Application between a Partner and itsme®
A Partner wants to sign and encrypt a message (JSON Object) and send it to itsme®.
After processing, itsme® will send a response which is also signed and encrypted.
Note that for JSON Object Signing and Encryption (JOSE) each party uses 2 keypairs, i.e. creates 4 keys in total:
- 1 private/public keypair for signing and signature validation (Key ID (kid) starts with “s”)
- 1 private/public keypair for encryption/decryption (Key ID (kid) starts with “e”)
Production environment
For production use, Partner will need to create 2 keypairs:
- 1 public and private key for encryption/decryption
- 1 public and private key for signing/signature verification
You will need to send the 2 PUBLIC keys to itsme®; they will be used to:
- Encrypt messages by itsme® towards you (with your public e1)
- Verify your signature when you send a message to itsme® (with your public s1)
These 2 public keys are published on the JWK Set endpoint that the Partner provides to itsme®.
Note: NEVER SEND US OR ANYONE ELSE YOUR PRIVATE KEYS! They must be stored in a safe and secure environment. Typically this is an HSM (Hardware Security Module), Key Vault, KeyStore or other secure Key Management System used by your application.
The PUBLIC keys of itsme® for PRODUCTION can be found at:
- for Belgian platform: https://merchant.itsme.be/oidc/jwkSet
- for International platform: https://idp.prd.itsme.services/v2/jwkSet
Complete flow on PRODUCTION environment
Step 1: sign the content with YOUR PRIVATE s1 (which ONLY YOU possess)
Step 2: encrypt the signed content with the PUBLIC e1 of itsme® from https://idp.prd.itsme.services/v2/jwkSet
Step 3: itsme® will decrypt the message with its own private encryption key
Step 4: itsme® will verify the signature with YOUR PUBLIC s1 (which we must receive from you after you have created your production keys)
Step 5: itsme® will sign a response message with its own private signing key
Step 6: itsme® will encrypt the response message with your PUBLIC e1 (which we must receive from you after you have created your production keys)
Step 7: you decrypt the response with your PRIVATE e1 (which ONLY YOU possess)
Step 8: you verify the signature with the PUBLIC s1 from itsme® from https://idp.prd.itsme.services/v2/jwkSet