Process for Signing requests with StarSign

1

Calculate hash of HTTP Request Body

The digest algoritm to use is version specific. As of version 1 it is SHA256. The hash of the body are computed and compared “as-sent” and “as-recieved” which means there are no canonicalization of the body. Encoding must be UTF-8.hash(RequestBody)\text{hash}(\text{RequestBody})
2

Build signature payload

The payload is the string to be signed. It uses URL Encoding as representation with all values percent encoded. See payload specification. Example payload:
a=hmac-sha256&
d=GMuuPsaA4rCsGeMa56Ew4nu4ED79jkQ9kKS8UDUHYFv1&
id=clientID&
n=ETmr2tEpx691VS&
u=v1.SpaceParameterService%2FDescribeParameter&
t=20060102T150405Z
3

Compute HMAC signature

Compute the HMAC hash of the payload using the Client Secret.signature=HMAC(secret,payload)\text{signature} = \text{HMAC}(secret, payload)
4

Format Authorization header

Format the Authorization header. Base58 encode the HMAC hash and the payload using the BTC alphabet. The HeaderKey is version specific, as of version 1 it is starsign1.HeaderKey  ’ ’ (space)  Base58(signature)  ’;’  Base58(payload)\small\text{HeaderKey} \ || \ \text{' ' (space)} \ || \ \text{Base58}(\text{signature}) \ || \ \text{';'} \ || \ \text{Base58}(\text{payload})
5

Set Authorization header to request and send it

Authorization: starsign1 3CAR2hUPT9[...];wMX3EtvWaZ[...]

Signature Payload Parameters

The signature payload is metadata that gets signed and sent with the signature hash.
a
string
required
HMAC algoritm constant is version specific, as of version 1 it is hmac-sha256.
n
base58(BTC) encoded hash
required
Nonce must be at least 16 bytes and at most the same length as the client secret. Requests that reuse a previous nonce are denied.
u
URL Path
required
URL Path of the request with any leading slash trimmed. Example v1.SpaceParameterService/DescribeParameter
t
datetime
required
Time of signing the request. Time format is ISO 8601 (20060102T150405Z).
d
base58(BTC) encoded hash
Hash digest value of the HTTP body. The digest algoritm is version specific, as of version 1 it is SHA256.
b
datetime
The request is valid until and before the specified time. Time format is ISO 8601 (20060102T150405Z)

Extending validity of requests

The StarSign signature scheme allows for setting a payload field named b for Before. It allows for extending the request validity into the future.
Celestra Space offers APIs that supercharge your space software, unlocking the potential for truly captivating outcomes. Create your account today!