Sign hashes

Hash signature allows the signing of document hashes instead of the actual documents. These hashes are signed by fidentity and can subsequently be embedded into a PDF outside of the fidentity flow.

Procedure

To sign hashes instead of documents, the initial call is made based on the QES variations. The documentUris array is set to empty and replaced by the hashesToSign array. Other than this difference, the calls for signing PDFs and hashes are identical.

Example request

  "documentUris": [],
  "hashesToSign": [{
      "id": "hash-id-{{$guid}}",
      "type": "signature",
      "title": "hash signature",
      "hash": "91951BA09F5213ADE633434681DFACC5F1C2F49920040AAEB451799037E40A3C",
      "hashAlgorithm": "sha256",
      "documentLink": ""
  }]

Example respond

At the end of the successful Process, you can get the process Object and in the field "signedHashes", there are 3 properties that are important:

• signature -> Signature of CMS object

• cmsObject -> CMS Object to integrate to pdf (pkcs7)

• certificate -> Public certificate of signing party (DER encoded)

"signedHashes": [
        {
            "id": "test-hash-1",
            "title": "QesSignature-cypress-test",
            "type": "contract",
            "hash": "538a54e1480b6...",
            "cmsObject": "MIIz+AYJK...",
            "preparedDigest": "17bd1...",
            "signature": "d181cffd28e...",
            "certificate": "MIIH2zCCBY...
        }
    ],```

PDF handling with Hash Signing

Our TSP Partner Swisscom has created a step-by-step guide for developers wishing to integrate hashes into PDF files by themselves. There are also references to some tools that provide this feature as well as github examples.