Application between a Partner and itsme®
A Partner wants to send a message (a JSON Object) to itsme®. The message is first signed and then encrypted (a JWS nested inside a JWE).
After processing, itsme® sends back a response which is signed and encrypted the same way.
Note that for JSON Object Signing and Encryption each party uses 2 keypairs, i.e. 4 keys in total (2 private, 2 public):
- 1 private/public keypair for signing and signature validation (Key ID (kid) starts with "s")
- 1 private/public keypair for encryption/decryption (Key ID (kid) starts with "e")
Example:
{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"s1","n":"psOL91wYWYyxFY9HRDfuppqkRcWpMzySY-qYpvmHM8j1-7XwDvTa5ls5Z0rEpe_cvL_yr75wwcvHzvilTQ1esmcZzp68ynhm4z9cm7HBV-JsSd7Ostpp5BJ3pRr76QiZYPj-yd3LquwTu3c5GrFq9ZjgPeq1jyrYfHnDLkRzp3CL86h1fJa4zdySU95oyVVLH1TCZCDT7uWASqaNQxoDo-rFthnNX87_GWK_SsBn3DASnxHgduFqiZ4Uxk_AgyiN6dbgpcPgrW6eW8y8FIY8ItDmLW_JtQnMmh5mvzEDMmt90nAWtXZ7NvIONdAPNB7eUrpod8ZQrWIzHzRpaSdYiw"},{"kty":"RSA","e":"AQAB","use":"enc","kid":"e1","n":"lD0n3CWJ68RUutXndkkVb3MnJ4WqeMqTiJji9Ohp-gLd44WoQKMWPTWFqasyDrrH5DNmFi3WArhUdIQIe7rbhZFJdcFiT4bDPcUSpHyo4Yiwq99Jou-aJ5YwZa4Q3VFUBGvu-95Bt_CQSPyjiXRNWzZ4sWBdHOkYUect6WCzTfXlN-cBMjlm9_yqODA1_TXqHJLkFuyioyMaobxn5vwsvpXeTOxOMfacamM2QIsH4xxlWCm8Etr7iMLUQAZoMyCrVVj6kmYesEhzeerxgdWkadKbvKc08xBqfsdgqR65dbgYtI7O3sQbWxYfnhvebaBa34ZZ2c9RR2eOXYe14Tl-7Q"}]}
The table below shows which keys each party uses.

| | Partner | itsme® |
|---|---|---|
| Keys used for encryption/decryption (e) | Private Key Partner enc, Public Key Partner enc, Public Key itsme® enc | Private Key itsme® enc, Public Key itsme® enc, Public Key Partner enc |
| Keys used for signing and signature validation (s) | Private Key Partner sig, Public Key Partner sig, Public Key itsme® sig | Private Key itsme® sig, Public Key itsme® sig, Public Key Partner sig |
Start on E2E Sandbox environment
Where to find the keys
To let you start testing, itsme® has created the 4 keys (2 keypairs) for you.
You will find YOUR PUBLIC KEYS at the following link: https://belgianmobileid.github.io/slate/jwks.json
You will find YOUR PRIVATE KEYS at the following link: https://belgianmobileid.github.io/slate/private_jwks.json
Note that these private keys are published openly and are therefore shared test keys for the sandbox only: for production you must generate your own keypairs, keep the private keys under your sole control and publish only the public keys.
You will find the PUBLIC KEYS of itsme® at the following link:
- for Belgian platform: https://e2emerchant.itsme.be/oidc/jwkSet
- for International platform: https://idp.e2e.itsme.services/v2/jwkSet
Complete flow on E2E SANDBOX environment
Step 1: sign the content with YOUR PRIVATE s1 from https://belgianmobileid.github.io/slate/private_jwks.json
Step 2: encrypt the signed content (the JWS from step 1) with the PUBLIC e1 of itsme® from
- for Belgian platform https://e2emerchant.itsme.be/oidc/jwkSet
- for International platform https://idp.e2e.itsme.services/v2/jwkSet
Step 3: itsme® decrypts the message with its own private encryption key
Step 4: itsme® verifies the signature with YOUR PUBLIC s1 from https://belgianmobileid.github.io/slate/jwks.json
Step 5: itsme® signs a response message with its own private signing key
Step 6: itsme® encrypts the response message with YOUR PUBLIC e1 from https://belgianmobileid.github.io/slate/jwks.json
Step 7: you decrypt the response with YOUR PRIVATE e1 from https://belgianmobileid.github.io/slate/private_jwks.json
Step 8: you verify the signature with the PUBLIC s1 of itsme® from
- for Belgian platform https://e2emerchant.itsme.be/oidc/jwkSet
- for International platform https://idp.e2e.itsme.services/v2/jwkSet
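The eight steps above, carried out end to end in Python with the `cryptography` library. This is an added example, not itsme® code: it generates both parties' keypairs locally instead of fetching the sandbox JWKS URLs, publishes them in the same JWKS shape as the example above (`kty`, `e`, `use`, `kid`, `n`), and assumes RS256 for the JWS and RSA-OAEP with A256GCM for the JWE, since the page does not state the algorithms. The receiver always selects the peer's key by `kid`, refuses a key whose `use` does not match the operation, and pins the expected `alg`/`enc` rather than trusting the header.

```python
"""Nested JWS-in-JWE exchange between a Partner and itsme (added example, not itsme code).
Assumptions: RS256 signing, RSA-OAEP + A256GCM encryption, locally generated keys
standing in for the sandbox JWKS URLs."""
import base64
import json
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)  # "RSA-OAEP" per RFC 7518


def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64ud(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_party():
    """Each party holds two keypairs: kid 's1' for signing, kid 'e1' for encryption."""
    return {"s1": rsa.generate_private_key(public_exponent=65537, key_size=2048),
            "e1": rsa.generate_private_key(public_exponent=65537, key_size=2048)}


def jwk_public(kid, use, priv):
    """Export only the public half, in the JWKS layout shown on this page."""
    nums = priv.public_key().public_numbers()
    n = nums.n.to_bytes((nums.n.bit_length() + 7) // 8, "big")
    e = nums.e.to_bytes((nums.e.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "e": b64u(e), "use": use, "kid": kid, "n": b64u(n)}


def jwks(party):
    return {"keys": [jwk_public("s1", "sig", party["s1"]), jwk_public("e1", "enc", party["e1"])]}


def load_jwk(jwks_doc, kid, use):
    """Select the peer's public key by kid; refuse a key published for a different use."""
    for jwk in jwks_doc["keys"]:
        if jwk["kid"] == kid:
            if jwk.get("use") != use:
                raise ValueError(f"key {kid} is for use={jwk.get('use')}, not {use}")
            n = int.from_bytes(b64ud(jwk["n"]), "big")
            e = int.from_bytes(b64ud(jwk["e"]), "big")
            return rsa.RSAPublicNumbers(e, n).public_key()
    raise KeyError(kid)


def jws_sign(payload: dict, priv, kid="s1") -> str:
    header = b64u(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64u(json.dumps(payload).encode())
    sig = priv.sign(f"{header}.{body}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{body}.{b64u(sig)}"


def jws_verify(token: str, peer_jwks) -> dict:
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64ud(header_b64))
    if header.get("alg") != "RS256":           # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    pub = load_jwk(peer_jwks, header["kid"], "sig")
    pub.verify(b64ud(sig_b64), f"{header_b64}.{body_b64}".encode(), padding.PKCS1v15(), hashes.SHA256())
    return json.loads(b64ud(body_b64))


def jwe_encrypt(plaintext: bytes, peer_jwks, kid="e1") -> str:
    pub = load_jwk(peer_jwks, kid, "enc")
    protected = b64u(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM", "kid": kid, "cty": "JWT"}).encode())
    cek, iv = AESGCM.generate_key(bit_length=256), os.urandom(12)
    ct_tag = AESGCM(cek).encrypt(iv, plaintext, protected.encode())   # AAD = protected header
    ct, tag = ct_tag[:-16], ct_tag[-16:]
    return ".".join([protected, b64u(pub.encrypt(cek, OAEP)), b64u(iv), b64u(ct), b64u(tag)])


def jwe_decrypt(token: str, priv) -> bytes:
    protected, enc_key, iv, ct, tag = token.split(".")
    header = json.loads(b64ud(protected))
    if header.get("alg") != "RSA-OAEP" or header.get("enc") != "A256GCM":
        raise ValueError("unexpected alg/enc")
    cek = priv.decrypt(b64ud(enc_key), OAEP)
    return AESGCM(cek).decrypt(b64ud(iv), b64ud(ct) + b64ud(tag), protected.encode())


def run_flow() -> dict:
    """Steps 1-8 of the sandbox flow with a constructed sample request."""
    partner, itsme = make_party(), make_party()
    partner_jwks, itsme_jwks = jwks(partner), jwks(itsme)           # what each side publishes
    request = {"sub": "partner-request", "amount": 10}              # constructed sample message
    to_itsme = jwe_encrypt(jws_sign(request, partner["s1"]).encode(), itsme_jwks)     # steps 1-2
    received = jws_verify(jwe_decrypt(to_itsme, itsme["e1"]).decode(), partner_jwks)  # steps 3-4
    response = {"status": "ok", "echo": received}
    to_partner = jwe_encrypt(jws_sign(response, itsme["s1"]).encode(), partner_jwks)  # steps 5-6
    return jws_verify(jwe_decrypt(to_partner, partner["e1"]).decode(), itsme_jwks)    # steps 7-8


def key_use_is_enforced() -> bool:
    """Failure mode: a peer's signing key (use=sig) must not be accepted for encryption."""
    try:
        load_jwk(jwks(make_party()), "s1", "enc")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```

Against the real sandbox, replace `make_party()` with the private JWKS you downloaded and `jwks(...)` with the published public JWKS of the peer; the `kid`/`use` selection and the `alg`/`enc` pinning are the parts worth keeping unchanged.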