Create a Digital Signature Batch on the Server

Alias

SignatureWithServerBatchCreation

Description

Creates a batch of digital signatures from the hashes of the data to be signed using a server signing identity.

Request

POST /trustedx-resources/esigp/v1/signatures/server/raw/batch

Content-Type Header

Content-Type: application/json

Body

The body of the request contains the following JSON object:

{
  "sign_identity_id" : {string},
  "signature_algorithm" : {string},
  "requests" : [
    {
      "digest_value" : {string},
      "data" : {string},
      "signature_algorithm" : {string}
    }
  ]
}

sign_identity_id (Required)

Identifier of the signing identity to be used for creating the digital signatures.

signature_algorithm (Optional)

Default signature algorithm, which also fixes the hash algorithm, for the entries of requests[] that do not specify their own requests[].signature_algorithm. Accepted values: rsa-sha1, rsa-sha256, rsa-sha384 and rsa-sha512. If this property is omitted, every entry in requests[] must specify its algorithm. SHA-1 is deprecated for signatures; prefer rsa-sha256 or stronger.

requests[] (Required)

One entry per signature to be created, each carrying the cryptographic hash from which that signature is generated.

requests[].digest_value (Optional)

Base64 encoding of the cryptographic hash from which one of the signatures is generated. Used when the algorithm that applies to the entry is anything other than "rsa-pkcs1" (it is mandatory in that case, and requests[].data must not be present).

requests[].data (Optional)

Base64 encoding of the DigestInfo structure (hash algorithm identifier plus hash value) containing the hash of one piece of data whose rsa-pkcs1 signature is to be generated. Used only when requests[].signature_algorithm is "rsa-pkcs1" (it is mandatory in that case, and requests[].digest_value must not be present).

requests[].signature_algorithm (Optional)

Algorithm to use for this entry's signature: "rsa-pkcs1", "rsa-sha1", "rsa-sha256", "rsa-sha384", "rsa-sha512" or "ecdsa". When omitted, the top-level signature_algorithm applies. The value "rsa-pkcs1" indicates that the hash is supplied already encapsulated in a DigestInfo structure; the signature algorithm effectively requested is therefore RSA with PKCS #1 v1.5 padding combined with the hash algorithm named in that DigestInfo.

Access Control

The request must contain a bearer access token issued by a trusted authorization server associated with the domain of the signing identity to be used for generating the signatures. The token must have a scope that includes the value configured for the signing identity (by default, urn:safelayer:eidas:sign:identity:use:server) and must be presented as described in RFC 6750, that is, in an Authorization header:

Authorization: Bearer <token>

The access token must be obtained via an OAuth 2.0 authorization code grant flow.

Additional Requirements If the Signing Identity Is Enabled Via Password in the HSM or Via the SAM

If the signing identity to be used to create the digital signatures is enabled via a password validated by the HSM or via the SAM, the authorization request of the OAuth 2.0 flow must also carry the following parameters. They bind the authorization to the exact batch that is submitted afterwards, so signatures can only be created over the hashes that were authorized:

  • The sign_identity_id parameter, whose value must be the identifier of the signing identity to be used for creating the digital signatures.

  • The digests_summary parameter, whose value must be the base64 encoding of the cryptographic hash of the concatenation of the data and cryptographic hashes to be signed (the requests[].data and requests[].digest_value values). The concatenation must use the same data and hashes, in the same order, as the requests[] array of the operation request sent afterwards.

  • The digests_summary_algorithm parameter, whose value must be the algorithm used to obtain that hash. Accepted values are "sha256", "sha384" and "sha512".
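The following is an added example, not code from the original page or from the product, showing how a client assembles the request body described in the table above and the digests_summary parameters described in this section from the raw data to be signed: a bare hash in digest_value for rsa-shaN and ecdsa entries, a DER DigestInfo in data for rsa-pkcs1 entries, and the per-entry algorithm falling back to the top-level default. The DigestInfo prefixes are the standard ones from RFC 8017. Two points are assumptions of the example rather than statements of the page: the digests_summary concatenation is taken over the raw (base64-decoded) bytes of each hash or DigestInfo in request order, and an ecdsa entry needs the caller to name the hash algorithm. The sign_identity_id value and the input strings are constructed sample data.

```python
import base64
import hashlib
import json

# DER prefix of the PKCS #1 DigestInfo structure for each hash (RFC 8017, section 9.2, note 1).
# DigestInfo = prefix || hash value; the prefix names the hash algorithm by OID.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def digest_info(hash_name: str, digest: bytes) -> bytes:
    """DER-encoded DigestInfo wrapping 'digest', the form the rsa-pkcs1 'data' property carries."""
    size = hashlib.new(hash_name).digest_size
    if len(digest) != size:
        raise ValueError(f"{hash_name} digest must be {size} bytes, got {len(digest)}")
    return DIGEST_INFO_PREFIX[hash_name] + digest


def hash_name_for(algorithm: str, explicit_hash):
    """rsa-shaN fixes the hash itself; rsa-pkcs1 and ecdsa need the caller to name one
    (for ecdsa that is an assumption of this example, the page does not specify it)."""
    if algorithm.startswith("rsa-sha"):
        return algorithm[len("rsa-"):]          # "rsa-sha256" -> "sha256"
    if explicit_hash is None:
        raise ValueError(f"{algorithm} needs an explicit hash algorithm")
    return explicit_hash


def build_batch_request(sign_identity_id: str, items, default_algorithm=None):
    """items: iterable of (data_bytes, signature_algorithm_or_None, hash_name_or_None).
    Returns the JSON body (as a dict) and the list of hash blobs actually sent, in order,
    which is exactly what digests_summary() has to be computed over."""
    requests, sent = [], []
    for data, algorithm, explicit_hash in items:
        effective = algorithm or default_algorithm
        if effective is None:
            raise ValueError("entry has no algorithm and there is no top-level default")
        hash_name = hash_name_for(effective, explicit_hash)
        digest = hashlib.new(hash_name, data).digest()
        if effective == "rsa-pkcs1":
            # rsa-pkcs1: the hash travels inside a DigestInfo in 'data'
            blob = digest_info(hash_name, digest)
            entry = {"data": base64.b64encode(blob).decode()}
        else:
            # every other algorithm: the bare hash travels in 'digest_value'
            blob = digest
            entry = {"digest_value": base64.b64encode(blob).decode()}
        if algorithm is not None:
            entry["signature_algorithm"] = algorithm   # otherwise the top-level default applies
        requests.append(entry)
        sent.append(blob)
    body = {"sign_identity_id": sign_identity_id, "requests": requests}
    if default_algorithm is not None:
        body["signature_algorithm"] = default_algorithm
    return body, sent


def digests_summary(sent, algorithm: str = "sha256") -> dict:
    """Extra OAuth 2.0 authorization-request parameters for identities enabled via HSM
    password or SAM. ASSUMPTION: the concatenation is over the raw (base64-decoded)
    bytes of every hash / DigestInfo, in request order; confirm against your deployment."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("digests_summary_algorithm must be sha256, sha384 or sha512")
    summary = hashlib.new(algorithm, b"".join(sent)).digest()
    return {"digests_summary": base64.b64encode(summary).decode(),
            "digests_summary_algorithm": algorithm}


if __name__ == "__main__":
    # Constructed sample inputs, not data from the original page.
    items = [
        (b"first document to sign", None, None),             # uses the top-level default
        (b"second document to sign", "rsa-sha384", None),
        (b"third document to sign", "rsa-pkcs1", "sha512"),  # hash pre-wrapped in DigestInfo
    ]
    body, sent = build_batch_request("12345678", items, default_algorithm="rsa-sha256")
    print(json.dumps(body, indent=2))
    print(digests_summary(sent, "sha256"))
```

The returned `sent` list is the only thing the authorization step needs: it is computed from the same blobs, in the same order, that end up in requests[], so a mismatch between what the user authorized and what is submitted cannot creep in between the two steps.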

Example

POST /trustedx-resources/esigp/v1/signatures/server/raw/batch HTTP/1.1
Host: www.example.org
Content-Type: application/json
Authorization: Bearer mF_9.B5f-4.1JqM

{
  "sign_identity_id": "12345678",
  "signature_algorithm": "rsa-sha1",
  "requests": [
    {
      "digest_value": "RXN0byBlcyB1biBoYXNoIFNoYTE=",
      "signature_algorithm": "rsa-sha1"
    },
    {
      "digest_value": "siHZ27CDp/M0KNfCo8MZiuklYU1wIQ4ocWzKp81N23k=",
      "signature_algorithm": "rsa-sha256"
    }
  ]
}

Response

Status-Line

If the signatures are created successfully, the HTTP response will contain the following Status-Line (see Status of the HTTP Responses for all the possible cases).

HTTP/1.1 200 OK

Content-Type Header

Content-Type: application/json

Body

List of the digital signatures created.

{
  "signatures" : [ {string} ]
}

signatures[]

Digital signatures encoded in base64, in the same order as the entries of requests[] whose hashes they were created from. Match each signature to its request by position; the response carries no other correlation.
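What a client does with the response, as an added example that is not code from the original page or from the product: pair each returned signature with its request by position, then verify each RSA signature by rebuilding the expected PKCS #1 v1.5 encoded message and comparing it whole, which is the verification procedure RFC 8017 prescribes and the one that does not fall to lenient-padding forgeries. Assumptions of the example: an rsa-sha256 entry yields an RSASSA-PKCS1-v1_5 signature over the DigestInfo of the supplied hash (the page states this construction only for rsa-pkcs1); the service is replaced by `mock_server_sign_batch`, a stand-in that signs with a toy, deliberately factorable RSA key built from two Mersenne primes so the block runs offline; against a real deployment the modulus and exponent come from the signing identity's certificate, and the request body is a constructed sample.

```python
import base64
import hashlib
import hmac

# Toy RSA key built from two Mersenne primes so the example is deterministic and
# self-contained. It is trivially factorable: demonstration only, never use such a key.
P = (1 << 521) - 1      # 2^521 - 1, prime
Q = (1 << 127) - 1      # 2^127 - 1, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1); this example
# handles rsa-sha256 and rsa-pkcs1 entries only.
SHA256_DIGEST_INFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def modulus_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v1_5(t: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, PS being at least eight 0xFF bytes (RFC 8017, 9.2)."""
    if k < len(t) + 11:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def expected_t(req: dict) -> bytes:
    """DigestInfo the server signs for one batch entry: supplied verbatim in 'data' for
    rsa-pkcs1, derived from the bare hash in 'digest_value' for rsa-sha256 (assumption:
    rsa-sha256 is RSASSA-PKCS1-v1_5 over that DigestInfo)."""
    alg = req["signature_algorithm"]
    if alg == "rsa-pkcs1":
        return base64.b64decode(req["data"])
    if alg == "rsa-sha256":
        return SHA256_DIGEST_INFO_PREFIX + base64.b64decode(req["digest_value"])
    raise ValueError(f"algorithm not handled by this example: {alg}")


def mock_server_sign_batch(body: dict) -> dict:
    """Stand-in for the service: signs each entry with the toy key, in request order."""
    k = modulus_len(N)
    sigs = []
    for req in body["requests"]:
        m = int.from_bytes(emsa_pkcs1_v1_5(expected_t(req), k), "big")
        sigs.append(base64.b64encode(pow(m, D, N).to_bytes(k, "big")).decode())
    return {"signatures": sigs}


def verify_rsa_pkcs1_v1_5(signature: bytes, t: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 verification (RFC 8017, 8.2.2): rebuild EM and compare it whole.
    Parsing the recovered padding leniently instead is how signature forgeries slip in."""
    k = modulus_len(n)
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v1_5(t, k))


def check_batch_response(body: dict, response: dict, n: int, e: int) -> list:
    """Pair signatures with requests by position (the order the API guarantees) and verify each."""
    sigs = response["signatures"]
    if len(sigs) != len(body["requests"]):
        raise ValueError(f"got {len(sigs)} signatures for {len(body['requests'])} requests")
    return [verify_rsa_pkcs1_v1_5(base64.b64decode(sig), expected_t(req), n, e)
            for req, sig in zip(body["requests"], sigs)]


def sample_body() -> dict:
    """Constructed two-entry batch: one rsa-sha256 hash, one rsa-pkcs1 DigestInfo."""
    d1 = hashlib.sha256(b"first document (constructed sample)").digest()
    d2 = hashlib.sha256(b"second document (constructed sample)").digest()
    return {"sign_identity_id": "12345678", "requests": [
        {"digest_value": base64.b64encode(d1).decode(), "signature_algorithm": "rsa-sha256"},
        {"data": base64.b64encode(SHA256_DIGEST_INFO_PREFIX + d2).decode(),
         "signature_algorithm": "rsa-pkcs1"},
    ]}


if __name__ == "__main__":
    body = sample_body()
    response = mock_server_sign_batch(body)
    print(check_batch_response(body, response, N, E))   # [True, True]
```

Verifying against the DigestInfo the client itself built is what makes a raw-signature API safe to use: the server signs whatever hash it is handed, so the client, not the server, is the party that knows which document a given signature is supposed to cover, and a reordered or substituted entry in the response shows up as a verification failure at that position.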