Face Signature Verification

In the previous section we have seen how to sign a piece of data using a SensePrint, a face, and a purpose ID.

The signature is a standard Elliptic Curve Digital Signature Algorithm (ECDSA) and it is recommended that the signature be independently verified without calling the server API. As an example, the following steps describe how to verify the signature using OpenSSL:

1. Ensure the raw data for which the signature is being generated is saved to a file data.txt

2. Ensure that the signature generated through Face Signing is saved in a file called signature.b64

3. Convert the signature to raw bytes from base64: openssl base64 -d -in signature.b64 -out signature.der

4. Extract the public key from the Face Certificate (you can save the Face Certificate to a file called face-cert.pem after generating it) openssl x509 -in face-cert.pem -pubkey -noout > face-cert-pub-key.pem

5. Verify the signature using the public key: openssl dgst -sha256 -verify face-cert-pub-key.pem -signature signature.der data.txt

We have used OpenSSL as an example, but it should be possible to use a cryptographic library in a language of your choice to accomplish the same functionality.

However, for ease of development (in pre-production mode), we also provide an end-point to verify a face signature. Even though we provide an end-point, it is highly recommended that developers put in the effort to verify signatures on their own servers. This will not only decrease latency, but also preserve privacy.

As before, on the Swagger Docs page authorize using the API Key you setup earlier.

Expand the /verify-face-signature section and then click the Try it out button as shown below:

Upon clicking Try it out you should be able to submit the data as shown below:

{
  "data_sha256_base_64": "MHQCAQEEIKu0Xuf....",
  "ecdsa_der_signature_base_64": "MHQCAQEEIKu0Xuf....",
  "face_certificate_pem": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----"
}

The following summarizes the parameters for the request:

1. data_sha256_base_64 - given a piece of data (bytes), it should then be SHA256 hashed to obtain 256 bits. The hash should then be Base64 encoded to send it to the API.

2. ecdsa_der_signature_base_64 - this is the signature obtained from the SensePrint, face and purpose ID using the /face-sign end-point discussed in the previous section.

3. face_certificate_pem - this is the Face Certificate generated for the same purpose ID. When obtaining the certificate, the API returns the string with line breaks. However, line breaks are not valid JSON so when using the Swagger Docs page, be sure to replace line breaks in the certificate string with \n. When programatically calling the API this would not be required.