Asymmetric Signature
Please Note
The stringToSign components for Get Token and Transactional requests are different!
For Get Token:
stringToSign = client_ID + "|" + X-TIMESTAMP
For Transactional:
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp
Preparation
Before generating the signature, the merchant needs to prepare all the required components.
privateKey
The merchant's private key. How to generate it:
Generate the RSA private key: openssl genrsa -out private.key 2048
Set a passphrase on the RSA private key: openssl pkcs8 -topk8 -inform PEM -outform PEM -in private.key -out pkcs8.key -v1 PBE-SHA1-3DES
Generate the RSA public key: openssl rsa -in private.key -outform PEM -pubout -out public.pem
HTTPMethod
The HTTP method the client uses to call the API.
endpointURL
The path of the endpoint being called, e.g. /bi-snap-va/v1/transfer-va/create-va
NOTE: For the HTTP Notification from DOKU to the merchant server, this is the path of the merchant's Notification URL. For the Inquiry Request, this is the path of the merchant's Inquiry URL.
Timestamp
Same as X-TIMESTAMP.
stringToSign
HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp
Set stringToSign Component
Minify the request body.
Calculate the SHA-256 hash of {minify-request-body}.
The result will be like this:
Hex-encode the result of {SHA-256(minify-request-body)}.
The result will be like this:
3274fab8dac896837b106a16da2a974e7e65142dcecb4b768ef0294102838977
Convert the result of hexencode{SHA-256(minify-request-body)} to lowercase.
Generating stringToSign
This is the formula for generating the stringToSign:
HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp
What is endpointURL?
endpointURL means Request-Target.
The Request-Target depends on who is sending the request:
When the merchant hits DOKU endpoints: the Request-Target is the path of the DOKU API that the merchant hits. For instance, if the merchant wants to hit the DOKU VA API at https://api.doku.com/bi-snap-va/v1/transfer-va/create-va, the Request-Target value is /bi-snap-va/v1/transfer-va/create-va
When DOKU hits merchant endpoints (HTTP Notification / Inquiry Request): the Request-Target is the path of the merchant's Notification URL or Inquiry URL. For instance, if the merchant sets the Notification URL to https://yourdomain.com/payments/notifications, the Request-Target value is /payments/notifications
Generate Signature
After all the stringToSign components have been set, the merchant can generate the signature:
Calculate the result of (privateKey, stringToSign) using SHA256withRSA. Example:
qd2m9ot+cfq48qJ68+8IYdfkNDMA2hhecM2XegsnZ1Z5Fur9zii8BVm6cI7g1gyhL5/+OFZqAO8Kp0XPMdipfg==
Put the value in the X-Signature component of the request header for each API.
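The Transactional steps above, end to end, as an added Node.js example (not DOKU's own code). It assumes that "minify" means re-serialising the JSON without insignificant whitespace and that the signing algorithm is RSA PKCS#1 v1.5 over SHA-256 with Base64 output. The key pair, body fields and timestamp are constructed sample values, and the function names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: "minify" = re-serialise the JSON without insignificant whitespace.
function minify(rawBody) {
  return JSON.stringify(JSON.parse(rawBody));
}

// HTTPMethod:EndpointUrl:Lowercase(HexEncode(SHA256(minify(RequestBody)))):TimeStamp
function buildStringToSign(httpMethod, endpointUrl, minifiedBody, timestamp) {
  const bodyHash = crypto.createHash('sha256')
    .update(minifiedBody, 'utf8')
    .digest('hex')
    .toLowerCase();
  return [httpMethod, endpointUrl, bodyHash, timestamp].join(':');
}

// Assumption: RSA PKCS#1 v1.5 over SHA-256, Base64-encoded.
function sign(privateKey, stringToSign) {
  return crypto.createSign('RSA-SHA256').update(stringToSign, 'utf8').sign(privateKey, 'base64');
}

function verify(publicKey, stringToSign, signatureB64) {
  return crypto.createVerify('RSA-SHA256')
    .update(stringToSign, 'utf8')
    .verify(publicKey, signatureB64, 'base64');
}

// Returns the exact body to send plus the header values derived from it.
function prepareRequest(privateKey, httpMethod, endpointUrl, rawBody, timestamp) {
  const body = minify(rawBody); // send these bytes, so the receiver hashes what was signed
  const stringToSign = buildStringToSign(httpMethod, endpointUrl, body, timestamp);
  const headers = { 'X-TIMESTAMP': timestamp, 'X-Signature': sign(privateKey, stringToSign) };
  return { body, stringToSign, headers };
}

// Constructed sample input: throwaway key pair, made-up body and timestamp.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const path = '/bi-snap-va/v1/transfer-va/create-va';
const ts = '2024-01-01T10:00:00+07:00';
const rawBody = '{\n  "orderId": "INV-001",\n  "amount": "10000.00"\n}';
const req = prepareRequest(privateKey, 'POST', path, rawBody, ts);

console.log(req.stringToSign);
console.log('valid:', verify(publicKey, req.stringToSign, req.headers['X-Signature']));

// Receiver side: a changed body yields a different stringToSign, so verification fails.
const tampered = buildStringToSign('POST', path, minify(rawBody.replace('10000.00', '99999.00')), ts);
console.log('tampered valid:', verify(publicKey, tampered, req.headers['X-Signature']));
```

The same verify step is what a merchant server would run on an incoming HTTP Notification, using its own Notification URL path as endpointURL.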