CSC signing
To perform CSC signatures via the API using server-side signing, follow the steps below. They outline the API calls and conditions needed to complete a single document signing operation through the server.
1. The signatory is identified via the access token provided in the API call, which means is required before initiating the signing process. The access token must be issued directly to the signatory through API.
2. If modifications are needed before signing, the API should be called beforehand. Note that any mandatory input fields must be completed for the signing process to succeed.
3. To determine which Signing Servers should be displayed based on a signature field’s level of assurance, the signature application must call the API. This API provides details of all available signing servers along with their corresponding levels of assurance.
4. The signature application uses the "" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
5. The signature application uses the "" API which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
6. The signature application gets the access token using the "" API. The server itself decides the grant_type (client_credentials / authorization_code) depending on its configuration.
7. The signature application gets the list of credentials associated using the "" API. If RUT filtration is required, this API will filter the credentials as per the RUT values. A user may have one or multiple credentials hosted by a single remote signing service provider.
8. The signature application gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "" API.
9. If the "authorization_required" parameter is true, in response to the "" API, the "" API shall be used to get the account_token which will be used to hit the "oauth2/authorize" CSC Server endpoint.
10. Use the "" API to get the hash of the document.
The signature application can use any one of the following APIs for authorization of the credential ID, based on the response of the "" API of the CSC server:
o "" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
o "" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "" API request.
o "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow for the OAuth 2.0 authorization. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD via "" API. The SAD received in response shall be used in the "" API request.
11. Use the "" API to embed signatures in the document.
12. The signature application uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
o "" API to revoke the service access token or refresh token.
o "" API to revoke an OAuth 2.0 access token or refresh token.
13. After the signing process is complete, if the signatory is the final signer, the API must be invoked. Without this step, the document will remain in an "In Progress" state for the owner. Once the API is called, the status updates to "Completed."
Finally, after signing, the API can be used to retrieve the verification response.
The CSC Signing process can be a one-step or two-step operation, depending on the SCAL value returned by the "" API response. The distinction lies in how the document hash is calculated and how the signature is embedded.
1-Step Sign:
Condition: If SCAL is 1 in the "" API response, the signature application does not need to call the "" API to calculate the document hash.
Process: The application simply collects the necessary data to call the "" API. This API will automatically calculate the document hash, sign it using the CSC server, and embed the signature directly into the document.
2-Step Sign:
Condition: If SCAL is 2 in the "" API response, the following steps are required:
Process: Follow the below steps:
First, the signature application must call the "" API to retrieve the document’s hash.
Next, the application must call the "" API to embed the signature into the document.

1. The signatory is identified via the access token provided in the API call, which means is required before initiating the signing process. The access token must be issued directly to the signatory through API.
2. If modifications are needed before signing, the API should be called beforehand. Note that any mandatory input fields must be completed for the signing process to succeed.
3. To determine which Signing Servers should be displayed based on a signature field’s level of assurance, the signature application must call the API. This API provides details of all available signing servers along with their corresponding levels of assurance.
4. The signature application uses the "" API to get the RSSP (Remote Signing Service Provider) information that is needed to perform CSC Signing.
5. The signature application uses the "" API which returns the information about the RSSP (Remote Signing Service Provider) and the list of API methods it has implemented. This method shall be implemented by any RSSP conforming to this specification.
6. If the "authorization_required" parameter is true, in response to the "" API, the "" API shall be used to get the account_token which will be used to hit the "oauth2/authorize" CSC Server endpoint.
7. The signature application requests authorization for the user to access the RSSP resources using the "oauth2/authorize" API of the CSC server. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain an access token.
8. The signature application gets the access token using the "" API which returns the Bearer/SAD token.
9. The signature application gets the list of credentials associated using the "" API. If RUT filtration is required, this API will filter the credentials as per the RUT values. A user may have one or multiple credentials hosted by a single remote signing service provider.
10. The signature application gets the information on a signing credential, its associated certificate, and a description of the supported authorization mechanism using the "" API.
11. Use the "" API to get the hash of the document.
11. The signature application can use any one of the following APIs for authorization of the credential ID, based on the response of the "" API of the CSC server:
o "" API to start the online OTP mechanism associated with a credential ID for Explicit (OTP) authorization.
o "" API to authorize access to the credential ID for signing for Explicit (OTP/PIN) or Implicit authorization. The SAD received in response shall be used in the "" API request.
o "oauth2/authorize" API to initiate an OAuth 2.0 authorization flow for the OAuth 2.0 authorization. The authorization is returned in the form of an authorization code, which the signature application shall then use to obtain the SAD via "" API. The SAD received in response shall be used in the "" API request.
12. Use the "" API to embed signatures in the document.
13. The signature application uses one of the following APIs of the CSC server for revoking access tokens, as per the requirement:
o "" API to revoke the service access token or refresh token.
o "" API to revoke an OAuth 2.0 access token or refresh token.
14. After the signing process is complete, if the signatory is the final signer, the API must be invoked. Without this step, the document will remain in an "In Progress" state for the owner. Once the API is called, the status updates to "Completed."
Finally, after signing, the API can be used to retrieve the verification response.
The CSC Signing process can be a one-step or two-step operation, depending on the SCAL value returned by the "" API response. The distinction lies in how the document hash is calculated and how the signature is embedded.
1-Step Sign:
Condition: If SCAL is 1 in the "" API response, the signature application does not need to call the "" API to calculate the document hash.
Process: The application simply collects the necessary data to call the "" API. This API will automatically calculate the document hash, sign it using the CSC server, and embed the signature directly into the document.
2-Step Sign:
Condition: If SCAL is 2 in the "" API response, the following steps are required.
Process:
First, the signature application must call the "" API to retrieve the document’s hash.
Next, the application must call the "" API to embed the signature into the document.
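The SCAL and authorization-mechanism branching described above, as an added example that is not code from this documentation or from the CSC project: it maps a credential-info response to the order of calls and fails closed on values it does not recognise. `SCAL` is named on the page; `authMode` and `OTP` are field names from the CSC API v1 credential-info response (an assumption here), and the step labels are hypothetical stand-ins for the API names.

```python
# Constructed example, not code from this documentation or the CSC project.
# "SCAL" is named on the page; "authMode" and "OTP" follow the CSC API v1
# credential-info response (assumption). Step labels are hypothetical.

class PlanError(ValueError):
    """The credential info cannot be mapped to a safe call sequence."""

def plan_signing(cred_info):
    """Return the ordered call labels for one signature; fail closed on bad input."""
    scal = str(cred_info.get("SCAL", ""))
    if scal not in ("1", "2"):
        # Strict choice of this example: never guess the assurance level.
        raise PlanError(f"missing or unsupported SCAL: {scal!r}")
    # 2-step sign fetches the hash first so the authorization can cover it.
    steps = ["get_document_hash"] if scal == "2" else []

    mode = cred_info.get("authMode")
    if mode == "explicit":
        otp = cred_info.get("OTP") or {}
        if otp.get("presence") == "true" and otp.get("type") == "online":
            steps.append("send_otp")  # server delivers the OTP to the signer
        steps.append("authorize_credential")  # returns the SAD
    elif mode == "implicit":
        steps.append("authorize_credential")
    elif mode == "oauth2code":
        steps += ["oauth2/authorize", "exchange_code_for_sad"]
    else:
        raise PlanError(f"unknown authMode: {mode!r}")

    # 1-step: one call hashes, signs and embeds. 2-step: embed the signature.
    steps.append("sign_and_embed" if scal == "1" else "embed_signature")
    return steps

def check_hash_binding(scal, authorized_hash, hash_to_sign):
    """With SCAL 2 the SAD covers one hash; refuse to sign any other value."""
    if scal == "2" and (not authorized_hash or authorized_hash != hash_to_sign):
        raise PlanError("hash to sign was not the hash that was authorized")
    return True

# Constructed credential-info responses (not captured from a real server).
PIN_ONLY_SCAL1 = {"SCAL": "1", "authMode": "explicit", "PIN": {"presence": "true"}}
OTP_SCAL2 = {"SCAL": "2", "authMode": "explicit",
             "OTP": {"presence": "true", "type": "online"}}
OAUTH_SCAL2 = {"SCAL": "2", "authMode": "oauth2code"}

if __name__ == "__main__":
    for sample in (PIN_ONLY_SCAL1, OTP_SCAL2, OAUTH_SCAL2):
        print(sample["SCAL"], sample["authMode"], "->", plan_signing(sample))
```

The hash-binding check duplicates on the client what the signing server enforces for SCAL 2, so a mismatch is caught before a request leaves the application.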