Solved

HTTP message signing



For a client we're currently scoping the development of a new integration to their system.

This platform offers data exchange services between multiple parties. Their service is API based with the actual message traffic being sent in XML. Because of the type of data being processed, security is extremely important to all parties involved.

It is therefore mandatory to sign all outgoing messages. Their documentation contains the following example on how to do this within the context of Postman.

openssl dgst -sha256 -sign '[private_key_name].key' -out '[signature_name].sha256' '[message_name].xml'

It then asks you to base64 encode the signature_name.sha256 and message_name.xml before transmission.

How would we approach this from within a Thinkwise environment?


Best answer by Mark Jongeling 25 May 2021, 08:23


2 replies


Hi Bas,

Within the Thinkwise platform we currently don't have a way to do this. After some research of our own we found some interesting ways of approaching this.

  1. Maybe it's possible by using SQL Server certificates: https://docs.microsoft.com/en-us/sql/t-sql/statements/create-certificate-transact-sql?view=sql-server-ver15 and https://docs.microsoft.com/en-us/sql/t-sql/functions/signbycert-transact-sql?view=sql-server-ver15
  2. If that doesn't work, a CLR procedure in SQL Server might be a solution, although this is less than ideal.
  3. If the SQL Server crypto functions don't give the desired result, maybe it's possible with OLE Automation: https://www.example-code.com/sql/xmldsig_sign_dsa.asp

All of these suggestions need some more and deeper research. Does this help?

 


Because of another issue we had, we already needed to use an AWS Lambda function; it ended up being easier to have this Lambda function expose an API that returned the required signature for a specific message.

I think we didn’t get it to work within SQL Server because we lacked knowledge and authorisation to create and work with certificates.

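The signing step from the question (SHA-256 digest signed with the private key, then signature and message both base64 encoded), as an added example that is not part of the original thread or the platform's documentation. It assumes an RSA key and a Node.js runtime; the key pair, the sample XML and the field names `message` and `signature` are constructed for illustration.

```javascript
// Added example: Node.js equivalent of `openssl dgst -sha256 -sign` followed
// by base64 encoding. Assumes an RSA key; all sample values are constructed.
const crypto = require('node:crypto');

// Constructed stand-in for the real signing key. In a deployment the PEM is
// loaded from a secret store at runtime, never embedded in source code.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
});

// Constructed sample message.
const sampleXml =
  '<?xml version="1.0" encoding="UTF-8"?>\n<message><id>42</id></message>\n';

// Sign the exact bytes that will be transmitted. Re-serialising the XML after
// signing (whitespace, encoding, line endings) invalidates the signature.
function signMessage(xmlBytes, key) {
  // For RSA keys Node defaults to PKCS#1 v1.5 padding, as openssl dgst does.
  const signature = crypto.sign('sha256', xmlBytes, key);
  return {
    message: xmlBytes.toString('base64'),     // hypothetical field name
    signature: signature.toString('base64'),  // hypothetical field name
  };
}

// Receiver side: decode both fields and verify before parsing the XML.
function verifyMessage(payload, pubKey) {
  const xmlBytes = Buffer.from(payload.message, 'base64');
  const signature = Buffer.from(payload.signature, 'base64');
  return crypto.verify('sha256', xmlBytes, pubKey, signature);
}

const payload = signMessage(Buffer.from(sampleXml, 'utf8'), privateKey);
console.log('signature valid:', verifyMessage(payload, publicKey));
```

A service that signs on behalf of other systems, like the function described in the last reply, holds the private key, so its endpoint needs caller authentication and the key needs the same protection as any other signing credential.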