Signature
The BBMSL online API provides the payment functions. The client and BBMSL must exchange RSA public keys before any API call is made, and the RSA key length must be 2048 bits. When calling the BBMSL API, the client signs the request with its RSA private key. On receiving the request, BBMSL uses the client's RSA public key to verify that the signature matches the content of the request.
About the signature:
- Use the RSA2 (SHA256WithRSA) algorithm to sign the data.
- The private key must follow the PKCS#8 specification, i.e. a PEM file with the header -----BEGIN PRIVATE KEY----- and footer -----END PRIVATE KEY-----. A file whose header reads -----BEGIN RSA PRIVATE KEY----- is a PKCS#1 key and must be converted to PKCS#8 before use.
- The data that is signed is a string; convert the request object to a string before signing.
- The signature is not an independent API. It is a cryptographic mechanism that provides non-repudiation: only the holder of the client's private key can produce a signature that verifies under the client's public key.
- The content that is signed must be byte-for-byte identical to the API request content, otherwise verification on the BBMSL side fails.
- Each API request may carry a signature.
RSA key pair
An RSA key pair consists of a private key and a public key. The private key is required to generate the signature, while the public key is used to verify it.
Generating an RSA key pair
Many tools can generate an RSA key pair. The following steps assume that you use OpenSSL.
- Install OpenSSL.
- On Linux, use the following command:
- Generate the RSA key pair.
- On Linux, use the following command:
- On Windows, use the following command:
After that, two files appear in the current folder, rsaprivatekey.pem and rsapublickey.pem. The former is the private key and the latter is the public key. Check that rsaprivatekey.pem begins with -----BEGIN PRIVATE KEY-----; if it begins with -----BEGIN RSA PRIVATE KEY----- instead, it is in PKCS#1 format and must be converted to PKCS#8 before it can be used for signing.
Uploading the RSA public key
After the RSA key pair is generated, you must exchange public keys with the BBMSL server so that signatures can be verified on both sides, by completing the following steps:
- Upload your public key to the BBMSL merchant portal.
- Obtain the BBMSL public key.
Signing the request
The following figure illustrates a sample API request. The content enclosed by the two curly braces (inclusive) is what is signed to create the RSA signature, and the resulting signature is placed in the signature parameter.
Perform the following steps to sign the message:
- Extract the content to be signed. For example:
- Hash the JSON content with SHA-256 and sign the digest with the client's RSA private key (together, the SHA256withRSA algorithm) to obtain the raw signature. For an adequate security level, the RSA key pair must be 2048 bits. The following sample illustrates a raw signature:
- Base64-encode the raw signature. A sample result is listed below:
- Use the resulting string as the value of the Signature parameter. The following sample shows a whole API request:
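The whole procedure above, from generating the 2048-bit PKCS#8 key pair to signing a request and verifying it on the receiving side, as an added example in Go. This is not BBMSL's code and not the page's own snippet; the request fields (merchantId, amount, currency) are constructed for illustration, and serializing the object with json.Marshal is an assumption, since the page only says to convert the object to a string. The loader refuses a PKCS#1 "RSA PRIVATE KEY" file, which is the format check the PKCS#8 requirement implies, and the verification half shows why the signed bytes must match the request bytes exactly.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// generatePKCS8KeyPair creates the 2048-bit RSA key the spec requires and returns it
// PEM-encoded: private key as PKCS#8 ("BEGIN PRIVATE KEY"), public key as
// SubjectPublicKeyInfo ("BEGIN PUBLIC KEY"), the form uploaded to the merchant portal.
func generatePKCS8KeyPair() (privPEM, pubPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// loadPKCS8PrivateKey accepts only a PKCS#8 block, so a PKCS#1 "RSA PRIVATE KEY" file
// (what older `openssl genrsa` writes) fails with a clear error, and enforces 2048 bits.
func loadPKCS8PrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("expected PKCS#8 'PRIVATE KEY' block, got %q", block.Type)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("PKCS#8 key is not an RSA key")
	}
	if bits := key.N.BitLen(); bits != 2048 {
		return nil, fmt.Errorf("RSA key is %d bits, spec requires 2048", bits)
	}
	return key, nil
}

// loadPublicKey parses the "PUBLIC KEY" block the verifying side holds for the client.
func loadPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a 'PUBLIC KEY' PEM block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	return pub, nil
}

// signRequest implements SHA256withRSA (RSASSA-PKCS1-v1_5 over a SHA-256 digest) and
// Base64-encodes the raw signature for the signature parameter.
func signRequest(key *rsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifyRequest is the receiving side: decode Base64, re-hash the exact bytes received,
// verify with the client's public key. Any change to body makes this return an error.
func verifyRequest(pub *rsa.PublicKey, body []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	privPEM, pubPEM, _ := generatePKCS8KeyPair()
	priv, _ := loadPKCS8PrivateKey(privPEM)
	pub, _ := loadPublicKey(pubPEM)
	// Constructed sample request; field names are illustrative, not BBMSL's schema.
	// json.Marshal sorts map keys, so both sides can reproduce the same string.
	body, _ := json.Marshal(map[string]any{"merchantId": "M0001", "amount": "100.00", "currency": "HKD"})
	sig, _ := signRequest(priv, body)
	fmt.Printf("content:   %s\nsignature: %s\n", body, sig)
	fmt.Println("verify original:", verifyRequest(pub, body, sig))
	tampered := []byte(`{"amount":"999.00","currency":"HKD","merchantId":"M0001"}`)
	fmt.Println("verify tampered:", verifyRequest(pub, tampered, sig))
}
```

The signer and verifier must hash identical bytes, which is why the serialization of the request object has to be fixed on both sides; a reordered key or an extra space in the JSON is enough to make verification fail, exactly as a tampered amount does.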
The signing code snippet in Java:
How to use the sign method:
The signing code snippet in PHP: