ЕСОЗ - public documentation

Digital signature validation

Purpose

This page describes the main validations of a Digital Signature (DS).

Validate DS

  1. Validate request is signed

    1. in case of error - return 422 (“Invalid signature” OR “Invalid signed content” for medical_events requests)

  2. Check DS is valid and not expired

  3. Validate that DS belongs to the user

    1. Check that DRFO from DS and party.tax_id match

      1. in case of error - return 422 (“Does not match the signer drfo”)

Cases with more than 1 signature

If more than 1 signature is needed for a request:

  • Validate request is signed

    • in case of error - return 422 (“Invalid signature”)

  • If 1 signature (or more) is present - check other signatures / stamps

    • in case of error - return 422 (“document must contain <number> signature and <number> stamps but contains <number> signatures and <number> stamps”)

  • If all signatures / stamps are present, valid and not expired - validate that DS belongs to the user

    1. Check that DRFO from DS and party.tax_id match

      1. in case of error - return 422 (“Does not match the signer drfo”)


Additional cases

In some cases a DS timestamp check is present (currently relevant for PIS auth endpoints):

  • Check that the difference in minutes between the current datetime and the datetime of the signed_content signature timestamp (created_at field, in EET format) is less than the SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES config parameter

    • in case of error - return 401 ('Digital signature timestamp is expired')

In some cases (for example Process Medication dispense) a signer last_name check is present:

  • Check that Last Name from DS and party.last_name match

    • in case of error - return 422 (“Does not match the signer last name”)
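
The signer checks above (DRFO match, timestamp freshness, last name), as an added example that is not the project's own code. It assumes the signature has already passed the "signed" and "valid and not expired" steps; the function name, the dict shapes, the order of the two optional checks, and reading "EET format" as UTC+2 wall-clock time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: "EET format" means created_at is wall-clock time at UTC+2.
EET = timezone(timedelta(hours=2), "EET")


def check_signer(signature, party, now=None,
                 timestamp_valid_minutes=None, check_last_name=False):
    """Return None if every enabled check passes, else (http_status, message).

    `signature` is a hypothetical dict from an already verified DS:
    {"drfo": str, "last_name": str, "created_at": ISO-8601 str}.
    `party` is a hypothetical dict: {"tax_id": str, "last_name": str}.
    """
    # DS must belong to the user: DRFO from the DS equals party.tax_id.
    if signature["drfo"] != party["tax_id"]:
        return 422, "Does not match the signer drfo"

    # Optional freshness check (value of
    # SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES, or None to skip).
    if timestamp_valid_minutes is not None:
        now = now or datetime.now(timezone.utc)
        created = datetime.fromisoformat(signature["created_at"])
        if created.tzinfo is None:
            # Attach the zone before subtracting; comparing a naive EET
            # value with UTC "now" would skew the age by two hours.
            created = created.replace(tzinfo=EET)
        age_minutes = (now - created).total_seconds() / 60
        # The difference must be strictly less than the limit.
        if not age_minutes < timestamp_valid_minutes:
            return 401, "Digital signature timestamp is expired"

    # Optional last-name check; exact comparison, since the page does not
    # specify any normalization.
    if check_last_name and signature["last_name"] != party["last_name"]:
        return 422, "Does not match the signer last name"
    return None


# Constructed sample data, not taken from a real request.
SAMPLE_SIGNATURE = {"drfo": "1234567890", "last_name": "Шевченко",
                    "created_at": "2024-01-15T12:00:00"}
SAMPLE_PARTY = {"tax_id": "1234567890", "last_name": "Шевченко"}
```

Pass `now` as a timezone-aware datetime; the default is the current UTC time.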
