The content digest signature that is used to validate the HTTP message content. A hashing algorithm is used to create a digest of the message body.
With the algorithm you can then rehash the message body and validate it against the pre-computed content-digest.
The content digest should only be computed for requests where message body is
present
Generate Content Digest
Although sha-256 generated digests are considered secure, we recommend using sha-512.
Compute Content Digest
import crypto from "crypto";
// Define the algorithm
let algorithm = "sha512";
// Define the message
let message = JSON.stringify({
firstName: "John",
...
});
// Create the digest in base64 encoding
const digestBase64 = crypto.createHash(algorithm).update(message).digest("base64");
// Create content digest string
const contentDigest = `sha-512=:${digestBase64}:`;
import hashlib
import json
# Define the message
message = json.dumps({
"firstName": "John",
...
})
# Create the sha512 Digest
digest_sha = hashlib.sha512()
# Update the message
digest_sha.update(message)
# Base64 encode digest
digest_base64 = base64.b64encode(digest_sha)
# Create content digest string
content_digest = f'sha-512:{digest_base64}:'
Make Signed Request
In the below example request:
sha-512: The algorithm used to hash the content messageRK/0...abDg=: Base64 representation resulting from the hashed content message
curl --request POST \
--url https://api.pipevest.com/v1/customers?sort=ASC \
--header 'Content-Type: application/json' \
--header 'Content-Digest: sha-512=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg=:' \
--header 'Content-Length: 18' \
--header 'Authorization: Bearer 123456' \
--header 'X-Client-Id: 123456' \
--header 'X-Idempotency-Key: 123456' \
...
--data '{"firstName": "John", "lastName": "Doe"}'
Verify Content Digest
Re-compute Content Digest
Compare Digests
Compare computed-content-digest to the one that was passed along in the original http header (i.e. - header-content-digest).computed-content-digest === header-content-digest
In the example below, the header-content-digest equals RK/08...FabDg=
curl --request POST \
--url https://api.pipevest.com/v1/customers \
--header 'Content-Digest: sha-512=:RK/08...FabDg=:' \
....
Verify or Reject
Reject the message, if computed-content-digest does not equal header-content-digest.
