_token}
Where:
viafirma_fortress_url: URL of the Fortress implementation, for example https://sandbox.viafirma.com/fortress or https://fortress.viafirma.com/fortress
Sample Request
Method: POST
URL: {viafirma_fortress_url}/api/v1/signature
Security Header: Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42
Request Params
The request body contains information such as signature format, document to be signed, etc.
application/json format is used:
{
"signatureConfigurations": [
{
"ref": "#1",
"document": {
"bytesB64": "JVBERi0xLjMKJcTl8uXrp/Og0MTGCjQ...",
"name": "contract.pdf"
},
"signatureType": "PADES_LTA",
"signatureAlgorithm": "RSA_SHA256",
"packaging": "ENVELOPED",
"reason": " test PAdES signature ",
"padesConfiguration": {
"stamper": {
"csvPath": "http://<someURL>/v#",
"logoB64": "iVBORw0KGgoAAAANSUhEUgAAAWYAAABsCAYAAABZyhj...",
"page": 1,
"type": "QR_BARCODE128",
"xAxis": 80,
"yAxis": 700
}
}
}
]
}
Note: params for padesConfiguration, xadesConfiguration, references,cadesConfiguration, tsa and policy are described later.
Where:
| Param | Type | Desc |
|---|---|---|
| userCode | string | OPTIONAL, used to to specify the signer user. If null, user will be requested to authenticate before signing. |
| certificateCode | string | OPTIONAL, used to specify which certificate will be used to sign. If null, user will be requested to select any of the active certificates belonging to the user. |
| certificatePassword | string | OPTIONAL, used to specify which certificate password will be used to sign, this field is only allowed for the unattended signature. |
| multifactorAuth | boolean | OPTIONAL, if true , forces the use of 2 authentication factors. |
| async | string | Set value to true for asynchronous execution. |
| callbackUrl | string | Fortress will do a POST with the final status to the specified URL after a asynchronous execution. |
| certificateFilter | string | Attributes by which to filter the certificate. Enter which filters you want the certificate to meet to be used. |
| signatureConfigurations/document/name | string | Name of the document to be signed |
| signatureConfigurations/document/bytesB64 | string | Document to be signed (Base64) |
| signatureConfigurations/document/url | string | URL of document to be signed |
| signatureConfigurations/signatureType | string | Signature format: - CADES_B- CADES_T- CADES_LT- CADES_LTA- PADES_B- PADES_T- PADES_LT- PADES_LTA- XADES_B - XADES_T - XADES_LT - XADES_LTA - PKCS1 |
| signatureConfigurations/signatureAlgorithm | string | signature algorithm: - RSA_SHA1- RSA_SHA224- RSA_SHA256- RSA_SHA384- RSA_SHA512 |
| signatureConfigurations/packaging | string | signature type: - ENVELOPED- ENVELOPING- DETACHED |
| signatureConfigurations/reason | string | OPTIONAL, signature reason |
| signatureConfigurations/location | string | OPTIONAL, signature location |
| signatureConfigurations/ref | string | OPTIONAL, if present, his value will be returned in the signature certificateRequestEntity. |
Si se informa una URL y la firma se realiza de forma asíncrona, al finalizar la firma Fortress realiza una petición POST a dicha URL con el estado final de ejecución. |
Configuración de los filtros de certificados
Esta configuración hace que a la hora de firmar, el usuario solo pueda firmar con los certificados que cumplan todos los requisitos.
{
"certificateFilter": {
"issuer.cn": [
"AC FNMT Usuarios"
],
"subject.cn": [
"ZAMORANO DE EJEMPLO JOSE LUIS - 71121212M"
],
"subject.serialnumber": [
"99999999R",
"71121212M"
],
"oid": [
"2.5.29.14",
"2.5.29.15"
]
}
}
Podemos filtrar de varias formas.
| Parámetro | Tipo | Descripción |
|---|---|---|
| oid | List - String | List of oids that the certificate must have to be valid |
| serialnumber | List - String | List of serialnumber that the certificate must have to be valid |
| issuer.C | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) CountryName -> ES |
| issuer.OU | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) OrganizationalUnit -> Ceres |
| issuer.CN | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) CommonName -> AC FNMT Usuarios |
| issuer.O | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) Organization -> FNMT-RCM |
| subject.SURNAME | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) Surname -> ZAMORANO DE EJEMPLO |
| subject.C | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) CountryName -> ES |
| subject.SERIALNUMBER | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) Serial number -> IDCES-71121212M |
| subject.CN | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) CommonName -> ZAMORANO DE EJEMPLO JOSE LUIS - 71121212M |
| subject.GIVENNAME | Single list - String | (Only one is allowed, starting with version 6.2.5 of Viafirma Fortress, this restriction is removed) Givenname -> JOSE LUIS |
PAdES Configuration
Params only applicable to signatureType PAdES (PAdES B, PAdES T, PAdES LT, PAdES LTA).
"padesConfiguration": {
"stamper": { }
}
The stamper object is optional, and it defines a visual stamp associated with the signature PAdES.
{
"stamper": {
"csvPath": "https://sandbox.viafirma.com/fortress/v#",
"imageB64": "JVBERi0xLjMKJcTl8uXlRU9GC...",
"logoB64": "JVBERi0xLjMKJcTl8uXlRU9GC...",
"page": 1,
"rotation": "ROTATE_90",
"textLine1": "Sample line 1",
"textLine2": "Sample line 2",
"textLine3": "Sample line 3",
"type": "QR_BARCODE128",
"xAxis": 100,
"yAxis": 100
}
}
| Param | Type | Desc |
|---|---|---|
| stamper/csvPath | string | public URL for validating signed documents |
| stamper/xAxis | int | Stamper position on PDF; X-coordinates |
| stamper/yAxis | int | Stamper position on PDF; Y-coordinates |
| stamper/width | int | OPTIONAL. Stamper width |
| stamper/height | int | OPTIONAL. Stamper height |
| stamper/imageB64 | string | Stamper watermark (Base64) |
| stamper/imageUrl | string | Stamper watermark (URL) |
| stamper/logoB64 | string | Logo to be printed (Base64) |
| stamper/page | int | Page number where stamper will be embedded. Value -1 for last page, 0 for all pages. |
| stamper/rotation | string | OPTIONAL. Rotation degrees: - ROTATE_90- ROTATE_270 |
| stamper/textLine1 | string | OPTIONAL. Text included in the stamper (line 1). |
| stamper/textLine2 | string | OPTIONAL. Text included in the stamper (line 2). |
| stamper/textLine3 | string | OPTIONAL. Text included in the stamper (line 3). |
| stamper/type | string | Stamper type: - PDF417- QR_BARCODE128- QR- BARCODE128- IMAGE- TEXT- QR_NO_TEXT- QR_SCALED- CUSTOM_TEXT- QR_REDUCED- CSV- CSV_QR- IMAGE_TEXT- DEFAULT |
| stamper/timeZoneId | string | Set the Time Zone. for stamper date to be printed |
| stamper/hideSigningDate | *boolean | Optional. If true, the date the stamp was signed will be hidden |
If the timeZoneId value is NOT specified in the API call, we will apply the following criteria:
- If the request belongs to a user, we will use the user's timezone. If the user does not have one, but belongs to a group that does, we will use the timezone of the first group that does. Otherwise, we will apply the default configured in the system.
For the IMAGE stamp type, the stamp background image must be specified in Base64 format using the imageB64 attribute or by specifying a URL in the imageUrl attribute.
XAdES Configuration
Params only applicable to signatureType XAdES (XAdES B, XAdES T, XAdES LT, XAdES LTA)
{
"signedInfoCanonicalizationMethod": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
"signedPropertiesCanonicalizationMethod": "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
"xPathLocationString": "//book[@id='bk101-1']",
"claimedSignerRoles": [
"role1",
"role2"
],
"transformAlgorithms": [
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
],
"dssReferenceUri": "http://dsa-reference.example.com/",
"manifestSignature": false
}
Where:
| Param | Type | Desc |
|---|---|---|
| signedInfoCanonicalizationMethod | string | Canonicalization Method of node signedInfo |
| signedPropertiesCanonicalizationMethod | string | Canonicalization Method of node signedProperties |
| xPathLocationString | string | XPath of ID node (XML) to be signed |
| claimedSignerRoles | array | Signer role |
| transformAlgorithms | array | Transform Algorithm of signed node: - "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"- "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"- "http://www.w3.org/2001/10/xml-exc-c14n#"- "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"- "http://www.w3.org/2006/12/xml-c14n11"- "http://www.w3.org/2006/12/xml-c14n11#WithComments"- "http://santuario.apache.org/c14n/physical" |
| dssReferenceUri | string | ID node (XML) to be signed |
| manifestSignature | boolean | Optional. If true is indicated, instead of passing the document object, a list of references is provided. |
| hashSignature | boolean | Optional. If true is indicated, the information provided in the Base64 of the document should be the digest of the document, and not the entire document. |
| hashDigestAlgorithm | string | Optional. Algorithm that has been used to obtain the digest of the document. Available values: - 'SHA1' - 'SHA224' - 'SHA256' - 'SHA384' - 'SHA512' |
References
This setting only applies to signatures whose signatureType is of type XADES (XAdES B, XAdES T, XAdES LT, XAdES LTA) and has been indicated to be a signature of type manifest xadesConfiguration.manifestSignature.
{
"uri":"src/test/examples/manifest/a_documento.pdf",
"digestValue":"GQBXsIg1NFp6IYYeAFuH6l7sjLv3FbvnpvvTX6f8ZEEr1TwgOuXFuEl9IVn1hseZJG+S1a6LDhIJcKS1sCfJ/w=="
}
Where:
| Parameter | Type | Description |
|---|---|---|
| uri | boolean | Path or URL where the original document is located. |
| digestValue | string | Digest of the document. |
CAdES Configuration
This setting only applies to signatures whose signatureType is of type CAdES (CAdES B, CAdES T, CAdES LT, CAdES LTA).
{
"hashSignature" : true,
"hashDigestAlgorithm" : "SHA256"
}
Where:
| Parameter | Type | Description |
|---|---|---|
| cadesConfiguration/hashSignature | boolean | If true, the information provided in the Base64 of the document should be the digest of the document, and not the entire document. |
| cadesConfiguration/hashDigestAlgorithm | string | Algorithm that has been used to obtain the digest of the document. Available values: - 'SHA1' - 'SHA224' - 'SHA256' - 'SHA384' - 'SHA512' |
TSA Configuration
TSA configuration is mandatory if a signature format that requires timestamp is used:
{
"url": "http://tsa.example.com/",
"user": "tsa_user",
"password": "tsa_pass",
"type": "USER",
"certificateCode": "tsa_certificate_code"
}
| Param | Type | Desc |
|---|---|---|
| type | string | Authentication type: USER CERTIFICATE CERTIFICATE_TLS of URL (if authentication is not required) |
| user | string | OPTIONAL. Only when USER type is used |
| password | string | OPTIONAL. Only when USER or CERTIFICATE or CERTIFICATE_TLS type is used |
| url | string | TSA url |
| certificateCode | string | OPTIONAL. Only when CERTIFICATE or CERTIFICATE_TLS type is used |
POLICIES Configuration
Only applicable to XAdES EPES format; a Signature Policy can be defined:
{
"id": "102039485-10283757-102837575",
"description": "Sample policy",
"digestAlgorithm": "SHA256",
"digestValueB64": "JVBERi0xLjMKJcTl8uXlRU9GC",
"url" : "https://sample/lorem_ipsum_dolor_sit_amet.pdf",
"contentHintsDescription": "Lorem ipsum dolor sit amet",
"contentHintsType": "Lorem ipsum dolor sit amet"
}
<<<<<<< HEAD
| Param | Type | Desc |
|-----------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------|
| id | string | Policy id |
| description | string | Policy description |
| digestAlgorithm | string | Cipher Algorithm:
- SHA1
- SHA224
- SHA256
- SHA384
- SHA512
- RIPEMD160
- MD2
- MD5 |
| digestValueB64 | string | Policy Digest value (Base64) |
| contentHintsDescription | string | Help Description |
| contentHintsType | string | Help content type |
| Param | Type | Desc |
|---|---|---|
| id | string | Policy id |
| description | string | Policy description |
| digestAlgorithm | string | Cipher Algorithm: - SHA1- SHA224- SHA256- SHA384- SHA512- RIPEMD160- MD2- MD5 |
| digestValueB64 | string | Policy Digest value (Base64) |
| url | string | The SpURI (signature policy qualifier). The spURI qualifier will contain a URL value where a copy of the signing policy document can be obtained. |
| contentHintsDescription | string | Help Description |
| contentHintsType | string | Help content type |
26367b52051e0e30d23d28b90480e0e025b5537d
Response
Response in application/json format:
{
"authCode": "1aeb979ddcf247e9ad46ee73e19a326d",
"exeCode": "f116305e7f7c44f3a29385028c5374ba"
}
Where:
| Param | Type | Desc |
|---|---|---|
| authCode | string | Authorization code |
| exeCode | string | Execution code |
API Errors
Errors are returned using application/json format:
{
"error": "error_code",
"error_description": "error_description"
}
Where:
| Param | Type | Desc |
|---|---|---|
| error | string | Error code |
| error_description | string | Error description |
Errors:
| Error code | Error desc |
|---|---|
| invalid_request | Bad request. Incorrect of insufficient request params. (HTTP Status: 400) |
| invalid_token | Invalid access_token (HTTP Status: 401) |
| user_not_found | Incorrect or inactive user (HTTP Status: 404) |
USER AUTHENTICATION AND CERTIFICATE SELECTION
Please review the following User Authentication and Signature Authorization section to find more details.
SIGNATURE EXECUTION
REST service specs:
Method: POST
URL: {viafirma_fortress_url}/api/v1/signature/{executionCode}/execute
Where:
viafirma_fortress_url: URL of the Fortress implementation, for example https://sandbox.viafirma.com/fortress or https://fortress.viafirma.com/fortressexecutionCode: authorization code returned by signature request method
Sample Request
Method: POST
URL: {viafirma_fortress_url}/api/v1/signature/f116305e7f7c44f3a29385028c5374ba/execute
Params
The request body must be an empty JSON:
{
}
Sample Response
[
{
"bytesB64": "a910b000d4f1a2b...",
"signatureCode": "e2470412-33cc-467a-b357-880fe621920f",
"mimeType": "application/pdf",
"ref": "#1"
},
...
]
Where:
| Param | Type | Desc |
|---|---|---|
| bytesB64 | string | Signed document (Base64). In case of asynchronous signature it will be empty and the signed document must be downloaded using the obtained signatureCode. |
| signatureCode | string | Signature ID |
| mimeType | string | MIME type |
| ref | string | It have the same value if present in the signature request |
API Errors
{
"error": "error_code",
"error_description": "error_description"
}
Where:
| Param | Type | Desc |
|---|---|---|
| error | string | Error code |
| error_description | string | Error description |
Errors:
| Error code | Error desc |
|---|---|
| invalid_request | Bad request. Incorrect on insufficient params. (HTTP Status: 400) |
| invalid_token | Invalid access_token (HTTP Status: 401) |
| user_not_found | Invalid or inactive user (HTTP Status: 404) |
| certificate_not_found | The certificate is not inactive or authorized, or has not been found (HTTP Status: 404) |
| signature_error | Problems found in signature process (HTTP Status: 500) |
DOWNLOAD SIGNED DOCUMENT
Download signed document.
Service specs:
Method: GET
URL: {viafirma_fortress_url}/api/v1/signature/download/{signature_code}
Where:
viafirma_fortress_url: URL of the Fortress implementation, for example https://sandbox.viafirma.com/fortress or https://fortress.viafirma.com/fortresssignature_code: signature code returned by fortress in the signature execution service
Sample Request
Method: GET
URL: {viafirma_fortress_url}/api/v1/signature/download/C0XJ-XOAK-OF1O-TYJ7-S164-3197-3571-05
Response
Document in application/octet-stream format.
API Errors
{
"error": "error_code",
"error_description": "error_description"
}
Where:
| Param | Type | Desc |
|---|---|---|
| error | string | Error code |
| error_description | string | Error description |
Errors:
| Error code | Error desc |
|---|---|
| document_not_found | Signed document ID not found (HTTP Status: 404). |
results matching ""
No results matching ""