Asymmetric Signature

Please Note

stringToSign component for Get Token and Transactional will be different!

For Get Token = stringToSign = client_ID + “|” + X- TIMESTAMP
For Transactional = stringToSign = HTTPMethod +":"+ EndpointUrl +":"+ Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp

Preparation

Before generating Signature, merchant need to prepare all the component required.

Name Description

Name	Description
`privateKey`	Merchant privateKey How to generate : generate private key RSA : openssl genrsa -out private.key 2048 set passphrase your private key RSA : openssl pkcs8 -topk8 -inform PEM -outform PEM -in private.key -out pkcs8.key -v1 PBE-SHA1-3DES generate public key RSA : openssl rsa -in private.key -outform PEM -pubout -out public.pem
`HTTPMethod`	The HTTP method that client use to hit the API
`endpointURL`	The path of the endpoint that will be hitted e.g: `/bi-snap-va/v1/transfer-va/create-va` NOTE: For the `HTTP Notification` from DOKU to merchant server, this will be the path of merchant `Notification URL`. As for the `Inquiry Request`, this will be the path of merchant `Inquiry URL`
`Timestamp`	Same with `X-TIMESTAMP`
`stringToSign`	`HTTPMethod +":"+ EndpointUrl +":"+ Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp`

privateKey

Merchant privateKey How to generate :

generate private key RSA : openssl genrsa -out private.key 2048
set passphrase your private key RSA : openssl pkcs8 -topk8 -inform PEM -outform PEM -in private.key -out pkcs8.key -v1 PBE-SHA1-3DES
generate public key RSA : openssl rsa -in private.key -outform PEM -pubout -out public.pem

HTTPMethod

The HTTP method that client use to hit the API

endpointURL

The path of the endpoint that will be hitted e.g: /bi-snap-va/v1/transfer-va/create-va NOTE: For the HTTP Notification from DOKU to merchant server, this will be the path of merchant Notification URL. As for the Inquiry Request, this will be the path of merchant Inquiry URL

Timestamp

Same with X-TIMESTAMP

stringToSign

HTTPMethod +":"+ EndpointUrl +":"+ Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":" + TimeStamp

Set stringToSign Component

Minify request Body

Before After

Before	After
`{ "partnerServiceId":" 088899", "customerNo":"12345678901234567890", "virtualAccountNo":" 08889912345678901234567890", "virtualAccountName":"Jokul Doe", "virtualAccountEmail":"jokul@email.com", "virtualAccountPhone":"6281828384858", "trxId":"abcdefgh1234", "totalAmount":{ "value":"12345678.00", "currency":"IDR" } }`	`{"partnerServiceId":" 088899","customerNo":"12345678901234567890","virtualAccountNo":" 08889912345678901234567890","virtualAccountName":"Jokul Doe","virtualAccountEmail":"jokul@email.com","virtualAccountPhone":"6281828384858","trxId":"abcdefgh1234","totalAmount":{"value":"12345678.00","currency":"IDR"}}`

{
   "partnerServiceId":"  088899",
   "customerNo":"12345678901234567890",
   "virtualAccountNo":"  08889912345678901234567890",
   "virtualAccountName":"Jokul Doe",
   "virtualAccountEmail":"jokul@email.com",
   "virtualAccountPhone":"6281828384858",
   "trxId":"abcdefgh1234",
   "totalAmount":{
      "value":"12345678.00",
      "currency":"IDR"
   }
}

{"partnerServiceId":"  088899","customerNo":"12345678901234567890","virtualAccountNo":"  08889912345678901234567890","virtualAccountName":"Jokul Doe","virtualAccountEmail":"jokul@email.com","virtualAccountPhone":"6281828384858","trxId":"abcdefgh1234","totalAmount":{"value":"12345678.00","currency":"IDR"}}

Calculate the result of {minify-request-body} using SHA-256

The result will be like this :

3274fab8dac896837b106a16da2a974e7e65142dcecb4b768ef0294102838977

Hexencode the result of {SHA-256(minify-request-body)}

The result will be like this :

3274fab8dac896837b106a16da2a974e7e65142dcecb4b768ef0294102838977

Set the result of hexencode{SHA-256(minify-request-body)} to Lowercase

Generating StringtoSign

This is the formula for generating the string to Sign :

HTTPMethod +”:“+ EndpointUrl +":“+ Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":“ + TimeStamp

What is endpointURL ?

endpointURL means Request Target.

The Request-Target is depending on who is sending the request:

When merchant hits DOKU endpoints: The Request-Target is the path of the DOKU API that merchant hits. For instance, if merchant wants to hit DOKU VA API: https://api.doku.com/bi-snap-va/v1/transfer-va/create-va. Therefore, the Request-Target value is /bi-snap-va/v1/transfer-va/create-va
When DOKU hits merchant endpoints (HTTP Notification / Inquiry Request): The Request-Target is the path of merchant Notification URL or the Inquiry URL. For instance, if merchant set the Notification URL: https://yourdomain.com/payments/notifications. Therefore, the Request-Target value is /payments/notifications.

Generate Signature :

After all the stringToSign component has been set, merchant can now generate the signature :

Calculate the result of (privateKey , stringToSign) using SHA256withRSA
Ex : qd2m9ot+cfq48qJ68+8IYdfkNDMA2hhecM2XegsnZ1Z5Fur9zii8BVm6cI7g1gyhL5/+OFZqAO8Kp0XPMdipfg==
Put the value to each API in X-Signature component in Request Header

PreviousSymmetric Signature NextResponse Code

Last updated 4 months ago