eParaksts mobile signing certificates will use the ECC key standard

The changes will be introduced on the night from April 26 to April 27, 2024 at 00:00

With the transition to a new technological platform (on the night from April 26 to April 27, 2024 at 00:00), eParaksts mobile signing certificates will use the ECC key standard. For organizations that have integrated document signing with eParaksts mobile into their systems, it is necessary to ensure that their information systems support the ECC key format and, if necessary, make changes to ensure support for the new key algorithm.

For users of e-Identity platform or Java EDOC libraries

During the eParaksts mobile signing process, when obtaining the client's signing certificate using the /trustedx-resources/esigp/v1/sign_identities/nio...omq method, it is necessary to verify the key algorithm used in the certificate (RSA or ECDSA) and specify the correct signature algorithm accordingly in the methods /trustedx-resources/esigp/v1/signatures/server/raw/batch and /trustedx-resources/esigp/v1/signatures/server/raw.
Examples of the above methods in the case of ECDSA keys:

POST /trustedx-resources/esigp/v1/signatures/server/raw
Host: eidas.eparaksts.lv
Content-Type: application/json
Authorization: Bearer cbc...6daf
Content-Length: 213

{
    "digest_value": "n4bQgYhMfWWaL+qgxVrQFaO/TxsrC4Is0V1sFbDwCgg",
    "signature_algorithm": "ecdsa",
    "sign_identity_id": "nio...omq"
}

POST /trustedx-resources/esigp/v1/signatures/server/raw/batch
Host: eidas.eparaksts.lv
Content-Type: application/json
Authorization: Bearer cbc...6daf
Content-Length: 213

{
    "sign_identity_id": "12345678",
    "signature_algorithm": "ecdsa",
    "requests": [
        {
            "digest_value": "siHZ27CDp/M0KNfCo8MZiuklYU1wIQ4ocWzKp81N23k",
            "signature_algorithm": "ecdsa"
        },
        {
            "digest_value": "siHZ27CDp/M0KNfCo8MZiuklYU1wIQ4ocWzKp81N23k",
            "signature_algorithm": "ecdsa"
        }
    ]
}

In the event that the RSA algorithm is specified in the signing process, but the certificate issued to the client uses the ECDSA key algorithm, you will receive the following error message:

{
    "error": "IncorrectSignatureAlgorithmException",
    "error_description": "rsa-sha256",
    "error_details": {}
}
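
One way to make the key-algorithm check described above before calling the signing methods, as an added example that is not eParaksts or LVRTC code: it reads the public key algorithm OID from the DER-encoded signing certificate and picks the signature_algorithm value ("ecdsa", or "rsa-sha256" as quoted on this page). The function names are hypothetical, the certificate bytes are assumed to be already extracted from the sign_identities response, and the sample input is a constructed skeleton; production code would normally use an X.509 library for the parsing.

```python
# DER-encoded OIDs that appear in SubjectPublicKeyInfo.algorithm
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
# signature_algorithm values quoted on this page for each key type
SIG_ALG = {OID_RSA: "rsa-sha256", OID_EC: "ecdsa"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm_for(cert_der):
    """Choose signature_algorithm from the subject's key type.
    The issuer's own signature algorithm field is skipped on purpose."""
    _, pos, _ = tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                       # optional [0] version
        pos = end
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    _, pos, _ = tlv(cert_der, pos)        # subjectPublicKeyInfo
    _, pos, _ = tlv(cert_der, pos)        # AlgorithmIdentifier
    tag, start, end = tlv(cert_der, pos)  # algorithm OID
    oid = bytes(cert_der[start:end])
    if tag != 0x06 or oid not in SIG_ALG:
        raise ValueError("unsupported key algorithm OID: " + oid.hex())
    return SIG_ALG[oid]

def raw_sign_body(cert_der, digest_value, sign_identity_id):
    """Body (as a dict) for POST /trustedx-resources/esigp/v1/signatures/server/raw."""
    return {"digest_value": digest_value,
            "signature_algorithm": signature_algorithm_for(cert_der),
            "sign_identity_id": sign_identity_id}

def skeleton_cert(key_oid):
    """Constructed sample input: tbsCertificate field layout only, not a valid certificate."""
    seq = lambda *p: b"\x30" + bytes([len(b"".join(p))]) + b"".join(p)
    spki = seq(seq(b"\x06" + bytes([len(key_oid)]) + key_oid), b"\x03\x02\x00\x00")
    tbs = seq(b"\xa0\x03\x02\x01\x02", b"\x02\x01\x01", seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), b"\x03\x01\x00")
```

Failing closed on an unknown key type keeps a future algorithm change from being signed with the wrong signature_algorithm value.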

Please be aware that during the migration to the new platform in the beginning of 2024, existing signing identities for eParaksts mobile users will be deleted. If a user has not yet created a new signing identity when trying to sign in to your system, the integration method /trustedx-resources/openid/v1/users/me will not return any identity with the "serverid" label, and the separate integration call /trustedx-resources/esigp/v1/sign_identities?labels=serverid will return an empty array of identities. In these cases, clients should display a message indicating that they need to create an eParaksts mobile signing password and explain how to do it.

For users of Signing platform (SignAPI)

To help customers of the Signing platform (SignAPI) implement the necessary changes, an improved version of the Signing platform is available in the test environment; it returns the key algorithm of the signing certificate.

The new functionality in the method /api-sign/v1.0/calculateDigest returns an additional field, signature_algorithm, with the possible values rsa and ecdsa.

In the affected methods of the Identity Platform, /trustedx-resources/esigp/v1/signatures/server/raw/batch and /trustedx-resources/esigp/v1/signatures/server/raw, set the signature_algorithm field as follows:

For RSA: when the /api-sign/v1.0/calculateDigest response contains "signature_algorithm": "rsa", the signature_algorithm value returned by the Signature Platform has to have "-sha256" appended to the end (example: "rsa-sha256").

For ECDSA: when the /api-sign/v1.0/calculateDigest response contains "signature_algorithm": "ecdsa", the signature_algorithm field must use the value returned by the Signature Platform without modification (example: "ecdsa").

Test environment

If you don't have an eParaksts test environment yet, don't hesitate to apply for it! The test environment provides the opportunity to perform secure functional and non-functional testing of eParaksts and e-Identity services without affecting the production environment. In the test environment, all trust services provided by LVRTC can be tested.

The test environment is available free of charge. The eParaksts smart cards for the test environment are produced by LVRTC (price 14.23 EUR excluding VAT), while the Citizenship and Migration Affairs Office (email: [email protected]) provides eID cards for testing purposes.

More information can be found at eparaksts.lv.