CSC signing
To perform CSC signatures via API using server-side signing, follow the steps mentioned below. These steps outline the necessary API calls and conditions to successfully complete a single document signing operation through the server.
CSC Signing - Client Credentials Flow
1. The signatory is identified via the access token provided in the API call, which means authentication is required before initiating the signing process. The access token must be issued directly to the signatory through the authentication API.
2. If modifications are needed before signing, the Fill Form Fields API should be called beforehand. Note that any mandatory input fields must be completed for the signing process to succeed.
3. To determine which Signing Servers should be displayed based on a signature field’s level of assurance, the signature application must call the Get Signature Settings API. This API provides details of all available signing servers along with their corresponding levels of assurance.
4. The signature application uses the "Get RSSP Information" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
5. The signature application uses the "Get RSSP Info" API which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
6. The signature application gets the access token using the "Get Access Token | SAD" API. The server itself decides the grant_type (client_credentials / authorization_code) depending on its configuration.
7. The signature application gets the list of credentials associated using the "Get Filtered Credential List" API. If RUT filtration is required, this API filters the credentials according to the RUT values. A user may have one or multiple credentials hosted by a single remote signing service provider.
8. The signature application gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "Get Credentials Info" API.
9. If the "authorization_required" parameter is true in the response of the "Get RSSP Information" API, the "Get Account Token" API shall be used to get the account_token, which will be used to call the "oauth2/authorize" CSC Server endpoint.
10. Use the "Get Document Hash" API to get the hash of the document.
The signature application can use any one of the following APIs for authorization of the credential ID, based on the response of the "Get Credentials Info" API of the CSC server:
o "Send OTP via RSSP" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
o "RSSP Credentials Authorization" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "Get Sign Hash from RSSP" API request.
o "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD via the "Get Access Token | SAD" API. The SAD received in response shall be used in the "Get Sign Hash from RSSP" API request.
11. Use the "Embed Signature" API to embed signatures in the document.
12. The signature application uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
o "Revoke Access Token" API to revoke the service access token or refresh token.
o "Revoke OAuth2 Access Token" API to revoke an OAuth 2.0 access token or refresh token.
13. After the signing process is complete, if the signatory is the final signer, the Finish Processing API must be invoked. Without this step, the document will remain in an "In Progress" state for the owner. Once the API is called, the status updates to "Completed."
Finally, after signing, the Get Document Verification API can be used to retrieve the verification response.
The CSC Signing process can be a one-step or two-step operation, depending on the SCAL value returned by the "Get Credentials Info" API response. The distinction lies in how the document hash is calculated and how the signature is embedded.
1-Step Sign:
Condition: If SCAL is 1 in the "Get Credentials Info" API response, the signature application does not need to call the "Get Document Hash" API to calculate the document hash.
Process: The application simply collects the necessary data to call the "Sign Document via RSSP Directly" API. This API will automatically calculate the document hash, sign it using the CSC server, and embed the signature directly into the document.
2-Step Sign:
Condition: If SCAL is 2 in the "Get Credentials Info" API response, the following steps are required:
Process: Follow the below steps:
First, the signature application must call the "Get Document Hash" API to retrieve the document’s hash.
Next, the application must call the "Embed Signature" API to embed the signature into the document.
CSC Signing - Authorisation Code Flow
1. The signatory is identified via the access token provided in the API call, which means authentication is required before initiating the signing process. The access token must be issued directly to the signatory through the authentication API.
2. If modifications are needed before signing, the Fill Form Fields API should be called beforehand. Note that any mandatory input fields must be completed for the signing process to succeed.
3. To determine which Signing Servers should be displayed based on a signature field’s level of assurance, the signature application must call the Get Signature Settings API. This API provides details of all available signing servers along with their corresponding levels of assurance.
4. The signature application uses the "Get RSSP Information" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
5. The signature application uses the "Get RSSP Info" API which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
6. If the "authorization_required" parameter is true in the response of the "Get RSSP Information" API, the "Get Account Token" API shall be used to get the account_token, which will be used to call the "oauth2/authorize" CSC Server endpoint.
7. The signature application requests authorization for the user to access the RSSP resources using the "oauth2/authorize" API of the CSC server. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain an access token.
8. The signature application gets the access token using the "Get Access Token | SAD" API which returns the Bearer/SAD token.
9. The signature application gets the list of credentials associated using the "Get Filtered Credential List" API. If RUT filtration is required, this API filters the credentials according to the RUT values. A user may have one or multiple credentials hosted by a single remote signing service provider.
10. The signature application gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "Get Credentials Info" API.
11. Use the "Get Document Hash" API to get the hash of the document.
The signature application can use any one of the following APIs for authorization of the credential ID, based on the response of the "Get Credentials Info" API of the CSC server:
o "Send OTP via RSSP" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
o "RSSP Credentials Authorization" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "Get Sign Hash from RSSP" API request.
o "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD via the "Get Access Token | SAD" API. The SAD received in response shall be used in the "Get Sign Hash from RSSP" API request.
12. Use the "Embed Signature" API to embed signatures in the document.
13. The signature application uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
o "Revoke Access Token" API to revoke the service access token or refresh token.
o "Revoke OAuth2 Access Token" API to revoke an OAuth 2.0 access token or refresh token.
14. After the signing process is complete, if the signatory is the final signer, the Finish Processing API must be invoked. Without this step, the document will remain in an "In Progress" state for the owner. Once the API is called, the status updates to "Completed."
Finally, after signing, the Get Document Verification API can be used to retrieve the verification response.
The CSC Signing process can be a one-step or two-step operation, depending on the SCAL value returned by the "Get Credentials Info" API response. The distinction lies in how the document hash is calculated and how the signature is embedded.
1-Step Sign:
Condition: If SCAL is 1 in the "Get Credentials Info" API response, the signature application does not need to call the "Get Document Hash" API to calculate the document hash.
Process: The application simply collects the necessary data to call the "Sign Document via RSSP Directly" API. This API will automatically calculate the document hash, sign it using the CSC server, and embed the signature directly into the document.
2-Step Sign:
Condition: If SCAL is 2 in the "Get Credentials Info" API response, the following steps are required.
Process:
First, the signature application must call the "Get Document Hash" API to retrieve the document’s hash.
Next, the application must call the "Embed Signature" API to embed the signature into the document.
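The branching described in both flows above, as an added example (not code from the product's documentation): given a "Get Credentials Info" response, it returns the ordered API calls that remain, choosing the authorization API and the one-step or two-step path, and rejecting values it does not recognise. It assumes the response uses the CSC API v1 field names SCAL, authMode and OTP, keeps the authorization step in both paths, and leaves out token revocation, which the page leaves to the requirement; the function names are hypothetical.

```python
# Added example, not vendor code. Field names (SCAL, authMode, OTP) follow the
# CSC API v1 credentials/info response; that "Get Credentials Info" returns
# them under the same names is an assumption.

def authorization_calls(cred_info):
    """API calls that authorize the credential ID and yield the SAD."""
    mode = cred_info.get("authMode")
    if mode == "oauth2code":
        # The authorization code is exchanged for the SAD.
        return ["oauth2/authorize", "Get Access Token | SAD"]
    if mode == "implicit":
        return ["RSSP Credentials Authorization"]
    if mode == "explicit":
        otp = cred_info.get("OTP") or {}
        calls = []
        if otp.get("presence") == "true" and otp.get("type") == "online":
            calls.append("Send OTP via RSSP")  # online OTP is triggered first
        calls.append("RSSP Credentials Authorization")
        return calls
    raise ValueError(f"unsupported authMode: {mode!r}")


def remaining_calls(cred_info, final_signer):
    """Ordered calls from credential info to the end of the signing operation."""
    scal = str(cred_info.get("SCAL", "")).strip()
    auth = authorization_calls(cred_info)
    if scal == "1":
        # One-step: the server hashes, signs and embeds in a single call.
        calls = auth + ["Sign Document via RSSP Directly"]
    elif scal == "2":
        # Two-step: the hash is fetched before authorization, signed with the
        # SAD, then embedded.
        calls = (["Get Document Hash"] + auth
                 + ["Get Sign Hash from RSSP", "Embed Signature"])
    else:
        # Unknown or missing values are rejected rather than guessed.
        raise ValueError(f"unsupported SCAL: {scal!r}")
    if final_signer:
        calls.append("Finish Processing")  # otherwise status stays "In Progress"
    return calls


# Constructed sample response, not captured from a real server.
SAMPLE = {"SCAL": "2", "authMode": "explicit",
          "OTP": {"presence": "true", "type": "online"}}

if __name__ == "__main__":
    for step in remaining_calls(SAMPLE, final_signer=True):
        print(step)
```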