ЕСОЗ - public documentation
Digital signature validation
Purpose
This page describes the main validations of a Digital Signature (DS)
Validate DS
Validate request is signed
in case of error - return 422 (“Invalid signature” OR “Invalid signed content” for medical_events requests)
Check DS is valid and not expired
Validate that DS belongs to the user
Check that DRFO from DS and party.tax_id match
in case of error - return 422 (“Does not match the signer drfo”)
Cases with more than 1 signature
If more than 1 signature is needed for the request:
Validate request is signed
in case of error - return 422 (“Invalid signature”)
If at least 1 signature is present - check the other signatures / stamps
in case of error - return 422 (“document must contain <number> signature and <number> stamps but contains <number> signatures and <number> stamps”)
If all signatures / stamps are present, valid and not expired - validate that DS belongs to the user
Check that DRFO from DS and party.tax_id match
in case of error - return 422 (“Does not match the signer drfo”)
Additional cases
In some cases a DS timestamp check is performed (currently relevant for PIS auth endpoints):
Check that the difference in minutes between the current datetime and the datetime of the signed_content signature timestamp (created_at field, in EET format) is less than the SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES config parameter
in case of error - return 401 ('Digital signature timestamp is expired')
In some cases (for example, Process Medication dispense) a signer last_name check is performed:
Check that Last Name from DS and party.last_name match
in case of error - return 422 (“Does not match the signer last name”)
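The checks above, chained in the order the page lists them, as an added example (not code from the ЕСОЗ platform). It assumes cryptographic verification has already been done by a signature service; the per-signature fields is_valid, is_stamp, drfo and surname, the function name and its parameters are hypothetical, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

EET = timezone(timedelta(hours=2), "EET")  # fixed UTC+2 offset, used only for sample data
# Constructed sample data; field names other than tax_id / last_name are hypothetical.
PARTY = {"tax_id": "1234567890", "last_name": "Shevchenko"}
SIGNER = {"is_valid": True, "is_stamp": False, "drfo": "1234567890", "surname": "Shevchenko"}
STAMP = {"is_valid": True, "is_stamp": True, "drfo": None, "surname": None}


def validate_ds(signatures, party, *, need_signs=1, need_stamps=0,
                check_last_name=False, created_at=None, now=None, valid_minutes=None):
    """Return None when every check passes, otherwise (http_status, message)."""
    # Assumption: invalid or expired entries are simply not counted.
    valid = [s for s in signatures if s["is_valid"]]
    signs = [s for s in valid if not s["is_stamp"]]
    stamps = [s for s in valid if s["is_stamp"]]
    # 1. The request must carry at least one valid, unexpired signature.
    if not signs:
        return 422, "Invalid signature"
    # 2. Multi-signature requests (assumption: the counts must match exactly).
    if (len(signs), len(stamps)) != (need_signs, need_stamps):
        return 422, (f"document must contain {need_signs} signature and {need_stamps} "
                     f"stamps but contains {len(signs)} signatures and {len(stamps)} stamps")
    # 3. The DS must belong to the user: DRFO from the DS equals party.tax_id.
    signer = next((s for s in signs if s["drfo"] == party["tax_id"]), None)
    if signer is None:
        return 422, "Does not match the signer drfo"
    # 4. Optional last-name check, done on the same signer whose DRFO matched so
    #    that DRFO and surname cannot come from two different signatures.
    if check_last_name and signer["surname"] != party["last_name"]:
        return 422, "Does not match the signer last name"
    # 5. Optional freshness check. Both datetimes must be timezone-aware so an EET
    #    created_at compares correctly with a UTC clock. Assumption: a timestamp
    #    in the future is rejected as well.
    if valid_minutes is not None:
        age = ((now or datetime.now(timezone.utc)) - created_at) / timedelta(minutes=1)
        if not 0 <= age < valid_minutes:
            return 401, "Digital signature timestamp is expired"
    return None
```
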