Authentication
Barcode Generation UI Authentication
Client Authentication and Digital Signatures
The implementation of the eCash website should be fairly straightforward. However, some observations should be made:
- Authentication with the partner is achieved through client-certificate authentication, as shown in the diagram below.
- The Partner provides Green Dot with their client certificate (and Certificate Authority information, if necessary). This certificate is registered for the Partner and is used to recognize and authorize the Partner's requests. Since Green Dot trusts the partner to manage end-user authentication, the GDN partner ID must be sent (as one of the parameters with every function call; see the interface specification) for validation purposes. If the partner ID provided is not configured at Green Dot, an appropriate error message is returned.
- The Partner is required to send an encrypted and signed message containing the user account and other information such as email address, mobile number, and timestamp of the request (see the fields list below) via an HTTP POST.
- Green Dot verifies the message signature using the shared certificate and decrypts the message using the GD private key. The timestamp value is used to define the message expiration period.
- Decrypt the data using GD's private key to confirm data integrity.
- Check the signature using the shared certificate to confirm the post is coming from the partner.
- Green Dot checks the timestamp to validate the message expiration.
Encryption and Signature Example
Here is a sample of the steps, using .NET libraries, to encode and encrypt the metadata.
- Data to encrypt:
  strdata="accountno=5C3895C9&accountnickname=95C9&[email protected]&firstname=t&lastname=duck&transactionid=03856F55-28FF-BA8A-873F-B4AD4975B952&redirecturl=develop.dev.tvg.com/ecashDeposits/&sessiontimestamp=1425059031"
- UTF-8 encode the string and get a byte[].
- Sign the byte array from the previous step. For this we use SignedCms from PKCS#7: call ComputeSignature with the signing certificate, which is the Partner's certificate. SignedCms.Encode returns a byte array. The C# sample code:

```csharp
using System.Security.Cryptography.Pkcs;

// bData is the UTF-8 byte[] from the previous step; partnerSignedCert is the Partner's signing certificate
ContentInfo contentInfo = new ContentInfo(bData);
SignedCms signedCMS = new SignedCms(contentInfo);
signedCMS.ComputeSignature(new CmsSigner(partnerSignedCert), true); // silent: no UI prompt for the private key
byte[] byteData = signedCMS.Encode(); // DER-encoded SignedData, used in the next step
```
- Convert the byte array to a Base64 string and put "-----BEGIN PKCS7-----\n" before it and "\n-----END PKCS7-----" after it:
- The string from the previous step is UTF-8 encoded to get a byte array.
- Encrypt the envelope. For this we use EnvelopedCms in .NET and call Encrypt. I am using the GDCAddCashQA certificate that I sent to Sonney for troubleshooting. We get back a byte array by calling EnvelopedCms.Encode. The C# sample code:

```csharp
using System.Security.Cryptography.Pkcs;

// bData is the UTF-8 byte[] of the PEM-wrapped signed message; gdnEncryptCert is Green Dot's encryption certificate
ContentInfo contentInfo = new ContentInfo(bData);
EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo);
CmsRecipient recipient = new CmsRecipient(gdnEncryptCert);
envelopedCms.Encrypt(recipient);
byte[] encryptedData = envelopedCms.Encode(); // DER-encoded EnvelopedData, used in the next step
```
- Convert the byte array to a Base64 string and put "-----BEGIN PKCS7-----\n" before it and "\n-----END PKCS7-----" after it. The result of this step is a single PEM-wrapped Base64 string.
- URL-encode the string before you POST it to GDN. This is the string GDN receives in the encrypted_data POST field, along with your partner ID. The PartnerID is sent as a separate, unencrypted value, and the encrypted_data variable contains the URL-encoded PEM string.
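The receiving side of the flow above (decrypt with GD's private key, check the signature against the registered partner certificate, enforce the timestamp window), written as an added example that is not part of the Green Dot documentation or code. It assumes the URL-encoded encrypted_data POST value, Green Dot's decryption certificate with its private key, the partner's registered signing certificate, and a maximum message age, which the page does not specify.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class EcashMessageVerifier
{
    // Strip the "-----BEGIN PKCS7-----" / "-----END PKCS7-----" armour and Base64-decode the body.
    static byte[] PemToDer(string pem) => Convert.FromBase64String(
        pem.Replace("-----BEGIN PKCS7-----", "").Replace("-----END PKCS7-----", "").Trim());

    // Assumed inputs for this example: encrypted_data POST value, GD cert with private key, partner cert, max age.
    public static Dictionary<string, string> DecryptAndVerify(
        string encryptedDataField, X509Certificate2 gdDecryptCert,
        X509Certificate2 partnerSignCert, TimeSpan maxAge)
    {
        // 1. Undo the URL encoding applied before the POST, then the outer PEM wrapping.
        var enveloped = new EnvelopedCms();
        enveloped.Decode(PemToDer(WebUtility.UrlDecode(encryptedDataField)));
        // 2. Decrypt with GD's private key; the plaintext is the inner PEM-wrapped SignedCms.
        enveloped.Decrypt(new X509Certificate2Collection(gdDecryptCert));
        var signed = new SignedCms();
        signed.Decode(PemToDer(Encoding.UTF8.GetString(enveloped.ContentInfo.Content)));
        // 3. Verify the signature, then insist the signer is the certificate registered for this
        //    partner rather than any certificate the sender chose to embed in the message.
        signed.CheckSignature(new X509Certificate2Collection(partnerSignCert), verifySignatureOnly: true);
        bool signedByPartner = false;
        foreach (SignerInfo si in signed.SignerInfos)
            if (si.Certificate != null && si.Certificate.Thumbprint == partnerSignCert.Thumbprint)
                signedByPartner = true;
        if (!signedByPartner)
            throw new CryptographicException("Signer is not the registered partner certificate.");
        // 4. Parse the "key=value&key=value" payload and enforce the expiration window.
        var fields = new Dictionary<string, string>();
        foreach (string pair in Encoding.UTF8.GetString(signed.ContentInfo.Content).Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) fields[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        long ts = long.Parse(fields["sessiontimestamp"]);
        TimeSpan age = DateTimeOffset.UtcNow - DateTimeOffset.FromUnixTimeSeconds(ts);
        if (age < TimeSpan.Zero || age > maxAge)
            throw new InvalidOperationException("Message expired or timestamp is in the future.");
        return fields;
    }
}
```

Decryption has to come first because the signature is inside the envelope; the thumbprint pin matters because verifySignatureOnly skips chain validation and CheckSignature alone would accept any certificate that verifies the signature.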
Follow this link for reference.