...
[ISODIR2] - ISO/IEC Directives Part 2 [ISODIR2]: https://www.iso.org/sites/directives/current/part2/index.xhtml
[RFC5280] - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile: https://datatracker.ietf.org/doc/html/rfc5280
[RFC7519] - JSON Web Token (JWT) [RFC7519]:https://tools.ietf.org/html/rfc7519
[RFC7515] - JSON Web Signature (JWS) [RFC7515] :https://datatracker.ietf.org/doc/html/rfc7515
[RFC7591] - OAuth 2.0 Dynamic Client Registration Protocol [RFC7591]:https://tools.ietf.org/html/rfc7591
[RFC7592] - OAuth 2.0 Dynamic Client Registration Management Protocol [RFC7592]:https://tools.ietf.org/html/rfc7592
[BCP195] - Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [BCP195]: https://tools.ietf.org/html/bcp195
[RFC8705] - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens [RFC8705]: https://tools.ietf.org/html/rfc8705
[OFB-FAPI] - Open Finance Brasil Financial-grade API Security Profile 1.0 [OFB-FAPI]: https://github.com/OpenBanking-Brasil/specs-seguranca/open-banking-brasil-financial-api-1_ID3.html[EN] Open Finance Brasil Financial-grade API Security Profile 1.0 Implementers Draft 3
[OFB-FAPI-DCR] - Open Finance Brasil Financial-grade API Dynamic Client Registration Profile 1.0 [OFB-FAPI-DCR]: [EN] Open Finance Brasil Financial-grade API Dynamic Client Registration 1.0 Implementers Draft 3
[DOC-ICP-01] - DECLARAÇÃO DE PRÁTICAS DE CERTIFICAÇÃO DA AUTORIDADE CERTIFICADORA RAIZ DA ICP-BRASIL: https://www.gov.br/iti/pt-br/centrais-de-conteudo/doc-icp-01-v-5-2-dpc-da-ac-raiz-da-icp-brasil-pdf
[DOC-ICP-04] - REQUISITOS MÍNIMOS PARA AS POLÍTICAS DE CERTIFICADO NA ICP-BRASIL: https://www.gov.br/iti/pt-br/assuntos/legislacao/resolucoes/resolucoes-old/resolucao179_doc-icp-04_compilada.pdf
[RFC6749] - The OAuth 2.0 Authorization Framework [RFC6749]: https://tools.ietf.org/html/rfc6749
[BCB-IN134] - Manual de Segurança do Open Finance: https://www.in.gov.br/web/dou/-/instrucao-normativa-bcb-n-134-de-22-de-julho-de-2021-3345585364
[RFC2818] - HTTP Over TLS: https://datatracker.ietf.org/doc/html/rfc2818
[RFC5246] - The Transport Layer Security (TLS) Protocol Version 1.2 https://www.rfc-editor.org/rfc/rfc5246.txt
...
shall not use punctuation signs, umlauts or cedilla;
in addition to alphanumeric characters, only the following special characters may be used:
Character | Code NBR9611 (hexadecimal) | Character | Code NBR9611 (hexadecimal) |
White space | 20 | + | 2B |
! | 21 | , | 2C |
“ | 22 | - | 2D |
# | 23 | . | 2E |
$ | 24 | / | 2F |
% | 25 | : | 3A |
& | 26 | ; | 3B |
‘ | 27 | = | 3D |
( | 28 | ? | 3F |
) | 29 | @ | 40 |
* | 2A | \ | 5C |
Algorithms
All certificates issued by ICP-Brasil must have the following characteristics:
...
The Signature Certificate must be issued through the V5 chain, and must contain the following attributes:
Distinguished Name
UID (OID 0.9.2342.19200300.100.1.1): Participant Code associated with the CNPJ listed in the Directory Service of Open Finance Brazil
countryName (OID 2.5.4.6): BR
organizationName (OID 2.5.4.10): ICP-Brasil
organizationalUnitName (OID 2.5.4.11): Certificate Authority Name
organizationalUnitName (OID 2.5.4.11): CNPJ of the Registration Authority
organizationalUnitName (OID 2.5.4.11): Type of identification used (in person, videoconference or digital certificate)
commonName (OID 2.5.4.3): Company Name
...
keyUsage: critical,digitalSignature,nonRepudiation
Subject Alternative Name
otherName (OID 2.16.76.1.3.2 - ICP-Brasil): Name of the person responsible for the certificate
otherName (OID 2.16.76.1.3.3 - ICP-Brasil): National Register of Legal Entities (CNPJ) of the legal entity holding the certificate;
otherName (OID 2.16.76.1.3.4 - ICP-Brasil): Responsible for the certificate of legal entity holding the certificate (date of birth, CPF, PIS/PASEP/CI, RG);
otherName (OID 2.16.76.1.3.7 - ICP-Brasil): INSS Specific Registry Number (CEI) of the legal entity holding the certificate.
...
| Bloco de código |
|---|
oid_section = OIDs [req] default_bits = 2048 default_md = sha256 encrypt_key = yes prompt = no string_mask = nombstr distinguished_name = client_distinguished_name req_extensions = req_cert_extensions [ OIDs ] organizationIdentifier = 2.5.4.97 [ client_distinguished_name ] businessCategory = <type of organization>organization jurisdictionCountryName = BR serialNumber = <CNPJ> countryName = BR organizationName = <Company Name> stateOrProvinceName = <UF> localityName = <City> organizationIdentifier = OFBBR-<Participant Code> UID = <Software Statement ID issued by the Directory> commonName = <FQDN|Wildcard> [ req_cert_extensions ] basicConstraints = CA:FALSE subjectAltName = @alt_name keyUsage = critical,digitalSignature,keyEncipherment extendedKeyUsage = clientAuth [ alt_name ] DNS = <FQDN|Wildcard> |
...
ASPSP may choose the certificate that should be adopted for Open Data endpoints, which, by nature, are publicly accessible.
...
OFB Phase | group | endpoint | certificate type | mTLS |
NA | OIDC | .well-known/openid-configuration | EV or ICP WEB SSL | Not applicable |
NA | OIDC | jwks_uri | EV or ICP WEB SSL | Not applicable |
NA | OIDC | authorization_endpoint | EV | Not applicable |
NA | OIDC | token_endpoint | ICP WEB SSL | Required |
NA | OIDC | userinfo_endpoint | ICP WEB SSL | Required |
NA | OIDC | pushed_authorization_request_endpoint | ICP WEB SSL | Required |
NA | DCR | registration_endpoint | ICP WEB SSL | Required |
NA | OIDC | revocation_endpoint | ICP WEB SSL | Required |
2 | Consentimentos | /consents/* | ICP WEB SSL | Required |
2 | Resources | /resources/* | ICP WEB SSL | Required |
2 | Dados | /customers/* | ICP WEB SSL | Required |
2 | Cartão | /credit-cards-accounts/* | ICP WEB SSL | Required |
2 | Contas | /accounts/* | ICP WEB SSL | Required |
2 | Empréstimos | /loans/* | ICP WEB SSL | Required |
2 | Financiamentos | /financings/* | ICP WEB SSL | Required |
2 | Adiantamento | /unarranged-accounts-overdraft/* | ICP WEB SSL | Required |
2 | Direitos Creditórios | /invoice-financings/* | ICP WEB SSL | Required |
3 | Pagamentos | /payments/* | ICP WEB SSL | Required |
3 | Pagamentos Automáticos | /automatic-payments/* | ICP WEB SSL | Required |
3 | Webhook | /webhook/* | ICP WEB SSL | Required |
4 | Câmbio | /exchanges/* | ICP WEB SSL | Required |
4 | Investimentos | /credit-fixed-incomes/* | ICP WEB SSL | Required |
9. Open Finance Client Certificate Subject DN Pattern - After January 19, 2023 {#subjectDNtemplates}
...
check the JWKS of your software-id application
check the KID of the certificate you want the Subject DN for, customize the URL and access: https://keystore.directory.openbankingbrasil.org.br/<org-id>/<software-ID>/transport.jwks
search for the certificate’s KID, then search for the Claim: x5dn
9.1 Example:
9.1.1. JWKS with certificate’s information:
...
The table below presents the sequence in Relative Distinguished Name as per item 9.5. In order to check the sequential order of the subjectDN, refer to itens 9.2 and 5.2.2.1
RDN Order | OID | Attribute | ASN.1 - Bit String | Enconding |
1 | 2.5.4.3 | CN | #0C | UTF8 |
2 | 0.9.2342.19200300.100.1.1 | UID | #0C | UTF8 |
3 | 2.5.4.97 | organizationIdentifier | #0C | UTF8 |
4 | 2.5.4.7 | L | #0C | UTF8 |
5 | 2.5.4.8 | ST | #0C | UTF8 |
6 | 2.5.4.10 | O | #0C | UTF8 |
7 | 2.5.4.6 | C | #13 | PrintableString |
8 | 2.5.4.5 | serialNumber | #13 | PrintableString |
9 | 1.3.6.1.4.1.311.60.2.1.3 | jurisdictionCountryName | #13 | PrintableString |
10 | 2.5.4.15 | businessCategory | #0C | UTF8 |