API reference

Authorization

Cleverbase’s CSC hash signing application uses OAuth 2.0 for authorization.

GET /oauth2/authorize

Description

Starts the OAuth 2.0 authorization server using an Authorization Code flow, as described in Section 1.3.1 of RFC 6749, to request authorization for the user to access the remote service resources. The authorization is returned in the form of an authorization code, which the signature application SHALL then use to obtain an access token with the oauth2/token method.

The authorization server SHOULD support two access token scopes: “service” and “credential”. These scopes SHALL only be used separately to obtain an access token suitable for service and credential authorization respectively.

Input parameters

Parameter	Presence	Value	Description
response_type	REQUIRED	String	Must always be `"code"`
client_id	REQUIRED	String	Unique Client Identifier (see Client registration)
redirect_uri	REQUIRED	String	A registered redirect URL to redirect to after the authorization process
scope	REQUIRED	String	`"service"` or `"credential"`
state	REQUIRED	String	Up to 255 bytes of arbitrary data from the signature application that will be passed back to the redirect URI.
lang	OPTIONAL	String	Language
credentialID	REQUIRED conditional	String	Required if scope is `"credential"`
numSignatures	REQUIRED conditional	Int	Required if scope is `"credential"`. Must be `1`.
hash	REQUIRED conditional	String	Required if scope is `"credential"`. The to-be-signed hash value base64 url encoded.
account_token	OPTIONAL	String	An `account_token` as defined in Account tokens

Response

Parameter	Presence	Value	Description
code	REQUIRED	String	The authorization code generated by the authorization server
state	REQUIRED	String	Should match `state` given in request
error	OPTIONAL	String	A single error code string
error_description	OPTIONAL	String	Human-readable text providing additional error information

Examples

Service Scope Request

GET /oauth2/authorize?
response_type=code&
client_id=<OAuth2_client_id>&
redirect_uri=<OAuth2_redirect_uri>&
scope=service&
lang=en-US&
state=12345678

Service Scope Response

HTTP/1.1 302 Found
Location: <OAuth2_redirect_uri>?
code=FhkXf9P269L8g&
state=12345678

Credential Scope Request

GET /oauth2/authorize?
response_type=code&
client_id=<OAuth2_client_id>&
redirect_uri=<OAuth2_redirect_uri>&
scope=credential&
credentialID=GX0112348&
numSignatures=1&
hash=MTIzNDU2Nzg5MHF3ZXJ0enVpb3Bhc2RmZ2hqa2zDtnl4
&state=12345678

Credential Scope Response

HTTP/1.1 302 Found
Location: <OAuth2_redirect_uri>?code=HS9naJKWwp901hBcK348IUHiuH8374&
state=12345678

Error Response

HTTP/1.1 302 Found
Location: <OAuth2_redirect_uri>?error=invalid_request&
error_description=Invalid%20Authorization%20Code&state=12345678

Access tokens

POST /oauth2/token

Description

Obtain an OAuth 2.0 bearer access token from the authorization server by passing either the client credentials pre-assigned by the authorization server or the authorization code returned by the authorization server after a successful user authentication, along with the client ID and client secret in possession of the signature application.

Input parameters

Parameter	Presence	Value	Description
grant_type	REQUIRED	String	Must always be `"authorization_code"`
code	REQUIRED	String	Code obtained from result `oauth2/authorize`
client_id	REQUIRED	String	Unique Client Identifier (see Client registration)
redirect_uri	REQUIRED	String	A registered redirect URL where the user was redirected after the authorization process completed.

Input headers

Parameter	Presence	Value	Description
Authorization	REQUIRED	String	Must always be of type Basic Auth. e.g. `Basic Y2xpZW50SUQ6cGFzc3dvcmQ` (RFC 6749, Section 2.3.1)

Response

Parameter	Presence	Value	Description
access_token	REQUIRED	String	The short-lived access token to be used depending on the scope of the OAuth 2.0 authorization request. When the scope is `"service"`, then the authorization server returns a bearer token to be used as the value of `"Authorization: Bearer"`. When the scope is `"credential"`, then the authorization server returns a Signature Activation Data token (SAD) for signing authorization. Use this as the `SAD` parameter when invoking `/signatures/signHash`.
token_type	REQUIRED	String	Must be `Bearer` or `SAD`
expires_in	OPTIONAL	Int	The lifetime in seconds of the service access token.

Examples

Sample Request (Authorization code flow)

POST /oauth2/token HTTP/1.1
Authorization: Basic Y2xpZW50SUQ6cGFzc3dvcmQ
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=FhkXf9P269L8g&
client_id=<OAuth2_client_id>&
redirect_uri=<OAuth2_redirect_uri>

Sample Response (for service scope)

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA",
  "token_type": "Bearer",
  "expires_in": 3600
}

Sample Response (for credential scope)

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "access_token": "3XlFQZ3ndFhkXf9P24/CKN69L8gdSYp5H3XlFQZ3ndFhkXf9P2",
  "token_type": "SAD",
  "expires_in": 300
}

Credentials

POST /csc/v1/credentials/list

CSC Chapter 11.4

Description

Returns the list of credentials associated with a user identifier.

Input Parameters

Parameter	Presence	Value	Description
maxResults	OPTIONAL	String	Maximum number of credentialIDs returned
pageToken	OPTIONAL	String	An opaque token to retrieve a new page of results
clientData	OPTIONAL	String	See CSC 7.5

Input headers

Parameter	Presence	Value	Description
Authorization	REQUIRED	String	Must be a Bearer token, obtained from the “service” scope OAuth flow. Example: `Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA`

Response

Parameter	Presence	Value	Description
credentialIDs	REQUIRED	Array of String	Credential Identifiers

Sample Request

POST /csc/v1/credentials/list HTTP/1.1
Authorization: Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA
Content-Type: application/json

{
  "maxResults": 10
}

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "credentialIDs": [ "GX0112348", "HX0224685" ]
}

POST /csc/v1/credentials/info

CSC Chapter 11.5

Description

Returns the main identity information and public key certificate of the credential obtained with the /csc/v1/credentials/list endpoint.

Input Parameters

Parameter	Presence	Value	Description
credentialID	REQUIRED	String	The unique identifier associated to the credential

Input headers

Parameter	Presence	Value	Description
Authorization	REQUIRED	String	Must be a Bearer token, obtained from the “service” scope OAuth flow. Example: `Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA`

Response

Parameter	Presence	Value	Description
key/status	REQUIRED	String	The status of the signing key of the credential: “enabled” (can be used for signing) or “disabled” (cannot be used for signing). This MAY occur when the owner has disabled it or when the RSSP has detected that the associated certificate is expired or revoked.
key/algo	REQUIRED	Array of String	The list of OIDs of the supported key algorithms
key/len	REQUIRED	String	The length of the cryptographic key in bits
cert/certificates	REQUIRED	Array of String	One or more Base64-encoded X.509v3 certificates from the certificate chain
authMode	REQUIRED	String	Specifies one of the authorization modes. Must be `"oauth2code"`

Sample Request

POST /csc/v1/credentials/info HTTP/1.1
Authorization: Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA
Content-Type: application/json

{
  "credentialID": "GX0112348"
}

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "key" : {
    "status" : "enabled",
    "algo" : [
      "1.2.840.113549.1.1.1"
    ],
    "len" : 2048
  },
  "cert" : {
    "certificates" : [
      "MIIGDSGDGSD...."
    ]
  },
  "authMode" : "oauth2code"
}

Signatures

POST /csc/v1/signatures/signHash

CSC Chapter 11.9

Description

Calculate the remote digital signature of one or multiple hash values provided in input. This method requires credential authorization in the form of Signature Activation Data (SAD).

Input Parameters

Parameter	Presence	Value	Description
credentialIDs	REQUIRED	String	Credential Identifiers
SAD	REQUIRED	String	Signature activation data (result from “credential” scope flow
hash	REQUIRED	Array of String	The to be signed data representation. Must be a SHA256 base64 encoded hash.
hashAlgo	REQUIRED	String	Hash algorithm identifier. Must be “2.16.840.1.101.3.4.2.1”
signAlgo	REQUIRED	String	Signing algorithm identifier. Must be “1.2.840.113549.1.1.1”
clientData	Optional	String	CSC 7.5

Input headers

Parameter	Presence	Value	Description
Authorization	REQUIRED	String	Must always be of type Bearer. Obtained from the “service” scope OAuth flow. e.g. Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA

Response

Parameter	Presence	Value	Description
signatures	REQUIRED	Array of String	Signature(s) produced.

Sample Request

POST /csc/v1/signatures/signHash HTTP/1.1
Content-Type: application/json
Authorization: Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA

{
  "credentialID": "GX0112348",
  "SAD": "3XlFQZ3ndFhkXf9P24/CKN69L8gdSYp5H3XlFQZ3ndFhkXf9P2",
  "hash": [
    "sTOgwOm+474gFj0q0x1iSNspKqbcse4IeiqlDg/HWuI="
  ],
  "hashAlgo": "2.16.840.1.101.3.4.2.1",
  "signAlgo": "1.2.840.113549.1.1.1"
}

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "signatures": [
    "KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew=="
  ]
}

< Account tokens

Service stub >