How to sign your request payload

A short guide of signing a request is following using bash shell.

1. Open a bash shell and run the following command to define the base64UrlEncode function
    > base64UrlEncode() { printf $(base64 -w 0 - | tr +/ -_ | tr -d '='); }
2. Given that we need to sign the payload body {"Risk":{},"ProductIdentifiers":null}, type the following command to assign it to a variable. The value of the payload must be exactly the same with the payload in your code if you intend to use these steps to verify your calculation. Even whitespaces and new lines are important.
    > payload='{"Risk":{},"ProductIdentifiers":null}'
3. As described under the "Getting started" section of the Alpha Bank Group API Portal, the JOSE header must contain the subsequent fields. Please replace the "kid" value with the thumbprint value of your certificate and then submit it to your shell. The comment on the value of the payload, in the previous step above, also applies in this step, to the header value.
    > header='{"alg":"RS256","typ":"JOSE","cty":"application/json","kid":"d6bf9471dcb82e20954deea05efcc5758aa42bdb","b64":false,"iat":'$(echo $(date --utc +%s))'}'
4. Calculate the base64urlencoded value of the payload and header values.
    > payload_base64=$(printf $payload | base64UrlEncode )
> header_base64=$(printf $header | base64UrlEncode )
5. Concatenate the encoded values with a dot between the two strings.
    > signtarget=$header_base64.$payload_base64
6. At this point, using the private key of your certificate, save your private.key file into the current directory and apply the RSASHA256 algorithm to the “signtarget” value so as to calculate the raw signature using the following command. Please use your private key value as Private Key file (PKCS#8) which starts with the tag "-----BEGIN PRIVATE KEY-----". In this step you can see that the raw signature must be encoded again using base64UrlEncode.
    > signature=$(printf $signtarget | openssl dgst -sha256 -sign private.key | base64UrlEncode )
7. To generate the final "xjws-signature" value type the following command.
    > printf $header_base64..$signature

The final output can be used to verify the calculation of the signature.

References