# Signing with SmartID

Main documentation sources:

## Authentication

Generic action sequence:

  1. Call the SmartID start authentication session endpoint, with a randomly generated hash value.

     API endpoint docs: https://github.com/SK-EID/smart-id-documentation#239-authentication-session

     The endpoint returns a session identifier.

  2. Using the same hash value, calculate and display to the user a verification code.

  3. Repeatedly poll the SmartID session status endpoint, passing the session identifier obtained at step 1 as a parameter, until the endpoint returns a response with status COMPLETE.

  4. If the previous step's response was not an error, there is a user certificate attached to it. The user authentication information is obtained from the certificate.

## Signing

Generic action sequence:

  1. Get the user's signing certificate from SmartID (aka certificate selection).

     This endpoint also returns the document number for later use.

  2. Prepare the XAdES signature structure for signing, aka XmlSignature.

  3. Get the actual signature from the SmartID service.

     1. Start a signing session using the document number and certificate from the certificate selection response.
     2. Present the verification code from the response to the user, who is expected to see the same code on their device before entering PIN2.
     3. Poll the server for signing status; the response carries the signature once the session is successful.
  4. Finalize the XmlSignature and the ASiC-E container.
     1. Update the XmlSignature structure with the received signature.
        1. Ensure long-term signature validity for compliance with the XAdES-LT profile (as per the BDOC v2.1 spec).
        2. Perform an OCSP request for the user's certificate validity confirmation, and embed the response in the XmlSignature. It is possible to stop at this point, but only if the OCSP service is qualified for a Time-Mark response (for a so-called XAdES-LT-TM signature), and apparently the one we use is not qualified.
        3. Perform a TimeStamp request -- required for an XAdES-LT-TS document.
        4. Embed the received responses in the XmlSignature object.
     2. Build a new BDOC container, or update an existing one, with the resulting XmlSignature XML content.

## API Endpoints

Initialize the signing session: https://github.com/SK-EID/smart-id-documentation#2310-signing-session

Poll session status: https://github.com/SK-EID/smart-id-documentation#2311-session-status

Successful result structure:

```json
{
    "signature": {
        "value": "B+C9XVjIAZnCHH9vfBSv...",
        "algorithm": "sha512WithRSAEncryption"
    },
    "cert": {
        "value": "B+C9XVjIAZnCHH9vfBSv...",
        "assuranceLevel": "http://eidas.europa.eu/LoA/substantial",
        "certificateLevel": "QUALIFIED"
    }
}
```

## Calculate Verification Code

```python
from esteid.smartid.utils import get_verification_code

get_verification_code(signed_data)
```
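Added example, not the library's own `get_verification_code`: it shows authentication steps 1 and 2 above (a random hash of the digest length, base64 encoded for the start-session request) and the Smart-ID verification code rule as published by SK (SHA-256 of the hash to be signed, last two bytes as a big-endian integer, mod 10000, zero-padded to four digits). Function names and the `HASH_SIZES` table are this example's own.

```python
import base64
import hashlib
import secrets

# Digest lengths accepted by Smart-ID, keyed by the hashType value sent in the request.
HASH_SIZES = {"SHA256": 32, "SHA384": 48, "SHA512": 64}


def new_authentication_hash(hash_type: str = "SHA512") -> bytes:
    """Random value used as the 'hash' of an authentication session.

    Smart-ID signs whatever is sent as the hash, so for authentication the
    relying party sends unpredictable random bytes of the chosen digest length.
    """
    return secrets.token_bytes(HASH_SIZES[hash_type])


def hash_request_fields(hash_bytes: bytes, hash_type: str = "SHA512") -> dict:
    """Hash-related fields of a start-session request body (hash is base64)."""
    if len(hash_bytes) != HASH_SIZES[hash_type]:
        raise ValueError("hash length does not match hashType")
    return {"hash": base64.b64encode(hash_bytes).decode("ascii"), "hashType": hash_type}


def verification_code_from_digest(sha256_of_hash: bytes) -> str:
    """Last two bytes of SHA-256(hash) as a big-endian integer, mod 10000, 4 digits."""
    if len(sha256_of_hash) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest")
    return "%04d" % (int.from_bytes(sha256_of_hash[-2:], "big") % 10000)


def get_verification_code(hash_bytes: bytes) -> str:
    """Verification code to display for the given hash (raw bytes, not base64)."""
    return verification_code_from_digest(hashlib.sha256(hash_bytes).digest())


if __name__ == "__main__":
    auth_hash = new_authentication_hash()  # constructed sample, not a real session
    print(hash_request_fields(auth_hash))
    print("Show this code to the user:", get_verification_code(auth_hash))
```

The code is derived from the hash, so if the code shown by the relying party does not match the one on the user's device, the session was not started with that hash and the user should cancel rather than enter a PIN.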

## Open Questions

  • How/where to get an OCSP TM qualified response? The demo OCSP service doesn't return one.