CVT1 Request Verification

The Delta service will process all requests to establish authenticity and set the identity for the actions requested. The following elements are extracted from the Authorization header:

• identityId
• signedHeaders
• signature

Using these elements, the following actions are performed on the request to ensure the signature is valid:

1. Create a canonical request, consisting of:
   • The HTTP request method
   • The canonical path
   • The canonical query string
   • The canonical headers, as determined by the list of signedHeaders
   • The signedHeaders list
   • The hashed payload
2. Create a string to sign, using the canonical request from step 1.
3. Calculate a SHA256 digest of the string to sign from step 2. The output must be hex-encoded and be lowercase, as defined by Section 8 of RFC 4648.
4. Retrieve the public signing (verification) key of the identity matching the identifierId.
5. Decrypt the signature with the public signing (verification) key using RSASSA-PSS with the following parameters:
   • SHA256 as the digest function
   • MGF1 with SHA256 as the mask generator function
   • 32 bytes as the salt value for MGF1
6. Check the decrypted signature (from step 5) matches the digested string to sign (from step 3)- if match, then the request is allowed to continue, otherwise a HTTP status 403 is returned