Main documentation sources:
- Technical overview: https://github.com/SK-EID/smart-id-documentation/wiki/Technical-overview
- API: https://github.com/SK-EID/smart-id-documentation
Generic action sequence (authentication):
- Call the SmartID "start authentication session" endpoint with a randomly generated hash value. API endpoint docs: https://github.com/SK-EID/smart-id-documentation#239-authentication-session
  The endpoint returns a session identifier.
- Using the same hash value, calculate and display to the user a verification code.
- Repeatedly poll the SmartID "session status" endpoint, passing the session identifier obtained at step 1 as a parameter, until the endpoint returns a response with status COMPLETE.
- If the previous step's response was not an error, there is a user certificate attached to it. The user authentication information is obtained from the certificate.
Generic action sequence (signing):
- Get the user's signing certificate from SmartID (aka certificate selection). This endpoint also returns the document number for later use.
- Prepare the XAdES signature structure for signing, aka XmlSignature.
- Get the actual signature from the SmartID service:
  - Start a signing session using the document number and certificate from the certificate selection response.
  - Present the Verification Code from the response, which the user is expected to see on his device before entering PIN2.
  - Poll the server for signing status, which returns the signature when successful.
- Update the XmlSignature structure with the received signature.
- Ensure Long-Term signature validity for compliance with the XAdES-LT profile (as per the BDOC v2.1 spec):
  - Perform an OCSP request for the user's certificate validity confirmation, and embed the response in the XmlSignature. It's possible to stop at this point, but only if the OCSP service is qualified for a Time-Mark response (for a so-called XAdES-LT-TM signature), and apparently the one we use is not qualified.
  - Perform a TimeStamp request -- a feature of an XAdES-LT-TS document.
  - Embed the received responses in the XmlSignature object.
- Build a new BDOC container, or update an existing one, with the resulting XmlSignature XML content.
- Update the
Initialize the signing session: https://github.com/SK-EID/smart-id-documentation#2310-signing-session
Poll session status: https://github.com/SK-EID/smart-id-documentation#2311-session-status
Successful result structure:
    {
      "signature": {
        "value": "B+C9XVjIAZnCHH9vfBSv...",
        "algorithm": "sha512WithRSAEncryption"
      },
      "cert": {
        "value": "B+C9XVjIAZnCHH9vfBSv...",
        "assuranceLevel": "http://eidas.europa.eu/LoA/substantial",
        "certificateLevel": "QUALIFIED"
      }
    }
    from esteid.smartid.utils import get_verification_code
    # signed_data is the same hash value that was passed to the start-session endpoint
    get_verification_code(signed_data)
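A stand-alone version of the verification-code step, added here as an example (it is not esteid's own code): it follows the formula in the Smart-ID technical overview linked above (SHA-256 of the hash value, two rightmost bytes as a big-endian integer, modulo 10000, zero-padded to four digits). The `generate_auth_hash` and `encode_hash_for_request` helpers and the choice of SHA-512 for the challenge are assumptions for illustration.

```python
import base64
import hashlib
import os


def generate_auth_hash() -> bytes:
    """Fresh random challenge for one authentication session.

    The hash is what the user's device signs, so it must be unpredictable and
    never reused. Here it is the SHA-512 digest of 64 bytes from os.urandom
    (using SHA-512 is an assumption of this example).
    """
    return hashlib.sha512(os.urandom(64)).digest()


def encode_hash_for_request(hash_value: bytes) -> str:
    """Base64 text form of the hash, as it travels in the start-session request."""
    return base64.b64encode(hash_value).decode("ascii")


def get_verification_code(hash_value: bytes) -> str:
    """4-digit code to show the user, per the Smart-ID technical overview:
    integer(SHA256(hash)[-2:]) mod 10000, left-padded with zeros.

    Feed it the raw hash bytes that went into the session, not the base64
    string from the request; a code derived from anything else will not match
    what the Smart-ID app shows, and the user should then refuse to confirm.
    """
    digest = hashlib.sha256(hash_value).digest()
    return f"{int.from_bytes(digest[-2:], 'big') % 10000:04d}"


if __name__ == "__main__":
    challenge = generate_auth_hash()
    print("hash for request :", encode_hash_for_request(challenge))
    print("verification code:", get_verification_code(challenge))
```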
- How/where to get an OCSP TM qualified response? The demo OCSP service doesn't return one.