Changelog
Last updated
Last updated
Released 20/09/2022
Requires JS SDK 3.6.3
Released 19/08/2022
Requires JS SDK 3.6.3
Specifically in windows in the registry settings you can define proxy settings but also a autoconfiguration file (PAC). The library responsible for detecting proxy settings on windows would not return proxy information when a PAC file was defined.
As the Trust1Connector cannot parse PAC files we still need the windows registry proxy settings to find us the correct proxy URL, which is now fixed in this version.
Release 07/06/2022
Requires upgrade to Javacript SDK 3.6.2
After a couple of reboots/restarts or installing new versions the public key of the machine would change, now the DS accepts the new public key after validation
Previously the DS communication had 5 different calls to do all the needed actions. This has been consolidated to 1 call so that we reduce the stress on the DS.
Together with the reducing of the requests towards the DS, the connector will now randomise the sync towards the DS after startup and first sync. This is to reduce the amount of devices that start up at the same time to put a high load on the DS. This will reduce peak requests on the DS.
The Trust1Connector now has a s
ign_raw` method that allows to execute the sign operation sending the unhashed raw (base64 encoded) data. Then the Trust1Connector wil hash itself when the requested module needs hashing or not.
The module info endpoint also has an additional property that depicts if the module requires hashed or unhashed data.
Released 01/04/2022
Requires upgrade to Javacript SDK 3.6.1
The consent error code has been updated in the Javascript library, and t1c-sdk-js clients have no impact on that change.
When using different instances of the Trust1Connector (optionally from another partner) on a Windows system, a port collision could be possible due to a race condition in port assignment upon initialization. Ports are now protected with anti-collision and are salted to make a port less guessable.
When no LaunchAgents folder was present on the system, the installation procedure creates this folder implicitly.
Camerfima is a new PKCS11 token added to the modules of the Trust1Connector. The Camerfirma token pre-requisites the installation of the Carmerfirma middleware.
Chambersign is a new PKCS11 token added to the modules of the Trust1Connector. The Chambersign token pre-requisites the installation of the Chambersign middleware.
The token info endpoint has been implemented before only for identity tokens. We have added support for Token Info of the PKCS11 modules. As the response has a different data structure, an additional type has been added for clients to parse the response correctly.
The PKCS11 token info exposes information on the algorithms which can be used for different use cases (digital signature, validation, authentication, ...). In a future release additional functionality will be provided such as: encryption, decryption, key exchange,...
For the different notification types, many tokens share multiple certificates for a single type. The original interface supported only a single certificate response. To be backwards compatible, those certification function have been adapted to be behave the same as in v3.5.x.
New functions are available to support multiple certificate reponses, they are called: [certificateType]Extended. For PKCS11 tokens the certificate response also returns, besides the base64 encoded certificate and the certificate id, the following properties:
issuer
subject
serial number
hash sub pub key
hash iss pub key
exponent (payment modules)
remainder (payment modules)
parsed certificate (ASN1 format of the base64 encoded certificate)
A new function has been added for all PKCS11 modules called the 'validate' endpoint. This endpoint, when available, can be used to validate a signed hash received after calling the 'sign' function. In an next version a variant of the validation function using OpenSSL will be added for all tokens.
For the Trust1Connector to support more PKCS11 functionality, the intermediate PKCS11 layer has been removed in preference of a direct PKCS11 LIB integration. FFI is used in RUST to support any library which need to be loaded.
Additional guard has been implemented to prevent empty algorithms for the digital signature and validation endpoints. PKCS11 tokens will verify as well if the provided algortihm is exposed as an allowed mechanism for the targetted use case.
The Trust1Connector can now detec Java Card Object Platform 3 typed cards
When requesting for a signature or an authentication, the correct certificate must be provided. For PKCS11 tokens the certificate id (or reference) can be ommitted. The PKCS11 token will be default pick the first certificate (for the type needed) and use this with the specified mechanism to sign/authenticate.
Compatible with Javascript SDK v3.5.4
This version and previous versions contains a bug where windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.
If this occurs you need to restart 1 of the connectors. via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart
Trust1Connector API must accept a JSON body limit of 2MB
Fix registry to start directly after dissapearing on shared environment
As a Integrator I would like to use a central registry hosted on the DS
Some use-cases require JSON payloads which are quite substantial. That is why we increased the maximum payload size to 2MB. This value can be changed to maximum 50MB if a client has a use-case for it.
When the user where the registry is running on logs out or shuts down its system it will also stop the registry. In the Trust1Connector there is a gossip mechanism so that a new registry starts.
In this version this has been improved so that the registry will now start on a new user almost instantly, preventing any downtime.
Up until now we only had the ability to have a local registry. Altough this is a perfect for almost all use-cases we have some use-cases where having a central registry is needed.
This means that the DS will take on most of the tasks of the local registry.
Compatible with Javascript SDK v3.5.4
This version and previous versions contains a bug where windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.
If this occurs you need to restart 1 of the connectors. via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart
Macos, add uninstall shell script again to the installation
Latest Certigna middleware is not detected
New custom PKCS11 implementation
Low level Attribute mapping
Exposing all available token flags
Update to function handler to override PKCS11 config
Additional error handeling for PKCS11
[interface impact] PKCS11 Response object for TokenInfo has been updated to be able to hold all flags
The latest Certigna middleware gave the error middleware not detected
even when it was installed. This was because of a change in the Certigna middleware. This issue was the precursor to do a complete custom PKCS11 implementation which is explained below.
We've added the uninstall shell script again uninstall.sh
in 3.5.18 this was replaced by the .app
variant. We've decided to put this back because in certain environments where the MacOS devices are managed by administrators the shell script made it easy to script certain flows.
In this release we have created a custom PKCS11 implementation (CFR issue with Certigna). This implementation is a more robust and faster implementation than the previous one.
The PKCS11 interface has some new error codes and a new response object for TokenInfo. The updated TokenInfo will not work with the generic interface in this release but will be solved in the following one.
The error codes that have been added are;
The final error codes (PKCS11InitException and PKCS11ReaderException) are wrong and will be fixed in the following release
206047
PinChangeNeeded
(user) Pin needs to be updated
206046
PinBlockedError
(user) Pin is blocked
208071
InvalidPin1RetriesRemaining
Only 1 (user) pin try remains
206047
InvalidPinError
(user) Pin was wrong
800101
PKCS11InitException
Could not initialise the PKCS11 library
800101
PKCS11ReaderException
Could not correctly read the reader (PKCS11)
Compatible with Javascript SDK v3.5.4
This version and previous versions contains a bug where windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.
If this occurs you need to restart 1 of the connectors. via the t1c-launch(.exe)
, with the command t1c-launch(.exe) --env {{environment}} --restart
As a user, I want an easier way to uninstall T1C on Mac
Compatible with Javascript SDK v3.5.4
This version and previous versions contains a bug where windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.
If this occurs you need to restart 1 of the connectors. via the t1c-launch(.exe)
, with the command t1c-launch(.exe) --env {{environment}} --restart
Add proxy functionallity with basic auth to DS client in T1C-api
Compatible with Javascript SDK v3.5.4
Pinpad security context error when trying to sign with beid v1.8
Compatible with Javascript SDK v3.5.4
Consent flow, check if /info endpoint user matches the request user, if not new consent is needed, if present, ok
Compatible with Javascript SDK v3.5.4
Registry validate endpoint does not update the agent values
When the t1c.zip file is corrupt/not a zip the Trust1Connector gets into a restart launch
As a System I want to have log rotation
As a User I would like to have an universal installer for MacOS
As a Trust1Connector I want to make sure the Digests of my binaries are verified
As a System I would like to prevent CSRF attacks
As a System I would like to synchronise my transactions with the Distribution Service
As the Trust1Connector I want to validate the JWT token provided
Trust1Connector should be able to provide organization context when not requiring application tokens
Compatible with Javascript SDK v3.5.3
Cors list with domains including port numbers fail
As a DS admin I can update the DS cycle time to a value in seconds
MacOS pin popup not focused
Migration to Rust Luxtrust
Compatible with Javascript SDK v3.5.3
Enable the possibility to launch in sillent and non-silent mode on windows
Trust1Connector tries to catch up for the cycles it could not complete when coming back from sleep for a prolongued time
Trust1Connector API disappears/stops after a couple of seconds without any crash information
Compatible with Javascript SDK v3.5.3
Launcher have the capability to run in silent and non-silent mode
When updating it should clean-up the old versions files which are not needed anymore
Configure workers through CLI for actix web server
Launcher log its process logging to a log file
As a System I would like to log the panic output to a log-file
Implement NTLM compatibility
As the Trust1Connector I need to have my current time information exposed on the system/info endpoint
Launcher have a dynamic process and launchd configuration based on a per client configuration object
Add the option to enable the cURL functionality in the launcher configuration
Remove the need of a nightly build to enable quote interpolation in the launcher
Requires upgrade of JS SDK to v3.5.3
Consent flow, check if /info endpoint user matches the request user, if not new consent is needed, if present, ok
Support Citrix multi-host session management for consent flow
Compatible with JavaScript v3.5.1
Quovadis token does not work with the Safenet Library
Remove the use of TaskList in the launcher
LuxID card not working in Windows
Compatible with JavaScript v3.5.1
Cors list should always completely represent what is defined in the DS
Macos CORS sync towards registry is not immediate
Pin values cause validation to trigger when the encrypted value becomes to big
input validation on all endpoints of API and REG
Parameterize the range of free ports to run on
As a user I would like to have the possibility to receive a notification for a new version
Compatible with JavaScript v3.5.1
Dialogs on OSX should have binary names with ENV prefix/suffix
As a Mac user I would like to have a launcher to better manage the Trust1Connector
As the Trust1Connector I want my SSL certificate to be updated automatically when it has been updated in the DS
Component
Version
JavaScript
v3.5.0
Eherkenning middleware does not work properly with M1 hardware
Launcher should only stop component in its own user-context
Component
Version
JavaScript
v3.5.0
Support for Airbus token
Support for safenet token
Support for Eherkenning token
Component
Version
JavaScript
v3.5.0
File-exchange when folder does not exist the open dialog crashes
Migration to Rust Wacom
Component
Version
JavaScript
v3.5.0
Fix for Wacom App::data() Mutex issue
Update Error handling to reflect prior version of T1C (and map new once to existing error codes for ease of integration)
Added x-xsrf-token to CORS headers
Component
Version
JavaScript
v3.5.0
Registry and API Cors syncing does not happen in the first cycle when registration towards DS is done
Pin dialog does not give focus to the input field in Windows
Cors rules do not take into account the protocol
Pin dialog does not display on MacOS
Prepare registry cert does not find the certficates and tries to copy but fails
Provide launcher executable to start and manage the Trust1Connector
Add dialog timeout to CLI (for both win and mac)
Component
Version
JavaScript
v3.5.0-RC7
Application launcher does not check current installed files and folders properly
Component
Version
JavaScript
v3.5.0-RC7
DS public key should not be needed when no DS config is present
Unavailable DS makes the Trust1Connector crash
CMD.exe /c SET is executed by the sandbox with no apparent use-case
Device key rotation also needs to update the ds-txs.json
Trust1Connector with DS capabilities uses current dir as rootfolder
File exchange download create folders write authorization error
File exchange List Type Content response object is not complete
File exchange dialog and network timeout need to follow the parameter or default
update-type and cancel the browse windows does not return data in the response
File exchange Update Type does not show correct the entity folder in the dialog
File exchange List type response object is not correct
File exchange create type shows dialog when path doesnt exist and modal is false
As a packager I want to provide a specific port for the Registry
API and Registry info endpoint do not return all properties
T1C API uses the readers as an info endpoint
MacOS limited the access towards files for services
Sending unknown filters makes the API crash
rename query param for all_data and all_certs to filter
Standalone mode should not trigger prepare_registry_cert
MacOS logger does not work when the binary is packaged
Airbus selects wrong Non-Repudiation cert
MacOS installer sometimes asks for administrative password
RUST support Jcop card
Device key rotation
Bulk reset MUST be a GET as it does not contain any body
As a Integrator I want all dialogs to have an optional timeout property
As a user, I want to be able to use/have a DS for the v3
Migrate to Rust Jcop
Migration to Rust Luxid
Migration to Rust Crelan
Migration to Rust Chambersign
Migration to Rust Certinomis
Migration to Rust Certigna
Migration to Rust airbus
Add timeout and file parameter for MacOS dialogs
Encapsulate MacOS package in an administrative package which always automatically installs in the correct context
As a Packager I would like to run the Trust1Connector via an executable
Safenet rustification
eHerkenning rustification
Use the exe filename instead of env! cargo name
Refactor usize/isize for win/osx
Implement Relo rust module
Implement EMV rust module
Implement new architecture for shared environment, multi session host, single installation, ...
Expose CORS config, to be configurable upon runtime (not compile time)
Rust - File Exchange
Improve the startup of the T1C with the sandbox
Component
Version
JavaScript
v3.5.0-RC7
Not starting due to DS cert loaded, when DS is not needed (upon startup ds client)
DS public key should not be needed when no DS config is present
Add anti caching headers on the response to avoid http caching on the client
Update the license terms for Signid Release
Component
Version
JavaScript
v3.5.0-RC6
Unavailable DS makes the Trust1Connector crash
Device key rotation also needs to update the ds-txs.json
Trust1Connector with DS capabilities uses current dir as rootfolder
Component
Version
JavaScript
v3.5.0-RC6
Cors control of Trust1Connector API and Registry does not allow the CSRF header
Component
Version
JavaScript
v3.5.0-RC6
As a user, I want to be able to use/have a DS for the v3
Expose CORS config, to be configurable upon runtime (not compile time)
Component
Version
JavaScript
v3.5.0-RC6
File exchange download fails to move the temporary file to its final location
Component
Version
JavaScript
v3.5.0-RC6
File exchange download create folders write authorization error
Component
Version
JavaScript
v3.5.0-RC5
File exchange List Type Content response object is not complete
File exchange dialog and network timeout need to follow the parameter or default
update-type and cancel the browse windows does not return data in the response
File exchange Update Type does not show correct the entity folder in the dialog
File exchange List type response object is not correct
File exchange create type shows dialog when path doesnt exist and modal is false
API and Registry info endpoint do not return all properties
As a Integrator I want all dialogs to have an optional timeout property
Component
Version
JavaScript
v3.5.0-RC2
As a packager I want to provide a specific port for the Registry
T1C API uses the readers as an info endpoint
Component
Version
JavaScript
v3.5.0-RC2
Airbus selects wrong Non-Repudiation cert
Migrate to Rust Jcop
Migration to Rust Luxid
Migration to Rust Crelan
Migration to Rust Chambersign
Migration to Rust Certinomis
Migration to Rust Certigna
Migration to Rust airbus
Safenet rustification
eHerkenning rustification
Component
Version
JavaScript
v3.5.0-RC1
Trust1Connector API must be able to log when packaged
MacOS installer sometimes asks for administrative password
MacOS limited the access towards files for services
Encapsulate MacOS package in an administrative package which always automatically installs in the correct context
As a Packager I would like to run the Trust1Connector via an executable
Use the exe filename instead of env! cargo name
Refactor usize/isize for win/osx
Rust - File Exchange
The folder restriction from Apple regarding user sensitive folders such as
Documents,
Desktop,
...
has been fixed in this version. More information regarding this restriction can be found in their release notes here under the section Launch Daemons and Agents
Component
Version
JavaScript
v3.5.0-RC1
Spaces in path caused invalid CLI arguments
Sandbox log path caused crashes
Component
Version
JavaScript
v3.5.0-RC1
T1C-sandbox does not automatically restart after crash
Component
Version
JavaScript
v3.5.0-RC1
Sending unknown filters makes the API crash
rename query param for all_data and all_certs to filter
Component
Version
JavaScript
v3.5.0-RC1
MacOS T1C api does not register towards the registry when installed via the packaging
Standalone mode should not trigger prepare_registry_cert
Component
Version
JavaScript
v3.5.0-RC1
MacOS logger does not work when the binary is packaged
RUST support Jcop card
Device key rotation
Bulk reset MUST be a GET as it does not contain any body
Implement EMV rust module
Implement new architecture for shared environment, multi session host, single installation, ...