- Created by Karolin Hemmingsson on Oct 09, 2018
A signing request follows exactly the same process flow as an authentication request. For more information, see Example: Personal Desktop authentication.
Prerequisites
- Installed Hermod, see here.
Step-by-step instruction
Create signing request in Hermod
Create a signing request in Hermod with the POST /rest/command/sign command. See example:
Example: Signing command
POST /rest/command/sign
{
  "commandHeader": {
    "lifespan": 30,
    "timeout": 30,
    "to": [ "@tmp" ]
  },
  "signCommand": {
    "params": {
      "description": [
        {
          "content_encoding": "base64",
          "content_type": "text/plain",
          "data": "UGVyc29uYWw=",
          "description": "Signing request from",
          "key": "requester",
          "visible": true
        }
      ],
      "filter": {
        "op": "eq",
        "param": "key.type",
        "value": "RSA"
      },
      "format": "pkcs7",
      "mechanism": "CKM_SHA256_RSA_PKCS",
      "tbs": [
        {
          "content_encoding": "base64",
          "content_type": "text/plain",
          "data": "VHJhbnNmZXIgNTAwIFVTRCBmcm9tIENheW1hbiBJc2xhbmQgdG8gSG9sZWJyb29rIEx0ZC4=",
          "description": "Text to sign",
          "key": "tbs",
          "visible": true
        }
      ]
    }
  }
}
Example: Signing response
Response 200 OK
{
  "commandId": "688",
  "destinations": [
    {
      "to": "@tmp",
      "bid": "11318956-2040-4360-941d-437e4ddd810c",
      "uri": "com.nexusgroup.plugout:///?url=http%3a%2f%2fnexus-cod1.ad.nexusgroup.com%3A20401%2fhermod%2Frest%2Fms%2F11318956-2040-4360-941d-437e4ddd810c&token=0464297b-8406-4f94-a734-628d071069d8",
      "mid": "14fc191a-a0a3-4ae3-929a-e37efafdb510",
      "location": "http://nexus-cod1.ad.nexusgroup.com:20401/hermod/rest/ms/11318956-2040-4360-941d-437e4ddd810c/14fc191a-a0a3-4ae3-929a-e37efafdb510"
    }
  ],
  "commandType": "SIGN",
  "state": "IN_PROGRESS",
  "fqdn": "nexus-cod1.ad.nexusgroup.com"
}
Start Personal Desktop
Add the URI from the response as a link.
The protocol handler for Personal Desktop will open the plugout dialog:
Example URI
com.nexusgroup.plugout:///?url=http%3a%2f%2fnexus-cod1.ad.nexusgroup.com%3A20401%2fhermod%2Frest%2Fms%2F11318956-2040-4360-941d-437e4ddd810c&token=0464297b-8406-4f94-a734-628d071069d8
Validate signing response
When the user has provided the smart card and entered the PIN, Personal Desktop signs the request and sends the response to Hermod, which forwards the response to the application server in a callback.
Validate the response:
Example: Signing callback command
POST https://my-registered-callbackserver/rest/callback/sign
Example: Signing callback response
Response 200 OK
{
  "responseHeader": {
    "inReplyTo": "https://nexus-cod1.test.nexusgroup.com:20400/hermod/rest/ms/1557ac95-5c1c-4dff-a9aa-f1176744f5a6/31a10af2-8fe5-4847-b4e5-5272bdaee07b",
    "status": 200
  },
  "signResponse": {
    "code": 0,
    "result": {
      "signature": "<base64 signature omitted>",
      "mechanism": "CKM_SHA256_RSA_PKCS",
      "format": "pkcs7",
      "signer": {
        "certificate": "<base64 certificate omitted>"
      }
    }
  },
  "commandId": "687",
  "destinations": [
    {
      "to": "@tmp",
      "bid": "1557ac95-5c1c-4dff-a9aa-f1176744f5a6",
      "uri": "com.nexusgroup.plugout:///?url=https%3a%2f%2fnexus-cod1.test.nexusgroup.com%3A20400%2fhermod%2Frest%2Fms%2F1557ac95-5c1c-4dff-a9aa-f1176744f5a6&token=98dab581-6bf6-4c9d-8c78-dac98f5b899f",
      "mid": "31a10af2-8fe5-4847-b4e5-5272bdaee07b",
      "location": "https://nexus-cod1.test.nexusgroup.com:20400/hermod/rest/ms/1557ac95-5c1c-4dff-a9aa-f1176744f5a6/31a10af2-8fe5-4847-b4e5-5272bdaee07b"
    }
  ],
  "commandType": "SIGN",
  "state": "COMPLETED",
  "fqdn": "nexus-cod1.test.nexusgroup.com"
}
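The checks an application server should run on the callback body before trusting the signature, as an added example that is not part of this page or of Hermod: it assumes the application kept the "location", mechanism and format from its own sign command response, keyed by commandId, and the callback body below is constructed with dummy base64 values in place of the real signature and certificate.

```python
import json

# Constructed sample of what the application stores when it issues the sign
# command: the "location" from the sign command response plus the mechanism
# and format it asked for (values taken from the examples on this page).
PENDING = {"687": {
    "location": "https://nexus-cod1.test.nexusgroup.com:20400/hermod/rest/ms/"
                "1557ac95-5c1c-4dff-a9aa-f1176744f5a6/31a10af2-8fe5-4847-b4e5-5272bdaee07b",
    "mechanism": "CKM_SHA256_RSA_PKCS",
    "format": "pkcs7",
}}

# Constructed callback body; signature and certificate are dummy base64 values.
CALLBACK = json.dumps({
    "responseHeader": {"inReplyTo": PENDING["687"]["location"], "status": 200},
    "signResponse": {"code": 0, "result": {
        "signature": "c2ln", "mechanism": "CKM_SHA256_RSA_PKCS", "format": "pkcs7",
        "signer": {"certificate": "Y2VydA=="}}},
    "commandId": "687", "commandType": "SIGN", "state": "COMPLETED",
})

def validate_sign_callback(body: str, pending: dict) -> list:
    """Return the problems found; an empty list means the callback is acceptable."""
    msg = json.loads(body)
    expected = pending.get(msg.get("commandId"))
    if expected is None:
        return ["commandId does not belong to a sign command we issued"]
    problems = []
    hdr = msg.get("responseHeader", {})
    # The callback must answer the exact message location Hermod returned to us.
    if hdr.get("inReplyTo") != expected["location"]:
        problems.append("inReplyTo does not match the stored location")
    if hdr.get("status") != 200:
        problems.append("responseHeader.status is not 200")
    if msg.get("commandType") != "SIGN" or msg.get("state") != "COMPLETED":
        problems.append("not a completed SIGN command")
    resp = msg.get("signResponse", {})
    if resp.get("code") != 0:
        problems.append("signResponse.code signals an error")
    result = resp.get("result", {})
    # Mechanism and output format must be the ones the application requested.
    if result.get("mechanism") != expected["mechanism"]:
        problems.append("unexpected signing mechanism")
    if result.get("format") != expected["format"]:
        problems.append("unexpected signature format")
    # PKCS#7 blob and signer certificate must be present; verifying the blob is a separate step.
    if not result.get("signature") or not result.get("signer", {}).get("certificate"):
        problems.append("signature or signer certificate missing")
    return problems
```

These checks only establish that the callback belongs to a request this application issued and has the expected shape; the PKCS#7 signature still has to be verified cryptographically against the signer certificate and a trusted CA chain.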