Computes the DigitalSignature header value required by ClearBank for
all POST / PATCH / PUT requests.
Algorithm
- UTF-8 encode the raw request body.
- SHA-256 digest the encoded body.
- Sign the digest with the RSA private key using PKCS#1 v1.5 padding.
- Base64-encode the resulting signature bytes.
The private key must be stored in a FIPS 140-2 level 2 compliant HSM in production. In simulation, any RSA key pair works.
Usage
body_json = Jason.encode!(payload)
pem_bin = File.read!("/path/to/private.pem")
{:ok, signature} = ClearBank.Auth.Signer.sign(body_json, pem_bin)
# => "Base64EncodedSignature..."
Functions
Signs a request body and returns the Base64-encoded signature.
Returns {:ok, signature} or {:error, reason}.
Like sign/2 but raises on failure.
@spec verify(body :: iodata(), signature_b64 :: String.t(), public_key_pem :: pem()) :: :ok | {:error, :invalid_signature | :bad_encoding}
Verifies a DigitalSignature using ClearBank's public key.
Used for verifying inbound webhook signatures.
Returns :ok or {:error, :invalid_signature}.
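The signing and verification steps described on this page, as an added Elixir sketch built on OTP's :public_key and :crypto; it is not the source of ClearBank.Auth.Signer. SignerSketch, the :bad_key reason, the reading of :bad_encoding as a Base64 decoding failure, and the sample key pair and body are assumptions made for the example.

```elixir
# Added sketch; SignerSketch and :bad_key are hypothetical names.
defmodule SignerSketch do
  def sign(body, private_pem) do
    with {:ok, key} <- decode_key(private_pem) do
      digest = :crypto.hash(:sha256, body)
      # {:digest, d}: input is already hashed, so :public_key must not hash again.
      signature = :public_key.sign({:digest, digest}, :sha256, key)
      {:ok, Base.encode64(signature)}
    end
  end

  def verify(body, signature_b64, public_pem) do
    with {:ok, key} <- decode_key(public_pem),
         {:ok, signature} <- decode_b64(signature_b64) do
      # Verifying over the raw body makes :public_key do the SHA-256 itself.
      if :public_key.verify(IO.iodata_to_binary(body), :sha256, signature, key),
        do: :ok,
        else: {:error, :invalid_signature}
    end
  end

  defp decode_key(pem) do
    case :public_key.pem_decode(pem) do
      [entry | _] -> {:ok, :public_key.pem_entry_decode(entry)}
      [] -> {:error, :bad_key}
    end
  end

  # Assumption: :bad_encoding means the signature is not valid Base64.
  defp decode_b64(b64) do
    case Base.decode64(b64) do
      {:ok, _} = ok -> ok
      :error -> {:error, :bad_encoding}
    end
  end
end

# Constructed throwaway key pair and body, for a local round trip only.
priv = :public_key.generate_key({:rsa, 2048, 65_537})
pub = {:RSAPublicKey, elem(priv, 2), elem(priv, 3)}
priv_pem = :public_key.pem_encode([:public_key.pem_entry_encode(:RSAPrivateKey, priv)])
pub_pem = :public_key.pem_encode([:public_key.pem_entry_encode(:RSAPublicKey, pub)])
body = ~s({"amount":"10.00","currency":"GBP"})

{:ok, sig} = SignerSketch.sign(body, priv_pem)
:ok = SignerSketch.verify(body, sig, pub_pem)
# A single changed byte in the body, or a non-Base64 signature, is rejected.
{:error, :invalid_signature} = SignerSketch.verify(body <> " ", sig, pub_pem)
{:error, :bad_encoding} = SignerSketch.verify(body, "not base64!", pub_pem)
```

Because the signature covers the exact bytes of the body, sign the same binary that is sent on the wire rather than re-encoding the payload afterwards.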