
...

This document is also available in Portuguese.

The Open Finance Brasil Initial Structure is responsible for creating the standards and specifications necessary to meet the requirements and obligations of the Brasil Open Finance Legislation as originally outlined by the Brasil Central Bank. Some elements of this document may be subject to patent rights. OFBIS shall not be held responsible for identifying any or all such patent rights.

...

...

The certificates used by Open Finance Brasil are also required to authenticate applications through OAuth 2.0 mTLS or private_key_jwt, in addition to being used to sign payloads with JWS. Another important role of these certificates is to authenticate the participating organization and present a secure channel to the end user during authentication and use of the services it provides.

...

Client Application Certificates (Transport) are used to authenticate the mTLS channel and to authenticate the client application through OAuth 2.0 mTLS or private_key_jwt, according to the application registration performed by the Dynamic Client Registration process with the transmitting organization. For mTLS, the client certificate shall be sent together with its intermediate chain, as specified in RFC 5246.

...

  • serialNumber: National Register of Legal Personnel (CNPJ) of the legal entity holding the certificate and associated with the UID attribute and Software Statement ID, during validation with the Directory Service of Open Finance Brasil;

  • organizationIdentifier: Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brasil. For certificates issued until August 31 the field used for this information is organizationalUnitName.

  • UID: Software Statement ID registered in the Directory Service of Open Finance Brasil and belonging to the CNPJ and Participant Code.

The Client Certificate must be issued through the V10 chain, and must contain the following attributes:

Distinguished Name

  • businessCategory (OID 2.5.4.15): Type of business category, which must contain: "Private Organization" or "Government Entity" or "Business Entity" or "Non-Commercial Entity"

  • jurisdictionCountryName (OID: 1.3.6.1.4.1.311.60.2.1.3): BR

  • serialNumber (OID 2.5.4.5): CNPJ

  • countryName (OID 2.5.4.6): BR

  • organizationName (OID 2.5.4.10): Company Name

  • stateOrProvinceName (OID 2.5.4.8): Federation unit of the certificate holder's physical address

  • localityName (OID 2.5.4.7): City of the holder's physical address

  • organizationIdentifier (OID 2.5.4.97): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brasil. *For certificates issued until August 31: organizationalUnitName (OID 2.5.4.11): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brasil*

  • UID (OID 0.9.2342.19200300.100.1.1): Software Statement ID generated by Open Finance Brasil Directory

  • commonName (OID 2.5.4.3): FQDN or Wildcard

...

  • keyUsage: critical,digitalSignature,keyEncipherment

  • extendedKeyUsage: clientAuth

Subject Alternative Name

dNSName: FQDN or Wildcard
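As an added illustration (not code from the Open Finance Brasil specification or the Directory software), the following Python applies the subject and extension rules above to a client (transport) certificate that has already been parsed into plain values, the way a DCR validator or an mTLS terminator would have them after extracting the subject. It targets the post-August-31 profile (organizationIdentifier carrying the OFBBR- prefix). The Directory Service lookup is replaced by a constructed in-memory table keyed by CNPJ; the sample subject is the example certificate from section 9. Two checks are additions not stated on this page: the CNPJ mod-11 check-digit rule, and the assumption that Software Statement IDs are UUIDs, as in that example.

```python
import re
from uuid import UUID

# businessCategory (OID 2.5.4.15) values the profile permits.
ALLOWED_BUSINESS_CATEGORIES = {
    "Private Organization", "Government Entity",
    "Business Entity", "Non-Commercial Entity",
}
REQUIRED_KEY_USAGE = {"digitalSignature", "keyEncipherment"}
REQUIRED_SUBJECT_ATTRS = (
    "businessCategory", "jurisdictionCountryName", "serialNumber", "countryName",
    "organizationName", "stateOrProvinceName", "localityName",
    "organizationIdentifier", "UID", "commonName",
)


def cnpj_is_valid(cnpj):
    """True if cnpj is 14 digits whose two mod-11 check digits are correct (assumed rule)."""
    if not re.fullmatch(r"\d{14}", cnpj):
        return False
    d = [int(c) for c in cnpj]

    def check_digit(nums, weights):
        r = sum(n * w for n, w in zip(nums, weights)) % 11
        return 0 if r < 2 else 11 - r

    w1 = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    return check_digit(d[:12], w1) == d[12] and check_digit(d[:13], [6] + w1) == d[13]


def is_uuid(value):
    try:
        UUID(str(value))
    except ValueError:
        return False
    return True


def check_client_certificate(subject, extensions, directory):
    """Apply the client certificate profile; return a list of findings (empty = conforms)."""
    findings = []
    for attr in REQUIRED_SUBJECT_ATTRS:
        if not subject.get(attr):
            findings.append(f"missing subject attribute {attr}")
    if subject.get("businessCategory") not in ALLOWED_BUSINESS_CATEGORIES:
        findings.append("businessCategory is not one of the permitted values")
    for attr in ("jurisdictionCountryName", "countryName"):
        if subject.get(attr) != "BR":
            findings.append(f"{attr} must be BR")
    cnpj = subject.get("serialNumber", "")
    if not cnpj_is_valid(cnpj):
        findings.append("serialNumber is not a valid CNPJ")
    org_id = subject.get("organizationIdentifier", "")
    if not org_id.startswith("OFBBR-"):
        findings.append("organizationIdentifier must carry the OFBBR- prefix")
    ssid = subject.get("UID", "")
    if not is_uuid(ssid):
        findings.append("UID is not a UUID-formatted Software Statement ID")
    # Directory Service lookup, stubbed by a dict keyed by CNPJ.
    entry = directory.get(cnpj)
    if entry is None:
        findings.append("CNPJ is not a registered participant")
    else:
        if org_id != "OFBBR-" + entry["participant_code"]:
            findings.append("organizationIdentifier does not match the participant code for this CNPJ")
        if ssid not in entry["software_statements"]:
            findings.append("UID does not belong to this CNPJ's registered software statements")
    ku = extensions.get("keyUsage", {})
    if not ku.get("critical") or not REQUIRED_KEY_USAGE <= set(ku.get("values", ())):
        findings.append("keyUsage must be critical with digitalSignature and keyEncipherment")
    if "clientAuth" not in extensions.get("extendedKeyUsage", ()):
        findings.append("extendedKeyUsage must include clientAuth")
    if extensions.get("basicConstraints", {}).get("CA", False):
        findings.append("client certificate must not be a CA")
    cn = subject.get("commonName")
    if cn and cn not in extensions.get("subjectAltName", {}).get("dNSName", []):
        findings.append("commonName must also appear as a dNSName in subjectAltName")
    return findings


# Constructed sample: the subject of the example certificate in section 9, plus
# extensions as the profile requires them.
SAMPLE_SUBJECT = {
    "businessCategory": "Private Organization",
    "jurisdictionCountryName": "BR",
    "serialNumber": "43142666000197",
    "countryName": "BR",
    "organizationName": "Chicago Advisory Partners",
    "stateOrProvinceName": "SP",
    "localityName": "Sao Paulo",
    "organizationIdentifier": "OFBBR-d7384bd0-842f-43c5-be02-9d2b2d5efc2c",
    "UID": "bc97b8f0-cae0-4f2f-9978-d93f0e56a833",
    "commonName": "web.conftpp.directory.openbankingbrasil.org.br",
}
SAMPLE_EXTENSIONS = {
    "keyUsage": {"critical": True, "values": {"digitalSignature", "keyEncipherment"}},
    "extendedKeyUsage": {"clientAuth"},
    "subjectAltName": {"dNSName": ["web.conftpp.directory.openbankingbrasil.org.br"]},
    "basicConstraints": {"CA": False},
}
# Constructed stand-in for the Directory Service: CNPJ -> participant code and
# the Software Statement IDs registered under it.
SAMPLE_DIRECTORY = {
    "43142666000197": {
        "participant_code": "d7384bd0-842f-43c5-be02-9d2b2d5efc2c",
        "software_statements": {"bc97b8f0-cae0-4f2f-9978-d93f0e56a833"},
    }
}

if __name__ == "__main__":
    print(check_client_certificate(SAMPLE_SUBJECT, SAMPLE_EXTENSIONS, SAMPLE_DIRECTORY))
```

The Directory cross-checks are the ones that matter operationally: a certificate can be syntactically perfect and still belong to a different participant, so the CNPJ, participant code and Software Statement ID must agree with the Directory, not just with each other.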

5.2.3. Signature Certificate

...

  • UID (OID 0.9.2342.19200300.100.1.1): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brazil

  • countryName (OID 2.5.4.6): BR

  • organizationName (OID 2.5.4.10): ICP-Brasil

  • organizationalUnitName (OID 2.5.4.11): Certificate Authority Name

  • organizationalUnitName (OID 2.5.4.11): CNPJ of the Registration Authority

  • organizationalUnitName (OID 2.5.4.11): Type of identification used (in person, videoconference or digital certificate)

  • commonName (OID 2.5.4.3): Company Name

Certificate Extensions

keyUsage: critical,digitalSignature,nonRepudiation

Subject Alternative Name

  • otherName (OID 2.16.76.1.3.2 - ICP-Brasil): Name of the person responsible for the certificate

  • otherName (OID 2.16.76.1.3.3 - ICP-Brasil): National Register of Legal Entities (CNPJ) of the legal entity holding the certificate;

  • otherName (OID 2.16.76.1.3.4 - ICP-Brasil): Responsible for the certificate of legal entity holding the certificate (date of birth, CPF, PIS/PASEP/CI, RG);

  • otherName (OID 2.16.76.1.3.7 - ICP-Brasil): INSS Specific Registry Number (CEI) of the legal entity holding the certificate.

...

In accordance with §2 of Art. 10 of Provisional Measure 2200-2 of August 24, 2001 and with the provisions of item 3.12 in BCB Normative Instruction No. 134, for bilateral communication between institutions and partners, the use is authorized, by mutual agreement between the parties, of a private PKI, provided that the requirements of this profile for security certificates are observed, including their formatting, algorithms and established attributes.

...

[req]
default_bits = 2048
default_md = sha256
encrypt_key = yes
prompt = no
string_mask = nombstr
distinguished_name = client_distinguished_name
req_extensions = req_cert_extensions

[ client_distinguished_name ]
businessCategory = <type of organization>
jurisdictionCountryName = BR
serialNumber = <CNPJ>
countryName = BR
organizationName = <Company Name>
stateOrProvinceName = <UF>
localityName = <City>
organizationalUnitName = <Participant Code>
UID = <Software Statement ID issued by the Directory>
commonName = <FQDN|Wildcard>

[ req_cert_extensions ]
basicConstraints = CA:FALSE
subjectAltName = @alt_name
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

[ alt_name ]
DNS = <FQDN|Wildcard>

8.2. Configuration Template for Client Certificate - OpenSSL - For certificates issued after August 31, 2022

oid_section = OIDs

[req]
default_bits = 2048
default_md = sha256
encrypt_key = yes
prompt = no
string_mask = nombstr
distinguished_name = client_distinguished_name
req_extensions = req_cert_extensions

[ OIDs ]
organizationIdentifier = 2.5.4.97

[ client_distinguished_name ]
businessCategory = <type of organization>
jurisdictionCountryName = BR
serialNumber = <CNPJ>
countryName = BR
organizationName = <Company Name>
stateOrProvinceName = <UF>
localityName = <City>
organizationIdentifier = OFBBR-<Participant Code>
UID = <Software Statement ID issued by the Directory>
commonName = <FQDN|Wildcard>

[ req_cert_extensions ]
basicConstraints = CA:FALSE
subjectAltName = @alt_name
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

[ alt_name ]
DNS = <FQDN|Wildcard>

8.3. Configuration Template for Signature Certificate - OpenSSL

[req]

default_bits = 2048
default_md = sha256
encrypt_key = yes
prompt = no
string_mask = nombstr
distinguished_name = client_distinguished_name
req_extensions = req_cert_extensions

[ client_distinguished_name ]
UID = <Participant Code>
countryName = BR
organizationName = ICP-Brasil
0.organizationalUnitName = <Certificate Authority>
1.organizationalUnitName = <CNPJ of the Registration Authority>
2.organizationalUnitName = <Validation type>
commonName = <Company Name>

[ req_cert_extensions ]
basicConstraints = CA:FALSE
subjectAltName = @alt_name
keyUsage = critical,digitalSignature,nonRepudiation

[ alt_name ]
otherName.0 = 2.16.76.1.3.2;PRINTABLESTRING:<Name of the person responsible for the organization>
otherName.1 = 2.16.76.1.3.3;PRINTABLESTRING:<CNPJ>
otherName.2 = 2.16.76.1.3.4;PRINTABLESTRING:<CPF/PIS/RF of the responsible person>
otherName.3 = 2.16.76.1.3.7;PRINTABLESTRING:<INSS Number>

8.4. Endpoints vs Certificate type and mTLS requirements

...

ASPSP may choose the certificate that should be adopted for Open Data endpoints, which, by nature, are publicly accessible.

Table 1

| OFB Phase | Group | Endpoint | Certificate type | mTLS |
|---|---|---|---|---|
| NA | OIDC | .well-known/openid-configuration | EV or ICP WEB SSL | |
| NA | OIDC | jwks_uri | EV or ICP WEB SSL | |
| NA | OIDC | authorization_endpoint | EV | |
| NA | OIDC | token_endpoint | ICP WEB SSL | Required |
| NA | OIDC | userinfo_endpoint | ICP WEB SSL | Required |
| NA | OIDC | pushed_authorization_request_endpoint | ICP WEB SSL | Required |
| NA | DCR | registration_endpoint | ICP WEB SSL | Required |
| NA | OIDC | revocation_endpoint | ICP WEB SSL | Required |
| 2 | Consents | /consents/* | ICP WEB SSL | Required |
| 2 | Resources | /resources/* | ICP WEB SSL | Required |
| 2 | Customer data | /customers/* | ICP WEB SSL | Required |
| 2 | Cards | /credit-cards-accounts/* | ICP WEB SSL | Required |
| 2 | Accounts | /accounts/* | ICP WEB SSL | Required |
| 2 | Loans | /loans/* | ICP WEB SSL | Required |
| 2 | Financings | /financings/* | ICP WEB SSL | Required |
| 2 | Overdraft advances | /unarranged-accounts-overdraft/* | ICP WEB SSL | Required |
| 2 | Credit rights (invoice financings) | /invoice-financings/* | ICP WEB SSL | Required |
| 3 | Payments | /payments/* | ICP WEB SSL | Required |
| 4 | Foreign exchange | /exchanges/* | ICP WEB SSL | Required |
| 4 | Investments | /credit-fixed-incomes/* | ICP WEB SSL | Required |

9. Open Finance Client Certificate Subject DN Pattern - After January 19, 2023

...

Example: https://keystore.directory.openbankingbrasil.org.br/9c721898-9ce0-50f1-bf85-05075557850b/793c382e-edb1-4a64-b5c5-9e27366099b9/transport.jwks

Locate the entry for the certificate's KID in that JWKS, then read its x5dn claim.

9.1. Public Key of Certificate Example:

...

subject=businessCategory = Private Organization, jurisdictionC = BR, serialNumber = 43142666000197, C = BR, O = Chicago Advisory Partners, ST = SP, L = Sao Paulo, organizationIdentifier = OFBBR-d7384bd0-842f-43c5-be02-9d2b2d5efc2c, UID = bc97b8f0-cae0-4f2f-9978-d93f0e56a833, CN = web.conftpp.directory.openbankingbrasil.org.br

9.3. Relative Distinguished Name (RDN) - Human readable:

subject=CN=web.conftpp.directory.openbankingbrasil.org.br,UID=bc97b8f0-cae0-4f2f-9978-d93f0e56a833,organizationIdentifier=OFBBR-d7384bd0-842f-43c5-be02-9d2b2d5efc2c,L=Sao Paulo,ST=SP,O=Chicago Advisory Partners,C=BR,serialNumber=43142666000197,jurisdictionC=BR,businessCategory=Private Organization

9.4. Relative Distinguished Name (RDN) using OID - ASN.1:

subject=2.5.4.3=#0C2E7765622E636F6E667470702E6469726563746F72792E6F70656E62616E6B696E6762726173696C2E6F72672E6272,0.9.2342.19200300.100.1.1=#0C2462633937623866302D636165302D346632662D393937382D643933663065353661383333,2.5.4.97=#0C2A4F464242522D64373338346264302D383432662D343363352D626530322D396432623264356566633263,2.5.4.7=#0C0953616F205061756C6F,2.5.4.8=#0C025350,2.5.4.10=#0C194368696361676F2041647669736F727920506172746E657273,2.5.4.6=#13024252,2.5.4.5=#130E3433313432363636303030313937,1.3.6.1.4.1.311.60.2.1.3=#13024252,2.5.4.15=#0C1450726976617465204F7267616E697A6174696F6E

9.5. Subject DN in RDN - According to RFC4514 - Open Finance Brazil Ecosystem Standard:

CN=web.conftpp.directory.openbankingbrasil.org.br,UID=bc97b8f0-cae0-4f2f-9978-d93f0e56a833,2.5.4.97=#0c2a4f464242522d64373338346264302d383432662d343363352d626530322d396432623264356566633263,L=Sao Paulo,ST=SP,O=Chicago Advisory Partners,C=BR,2.5.4.5=#130e3433313432363636303030313937,1.3.6.1.4.1.311.60.2.1.3=#13024252,2.5.4.15=#0c1450726976617465204f7267616e697a6174696f6e

9.6. Table with RDN and details of the OIDs and Encodings.

| RDN Order | OID | Attribute | ASN.1 tag (hex) | Encoding |
|---|---|---|---|---|
| 1 | 2.5.4.3 | CN | #0C | UTF8 |
| 2 | 0.9.2342.19200300.100.1.1 | UID | #0C | UTF8 |
| 3 | 2.5.4.97 | organizationIdentifier | #0C | UTF8 |
| 4 | 2.5.4.7 | L | #0C | UTF8 |
| 5 | 2.5.4.8 | ST | #0C | UTF8 |
| 6 | 2.5.4.10 | O | #0C | UTF8 |
| 7 | 2.5.4.6 | C | #13 | PrintableString |
| 8 | 2.5.4.5 | serialNumber | #13 | PrintableString |
| 9 | 1.3.6.1.4.1.311.60.2.1.3 | jurisdictionCountryName | #13 | PrintableString |
| 10 | 2.5.4.15 | businessCategory | #0C | UTF8 |
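To show how the x5dn claim from section 9 and the hex-encoded RDN values in sections 9.4 to 9.6 fit together, here is an added Python example; it is not code from the specification or from the Directory software. It takes a constructed JWKS document whose single key entry has a made-up kid and carries the RFC 4514 subject string from section 9.5 as its x5dn claim, looks the entry up by kid, splits the DN into RDNs, decodes each "#hex" value as a BER TLV (one tag byte, one short-form length byte, then the string bytes), and checks attribute order and string tags against the table in 9.6. The same decoder handles the all-hex form from 9.4.

```python
# Table 9.6 in the ecosystem's RDN order: (OID, attribute short name, BER tag byte).
RDN_TABLE = [
    ("2.5.4.3", "CN", 0x0C),
    ("0.9.2342.19200300.100.1.1", "UID", 0x0C),
    ("2.5.4.97", "organizationIdentifier", 0x0C),
    ("2.5.4.7", "L", 0x0C),
    ("2.5.4.8", "ST", 0x0C),
    ("2.5.4.10", "O", 0x0C),
    ("2.5.4.6", "C", 0x13),
    ("2.5.4.5", "serialNumber", 0x13),
    ("1.3.6.1.4.1.311.60.2.1.3", "jurisdictionCountryName", 0x13),
    ("2.5.4.15", "businessCategory", 0x0C),
]
TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString"}
OID_BY_NAME = {name: oid for oid, name, _ in RDN_TABLE}
NAME_BY_OID = {oid: name for oid, name, _ in RDN_TABLE}
EXPECTED_TAG = {oid: tag for oid, _, tag in RDN_TABLE}


def split_rdns(dn):
    """Split an RFC 4514 string on unescaped commas (a backslash escapes the next char)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def decode_hex_value(hex_text):
    """Decode the hex after '#' as a BER TLV with a short-form length; return (tag, text)."""
    raw = bytes.fromhex(hex_text)
    if len(raw) < 2:
        raise ValueError("hex value too short to hold tag and length")
    tag, length = raw[0], raw[1]
    if length >= 0x80:
        raise ValueError("long-form length not handled by this example")
    if len(raw) != 2 + length:
        raise ValueError(f"length byte {length} does not match {len(raw) - 2} value bytes")
    if tag not in TAG_NAMES:
        raise ValueError(f"unexpected string tag 0x{tag:02X}")
    return tag, raw[2:].decode("utf-8" if tag == 0x0C else "ascii")


def decode_subject_dn(dn):
    """Return one dict per RDN: oid, name, decoded value and (for hex values) its encoding."""
    rdns = []
    for part in split_rdns(dn):
        key, _, value = part.partition("=")
        oid = OID_BY_NAME.get(key.strip(), key.strip())  # short names or dotted OIDs
        if value.startswith("#"):
            tag, text = decode_hex_value(value[1:])
        else:
            tag, text = None, value  # plain text carries no tag information
        rdns.append({"oid": oid, "name": NAME_BY_OID.get(oid, oid),
                     "value": text, "encoding": TAG_NAMES.get(tag)})
    return rdns


def check_against_standard(rdns):
    """Compare RDN order and, where hex-encoded, string tags with table 9.6."""
    findings = []
    got = [r["oid"] for r in rdns]
    want = [oid for oid, _, _ in RDN_TABLE]
    if got != want:
        findings.append(f"RDN order differs from the standard: {got}")
    for r in rdns:
        expected = EXPECTED_TAG.get(r["oid"])
        if r["encoding"] and expected and r["encoding"] != TAG_NAMES[expected]:
            findings.append(f"{r['name']} encoded as {r['encoding']}, expected {TAG_NAMES[expected]}")
    return findings


def subject_dn_for_kid(jwks, kid):
    """Return the x5dn claim of the JWKS entry whose kid matches."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid:
            return key["x5dn"]
    raise KeyError(f"no key with kid {kid!r}")


# The subject string from section 9.5 (page content).
SAMPLE_X5DN = ("CN=web.conftpp.directory.openbankingbrasil.org.br,"
               "UID=bc97b8f0-cae0-4f2f-9978-d93f0e56a833,"
               "2.5.4.97=#0c2a4f464242522d64373338346264302d383432662d343363352d626530322d396432623264356566633263,"
               "L=Sao Paulo,ST=SP,O=Chicago Advisory Partners,C=BR,"
               "2.5.4.5=#130e3433313432363636303030313937,"
               "1.3.6.1.4.1.311.60.2.1.3=#13024252,"
               "2.5.4.15=#0c1450726976617465204f7267616e697a6174696f6e")
# Constructed JWKS document: one entry with a made-up kid carrying that string as x5dn.
SAMPLE_JWKS = {"keys": [{"kid": "example-transport-kid", "kty": "RSA", "x5dn": SAMPLE_X5DN}]}

if __name__ == "__main__":
    decoded = decode_subject_dn(subject_dn_for_kid(SAMPLE_JWKS, "example-transport-kid"))
    for rdn in decoded:
        print(f"{rdn['name']:24} {rdn['value']!r:50} {rdn['encoding']}")
    print(check_against_standard(decoded))
```

The tag check matters because C, serialNumber and jurisdictionCountryName are PrintableString while the other attributes are UTF8String; a DER-level comparison of two subjects (as done when matching a presented certificate against the Directory record) fails if the same text is encoded with the other tag, even though a human-readable dump shows identical values.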