This repository has been archived by the owner on Oct 21, 2021. It is now read-only.

Cryptographic Signing of Data

Bryan Tarantina edited this page Aug 3, 2018 · 5 revisions

The IBM Food Trust™ solution supports cryptographic signatures on all submitted XML documents, so that document authenticity and chain of custody can be verified. XML documents should be signed using one of the supported algorithms: rsa-sha256 or ecdsa-sha256.

The submitter must register public keys for verification of signed data by submitting a key registration document to the IBM Food Trust solution. (The key registration document should itself be signed using the corresponding private key.)

Before implementing cryptographic signing, clients should ensure that contact information fields are removed from their XML documents, because any subsequent modification of the data by IBM Food Trust would invalidate the signature provided by the submitter.

Sample Public Signing Key XML:

<?xml version="1.0" encoding="UTF-8"?>
<ift:publicSigningKey xmlns:ift="urn:ibm:ift:xsd:1">
    <!-- XML message to communicate encoded public signing keys to IBM Food Trust.-->
    <!-- NOTE : Comments for a field appear BELOW the field. -->
    <keyID>12345</keyID>
    <!--Mandatory: Identifier for this public signing key. Should be unique (within your organization).-->
    <algorithm>rsa-sha256</algorithm>
    <!--Mandatory: Digital signing algorithm that this key should be used with.-->
    <!--Should be either rsa-sha256 or ecdsa-sha256.-->
    <encodedPublicKey>c7be1ed902fb8dd4d48997c6452f5d7e509fbcdbe2808b16bcf4edce4c07d14e</encodedPublicKey>
    <!--Mandatory: Encoded public signing key, represented as a base-64 encoded string.-->
</ift:publicSigningKey>

A TypeScript code snippet showing how to generate a signature header is provided.
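The following is an added example, not the project's snippet referenced above and not IBM Food Trust code. It signs a key registration document with its own private key and shows that a later modification (here, removal of a hypothetical `<contact>` field) invalidates a signature under both supported algorithms. The key encoding (base64 DER SubjectPublicKeyInfo), the signed byte range (the whole document as UTF-8) and all function names are assumptions.

```typescript
// Added example. Assumptions (not stated on the page): keys are base64 DER
// SubjectPublicKeyInfo; a signature covers the document's exact UTF-8 bytes.
import * as crypto from "crypto";

type Algorithm = "rsa-sha256" | "ecdsa-sha256";

// Key pair for one of the two supported algorithms.
function newKeyPair(alg: Algorithm) {
  return alg === "rsa-sha256"
    ? crypto.generateKeyPairSync("rsa", { modulusLength: 2048 })
    : crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
}

// Key registration document, using the element names from the sample XML.
function keyRegistrationXml(keyID: string, alg: Algorithm, pub: crypto.KeyObject): string {
  const encoded = pub.export({ type: "spki", format: "der" }).toString("base64");
  return `<?xml version="1.0" encoding="UTF-8"?>
<ift:publicSigningKey xmlns:ift="urn:ibm:ift:xsd:1">
    <keyID>${keyID}</keyID>
    <algorithm>${alg}</algorithm>
    <encodedPublicKey>${encoded}</encodedPublicKey>
</ift:publicSigningKey>`;
}

// SHA-256 digest in both cases; the key type selects RSA (PKCS#1 v1.5) or ECDSA.
function sign(xml: string, priv: crypto.KeyObject): string {
  return crypto.createSign("sha256").update(xml, "utf8").sign(priv, "base64");
}
function verify(xml: string, sig: string, pub: crypto.KeyObject): boolean {
  return crypto.createVerify("sha256").update(xml, "utf8").verify(pub, sig, "base64");
}

// Verify a registration document against the public key it carries.
function verifyRegistration(xml: string, sig: string): boolean {
  const m = /<encodedPublicKey>([^<]+)<\/encodedPublicKey>/.exec(xml);
  if (!m) return false;
  const der = Buffer.from(m[1], "base64");
  return verify(xml, sig, crypto.createPublicKey({ key: der, format: "der", type: "spki" }));
}

// Constructed document; <contact> is a hypothetical contact-information field.
const SAMPLE_DOC = "<doc><lot>42</lot><contact>jane@example.com</contact></doc>";
// Returns [valid as signed, valid after the contact field is removed].
function tamperCheck(alg: Algorithm): [boolean, boolean] {
  const { publicKey, privateKey } = newKeyPair(alg);
  const sig = sign(SAMPLE_DOC, privateKey);
  const stripped = SAMPLE_DOC.replace(/<contact>.*<\/contact>/, "");
  return [verify(SAMPLE_DOC, sig, publicKey), verify(stripped, sig, publicKey)];
}
```

Because the signature here covers raw bytes, even whitespace or re-serialization changes after signing cause verification to fail.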
