3. Signing operation

1) Obtain Authorization code

Request

🚧

The scope urn:safelayer:eidas:sign:identity:use:server shall be used.

GET /trustedx-authserver/oauth/lvrtc-eipsign-as?response_type=code&  
   client_id=...&  
   state=...&  
   redirect_uri=...&  
   scope=...&  
   prompt=...&  
   acr_values=...&  
   ui_locales=...&  
   sign_identity_id=...&  
   digests_summary=...&  
   digests_summary_algorithm=...

🚧

The sign_identity_id value is the value received previously.

The digests_summary value is the signable data calculated by using the received signing certificate.

At this point the end-user, with an active SSO session, enters the HSM password on the page they are redirected to.

Response

GET {redirection_uri_path}?code={code}&state={state}  
HTTP/1.1  
Host: {redirection_uri_host}
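A sketch of the client side of step 1, added here as an example and not taken from the original documentation: it builds the authorization request with every parameter percent-encoded and accepts the redirect only when the returned state matches the one issued. The host is assumed to be the one shown for the token request, digests_summary is assumed to be a Base64-style string, and the client, identity and algorithm values used to call it are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Path and scope come from the page; the host is assumed to be the one the
# page shows for the token request.
AUTHORIZE_URL = "https://eidas.eparaksts.lv/trustedx-authserver/oauth/lvrtc-eipsign-as"
SIGN_SCOPE = "urn:safelayer:eidas:sign:identity:use:server"
# The page's digest_value, reused only as a stand-in Base64 string with '+' and '/'.
SAMPLE_SUMMARY = "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg"


def build_authorization_request(client_id, redirect_uri, sign_identity_id,
                                digests_summary, digests_summary_algorithm,
                                **optional):
    """Return (url, state); `optional` carries prompt, acr_values, ui_locales."""
    state = secrets.token_urlsafe(32)  # unguessable; store it in the user's session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": SIGN_SCOPE,
        **optional,
        "sign_identity_id": sign_identity_id,
        "digests_summary": digests_summary,
        "digests_summary_algorithm": digests_summary_algorithm,
    }
    # urlencode percent-encodes '+', '/' and ':'; a raw '+' in a query string
    # is commonly decoded as a space, which would silently change the digest.
    return AUTHORIZE_URL + "?" + urlencode(params), state


def extract_code(redirect_url, expected_state):
    """Return the authorization code only if `state` matches the stored value."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The state returned by build_authorization_request has to be kept server-side with the user's session and passed to extract_code when the redirect arrives.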

2) Obtain an access token

Request

🚧

Use the "code" value received from the previous operation.

POST /trustedx-authserver/oauth/lvrtc-eipsign-as/token HTTP/1.1  
Host: eidas.eparaksts.lv  
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

grant_type=authorization_code&  
     redirect_uri=https://www.demoapp.lv/oauth/back&  
     code=4515...e0ban

Response

{  
"access_token" : "{string}",  
"token_type" : "Bearer",  
"expires_in" : "{number}"  
}

3) Create a Digital Signature on the Server

Request

🚧

Use the "sign_identity_id" value received from previous operations and the "digest_value" value calculated by using the received signing certificate.

If you are using the SignAPI service, the "diggest" property value received in the calculateDigest operation response shall be used as the "digest_value" value.

POST /trustedx-resources/esigp/v1/signatures/server/raw  
Host: eidas.eparaksts.lv  
Content-Type: application/json  
Authorization: Bearer cbc...6daf  
Content-Length: 213

{  
"digest_value" : "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg",  
"signature_algorithm" : "ecdsa",  
"sign_identity_id" : "nio...omq"  
}

Response

📘

Response contains the binary value of the PKCS #1 signature.