This strategy strictly follows the Signature Exclusion Principle: the signature or digest is always calculated over the message content, explicitly excluding the signature itself.
This strategy uses RFC 8785 canonicalization and JWS (RFC 7515) to sign ISO 20022 payment messages in JSON format. The signature is embedded in the AppHdr.Signature property and is preserved across format conversions.
- Prepare JSON: Ensure consistent field ordering and no extraneous whitespace.
- Canonicalize: Apply RFC 8785 to produce canonical UTF-8 bytes.
- Sign: Use a JWS implementation (e.g., Nimbus JOSE + JWT) to create a JWS (e.g., ES256 or EdDSA) over the canonicalized JSON (excluding the signature property).
- Embed: Insert the JWS compact serialization into AppHdr.Signature.
- Transmit: Deliver as JSON or convert to XML, mapping the Signature property to an XML element.
- Verify:
  - Extract the JWS from the Signature property or XML element.
  - Reconstruct the JSON via XML→JSON mapping if needed.
  - Canonicalize (RFC 8785).
  - Verify the JWS using the sender's public key.
- Canonicalization: Uses RFC 8785 for deterministic JSON byte representation.
- Signature Algorithm: ES256, EdDSA, or RS256 (as supported by the JWS library).
- Signature Embedding: The JWS string is placed in the AppHdr.Signature property.
- Signature Exclusion: The signature property is always excluded from the canonicalization and signing process.
- Libraries: Nimbus JOSE + JWT (Java), or any RFC 7515-compliant JWS library.