Signatures

Some use cases of the Asset Administration Shell require the proof that data has not been changed and that it is still the original data of the AAS originator. An example is a device manufacturer supplying to an integrator supplying to a plant operator. The plant operator wants to check the remained integrity of the device manufacturer’s AAS.

The AASX package format includes the possibility of signing an AASX package, but this feature is not used very often. AASX packages can also not be protected by AAS security and access rules. This is why signatures are needed as part of the API.

Different levels of API signatures have been investigated by the IDTA TF Security, including JWS (JSON Web Signature) or JAdES (JSON advanced digital signature). This version explains and defines new endpoints /$signed for AAS, Submodel and ConceptDescription, which provide a plain text JWS.

JWS ist defined in RFC 7515 (https://datatracker.ietf.org/doc/html/rfc7515).

AAS signatures include the AAS JSON content as embedded payload in the JWS. The following header parameters are used:

  • alg: The "alg" (algorithm) Header Parameter identifies the cryptographic algorithm used to secure the JWS (see RFC 7515 4.1.1). Currently only RS256 is used.

  • typ: The "typ" (type) Header Parameter is used by JWS applications to declare the media type [IANA.MediaTypes] of this complete JWS (see RFC 7515 4.1.9). Currently only JWS is used.

  • x5c: The "x5c" (X.509 certificate chain) Header Parameter contains the X.509 public key certificate or certificate chain [RFC5280] corresponding to the key used to digitally sign the JWS (see RFC 7515 4.1.6). This may be a single certificate or certificate chain. The related root certificate must be exchanged by the business partners by an additional secure channel.

  • sigT: The "sigT" (signature timestamp) Header Parameter contains the ISO‑8601 timestamp when the JWS was created. This may be used to check for newer content and if certificates have been valid at signature time.

  • sid: The "sid" (signature identifier) Header Parameter contains a unique GUID to make the storage of JWS easier.

JWS can be decoded by jwt.io. A JWS example and its decoded content can be seen below.

JWS:

eyJhbGciOiJSUzI1NiIsInNpZCI6IjJiYjExNjg4LTg3M2EtNGJlMS1hYmYxLWVkMzRhZTdlYTI4ZCIsInNpZ1QiOiIyMDI2LTA2LTExVDEyOjM5OjI1WiIsInR5cCI6IkpXUyIsIng1YyI6WyJNSUlEbmpDQ0FnWUNDUURHMjhxaURncWFkVEFOQmdrcWhraUc5dzBCQVFzRkFEQVFNUTR3REFZRFZRUUREQVZpWVhONWVEQWdGdzB5TmpBeE1qRXhPVEF6TWpsYUdBOHlNVEkxTVRJeU9ERTVNRE15T1Zvd0VERU9NQXdHQTFVRUF3d0ZZbUZ6ZVhnd2dnR2lNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJqd0F3Z2dHS0FvSUJnUURCYUV5VFlVOTRaTjl4UE1GQTNwUUNUa0laT2QvZ09DMEJkWHFUM0JqNlkxb2VZVjZ6bjU0cXRDNDVKenZWTmZQUE9rQUN1WmlUZW9MT0pEd1MwcUZvckJJQk11clRXVzg2QW1UMzlhbW12eCtPTktQcEJJbnVKV3NYQ1N3dzJDdkNYVXNBM1hIUk5kV2NNYnJaVC9vbnpoM3RDcis5QW4zeFZuRWJqWFBqdjFIWEV5K0xGU094SHBSeklUT21tSmZEV0NoVFpVbm4wMFhNY2U3UnphT2NyaHRSNjhQM1BYSjdnRno0K0VSN0RhMWdiQmhXY1FQZDNOM01Yd1N1cjZBYXk3ZFl4MmROQW1JTmtQekxvRHdrS0dmL1BLK3hPTVQ2cEdQZDlwbDRYTTdQai83ZlRtKy9Ja2JrQ3orSG55UTZjUVZTdjAzS054Zlh3bmhPK3FuQVdvQVUrcmNnTTc3RnpMdkI3OENMYjRpRlA4QTNGTnBtZU5wSTBrSFRrL3ZkdVJaWDdrdlU3ZnVscDIvVUNwSzdIZm9YVEsycWFhYy94MXcvem9URk1wcVVRSWJ1MWFoZGRUUFJSaEx6VEZ3c1hkRTV4T1ZBdTJQSWU2aVB3b3A2dlhhTHUxTHA1Yjd6TXdxUVIweC9pL2NOZkpKSDg4c1lncW90WS9nRmtTOENBd0VBQVRBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQVlFQWVNNmcvZk91aExIOUJCTGFWN0dNenZIVVJBbnJSeTJnakh4S3NtVmQ3MkZYTFlra3RVbGVPZUE5UjNvenRCZ0h4Rytlb084Y1U0NDEvZkFqYjZQajIzc05YdDRwVGpTSDJuNlZXalFaaS91RmVsb0VIY0x0eTRxbm8xTGdvbm1ZK0xyQTFWcnVuZ01DS1BUYUJpcXEzb083emo3QUd5ZTJHMHVwMDdYVkkrbnlEMitiZ1IwR0VkQkkxdkRrOENlNVlMaGFXTFptVGYvZ2dLU0VEelFVYmpKaE9hSklTQVlQMWpta0IwNlFQcTRXc2NqTjVGNTY3MGFFcC9ZTWJWdWJKdTlQWDRlU1A1RS90LzFaWGJ4bTBTZVVBb3VXbEJVVC9Fa2JNc2xvTTQzUjE5dnlrV05DSEhnS0FZdkQyc0h6SCtmY1I2WjVrWDlBTThUVjBzRC9NTnl4Nmd5MWx5amQ2b3dRVFhPTVJmM0wxWk1hclFndXFyanlldG1kYVh0QkptVElKdS9yZllVRUFFZ0tHTGxTWVZ3aktzY2JoelRyRzEycWRncmdQMHJnZEZ2Wk5nV0pXSytsb0hlM3hMaUo1SmhMSGlBSXgzbjh4a213UUZVbnRGVlk2N0kwazdzRVJjdEROeDg2TEhScUZhUmZSejRHWjZCaWphOVhiSkhlIl19.eyJhZG1pbmlzdHJhdGlvbiI6eyJyZXZpc2lvbiI6IjAiLCJ2ZXJzaW9uIjoiMiJ9LCJkaXNwbGF5TmFtZSI6W3sibGFuZ3VhZ2UiOiJlbiIsInRleHQiOiJEZW1vIFN1Ym1vZGVsIn1dLCJpZCI6Imp3c0RlbW8iLCJpZFNob3J0IjoiRGVtb1N1Ym1vZGVsIiwia2luZCI6IlRlbXBsYXRlIiwibW9kZWxUeXBlIjoiU3VibW9kZWwiLCJzZW1hbnRpY0lkIjp7ImtleXMiOlt7InR5cGUiOiJTdWJtb2RlbCIsInZhbHVlIjoiTXlEZW1vU3VibW9kZWwifV0sInR5cGUiOiJNb2RlbFJlZmVyZW5jZSJ9LCJzdWJtb2RlbEVsZW1lbnRzIjpbeyJpZFNob3J0IjoiVGVtcGVyYXR1cmVWYWx1ZSIsIm1vZGVsVHlwZSI6IlByb3BlcnR5IiwidmFsdWUiOiIyMi40IiwidmFsdWVUeXBlIjoieHM6ZG91YmxlIn1dfQ.pjZZN8p10U_ywcyLKo0fnTtzVaa-OUV_b_TYuR1fMQCVZeZ1TeWbB9rZYpywVg6hxSCPK8YWN9rHJoJV6U_XbkmTOZdvwaIVTqp88vYtg4QMzonCj5VaXBZhp26PorPbZUDj4mck8KCbXRO3oHskIqQN4taRbvsVR6MvaoZWb6pPPuthIK_YUjbkPthepVqQqFtZTGoNtaRwxi7GVjeKmbWvcs3gL5vNzfOjt9Qf4g4CO2iR3P99PLegcMRV4X829sduRdDA-lWWf4f9TnslsBQJGZYiGE3Op6WliXc7TqtehzA1OSuR67v2HxQG0F2XwSZFfdSYthTOin9TOfGstLg9Zv_q28av26bprHV7K2hek5aZGuEZHCZsEVEnTszDEDGRgAu5LscYK0aQ73nbVfJkYs0gIT0T5StE5KdDo9LncJxySsBn8k_D-ua7VslHUr6IwRrnWMilvCnbUbfynE1ad-yBclFS5B7u3_IYtE_IWRNX9B0EUWx0pO3-k33H

Decoded JWS:

{
  "alg": "RS256",
  "sid": "2bb11688-873a-4be1-abf1-ed34ae7ea28d",
  "sigT": "2026-06-11T12:39:25Z",
  "typ": "JWS",
  "x5c": [
    "MIIDnjCCAgYCCQDG28qiDgqadTANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDDAViYXN5eDAgFw0yNjAxMjExOTAzMjlaGA8yMTI1MTIyODE5MDMyOVowEDEOMAwGA1UEAwwFYmFzeXgwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDBaEyTYU94ZN9xPMFA3pQCTkIZOd/gOC0BdXqT3Bj6Y1oeYV6zn54qtC45JzvVNfPPOkACuZiTeoLOJDwS0qForBIBMurTWW86AmT39ammvx+ONKPpBInuJWsXCSww2CvCXUsA3XHRNdWcMbrZT/onzh3tCr+9An3xVnEbjXPjv1HXEy+LFSOxHpRzITOmmJfDWChTZUnn00XMce7RzaOcrhtR68P3PXJ7gFz4+ER7Da1gbBhWcQPd3N3MXwSur6Aay7dYx2dNAmINkPzLoDwkKGf/PK+xOMT6pGPd9pl4XM7Pj/7fTm+/IkbkCz+HnyQ6cQVSv03KNxfXwnhO+qnAWoAU+rcgM77FzLvB78CLb4iFP8A3FNpmeNpI0kHTk/vduRZX7kvU7fulp2/UCpK7HfoXTK2qaac/x1w/zoTFMpqUQIbu1ahddTPRRhLzTFwsXdE5xOVAu2PIe6iPwop6vXaLu1Lp5b7zMwqQR0x/i/cNfJJH88sYgqotY/gFkS8CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAeM6g/fOuhLH9BBLaV7GMzvHURAnrRy2gjHxKsmVd72FXLYkktUleOeA9R3oztBgHxG+eoO8cU441/fAjb6Pj23sNXt4pTjSH2n6VWjQZi/uFeloEHcLty4qno1LgonmY+LrA1VrungMCKPTaBiqq3oO7zj7AGye2G0up07XVI+nyD2+bgR0GEdBI1vDk8Ce5YLhaWLZmTf/ggKSEDzQUbjJhOaJISAYP1jmkB06QPq4WscjN5F5670aEp/YMbVubJu9PX4eSP5E/t/1ZXbxm0SeUAouWlBUT/EkbMsloM43R19vykWNCHHgKAYvD2sHzH+fcR6Z5kX9AM8TV0sD/MNyx6gy1lyjd6owQTXOMRf3L1ZMarQguqrjyetmdaXtBJmTIJu/rfYUEAEgKGLlSYVwjKscbhzTrG12qdgrgP0rgdFvZNgWJWK+loHe3xLiJ5JhLHiAIx3n8xkmwQFUntFVY67I0k7sERctDNx86LHRqFaRfRz4GZ6Bija9XbJHe"
  ]
}

JSON Payload of example Submodel:

{
  "administration": {
    "revision": "0",
    "version": "2"
  },
  "displayName": [
    {
      "language": "en",
      "text": "Demo Submodel"
    }
  ],
  "id": "jwsDemo",
  "idShort": "DemoSubmodel",
  "kind": "Template",
  "modelType": "Submodel",
  "semanticId": {
    "keys": [
      {
        "type": "Submodel",
        "value": "MyDemoSubmodel"
      }
    ],
    "type": "ModelReference"
  },
  "submodelElements": [
    {
      "idShort": "TemperatureValue",
      "modelType": "Property",
      "value": "22.4",
      "valueType": "xs:double"
    }
  ]
}