Obtaining Digital Signature using PKCS#1 Encryption in SAP Process Orchestration (PO) and Cloud Integration (CI)
Recently, we had a requirement to generate the digital signature of payment file using PKCS#1 algorithm and push the signed file from SAP to Bank Server. Let us see the steps involved for this process in both PO and CI.
RSA Key Pair Generation
Before that, let’s walkthrough the key generation procedure.
- We need to create an RSA key pair using any online tool, one of such is below.
- Note that it generates public key in PKCS#8 format and private key in PKCS#1 format. Copy the contents of both private and public key to local files (with pem extension). There are multiple blogs to understand the difference between PKCS#1 and PKCS#8. With respect to data representation, the difference is as below.
PKCS#1 Public Key PKCS#8 Public Key
PKCS#1 Private Key PKCS#8 Private Key
- We can share the Public key in same format(PKCS#8) to third party, whosoever is going to verify the signature.
Steps in PO
- In PO, we do not have a standard function or module to do the PKCS#1 encryption. So, we are going to use the necessary java library to achieve it.
- PKCS#1 and PKCS#8 are related to each other and we can convert the key from one format to equivalent another format.
- To use java function, we need to first convert the PKCS#1 private key to its equivalent PKCS#8 private key.
- For Key conversion, we need to have OpenSSL tool installed in our machine. We are going to convert the private key from PKCS1 to PKCS8 format by running the OpenSSL tool and providing the below command.pkcs8 -topk8 -in Key_PKCS1.pem -out Key_PKCS8.pem -nocryptwhere Key_PKCS1.pem= PKCS#1 Private Key (input)
Key_PKCS8.pem = PKCS#8 Private Key (output)
- We need to make sure that the input PKCS#1 key is in the same directory path in which we have the OpenSSL application. The output key will also be generated in same path.
- We need to copy the contents of output PKCS#8 Key, remove the new lines, make it as a single line concatenated String and use it as a parameter input for the PI UDF. The UDF is of below.
//Java Class to be Referenced
AbstractTrace trace = container.getTrace;
//Output Signature will be stored in this String signature
String signature = “”;
//str_PrivateKey is the parameter to this UDF that contains the PKCS#8 private Key
byte b1 = Base64.getDecoder().decode(str_PrivateKey);
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(b1);
KeyFactory kf = KeyFactory.getInstance(“RSA”);
Signature privateSignature = Signature.getInstance(“SHA256withRSA”);
//str_Input is the input data to be digitally signed
byte s = privateSignature.sign();
signature = Base64.getEncoder().encodeToString(s);
trace.addInfo(“Signature of Input – ” +signature);
trace.addWarning(“Exception raised – ” +e.toString());
The above code can be enhanced to append the signature to the original input as per the requirement.
Steps in CI
- In CI, we need to navigate to CI Monitoring -> Keystore -> Add -> RSA Key. Provide the suitable alias name, browse through the saved PKCS#1 Private Key (this is done in RSA Key pair generation step above), fill the required details and click on Add.
- In the Integration flow, we should add the “Simple Signer” palette such that the input to this step is the message to be digitally signed.
- We need to add the below parameters under Simple Signer.
- Private Key Alias – The alias name provided in Step 1
- Signature Algorithm – Select the suitable option from dropdown.
- Signature Header Name – Custom name. The output of simple signer holds the signature value in the header parameter with this provided custom name.
- In the next palette of Iflow, we can get the signature value from the signature header and append it with the original file as per the need.
Hope this article is helpful to perform RSA PKCS#1 encryption and it illustrates the difference in steps involved in PO & CI (the latter being much easier to implement) Please feel free to add any comments/suggestions.