Security Requirements
API Key
All requests from the partner to Gotadi's system must include the following headers to support security operations and data statistics for Gotadi:
apikey: <api_key>
x-ibe-req-name: <access_code>
Note
The <api_key> and <access_code> values are provided by Gotadi to the Partner.
Digital signature
Some important APIs require a digital signature to be attached to the request and response for authentication.
Generating a Digital Signature
The sender applies the RSA-SHA256 algorithm combined with their own Private Key to sign the digital signature on the signature data.
Note: The schema for constructing the signature data will be specifically described in each API.
Java example code
public static String signRSA(String signatureData, String xmlPrivateKey) throws Exception {
PrivateKey privateKey = getPrivateKeyFromXML(xmlPrivateKey);
Signature instance = Signature.getInstance("SHA256withRSA");
instance.initSign(privateKey);
instance.update(signatureData.getBytes("UTF-8"));
byte[] signature = instance.sign();
return Base64.encodeBase64String(signature);
}Digital signature verification
The receiver uses the RSA-SHA256 algorithm and the sender's Public Key to verify the signature created by the sender.a.
Java example code
public static boolean verifyRSA(String signedData, String signature, String xmlPublicKey) throws Exception {
PublicKey publicKey = getPublicKeyFromXML(xmlPublicKey);
Signature instance = Signature.getInstance("SHA256withRSA");
instance.initVerify(publicKey);
instance.update(signedData.getBytes("UTF-8"));
return instance.verify(Base64.decodeBase64(signature));
}
Last updated