-
Notifications
You must be signed in to change notification settings - Fork 12
Datafiles API description
This document describes the methods used for datafile container manipulation.
- Creating container
- Upload container
- Add datafiles to unsigned container
- Get data files list
- Delete datafile from unsigned container
- Remote signing
- Mobile-ID signing
- Smart-ID signing
- Request signature list of given container
- Request signer info on given signature
Method for creating container structure. The default size limit of the request (not just the data file!) is 4 MB.
Method | URL |
---|---|
POST | /containers |
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerName | String | + | Name of the container. |
dataFiles | Array | + | Array containing dataFile objects. |
dataFiles[].fileName | String | + | Name of the data file. Limitations:
|
dataFiles[].fileContent | String | + | Base64 encoded data file content. |
Example request:
{
"containerName": "containerTest.asice",
"dataFiles": [
{
"fileName": "testFile.txt",
"fileContent": "dGVzdGZhaWw="
}
]
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerId | String | + | Container ID that is used to identify the container in use. |
Example response
{
"containerId": "72aae27c-540d-4324-9dd9-6732b2bc8252"
}
Method for uploading datafile container.
Method | URL |
---|---|
POST | /upload/containers |
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerName | String | + | Name of the container. |
container | String | + | Base64 encoded container. |
Example request:
{
"containerName": "container.asice",
"container": "RnKZobNWVy8u92sDL4S2j1BUzMT5qTgt6hm90TfAGRo="
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerId | String | + | Container ID that is used to identify the container in use. |
Example response
{
"containerId": "72aae27c-540d-4324-9dd9-6732b2bc8252"
}
Method for adding data files to container. NB! It is possible to add data files only to unsigned container!
Method | URL |
---|---|
POST | /containers/{containerId}/datafiles |
Parameter | Type | Mandatory | Description |
---|---|---|---|
dataFiles | Array | - | Array containing dataFile objects. |
dataFiles[].fileName | String | + | Name of the data file. Limitations:
|
dataFiles[].fileContent | String | + | Base64 encoded data file content. |
Example request:
{
"dataFiles": [
{
"fileName": "testFile.txt",
"fileContent": "dGVzdGZhaWw="
}
]
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
result | String | + | OK on success. |
Example response
{
"result": "OK"
}
Method for retrieving container data file list.
Method | URL |
---|---|
GET | /containers/{containerId}/datafiles |
Parameter | Type | Mandatory | Description |
---|---|---|---|
dataFiles | Array | - | Array containing dataFile objects. |
dataFiles[].fileName | String | + | Name of the data file. |
dataFiles[].fileContent | String | + | Base64 encoded data file content. |
Example response
{
"dataFiles": [
{
"fileName": "testFile.txt",
"fileContent": "dGVzdGZhaWw="
}
]
}
Method for deleting data files from container. NB! It is possible to remove data files only from unsigned container!
Method | URL |
---|---|
DELETE | /containers/{containerId}/datafiles/{datafileName} |
Parameter | Type | Mandatory | Description |
---|---|---|---|
result | String | + | OK on success. |
Example response
{
"result": "OK"
}
Method for generating data to be signed externally
Method | URL |
---|---|
POST | /containers/{containerId}/remotesigning |
Parameter | Type | Mandatory | Description |
---|---|---|---|
signingCertificate | String | + | DER encoded X.509 signers certificate in Base64. |
signatureProfile | String | + | Profile of the signature. Available value LT - TimeStamp based signature. |
roles | Array | - | Array of strings describing the signer role. |
signatureProductionPlace | object | - | Object containing signing location. |
signatureProductionPlace.countryName | String | - | Signing country. |
signatureProductionPlace.city | String | - | Signing city. |
signatureProductionPlace.stateOrProvince | String | - | Signing state or province. |
signatureProductionPlace.postalCode | String | - | Signing postal code. |
Example request:
{
"signingCertificate": "MIID..",
"signatureProfile": "LT"
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
generatedSignatureId | String | + | Signature ID needed for finalization of signature. |
dataToSign | String | + | Data to be signed on client side. XML structure to be signed encoded in Base64. |
digestAlgorithm | String | + | Digest algorithm used to calculate dataToSign. Service uses SHA512. |
{
"generatedSignatureId": "5df71690-dc2a-4906-8ceb-f5e7b3036ce3",
"dataToSign": "PGRz...",
"digestAlgorithm": "SHA512"
}
Method for returning signature value to service
Method | URL |
---|---|
PUT | /containers/{containerId}/remotesigning/{generatedSignatureId} |
Parameter | Type | Mandatory | Description |
---|---|---|---|
signatureValue | String | + | Signature value created by client encoded in Base64. Signature must be created using the algorithm returned in POST /containers/{containerId}/remotesigning response (SHA512). |
{
"signatureValue": "MGQC..."
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
result | String | + | OK is returned. |
{
"result": "OK"
}
Method for starting Mobile-ID signing of container
Method | URL |
---|---|
POST | /containers/{containerId}/mobileidsigning |
Parameter | Type | Mandatory | Description |
---|---|---|---|
personIdentifier | String | + | Signers personal national identification code. |
phoneNo | String | + | Signers phone number with +372 prefix. |
language | String | + | Language for user dialog in mobile phone. 3-character capitalized acronyms are used. Possible values: ENG, EST, RUS, LIT. |
messageToDisplay | String | - | Text displayed in addition to ServiceName and before asking PIN2. Maximum length is 40 bytes. In case of Latin letters, this means also a 40 character long text, but Cyrillic characters may be encoded by two bytes and you will not be able to send more than 20 symbols. |
signatureProfile | String | + | Profile of the signature. Available value LT - TimeStamp based signature. |
roles | Array | - | Array of strings describing the signer role. |
signatureProductionPlace | object | - | Object containing signing location. |
signatureProductionPlace.countryName | String | - | Signing country. |
signatureProductionPlace.city | String | - | Signing city. |
signatureProductionPlace.stateOrProvince | String | - | Signing state or province. |
signatureProductionPlace.postalCode | String | - | Signing postal code. |
Example request
{
"signatureProfile": "LT",
"personIdentifier": "60001019906",
"language": "EST",
"messageToDisplay": "Test",
"phoneNo": "+37200000766"
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
generatedSignatureId | String | + | Signature ID needed for finalization of signature. |
challengeId | String | + | 4-character control code calculated on basis of the Challenge value to be signed. This code is displayed on mobile phone's screen and must be also displayed by integrating web service in order to ensure the user on authenticity of the query. |
Example response:
{
"generatedSignatureId": "81b1c675-abc7-4752-9ee2-89d80b3ab7ef",
"challengeId": "3664"
}
In case of not MID user and revoked/suspended certificate error is returned.
For testing in Demo environment TEST Mobile-ID number can be found here
Method for requesting status of the signing process (signer to enter a PIN on the mobile device). This method should be polled with interval while the status is OUTSTANDING_TRANSACTION in all other statuses polling should be stopped.
Method | URL |
---|---|
GET | /containers/{containerId}/mobileidsigning/{generatedSignatureId}/status |
Parameter | Type | Mandatory | Description |
---|---|---|---|
midStatus | String | + |
|
Example response:
{
"midStatus": "SIGNATURE"
}
Smart-ID users may have several active accounts (devices) for signing. These accounts are identified by unique documentNumber which is tied to specific certificate. This endpoint is used to trigger device selection prompt on user devices. When user selects device, certificate is retrieved for signing. In case user has only one active account, no prompt is given to user and certificate is retrieved immediately.
NB! Only certificates with QSCD level are accepted.
See Smart-ID documentation for additional information.
If Smart-ID documentNumber was received in some other way (e.g by authentication process) then certificate selection step can be omitted.
Method | URL |
---|---|
POST | /containers/{containerId}/smartidsigning/certificatechoice |
Parameter | Type | Mandatory | Description |
---|---|---|---|
personIdentifier | String | + | Signers personal national identification code. |
country | String | + | Signers country of residence. 2 character ISO 3166-1 alpha-2 country code. |
{
"country": "EE",
"personIdentifier": "30303039914"
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
generatedCertificateId | String | + | Certfificate id required to poll the status. |
{
"generatedCertificateId": "4acd9982-21c6-4626-a4fe-9e544fe2e981"
}
Method for requesting status of the certificate selection process. In case of multiple Smart-ID accounts user has around 90 seconds to choose correct device before timeout is given. This request should be polled with interval while the status is OUTSTANDING_TRANSACTION, in all other statuses polling should be stopped.
Method | URL |
---|---|
GET | /containers/{containerId}/smartidsigning/certificatechoice/{generatedCertificateId}/status |
Parameter | Type | Mandatory | Description |
---|---|---|---|
sidStatus | String | + |
|
documentNumber | String | - | Value is present in case of CERTIFICATE sidStatus. This number is used to initiate signing process in device selected by user. |
Example response
{
"sidStatus": "CERTIFICATE",
"documentNumber": "PNOEE-30303039914-MOCK-Q"
}
In case of not Smart-ID user and revoked/suspended certificate, error is returned.
Method for starting Smart-ID signing of container.
Method | URL |
---|---|
POST | /containers/{containerId}/smartidsigning/ |
Parameter | Type | Mandatory | Description |
---|---|---|---|
documentNumber | String | + | Document number identifying device selected by user. If Smart-ID was used for authentication then this number can be received from authentication process and certificate choice step in signing can be skipped. |
messageToDisplay | String | - | Text displayed in addition to ServiceName. Maximum length is 60 characters. |
signatureProfile | String | + | Profile of the signature. Available value LT - TimeStamp based signature. |
roles | Array | - | Array of strings describing the signer role. |
signatureProductionPlace | Object | - | Object containing signing location. |
signatureProductionPlace.countryName | String | - | Signing country. |
signatureProductionPlace.city | String | - | Signing city. |
signatureProductionPlace.stateOrProvince | String | - | Signing state or province. |
signatureProductionPlace.postalCode | String | - | Signing postal code. |
Example request:
{
"documentNumber": "PNOEE-30303039914-MOCK-Q",
"signatureProfile": "LT",
"messageToDisplay": "Test"
}
Parameter | Type | Mandatory | Description |
---|---|---|---|
generatedSignatureId | String | + | Signature ID needed for finalization of signature. |
challengeId | String | + | 4-character control code calculated on basis of the Challenge value to be signed. This code is displayed on device screen and must be also displayed by integrating web service in order to ensure the user on authencity of the query. |
Example response:
{
"generatedSignatureId": "b5b68c92-6243-4d92-851f-89bb9ce64c3e",
"challengeId": "6702"
}
Method for requesting status of the signing process.
Method | URL |
---|---|
GET | /containers/{containerId}/smartidsigning/{generatedSignatureId}/status |
Parameter | Type | Mandatory | Description |
---|---|---|---|
sidStatus | String | + |
|
Example response:
{
"sidStatus": "SIGNATURE"
}
In case of not Smart-ID user and revoked/suspended certificate, error is returned. This should not happen as this status should be received in certificate choice process or in authentication.
Method for returning all the signers of the container.
Method | URL |
---|---|
GET | /containers/{containerId}/signatures |
Parameter | Type | Mandatory | Description |
---|---|---|---|
signatures | Array | - | Array of signature objects. |
signatures[].id | String | + | Signature id taken from signature. |
signatures[].generatedSignatureId | String | + | Unique signature id generated by the service to enable manipulation of signatures. |
signatures[].signerInfo | String | + | Signers certificate DN field. Example "SERIALNUMBER=PNOEE-38001085718, GIVENNAME=JAAK-KRISTJAN, SURNAME=JÕEORG, CN="JÕEORG,JAAK-KRISTJAN,38001085718", C=EE". |
signatures[].signatureProfile | String | + | Signature profile. |
Example response:
{
"signatures": [
{
"id": "id-d6194c14681afa58fbd521780f6ceb1b",
"generatedSignatureId": "208d667a-816e-4309-be6a-36dcebc30602",
"signerInfo": "SERIALNUMBER=PNOEE-38001085718, GIVENNAME=JAAK-KRISTJAN, SURNAME=JÕEORG, CN=\"JÕEORG,JAAK-KRISTJAN,38001085718\", C=EE",
"signatureProfile": "LT"
}
]
}
Method of returning information on a specific signer of the container.
Method | URL |
---|---|
GET | /containers/{containerId}/signatures/{generatedSignatureId} |
Parameter | Type | Mandatory | Description |
---|---|---|---|
id | String | + | Signature id taken from signature |
signerInfo | String | + | Signers certificate DN field. Example "SERIALNUMBER=PNOEE-38001085718, GIVENNAME=JAAK-KRISTJAN, SURNAME=JÕEORG, CN="JÕEORG,JAAK-KRISTJAN,38001085718", C=EE". |
signatureProfile | String | + | Signature profile. |
ocspCertificate | String | - | Certificate of OCSP provider. |
timeStampTokenCertificate | String | - | Certificate of timestamp provider. |
ocspResponseCreationTime | String | - | OCSP creation time. |
timeStampCreationTime | String | - | Timestamp creation time. |
trustedSigningTime | String | - | Time considered as trusted signature creation time. Can be either timestamp or OCSP time, depending on signature profile. |
signingCertificate | String | + | Signers certificate. |
claimedSigningTime | String | + | Computer time on signature creation. This is not trusted signing time! |
roles | Array | - | Array of strings describing the signer role. |
signatureProductionPlace | object | - | Object containing signing location. |
signatureProductionPlace.countryName | String | - | Signing country. |
signatureProductionPlace.city | String | - | Signing city. |
signatureProductionPlace.stateOrProvince | String | - | Signing state or province. |
signatureProductionPlace.postalCode | String | - | Signing postal code. |
Example response:
Method for retrieving validation report (simple report from SIVA service is returned).
Method | URL |
---|---|
GET | /containers/{containerId}/validationreport |
Parameter | Type | Mandatory | Description |
---|---|---|---|
validationConclusion | Object | + | Check SIVA validationConclusion block |
Method for validating a container.
Method | URL |
---|---|
POST | /containers/validationreport |
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerName | String | + | Name of the container. |
container | String | + | Base64 encoded container. ASIC-E, BDOC and DDOC forms are supported. |
Parameter | Type | Mandatory | Description |
---|---|---|---|
validationConclusion | Object | + | Object containinig validation information |
validationConclusion.policy | Object | + | Object containing information of the SiVa signature validation policy that was used for validation. |
validationConclusion.policy.policyName | String | + | Name of the validation policy |
validationConclusion.policy.policyDescription | String | + | Short description of the validation policy. |
validationConclusion.policy.policyUrl | String | + | URL where the signature validation policy document can be downloaded. The validation policy document shall include information about validation of all the document formats, including the different validation policies that are used in case of different file formats and base libraries. |
validationConclusion.signaturesCount | Number | + | Number of signatures found inside digitally signed file. |
validationConclusion.validSignaturesCount | Number | + | Signatures count that have validated to TOTAL-PASSED . See also Signature.Indication field. |
validationConclusion.validationLevel | Date | - | Validation process against what the document is validated, only applicable on DSS based validations. Possible values: ARCHIVAL_DATA |
validationConclusion.validationTime | Date | + | Time of validating the signature by the service. |
validationConclusion.validationWarnings | Array | - | Array of SiVa validation warnings that do not affect the overall validation result. See also signatures.warnings parameter. |
validationConclusion.validationWarnings[].content | String | + | Description of the warning. |
validationConclusion.validatedDocument | Object | - | Object containing information about validated document. |
validationConclusion.validatedDocument.filename | String | - | Digitally signed document`s file name. Not present for hashcode validation. |
validationConclusion.validatedDocument.fileHash | String | - | Calculated hash for validated document in Base64. Present when report signing is enabled. |
validationConclusion.validatedDocument.hashAlgo | String | - | Hash algorithm used. Present when report signing is enabled. |
validationConclusion.signatureForm | - | String | Format (and optionally version) of the digitally signed document container. In case of documents in DIGIDOC-XML (DDOC) format, the "hashcode" suffix is used to denote that the container was validated in hashcode mode, i.e. without original data files. Possible values: DIGIDOC_XML_1.0 DIGIDOC_XML_1.0_hashcode DIGIDOC_XML_1.1 DIGIDOC_XML_1.1_hashcode DIGIDOC_XML_1.2 DIGIDOC_XML_1.2_hashcode DIGIDOC_XML_1.3 DIGIDOC_XML_1.3_hashcode ASiC_E - used in case of all ASIC-E (BDOC) documents and X-Road simple containers that don`t use batch time-stamping (see specification document) ASiC_E_batchsignature - used in case of X-Road containers with batch signature (see specification document) ASiC_S - used in case of all ASIC-S documents |
validationConclusion.signatures | Array | - | Collection of signatures found in digitally signed document |
validationConclusion.signatures[].claimedSigningTime | Date | + | Claimed signing time, i.e. signer`s computer time during signature creation |
validationConclusion.signatures[].id | String | + | Signature ID attribute |
validationConclusion.signatures[].indication | String | + | Overall result of the signatures validation process, according to [ETSI EN 319 102-1](http://www.etsi.org/deliver/etsi_en/319100_319199/31910201/01.01.01_60/en_31910201v010101p.pdf) "Table 5: Status indications of the signature validation process". <br> Note that the validation results of different signatures in one signed document (signature container) may vary. <br> See also validSignaturesCountand SignaturesCount` fields. Possible values: TOTAL-PASSED TOTAL-FAILED INDETERMINATE |
validationConclusion.signatures[].subIndication | String | - | Additional subindication in case of failed or indeterminate validation result, according to ETSI EN 319 102-1 "Table 6: Validation Report Structure and Semantics" |
validationConclusion.signatures[].errors | Array | - | Information about validation error(s), array of error messages. |
validationConclusion.signatures[].errors[].content | String | + | Error message, as returned by the base library that was used for signature validation. |
validationConclusion.signatures[].info | Object | - | Object containing trusted signing time information. |
validationConclusion.signatures[].info.bestSignatureTime | Date | + | Time value that is regarded as trusted signing time, denoting the earliest time when it can be trusted by the validation application (because proven by some Proof-of-Existence present in the signature) that a signature has existed. The source of the value depends on the signature profile (see also SignatureFormat parameter):- Signature with time-mark (LT_TM level) - the producedAt value of the earliest valid time-mark (OCSP confirmation of the signer`s certificate) in the signature. - Signature with time-stamp (LT or LTA level) - the genTime value of the earliest valid signature time-stamp token in the signature. - Signature with BES or EPES level - the value is empty, i.e. there is no trusted signing time value available. |
validationConclusion.signatures[].signatureFormat | String | + | Format and profile (according to Baseline Profile) of the signature. See XAdES Baseline Profile, CAdES Baseline Profile and PAdES Baseline Profile for detailed description of the Baseline Profile levels. Levels that are accepted in SiVa validation policy are described in SiVa signature validation policy Possible values: XAdES_BASELINE_B XAdES_BASELINE_B_BES XAdES_BASELINE_B_EPES XAdES_BASELINE_T XAdES_BASELINE_LT - long-term level XAdES signature where time-stamp is used as a assertion of trusted signing time XAdES_BASELINE_LT_TM - long-term level XAdES signature where time-mark is used as a assertion of trusted signing time. Used in case of BDOC signatures with time-mark profile and DIGIDOC-XML (DDOC) signatures. XAdES_BASELINE_LTA CAdES_BASELINE_B CAdES_BASELINE_T CAdES_BASELINE_LT CAdES_BASELINE_LTA PAdES_BASELINE_B PAdES_BASELINE_T PAdES_BASELINE_LT PAdES_BASELINE_LTA |
validationConclusion.signatures[].signatureLevel | String | - | Legal level of the signature, according to Regulation (EU) No 910/2014. - Possible values on positive validation result: QESIG QESEAL QES ADESIG_QC ADESEAL_QC ADES_QC ADESIG ADESEAL ADES - Possible values on indeterminate validation result: prefix INDETERMINATE is added to the level described in positive result. For example INDETERMINATE_QESIG - Possible values on negative validation result: In addition to abovementioned NOT_ADES_QC_QSCD NOT_ADES_QC NOT_ADES NA - In case of DIGIDOC-XML 1.0..1.3 formats, value is missing as the signature level is not checked by the JDigiDoc base library that is used for validation. However, the signatures can be indirectly regarded as QES level signatures, see also SiVa Validation Policy - In case of XROAD ASICE containers the value is missing as the asicverifier base library do not check the signature level. |
validationConclusion.signatures[].signedBy | String | + | Signers name and identification number, i.e. value of the CN field of the signer`s certificate |
validationConclusion.signatures[].subjectDistinguishedName | Object | - | Object containing subject`s distinguished name information. |
validationConclusion.signatures[].subjectDistinguishedName.serialNumber | String | + | SERIALNUMBER value portion in signers certificate s subject distinguished name |
validationConclusion.signatures[].subjectDistinguishedName.commonName | String | + | CN (common name) value portion in signers certificate s subject distinguished name |
validationConclusion.signatures[].signatureScopes | Array | - | Contains information of the original data that is covered by the signature. |
validationConclusion.signatures[].signatureScopes[].name | String | + | Name of the signature scope. |
validationConclusion.signatures[].signatureScopes[].scope | String | + | Type of the signature scope. |
validationConclusion.signatures[].signatureScopes[].content | String | + | Description of the scope. |
validationConclusion.signatures[].warnings | Array | - | Validation warnings that do not affect the overall validation result. |
validationConclusion.signatures[].warnings[].content | String | + | Warning description, as retuned by the base library that was used for validation. |
Method for retrieving the container.
Method | URL |
---|---|
GET | /containers/{containerId} |
Parameter | Type | Mandatory | Description |
---|---|---|---|
containerName | String | + | Name of the container. |
container | String | + | Base64 encoded container. |
Method for deleting container in use. This closes the active "session". It is recommended to delete container after usage as unclosed sessions may max out allowed connections count for the service.
Method | URL |
---|---|
DELETE | /containers/{containerId} |
Parameter | Type | Mandatory | Description |
---|---|---|---|
result | String | + | OK is returned |
Parameter | Type | Mandatory | Description |
---|---|---|---|
errorCode | String | + | Error code |
errorMessage | String | + | Error description |