Signature

Introduction

Requests and responses are signed with private keys and verified with the corresponding public keys, so that each party can be sure of the identity of the party that sent the information.

  • All requests from the merchant shall be signed with the merchant's private key; Trustly will verify the signature of the request using the merchant's public key.
  • All responses from Trustly are signed with Trustly's private key and should be verified by the merchant using Trustly's public key.

Key generation

You can generate your private and public keys with openssl:

openssl genrsa -out private.pem 2048
openssl rsa -pubout -in private.pem -out public.pem -outform PEM

The file public.pem should then be sent to your integration manager at Trustly ([email protected]).

Trustly's public keys

Trustly's public keys for TEST and LIVE:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy7h/yX8DEA2m588SrWye
AC8rTMbErwHt2hoTiP9fte/iOo0FXIZSmNsNu422L+iJyvZQu19ebeL7XgB0UXqt
zA6KtXBMXIKwuMCZhbdeR8sb7OKbX2nlWM+e2Hmrr9CTfkZkFBeSC+iN9fAU6PoR
X0i5PWm0uZnaoWXcZnk5CxQCgnfYgsx7xsd8Au+mrqE8SHeT8zi/Inw0Xp6ba25G
YsZhHfIPD2rcZQOpWbmHRS4Jk4aGzSOBHbAZhKlP97PxoVfUcPI3iCA1+3jMs1l2
PYsHUbP60NMVwkGPjFOTv4m1a1wKsue0mhspDdvswZUeKE+POGOuewqTQJ+gIhXw
mQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoZhnqiELeoX3QNSg7jpU
kbLV4BU32LoSMuABAaPdxhpZaccFYud2z4QUlMq/j46vdVDpaCFaCZ+qNT5+tHbQ
BFgcrx82u7r+aMHvKy4FEczT5aev0NxRlQKHmNQygvp3hNkqeOw4nJy3PoD4cgCp
SlLTiPOBy2ZsWUHQpSVJdDUiLwAQfNV90jMqa3zq1nTfmTBmd6NR1XAjg5eS6SWr
to1nVS1b7XKGv7Cc1kt0RVd54tWqoCMDHwEiU0st66BCKdYk3r5woDZxGZUUjVdm
g9O2xpqRRDcdJGm8HIOVHGSNT9R7LMucH/PGwrfpdWmBDjy0BkuDlssuBgh731l2
cwIDAQAB
-----END PUBLIC KEY-----

Serializing and signing your request

The Signature is a Base64 encoding of the RSA signature of [Method concatenated with UUID concatenated with a serialization of the Data object]. The serialization is done by concatenating all scalars, hash keys, hash values and array values together, with hash keys sorted ASCIIbetically. ("Null" is treated as an empty string.)

Please see the simple PHP example below for clarification, and try our signature tester: it shows how to serialize and sign any data.

function serialize_data($object) {
    $serialized = '';
    if (is_array($object)) {
        ksort($object); // Sort keys ASCIIbetically (a list keeps its index order)
        foreach ($object as $key => $value) {
            if (is_numeric($key)) { // Array element: only the value is emitted
                $serialized .= serialize_data($value);
            } else { // Hash entry: the key followed by its serialized value
                $serialized .= $key . serialize_data($value);
            }
        }
    } else {
        // Scalar: returned as-is; null concatenates as the empty string
        return $object;
    }
    return $serialized;
}

function sign($method, $uuid, $data) {
    $merchant_private_key = openssl_get_privatekey(file_get_contents(
                                'merchant_private_key.pem'
                            ));
    $plaintext = $method . $uuid . serialize_data($data);
    // openssl_sign() uses the OPENSSL_ALGO_SHA1 digest unless another one is given
    openssl_sign($plaintext, $signature, $merchant_private_key);
    return base64_encode($signature);
}

function verify($method, $uuid, $data, $signature_from_trustly) {
    $trustly_public_key = openssl_get_publickey(file_get_contents(
                                'trustly_public_key.pem'
                            ));
    $plaintext = $method . $uuid . serialize_data($data);
    // Returns 1 if the signature is valid, 0 if it is not, -1 on error
    return openssl_verify($plaintext,
                            base64_decode($signature_from_trustly),
                            $trustly_public_key
                         );
}

Example of a structure to be serialized:

{
    "MyKey": "MyValue",
    "MyArray": [
        "Element1",
        "Element2",
        {
            "mykey2": "myvalue2"
        }
    ]
}

The structure above results in the serialized string below:

MyArrayElement1Element2mykey2myvalue2MyKeyMyValue
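The following Python implementation of the serialization rules described above is an added example, not code from Trustly or from this page. It mirrors the PHP serialize_data() shown earlier (sorted hash keys, array elements in order, null as the empty string, PHP's string conversion of booleans) and builds the Method + UUID + serialized-Data plaintext that is then signed. The UUID and the Deposit method name in the usage block are constructed sample values; unsupported types raise rather than being silently serialized, so a mismatch with what the other side signs cannot go unnoticed.

```python
"""Serialize a Data object the way the page's PHP serialize_data() does and
build the plaintext that the RSA signature covers (added example)."""


def serialize_data(obj):
    """Concatenate scalars, hash keys, hash values and array values.

    Hash keys are emitted in sorted (ASCIIbetical) order, each followed by
    its serialized value; array elements are emitted in array order; None is
    treated as the empty string.
    """
    if obj is None:
        return ""
    if isinstance(obj, bool):
        # Mirror PHP's string conversion used by the page's code: true -> "1", false -> ""
        return "1" if obj else ""
    if isinstance(obj, (str, int)):
        return str(obj)
    if isinstance(obj, dict):
        # Hash: sorted keys, each key immediately followed by its serialized value
        return "".join(key + serialize_data(obj[key]) for key in sorted(obj))
    if isinstance(obj, (list, tuple)):
        # Array: values only, in the order they appear
        return "".join(serialize_data(value) for value in obj)
    # Floats and other types are refused so nothing is signed with a
    # representation that may differ from the other side's serialization
    raise TypeError(f"unsupported type in Data: {type(obj).__name__}")


def signing_plaintext(method, uuid, data):
    """Plaintext whose RSA signature, Base64-encoded, becomes the Signature field."""
    return method + uuid + serialize_data(data)


# The structure from the page, with the serialized string the page gives for it
PAGE_EXAMPLE = {
    "MyKey": "MyValue",
    "MyArray": [
        "Element1",
        "Element2",
        {"mykey2": "myvalue2"},
    ],
}
PAGE_EXPECTED = "MyArrayElement1Element2mykey2myvalue2MyKeyMyValue"


if __name__ == "__main__":
    assert serialize_data(PAGE_EXAMPLE) == PAGE_EXPECTED
    # Constructed sample method name and UUID, not values from the page
    print(signing_plaintext("Deposit", "00000000-0000-0000-0000-000000000000", PAGE_EXAMPLE))
```

The string returned by signing_plaintext() is what you pass to your RSA signing routine (the PHP sign() above, or openssl dgst with your private key); when verifying a Trustly response you rebuild the same plaintext from the received Method, UUID and Data and check the Base64-decoded Signature against it with Trustly's public key.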