diff options
authorFlorian Dold <>2019-10-28 15:05:19 +0100
committerFlorian Dold <>2019-10-28 15:05:19 +0100
commit009aa08ad528ae40e5878126c7df16827cba6f8d (patch)
parent7530d03623c9cbd3a04454203074bf7c440d3f83 (diff)
ebics crypto
1 files changed, 52 insertions, 0 deletions
diff --git a/libeufin/ebics.rst b/libeufin/ebics.rst
index 605bd97..731882f 100644
--- a/libeufin/ebics.rst
+++ b/libeufin/ebics.rst
@@ -342,6 +342,21 @@ The following order types are, for now, not relevant for LibEuFin:
HAC order type.
+EBICS Message Format
+The following elements are the allowed root elements of EBICS request/response messages:
+* ``ebicsHEVRequest`` / ``ebicsHEVResponse``: Always unauthenticated and unencrypted. Used
+ **only** for query/response of the host's EBICS version.
+* ``ebicsKeyManagementResponse``: Unauthenticated response. Used for key management responses and
+ sometimes **also** to deliver error messages that are not signed by the bank (such as "invalid request").
+* ``ebicsNoPubKeyDigestsRequest``: Signed request that *does not* contain the hash of the bank's
+ public key that the client expects. Used for key management, specifically only the HPB order type.
+* ``ebicsRequest`` / ``ebicsResponse``
EBICS Transaction
@@ -491,6 +506,43 @@ HypoVereinsbank
See `this document <>`__.
+EBICS uses the XML Signature standard for signatures. It does *not* use XML encryption.
+The EBICS specification doesn't directly reference the standardized URIs for the various
+signing algorithms. Some of these URIs are defined in `<>`__.
+* A005 is
+ * the ``RSASSA-PKCS1-v1_5`` signature scheme contains the ``EMSA-PKCS1-v1_5`` encoding scheme
+ mentioned in the EBICS spec.
+* A006 is `<>`__ as defined in RFC 6931.
+XML Signatures
+XML Signatures can be a combination of:
+* detached (referencing another document)
+* enveloping (signs over ``Object`` tags *within* the ``Signature`` elements)
+* enveloped (signs over arbitrary data (via XPath expression) in other parts of the document
+ that contains the signature).
+In EBICS, only **enveloped** signatures are used.
+In the XML Signature standard, the element for a signature is ``Signature``. EBICS violates this
+standard by always mandating ``AuthSignature`` as the name. ``AuthSignature`` is an alias to
+the ``SignatureType`` xsd type in the XML Schema.
+Canonicalization vs transforms:
+ * Canonicalization refers to the processing of the ``SignedInfo`` element.
+ * Transformations apply to the data that ``Reference`` elements reference. Canonicalization
+ algorithms can be used as a transformation on referenced data.
Standards and Resources