Signature And Public/Private Key Pairs


Digital signatures ensure the integrity of the transmitted API data and protect it from forgery. Each qualified API caller, also called Merchant, is assigned a StoreID by myPOS. API access is authenticated against the StoreID by the RSA signature.

Signatures are calculated using the following mechanism:

  • All values in the POST request, except the Signature property, are concatenated with a dash ("-") and the result is Base64-encoded.
  • The resulting string is signed with the merchant's private key using the SHA-256 algorithm (RSA signature).
  • The signature is then Base64-encoded.
  • The Signature property holding that value is added to the POST request.

After that, the receiving side concatenates all data in the POST request, except the Signature property, Base64-encodes the string, and verifies it against the received Signature property using the public key extracted from the myPOS public certificate.


The merchant should always verify the signature when receiving a call from myPOS Web Checkout!
The merchant and myPOS must exchange RSA keys before making API calls, and the RSA key length must be 2048 bits. When making an API call to myPOS, the merchant uses its RSA private key to sign the API request. After receiving the API request, myPOS uses the merchant’s RSA public key to verify that the signature matches the content of the request. Similarly, when the merchant receives the API response, it is highly recommended that the merchant verifies the signature of the response using myPOS’s RSA public key. The following figure illustrates the interaction flow:

For the signing process, both the myPOS Checkout API and the merchant generate public/private key pairs and exchange their public certificates. Key pairs are generated using the RSA algorithm. The certificates must be PEM-encoded PKCS7 files. Each party uses its private key to sign the message, and the opposite side authenticates the sender with the corresponding public certificate.


A signature is supplied in every message!
The myPOS Web Checkout provides a different myPOS public certificate for every online store of the merchant.

myPOS Checkout API requires the merchant to generate or upload their public certificate so that their digital signature can be verified by the system. The merchant can generate or upload several public certificates. A key index is assigned to each certificate. For each of the merchant's public certificates there is a corresponding myPOS public certificate. The merchant can download each myPOS public certificate by clicking Download in the myPOS public certificate column.
RSA key pair
An RSA key pair contains the private key and the public key. The private key is required for generating the signature, while the public key is used for verifying the signature.

Generating an RSA key pair

Many tools can be used to generate the RSA key pair.


The easiest way to generate a key pair is by using our onsite generator.
If you prefer to generate the keys yourself, you can do it using OpenSSL and then upload the public certificate to myPOS.

The following steps assume that you use OpenSSL to generate the RSA key pair.
1. Install OpenSSL.
For Linux systems, use the following command:

sudo apt-get install openssl

For Windows systems, download and install OpenSSL from the official site.
2. Generate RSA key pair.
For Linux systems, use the following commands:
$ openssl

OpenSSL> genrsa -out store_private_key.pem 2048 ##generate private key

OpenSSL> pkcs8 -topk8 -inform PEM -in store_private_key.pem -outform PEM -nocrypt ##transform private key into PKCS8 format

OpenSSL> rsa -in store_private_key.pem -pubout -out store_public_key.pem ##generate public key

OpenSSL> exit
For Windows systems, use the following commands:
C:\Users\Hammer>cd C:\OpenSSL-Win32\bin ##enter OpenSSL directory

C:\OpenSSL-Win32\bin>openssl.exe ##enter OpenSSL

OpenSSL> genrsa -out store_private_key.pem 2048 ##Generate private key

OpenSSL> pkcs8 -topk8 -inform PEM -in store_private_key.pem -outform PEM -nocrypt ##Transform private key into PKCS8 format

OpenSSL> rsa -in store_private_key.pem -pubout -out store_public_key.pem ##Generate public key

OpenSSL> exit
After that, you can see two files under current folder, store_private_key.pem and store_public_key.pem. The former is the private key and the latter is the public key.
Uploading RSA public key


After the key pair is generated, you must exchange the public key with the myPOS server for signature verification by completing the following steps:

  • Upload your public key to myPOS
  • Obtain the myPOS public key
Signature examples
Example for PHP 5.x.x

<?php

// The POST data array
$postData = array('IPCmethod'=>'IPCPurchase', ............); 

// This is an example of RSA private key
$privKey = '-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCf0TdcTuphb7X+Zwekt1XKEWZDczSGecfo6vQfqvraf5VPzcnJ
2Mc5J72HBm0u98EJHan+nle2WOZMVGItTa/2k1FRWwbt7iQ5dzDh5PEeZASg2UWe
hoR8L8MpNBqH6h7ZITwVTfRS4LsBvlEfT7Pzhm5YJKfM+CdzDM+L9WVEGwIDAQAB
AoGAYfKxwUtEbq8ulVrD3nnWhF+hk1k6KejdUq0dLYN29w8WjbCMKb9IaokmqWiQ
5iZGErYxh7G4BDP8AW/+M9HXM4oqm5SEkaxhbTlgks+E1s9dTpdFQvL76TvodqSy
l2E2BghVgLLgkdhRn9buaFzYta95JKfgyKGonNxsQA39PwECQQDKbG0Kp6KEkNgB
srCq3Cx2od5OfiPDG8g3RYZKx/O9dMy5CM160DwusVJpuywbpRhcWr3gkz0QgRMd
IRVwyxNbAkEAyh3sipmcgN7SD8xBG/MtBYPqWP1vxhSVYPfJzuPU3gS5MRJzQHBz
sVCLhTBY7hHSoqiqlqWYasi81JzBEwEuQQJBAKw9qGcZjyMH8JU5TDSGllr3jybx
FFMPj8TgJs346AB8ozqLL/ThvWPpxHttJbH8QAdNuyWdg6dIfVAa95h7Y+MCQEZg
jRDl1Bz7eWGO2c0Fq9OTz3IVLWpnmGwfW+HyaxizxFhV+FOj1GUVir9hylV7V0DU
QjIajyv/oeDWhFQ9wQECQCydhJ6NaNQOCZh+6QTrH3TC5MeBA1Yeipoe7+BhsLNr
cFG8s9sTxRnltcZl1dXaBSemvpNvBizn0Kzi8G3ZAgc=
-----END RSA PRIVATE KEY-----'; 

// You need to concatenate all values from $postData and to Base64-encode the result
$concData = base64_encode(implode('-', $postData)); 
$privKeyObj = openssl_get_privatekey($privKey);

// Signed data in binary
openssl_sign($concData, $signature, $privKeyObj, OPENSSL_ALGO_SHA256); 

// Base64 encoding of the signature
$signature = base64_encode($signature); 

// Now you need to add the signature to the POST request
$postData['Signature'] = $signature; 
openssl_free_key($privKeyObj);

?>
Signature verification example for PHP 5.x.x

<?php

// Save POST request data in var $data
$data = $_POST;

// myPOS certificate
$cert = '-----BEGIN CERTIFICATE-----
MIIBkDCB+qADAgECAgAwDQYJKoZIhvcNAQEFBQAwDzENMAsGA1UEChMEaVBheTAe
Fw0xMzAzMTMxMTI1MTFaFw0yMzAzMTExMTI1MTFaMA8xDTALBgNVBAoTBGlQYXkw
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAML+VTmiY4yChoOTMZTXAIG/mk+x
f/9mjwHxWzxtBJbNncNK0OLI0VXYKW2GgVklGHHQjvew1hTFkEGjnCJ7f5CDnbgx
evtyASDGst92a6xcAedEadP0nFXhUz+cYYIgIcgfDcX3ZWeNEF5kscqy52kpD2O7
nFNCV+85vS4duJBNAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAFSfqJHH9Vp9Y4osJ
sLg1Um5LOoTgn6u4JepHMFoSiwYE0n/N3D3JIgqAzjdVJ+1rZV95VAf/+TKzWzvP
V8L01LJ8aRFkUaPGenVsGvBT2mtsbu34QUOlPgzCi3huidwk0ylMX7zo8uxu1cXv
/bg5jBGe5SjvJP8Tq257QcAGgkA=
-----END CERTIFICATE-----';

// Save signature
$signature = $data['Signature'];
// Remove signature from POST data array
unset($data['Signature']);
// Concatenate all values
$concData = base64_encode(implode('-', $data));

// Extract public key from certificate
$pubKeyId = openssl_get_publickey($cert);

// Verify signature
$res = openssl_verify($concData, base64_decode($signature), $pubKeyId, OPENSSL_ALGO_SHA256);
//Free key resource
openssl_free_key($pubKeyId);

if ($res == 1) {
	//success
} else {
	//not success
}

?>
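The same scheme as the PHP examples above, written in Go with only the standard library, as an added example that is not part of the myPOS documentation: values joined with "-", Base64-encoded, signed with RSA/SHA-256 (PKCS#1 v1.5, which is what openssl_sign with OPENSSL_ALGO_SHA256 produces), Base64-encoded again, and verified on the receiving side with the Signature property excluded. The key pair is generated at run time and the request fields are constructed samples; a real integration loads the merchant's private key and the exchanged myPOS certificate instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Field is one POST parameter. An ordered slice, not a map: PHP's implode('-', $postData)
// joins values in insertion order, and the verifier must rebuild exactly the same order.
type Field struct{ Key, Value string }

// signedInput is what both sides sign/verify: every value except Signature, joined with "-", Base64-encoded.
func signedInput(fields []Field) []byte {
	vals := make([]string, 0, len(fields))
	for _, f := range fields {
		if f.Key != "Signature" {
			vals = append(vals, f.Value)
		}
	}
	return []byte(base64.StdEncoding.EncodeToString([]byte(strings.Join(vals, "-"))))
}

// Sign returns the Base64 value for the Signature property: RSA PKCS#1 v1.5 over SHA-256.
func Sign(priv *rsa.PrivateKey, fields []Field) (string, error) {
	h := sha256.Sum256(signedInput(fields))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify checks a received request. In production pub comes from the myPOS PEM certificate
// (x509.ParseCertificate(der).PublicKey.(*rsa.PublicKey)); a malformed Signature is rejected too.
func Verify(pub *rsa.PublicKey, fields []Field, b64sig string) bool {
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	h := sha256.Sum256(signedInput(fields))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit key, as myPOS requires
	req := []Field{{"IPCmethod", "IPCPurchase"}, {"Amount", "23.45"}} // constructed sample request
	sig, _ := Sign(priv, req)
	fmt.Println("valid:", Verify(&priv.PublicKey, req, sig))
	req[1].Value = "1.00" // a tampered amount must fail verification
	fmt.Println("tampered:", Verify(&priv.PublicKey, req, sig))
}
```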