How to validate hash and signature headers

When a document is returned from our API we also send three important headers in the response:

  • X-DocDigitizer-Hash, Hash of the produced response
  • X-DocDigitizer-Sign, Signature of the Hash Header value
  • X-DocDigitizer-Certificate, Url to get the certificate to validate the signature

These headers can be used to validate that the response was not tampered by a malicious third party that somehow hijacked the communication.

To check the hash, start by turning the payload to it's lowercase equivalent;

If you have any custom Salt Rule, append the respective chars from the returned document id based on your rule positions, note that the position is zero based;

After that, you should obtain the respective byte array using an UTF8 encoding;

The hash is finally produced using a SHA256 algorithm that is applied to that byte array and formated as an hexadecimal string;

For example, if the paylod is { "id": "bf2ec26f-30ff-451d-b834-7088e617ebe6",(...) } and your salt rule is: 4,2,7,4,9,5,12 then the payload that will be hashed is: { "id": "bf2ec26f-30ff-451d-b834-7088e617ebe6",(...) }c2fc32f

By now you should be able to access that the payload corresponds to the hash. For a further level of security you can check the signature of the Hash. To do so, you'll need to obtain the certificate available on the url that is returned as the value of the X-DocDigitizer-Certificate header, it is recommended that you only obtain it once and store it on your servers;

That certificate, the content of the X-DocDigitizer-Sign header and the hash itself can then be used to make sure that the hash was produced by DocDigitizer thus assuring no tampering was made.