NET API
HSM Dinamo
Loading...
Looking for...
No entries found
Functions
Pix

Detailed description

Operations destined for the Pix of the SPI (Instant Payment System).

Pix

The Pix module APIs are designed to use Pix's HTTP request signing, verification, sending and receiving functionalities.

Network

The HSM does not make direct access to the Pix/DICT servers, but is positioned on the network for use by the PSP's internal servers.

--- title: Diagrama físico de rede --- %%{ init: { 'flowchart': { 'curve': 'basis' } } }%% flowchart LR psp[Aplicação PSP] hsm[HSM] fw[Firewall] rsfn{{RSFN}} spi["SPI (Pix/Dict)"] subgraph redepsp [Rede PSP] hsm <--> psp psp <--> fw end fw <--> rsfn rsfn <--> spi

Signature and verification

The Pix signature and verification APIs are based on the ISO 20.022 standard, and the DICT APIs follow the XMLDSig format, both defined by SPI in the document "Annex IV - Security Manual".

The API functions for use with Pix and DICT signing require the internal storage in the HSM of the digital certificates for digital signing and the complete chain of trust of the certificates for verification.

To write a digital certificate (or file) to the HSM, use the remote management console or the DWriteFile() API.

The digital certificate for signing must be encoded in ASN1 DER binary format and also follow the X.509 standard. The file containing the chain of trust for verifying the digital signature must be encoded in PKCS#7 format (Public Key Cryptography Standard #7 - Cryptographic Message Syntax Standard).

The JWS Pix signing and validation functions follow RFC 7515 and the SPI documentation.

HTTP requests

The Pix HTTP request APIs provide secure HTTP communication with Pix or DICT servers, using the keys and certificates protected by the HSM.

The Pix standard secure communication functions that follow the definitions described in the following documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.

Operation

The secure connection is made between the PSP server and the Pix/DICT server, the HSM is only used to use PSP objects and private keys.

Access to the HSM only occurs during the TLS handshake. After the tunnel is closed, communication is only maintained between the PSP server and the Pix/DICT server.

--- title: Visão geral handshake TLS utilizando o HSM --- %%{ init: { 'flowchart': { 'curve': 'basis' }} }%% sequenceDiagram participant hsm as HSM participant psp as PSP participant spi as SPI (Pix/Dict) Note over hsm: certificado TLS psp ->> spi: Inicia handshake TLS spi ->> psp: Requisita
credenciais do PSP psp ->> psp: Autentica SPI psp ->> hsm: Requisita informações
de autenticação hsm ->> hsm: Gera assinatura
para autenticação TLS destroy hsm hsm ->> psp: Envia assinatura psp ->> spi: Envia dados
de autenticação spi ->> spi: Autentica PSP loop Canal TLS %% necessário manter o espaço após o spi: (ou usar um text) psp-->spi: psp ->> spi: Requisição
Pix/Dict spi ->> psp: Resposta end

An HTTP connection is associated with the HSM session handle that was used to open the HTTP session. This makes it possible to maintain the association and access to the connection objects (private key, certificate and certificate chain) within the HSM.

--- title: Handle de sessão do HSM --- %%{ init: { 'flowchart': { 'curve': 'basis' } } }%% flowchart TB hsm[Sessão HSM] http[Sessão HTTP] %% necessário manter os espaços após o subpgraph (ou usar um text) subgraph hsm http end

For example: suppose a POST operation is performed, the HTTP session is kept open within the HSM session handle. When the HSM session is closed (without disabling the session cache), the session is stored in the session cache along with the HTTP session. If a new session is requested, the cached session will be returned. When reusing the HSM session handle for a GET operation, the HTTP session is reused because it was stored in the HSM session handle.

Good practices

General

  1. Reuse sessions (benefit from session caching). Use the HSM session cache and gain performance by reusing HSM and HTTP sessions. In this case, it is recommended that you open a session, perform the operations you want and then close it, allowing the session to be reused quickly, thus reducing downtime.
  2. Ensuring that sessions are closed. Closing sessions guarantees the release of the resource, both in the HSM and on the client. Make sure that sessions are closed even for operations with a return code other than success.
  3. Use concurrent sessions. Using concurrent/parallel sessions with the HSM helps to extract maximum performance. Attention should be paid to using too many sessions with HSMs, so as not to cause unnecessary use of resources. The throughput curve tends to rise and find a plateau.

Pix HTTP requests

  1. Define a connection object reload interval. You can optimize the number of times HSM keys and objects are loaded by setting a reload interval for HSM objects. As the institution's key/certificate/chain update is done infrequently and on a scheduled basis, it is advantageous to define a reload interval for these objects. Pay attention to network asset timeouts that are shorter than this value to avoid premature disconnections and unnecessary errors. See more details and how to configure here.

Important settings

General
  1. Set the HSM connection timeouts. When the HSM timeout is not set, the default is that of the operating system. In the event of a connection failure, the application may wait too long. It is important to ALWAYS set the HSM's send and receive timeouts. Other connection parameters can be found here.

Pix HTTP requests
  1. Define the HTTP operation timeouts. When not defined, the default HTTP operation timeout is unlimited. In the event of an HTTP connection failure, the application may be put on hold indefinitely. It is important to ALWAYS set the timeout in HTTP request calls.

Functions

byte[] SignPIX (string KeyId, string CertId, int Flags, byte[] byUnsignedPIXEnvelope)
 Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).
 
byte[] SignPIX (string KeyId, string CertId, byte[] byUnsignedPIXEnvelope)
 Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).
 
bool VerifyPIX (string ChainId, string CRL, string SignedPIXEnvelope)
 Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).
 
byte[] SignPIXDict (string KeyId, string CertId, int Flags, byte[] byUnsignedDictEnvelope)
 Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).
 
byte[] SignPIXDict (string KeyId, string CertId, byte[] byUnsignedDictEnvelope)
 Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).
 
bool VerifyPIX (string ChainId, string CRL, int Flags, byte[] SignedPIXEnvelope)
 Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).
 
bool VerifyPIX (string ChainId, string CRL, byte[] SignedPIXEnvelope)
 Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).
 
bool VerifyPIXDict (string ChainId, string CRL, int Flags, byte[] SignedDictEnvelope)
 Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).
 
bool VerifyPIXDict (string ChainId, string CRL, byte[] SignedDictEnvelope)
 Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).
 
byte[] SignPIXJWS (string KeyId, byte[] byHeader, byte[] byPayload)
 It makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).
 
string SignPIXJWS (string KeyId, string Header, string Payload)
 It makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).
 
JwsComponents CheckPIXJWS (string Chain, string CRL, byte[] byJWS, Int32 flags)
 Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).
 
JwsComponents CheckPIXJWS (string Chain, string CRL, string JWS, Int32 flags)
 Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).
 
bool CheckPIXJWS (string Chain, string CRL, byte[] byJWS)
 Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).
 
bool CheckPIXJWS (string Chain, string CRL, string JWS)
 Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).
 
PIXResponse postPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, byte[] RequestData, Int32 TimeOut, bool UseGzip, bool VerifyHostName)
 It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System). Uses the basic initial HTTP header.
 
PIXResponse postPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, byte[] RequestData, Int32 TimeOut, Int32 Param)
 It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).
 
PIXResponse putPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, byte[] RequestData, Int32 TimeOut, bool UseGzip, bool VerifyHostName)
 It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System). Uses the basic initial HTTP header.
 
PIXResponse putPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, byte[] RequestData, Int32 TimeOut, Int32 Param)
 It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).
 
PIXResponse getPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, Int32 TimeOut, bool UseGzip, bool VerifyHostName)
 It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System). Uses the basic initial HTTP header.
 
PIXResponse getPIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, Int32 TimeOut, Int32 Param)
 It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).
 
PIXResponse deletePIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, Int32 TimeOut, bool UseGzip, bool VerifyHostName)
 Makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System). Uses the basic initial HTTP header.
 
PIXResponse deletePIX (string KeyId, string CertId, string PIXCertChainId, string URL, string[] RequestHeaderList, Int32 TimeOut, Int32 Param)
 It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).
 
DinamoApi.PIXHTTPReqDetails getPIXHTTPReqDetails ()
 Retrieves the details of the last PIX HTTP request (POST, GET...) made in this session. This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform other operations between these calls.
 
Int64 getPIXHTTPReqCode ()
 Retrieves the return code of the last PIX HTTP request (POST, GET...) made in this session. This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform any other operations between these calls.
 

Functions

SignPIX() [1/2]

byte[] SignPIX ( string  KeyId,
string  CertId,
int  Flags,
byte[]  byUnsignedPIXEnvelope 
)
inline

Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. Corresponding to a CPIA certificate.
CertIdName of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
FlagsSubscription options. Pass 0. If you need any additional options, the following values are accepted.
Value Meaning
DinamoAPI.PIX_SIGN_RNS Enables the use of relative namespaces.
Parameters
byUnsignedPIXEnvelopeParameter containing the XML to be signed.
Return
The signed XML document.
Exceptions
DinamoExceptionThrows exception in case of signature errors

We recommend using the signature tag using the full closure, as seen below, for performance reasons.

<Sgntr></Sgntr>

The tag with a simple closing is also accepted, see below.

<Sgntr/>
Examples
sign_verify_pix.cs.

SignPIX() [2/2]

byte[] SignPIX ( string  KeyId,
string  CertId,
byte[]  byUnsignedPIXEnvelope 
)
inline

Digitally signs an XML in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. Corresponding to a CPIA certificate.
CertIdName of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
byUnsignedPIXEnvelopeParameter containing the XML to be signed.
Return
The signed XML document.
Exceptions
DinamoExceptionThrows exception in case of signature errors

We recommend using the signature tag using the full closure, as seen below, for performance reasons.

<Sgntr></Sgntr>

The tag with a simple closing is also accepted, see below.

<Sgntr/>

VerifyPIX() [1/3]

bool VerifyPIX ( string  ChainId,
string  CRL,
string  SignedPIXEnvelope 
)
inline

Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainIdName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
SignedPIXEnvelopeDigitally signed XML
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of error.
Examples
sign_verify_pix.cs.

SignPIXDict() [1/2]

byte[] SignPIXDict ( string  KeyId,
string  CertId,
int  Flags,
byte[]  byUnsignedDictEnvelope 
)
inline

Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. Corresponding to a CPIA certificate.
CertIdName of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
FlagsReserved for future use (must be 0).
byUnsignedDictEnvelopeParameter containing the XML to be signed.
Return
The signed XML document.
Exceptions
DinamoExceptionThrows exception in case of signature errors

Do not include the signature tag, it will be added automatically.

SignPIXDict() [2/2]

byte[] SignPIXDict ( string  KeyId,
string  CertId,
byte[]  byUnsignedDictEnvelope 
)
inline

Digitally signs an XML in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. Corresponding to a CPIA certificate.
CertIdName of the digital certificate used for signing. Digital certificate of the PSP registered with SPI for signing, also known as CPIA or CERTPIA.
byUnsignedDictEnvelopeParameter containing the XML to be signed.
Return
The signed XML document.
Exceptions
DinamoExceptionThrows exception in case of signature errors

Do not include the signature tag, it will be added automatically.

VerifyPIX() [2/3]

bool VerifyPIX ( string  ChainId,
string  CRL,
int  Flags,
byte[]  SignedPIXEnvelope 
)
inline

Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainIdName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
FlagsReserved for future use (must be 0).
SignedPIXEnvelopeDigitally signed XML
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of error.

VerifyPIX() [3/3]

bool VerifyPIX ( string  ChainId,
string  CRL,
byte[]  SignedPIXEnvelope 
)
inline

Checks the signature of a digitally signed XML document in ISO 20.022 format following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainIdName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
SignedPIXEnvelopeDigitally signed XML
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of error.

VerifyPIXDict() [1/2]

bool VerifyPIXDict ( string  ChainId,
string  CRL,
int  Flags,
byte[]  SignedDictEnvelope 
)
inline

Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters
ChainIdName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
FlagsReserved for future use (must be 0).
SignedDictEnvelopeDigitally signed XML
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of error.

VerifyPIXDict() [2/2]

bool VerifyPIXDict ( string  ChainId,
string  CRL,
byte[]  SignedDictEnvelope 
)
inline

Checks the signature of a digitally signed XML document in XMLDSig format following the DICT standard defined in the SPI (Instant Payment System).

Parameters
ChainIdName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
SignedDictEnvelopeDigitally signed XML
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of error.

SignPIXJWS() [1/2]

byte[] SignPIXJWS ( string  KeyId,
byte[]  byHeader,
byte[]  byPayload 
)
inline

It makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. As defined in the PIX security manual
byHeaderJWS header for signature. At least the header parameter alg must be informed. Accepted values for alg.
Value Meaning
RS256 RSA 2048 PKCS#1v5
RS384 RSA 3072 PKCS#1v5
RS512 RSA 4096 PKCS#1v5
PS256 RSA 2048 PSS
PS384 RSA 3072 PSS
PS512 RSA 4096 PSS
ES256 ECC SECP256R1
ES384 ECC SECP384R1
ES512 ECC SECP521R1
byPayloadJWS payload for subscription.
Return
JWS signed.
Exceptions
DinamoExceptionThrows exception in case of signature errors

It uses the Compact Serialization format described in Section-3.1 of RFC 7515.

Examples
sign_check_jws.cs.

SignPIXJWS() [2/2]

string SignPIXJWS ( string  KeyId,
string  Header,
string  Payload 
)
inline

It makes a JWS RFC 7515 signature following the PIX standard defined in the SPI (Instant Payment System).

Parameters
KeyIdName of the private key used for signing. As defined in the PIX security manual
HeaderJWS header for signature. At least the header parameter alg must be informed. Accepted values for alg.
Value Meaning
RS256 RSA 2048 PKCS#1v5
RS384 RSA 3072 PKCS#1v5
RS512 RSA 4096 PKCS#1v5
PS256 RSA 2048 PSS
PS384 RSA 3072 PSS
PS512 RSA 4096 PSS
ES256 ECC SECP256R1
ES384 ECC SECP384R1
ES512 ECC SECP521R1
PayloadJWS payload for subscription.
Return
JWS signed.
Exceptions
DinamoExceptionThrows exception in case of signature errors

It uses the Compact Serialization format described in Section-3.1 of RFC 7515.

CheckPIXJWS() [1/4]

JwsComponents CheckPIXJWS ( string  Chain,
string  CRL,
byte[]  byJWS,
Int32  flags 
)
inline

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
byJWSJWS signed.
flagsCheck options. It should be 0.
Return
JwsComponents class that will contain the return code, the Header and the Payload of the signed message.
Exceptions
DinamoExceptionThrows exception in case of verification errors
Examples
sign_check_jws.cs.

CheckPIXJWS() [2/4]

JwsComponents CheckPIXJWS ( string  Chain,
string  CRL,
string  JWS,
Int32  flags 
)
inline

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
JWSJWS signed.
flagsCheck options. It should be 0.
Return
JwsComponents class that will contain the return code, the Header and the Payload of the signed message.
Exceptions
DinamoExceptionThrows exception in case of verification errors

CheckPIXJWS() [3/4]

bool CheckPIXJWS ( string  Chain,
string  CRL,
byte[]  byJWS 
)
inline

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
byJWSJWS signed.
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of verification errors

CheckPIXJWS() [4/4]

bool CheckPIXJWS ( string  Chain,
string  CRL,
string  JWS 
)
inline

Validates an RFC 7515 signed JWS following the PIX standard defined in the SPI (Instant Payment System).

Parameters
ChainName of the PKCS#7 chain (stored internally in the HSM) of the certificate used in the signature. The chain must be complete, from the root CA to the actual certificate used in the signature. This formatting is necessary because the Pix XML message does not contain the certificate used in the signature. Optionally, only the X.509 certificate used for signing can be passed instead of the complete chain. As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several chains. It is important to note that in the case of an HSM PKCS#7 object containing multiple chains, the presence of an expired certificate in any of the chains will generate a valid signature return code with an expired certificate (non-zero code) in the verification, even if the signature was made with a certificate from a non-expired chain; it is up to the application to handle this correctly according to local policy.
CRLName of the Certificate Revocation List (CRL) - stored internally in the HSM - where the digital certificate will be verified. It is possible to pass NULL indicating that there is no CRL to check.
JWSJWS signed.
Return
True if the check was successful.
Exceptions
DinamoExceptionThrows exception in case of verification errors

postPIX() [1/2]

PIXResponse postPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
byte[]  RequestData,
Int32  TimeOut,
bool  UseGzip,
bool  VerifyHostName 
)
inline

It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System). Uses the basic initial HTTP header.

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent and Content-Length.
RequestDataData sent in the request.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
UseGzipAutomatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
VerifyHostNameChecks certificate with host name.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

Examples
basic_post_put_get_delete_pix.cs and post_put_get_delete_pix.cs.

postPIX() [2/2]

PIXResponse postPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
byte[]  RequestData,
Int32  TimeOut,
Int32  Param 
)
inline

It makes a secure HTTP POST request following the PIX standard defined in SPI (Instant Payment System).

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding, Content-Type, Expect and Content-Length.
RequestDataData sent in the request.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
Param
Value Meaning
0 Default option. Does not check the certificate with the host name.
DinamoApi.PIX_VERIFY_HOST_NAME Checks certificate with host name.
DinamoApi.PIX_BASIC_HTTP_HEADER Uses the basic initial HTTP header. Includes Host, User-Agent and Content-Length.
DinamoApi.PIX_GZIP Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

putPIX() [1/2]

PIXResponse putPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
byte[]  RequestData,
Int32  TimeOut,
bool  UseGzip,
bool  VerifyHostName 
)
inline

It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System). Uses the basic initial HTTP header.

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent and Content-Length.
RequestDataData sent in the request.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
UseGzipAutomatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
VerifyHostNameChecks certificate with host name.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

Examples
basic_post_put_get_delete_pix.cs and post_put_get_delete_pix.cs.

putPIX() [2/2]

PIXResponse putPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
byte[]  RequestData,
Int32  TimeOut,
Int32  Param 
)
inline

It makes a secure HTTP PUT request following the PIX standard defined in the SPI (Instant Payment System).

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding, Expect and Content-Length.
RequestDataData sent in the request.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
Param
Value Meaning
0 Default option. Does not check the certificate with the host name.
DinamoApi.PIX_VERIFY_HOST_NAME Checks certificate with host name.
DinamoApi.PIX_BASIC_HTTP_HEADER Uses the basic initial HTTP header. Includes Host, User-Agent and Content-Length.
DinamoApi.PIX_GZIP Automatically gzips the request data. Automatically includes the necessary headers (Content-Encoding and Accept-Encoding).
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

getPIX() [1/2]

PIXResponse getPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
Int32  TimeOut,
bool  UseGzip,
bool  VerifyHostName 
)
inline

It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System). Uses the basic initial HTTP header.

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The default initial header includes Host and User-Agent.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
UseGzipIncludes the Accept-Encoding: gzip header if basic header is enabled.
VerifyHostNameChecks certificate with host name.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

Examples
basic_post_put_get_delete_pix.cs and post_put_get_delete_pix.cs.

getPIX() [2/2]

PIXResponse getPIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
Int32  TimeOut,
Int32  Param 
)
inline

It makes a secure HTTP GET request following the PIX standard defined in the SPI (Instant Payment System).

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
Param
Value Meaning
0 Default option.Does not check the certificate with the host name.
DinamoApi.PIX_VERIFY_HOST_NAME Checks certificate with host name.
DinamoApi.PIX_BASIC_HTTP_HEADER Uses the basic initial HTTP header. Includes Host and User-Agent.
DinamoApi.PIX_GZIP Includes the Accept-Encoding: gzip header if basic header is enabled.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

deletePIX() [1/2]

PIXResponse deletePIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
Int32  TimeOut,
bool  UseGzip,
bool  VerifyHostName 
)
inline

Makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System). Uses the basic initial HTTP header.

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The default initial header includes Host and User-Agent.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
UseGzipIncludes the Accept-Encoding: gzip header if basic header is enabled.
VerifyHostNameChecks certificate with host name.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

Examples
basic_post_put_get_delete_pix.cs and post_put_get_delete_pix.cs.

deletePIX() [2/2]

PIXResponse deletePIX ( string  KeyId,
string  CertId,
string  PIXCertChainId,
string  URL,
string[]  RequestHeaderList,
Int32  TimeOut,
Int32  Param 
)
inline

It makes a secure HTTP DELETE request following the PIX standard defined in SPI (Instant Payment System).

Observation
Make the timeout settings. See more details in the Best practices section.
Parameters
KeyIdName of the private key used to close the tunnel. Corresponds to a CPIC certificate.
CertIdName of the certificate used to close the tunnel. Digital certificate of the PSP registered in the SPI for connection, also known as CPIC or CERTPIC.
PIXCertChainIdName of the PKCS#7 string used to check the PIX server (ICOM or DICT). As of version 5.0.23 of the HSM firmware, it is possible to use a PKCS#7 object that contains several strings.
URLURL of the PIX server (ICOM or DICT).
RequestHeaderListLines containing the customized HTTP headers that will be used in the request. Can be passed null if you want to use the default header without changes.
This option will overwrite the default headers if they overlap.
To remove a header, pass the name of the header without a value (e.g. Accept:).
To include a header without content, use ; instead of : (Ex. Accept;).
Do NOT use CRLF terminators in headers. Passing these terminators may cause unwanted behavior. Formatting will be done internally.
This option cannot be used to change the first line of the request (e.g. POST, PUT, GET, DELETE), which is not a header. You must use the corresponding API, described in this manual.
The standard initial header includes Host, User-Agent, Accept, Accept-Encoding.
TimeOutOperation timeout time in milliseconds. Can be set to 0 for no timeout.
Param
Value Meaning
0 Default option.Does not check the certificate with the host name.
DinamoApi.PIX_VERIFY_HOST_NAME Checks certificate with host name.
DinamoApi.PIX_BASIC_HTTP_HEADER Uses the basic initial HTTP header. Includes Host and User-Agent.
DinamoApi.PIX_GZIP Includes the Accept-Encoding: gzip header if basic header is enabled.
Return
The response to the request.
Exceptions
DinamoExceptionThrows exception in case of request errors

It executes a secure request following the PIX standard defined in the SPI in the documents: "Annex IV - Security Manual", "Technical and business specifications of the Brazilian instant payment ecosystem" and "Annex III - Communication Interfaces Manual" defined in the SPI.
The negotiated tunnel is TLS version 1.2 with mutual authentication, using the HTTP protocol version 1.1 with a minimum Cipher Suite of ECDHE-RSA-AES-128-GCM-SHA256.

This API will automatically decompress a response that comes compressed in the gzip standard. If you choose to compress the sending data, the API caller must do so in gzip format.

This request uses the following headers by default.
"Accept-Encoding: gzip"
"User-Agent: DNLC/0.0.0.0", where 0.0.0.0 is the version of the HSM client library used.

Certificate validation with the host name is done by checking that the Common Name field or Subject Alternate Name field of the certificate matches the host name of the URL passed as a parameter.

When making an HTTP request, 2 operations are performed, one to use the HSM objects (private key, certificate and chain, used for tunnel authentication) and the other to open the HTTP session with the HTTP server.
To optimize resources, the session with the HTTP server is kept open and cached; likewise, the session with the HSM is cached by default (the HSM session can optionally be set not to be cached).
The HTTP session is associated with the session opened with the HSM, which means that to reuse an HTTP session you must use the same HSM session that was previously used to open the HTTP session.
The HTTP session is physically closed when the session with the HSM is physically closed.
The HSM session and the HTTP session have thread-session affinity and cannot be used simultaneously by several threads.

Long Polling is adjusted by setting the HTTP operation timeout (POST/GET/DELETE) according to the HTTP server settings.

getPIXHTTPReqDetails()

DinamoApi.PIXHTTPReqDetails getPIXHTTPReqDetails ( )
inline

Retrieves the details of the last PIX HTTP request (POST, GET...) made in this session. This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform other operations between these calls.

Return
Details of the last PIX HTTP request for this session.
Exceptions
DinamoExceptionThrows exception in case of error.
Examples
post_put_get_delete_pix.cs.

getPIXHTTPReqCode()

Int64 getPIXHTTPReqCode ( )
inline

Retrieves the return code of the last PIX HTTP request (POST, GET...) made in this session. This operation must be called immediately after calling the PIX request API. It must be called using the same session. Do not perform any other operations between these calls.

Return
HTTP return code.
Exceptions
DinamoExceptionThrows exception in case of error.
Generated by Doxygen / Doxygen Awesome