Go to content

Pix

The Pix module APIs are designed to use Pix's HTTP request signing, verification, sending and receiving functionalities.

Network

The HSM does not make direct access to the Pix/DICT servers, but is positioned on the network for use by the PSP's internal servers.

---
title: Diagrama físico de rede
---

%%{ init: { 'flowchart': { 'curve': 'basis' } } }%%
flowchart LR
    psp[Aplicação PSP]
    hsm[HSM fa:key]
    fw[Firewall]
    rsfn{{RSFN}}
    spi["SPI (Pix/Dict)"]

    subgraph redepsp [Rede PSP]
      hsm <--> psp
      psp <--> fw
    end
    fw <--> rsfn
    rsfn <--> spi

Signature and verification

The Pix signature and verification APIs are based on the ISO 20.022 standard, and the DICT APIs follow the XMLDSig format, both defined by SPI in the document "Annex IV - Security Manual".

The API functions for use with Pix and DICT signing require the internal storage in the HSM of the digital certificates for digital signing and the complete chain of trust of the certificates for verification.

To write a digital certificate (or file) to the HSM, use the remote management console or the DWriteFile() API.

The digital certificate for signing must be encoded in ASN1 DER binary format and also follow the X.509 standard. The file containing the chain of trust for verifying the digital signature must be encoded in PKCS#7 format (Public Key Cryptography Standard #7 - Cryptographic Message Syntax Standard).

The JWS Pix signing and validation functions follow RFC 7515 and the SPI documentation.

HTTP requests

The Pix HTTP request APIs provide secure HTTP communication with Pix or DICT servers, using the keys and certificates protected by the HSM.

The Pix standard secure communication functions that follow the definitions described in the following documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.

Operation

The secure connection is made between the PSP server and the Pix/DICT server, the HSM is only used to use PSP objects and private keys.

Access to the HSM only occurs during the TLS handshake. After the tunnel is closed, communication is only maintained between the PSP server and the Pix/DICT server.

---
title: Visão geral handshake TLS utilizando o HSM
---

%%{ init: { 'flowchart': { 'curve': 'basis' }} }%%
sequenceDiagram
    participant hsm as HSM
    participant psp as PSP
    participant spi as SPI (Pix/Dict)

    Note over hsm: certificado TLS
    psp ->> spi: Inicia handshake TLS
    spi ->> psp: Requisita<br>credenciais do PSP
    psp ->> psp: Autentica SPI
    psp ->> hsm: Requisita informações<br>de autenticação
    hsm ->> hsm: Gera assinatura<br>para autenticação TLS
    destroy hsm
    hsm ->> psp: Envia assinatura
    psp ->> spi: Envia dados<br>de autenticação
    spi ->> spi: Autentica PSP
    loop Canal TLS
        %% necessário manter o espaço após o spi: (ou usar um text)
        psp-->spi: 
        psp ->> spi: Requisição<br>Pix/Dict
        spi ->> psp: Resposta
    end

An HTTP connection is associated with the HSM session handle that was used to open the HTTP session. This makes it possible to maintain the association and access to the connection objects (private key, certificate and certificate chain) within the HSM.

---
title: Handle de sessão do HSM
---

%%{ init: { 'flowchart': { 'curve': 'basis' } } }%%
flowchart TB
    hsm[Sessão HSM]
    http[Sessão HTTP]
    %% necessário manter os espaços após o subpgraph (ou usar um text)
    subgraph  
      hsm
      http
    end
  • The HTTP session is only opened in Pix HTTP request calls.
  • The HTTP session is closed when its respective HSM session is physically closed (session closure with cache disabled or explicitly set to physically close the session).
  • A closed session (with no explicit definition of physical closure and no cache disabled) does not close the associated HTTP session because there is no physical closure of the session.
  • The HTTP session is reused in subsequent HTTP calls, regardless of the type of HTTP operation (POST, GET, DELETE or PUT) used.
  • The HTTP session is not reused when the connection parameters (IP, port) are changed.

For example: suppose a POST operation is performed, the HTTP session is kept open within the HSM session handle. When you close the HSM session (without disabling the session cache) the session is stored in the session cache along with the HTTP session. If a new session is requested, the cached session will be returned. When reusing the HSM session handle for a GET operation, the HTTP session is reused because it was stored in the HSM session handle.

JWS

The Pix module provides APIs to help you use the Pix dynamic QR Code. APIs are available for signing and checking JWS (JSON Web Signature).