Changelog

v3.6.4

Released 20/09/2022

Requires JS SDK 3.6.3

Release notes

Bug

  • Proxy is not used when PAC file is defined in registry

v3.6.3

Released 19/08/2022

Requires JS SDK 3.6.3

🔺 Proxy not used when PAC file is defined

On Windows, the registry settings let you define proxy settings as well as an autoconfiguration (PAC) file. The library responsible for detecting proxy settings on Windows would not return proxy information when a PAC file was defined.

As the Trust1Connector cannot parse PAC files, we still need the Windows registry proxy settings to find the correct proxy URL. This is now fixed in this version.

Release notes

Bug

  • Fix the cleanup in launcher when user specific folder has been provided on startup when not equal to the installation folder

  • PKCS11 tokens search for the non-rep certificate implicitly when no ID is given in the request. This search for the certificate does not yield the correct value

  • Synchronisation issue between registry and API on startup of the Connector

  • Fix the CORS sync for registry after registry restarts

Improvement

  • Update the rotate API endpoint to also refresh the device_xxx files (during renewal) and force re-registration to DS

  • Implement the first external storage provider for read all-data (generic smart cards) to use the local file system

  • Update full api/reg code from lock to try_lock avoiding blocking threads

  • Remove the implicit CORS request from API info endpoint to DS, and provide/expose a public function in JS for application to force a CORS sync

Story

  • As a dashboard user I want to see when and if there was a DNS rebind issue for a given device, including the resolution (if applicable)

  • As a user I want to receive a link with online documentation on how to solve the DNS (rebind attack issue)

  • Optionally dump the card info in a configured location and given format (xml, json)

  • Reader API read USB devices

v3.6.2

Released 07/06/2022

Requires upgrade to JavaScript SDK 3.6.2

Release notes

Bug

  • Distribution communication error after a couple of reboots/login-logouts

Improvement

  • Consolidate DS requests from 5 -> 1 using optionals

  • As a connector instance I need to add randomness after requesting the DS

  • As an integrator I want to have a new sign method for bytes which needs to be hashed by the RUST API

🔺 Distribution service communication error after a couple of reboots/login-logouts

After a couple of reboots/restarts or after installing new versions, the public key of the machine would change. The DS now accepts the new public key after validation.

Distribution service request consolidation

Previously the DS communication had 5 different calls to do all the needed actions. This has been consolidated to 1 call so that we reduce the stress on the DS.

Distribution service request randomness

Together with the reduction of requests towards the DS, the connector will now randomise the sync towards the DS after startup and first sync. This reduces the number of devices that start up at the same time and put a high load on the DS, which reduces peak requests on the DS.

Raw sign method added

The Trust1Connector now has a sign_raw method that allows executing the sign operation by sending the unhashed raw (base64 encoded) data. The Trust1Connector will then do the hashing itself, depending on whether the requested module needs hashing or not.

The module info endpoint also has an additional property that indicates whether the module requires hashed or unhashed data.

v3.6.0

Released 01/04/2022

Requires upgrade to JavaScript SDK 3.6.1

Release notes

Bug

  • As an integrator I want to receive a correct error when requesting a sign operation with a wrong or unknown sign mechanism/algorithm

  • When the LaunchAgents folder for the user does not exist, the Trust1Connector fails to start

  • Trust1Connector for multiple clients cause race condition on API port assignment on startup (Windows)

  • Using unknown algorithm returns error code 111

  • Trust1Connector creates a folder in the Roaming folder when installed

Improvement

  • As a user I want to allow only SHA256 for Chambersign token on the sign API

  • Enable default certificate selection for sign, authenticate on PKCS11 modules

  • Add Jcop3 ATR

  • Migrate PKCS11 from sandbox

  • As a user I want to validate the signed hash from a PKCS11 token, using the validation function of the PKCS11 interface

  • Add type to TokenInfo object when calling token-info endpoint such that eID cards have a different object than the PKCS11 tokens

  • As the Trust1Connector I want to be able to fetch all the certificates on a token, including their information

Story

  • As the User when I use the Trust1Connector I want the CORS configuration to be up-to-date

  • As a user I want to be presented with both M1 and Intel download links when I request them from the DS

  • Build the Sandbox for linux (debian)

The consent error code has been updated in the JavaScript library, and t1c-sdk-js clients are not impacted by that change.

🔺 Multi-client support and race condition fix

When using different instances of the Trust1Connector (optionally from another partner) on a Windows system, a port collision could be possible due to a race condition in port assignment upon initialization. Ports are now protected with anti-collision and are salted to make a port less guessable.

🔺 Implicit creation of LaunchAgents folder on Mac/OSX

When no LaunchAgents folder was present on the system, the installation procedure creates this folder implicitly.

☑️ Exposed Camerfirma interface

Camerfirma is a new PKCS11 token added to the modules of the Trust1Connector. The Camerfirma token requires the Camerfirma middleware to be installed.

☑️ Exposed Chambersign interface

Chambersign is a new PKCS11 token added to the modules of the Trust1Connector. The Chambersign token requires the Chambersign middleware to be installed.

☑️ Token Info endpoint will now return detailed information when using a PKCS11 token

The token info endpoint was previously implemented only for identity tokens. We have added support for Token Info of the PKCS11 modules. As the response has a different data structure, an additional type has been added for clients to parse the response correctly.

The PKCS11 token info exposes information on the algorithms which can be used for different use cases (digital signature, validation, authentication, ...). In a future release additional functionality will be provided such as: encryption, decryption, key exchange,...

Fetch all the certificates on a token including all their information

For the different notification types, many tokens share multiple certificates for a single type. The original interface supported only a single certificate response. To be backwards compatible, those certificate functions have been adapted to behave the same as in v3.5.x.

New functions are available to support multiple certificate responses; they are called: [certificateType]Extended. For PKCS11 tokens the certificate response also returns, besides the base64 encoded certificate and the certificate id, the following properties:

  • issuer

  • subject

  • serial number

  • hash sub pub key

  • hash iss pub key

  • exponent (payment modules)

  • remainder (payment modules)

  • parsed certificate (ASN1 format of the base64 encoded certificate)

Signed hash validation function exposed for PKCS11 tokens

A new function has been added for all PKCS11 modules called the 'validate' endpoint. This endpoint, when available, can be used to validate a signed hash received after calling the 'sign' function. In a next version a variant of the validation function using OpenSSL will be added for all tokens.

PKCS11 migration towards RUST

For the Trust1Connector to support more PKCS11 functionality, the intermediate PKCS11 layer has been removed in favour of a direct PKCS11 LIB integration. FFI is used in RUST to support any library which needs to be loaded.

Token Algorithm input validation for signing and authentication

An additional guard has been implemented to prevent empty algorithms for the digital signature and validation endpoints. PKCS11 tokens will also verify whether the provided algorithm is exposed as an allowed mechanism for the targeted use case.

JCOP3 ATR added

The Trust1Connector can now detect Java Card Object Platform 3 typed cards.

Select default PKCS11 non-repudiation or authentication certificate

When requesting a signature or an authentication, the correct certificate must be provided. For PKCS11 tokens the certificate id (or reference) can be omitted. The PKCS11 token will by default pick the first certificate (for the type needed) and use this with the specified mechanism to sign/authenticate.

v3.5.20

Compatible with Javascript SDK v3.5.4

This version and previous versions contain a bug where Windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.

If this occurs you need to restart 1 of the connectors via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart

Bug

  • Trust1Connector API must accept a JSON body limit of 2MB

  • Fix registry to start directly after disappearing on shared environment

Story

  • As an Integrator I would like to use a central registry hosted on the DS

🔺 Trust1Connector accepts JSON body payload of max 2MB

Some use-cases require JSON payloads which are quite substantial. That is why we increased the maximum payload size to 2MB. This value can be changed to a maximum of 50MB if a client has a use-case for it.

🔺 Registry restart instantly

When the user under which the registry is running logs out or shuts down their system, the registry stops as well. In the Trust1Connector there is a gossip mechanism so that a new registry starts.

In this version this has been improved so that the registry will now start on a new user almost instantly, preventing any downtime.

🔷 Enabled central registry hosted on DS

Up until now we only had the ability to have a local registry. Although this is perfect for almost all use-cases, we have some use-cases where having a central registry is needed.

This means that the DS will take on most of the tasks of the local registry.

v3.5.19

Compatible with Javascript SDK v3.5.4

This version and previous versions contain a bug where Windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.

If this occurs you need to restart 1 of the connectors via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart

Overview

Bug

  • Macos, add uninstall shell script again to the installation

  • Latest Certigna middleware is not detected

Improvement

  • New custom PKCS11 implementation

    • Low level Attribute mapping

    • Exposing all available token flags

    • Update to function handler to override PKCS11 config

    • Additional error handling for PKCS11

  • [interface impact] PKCS11 Response object for TokenInfo has been updated to be able to hold all flags

🔺 Certigna middleware is not detected

The latest Certigna middleware gave the error middleware not detected even when it was installed. This was because of a change in the Certigna middleware. This issue was the precursor to a complete custom PKCS11 implementation, which is explained below.

🔺 Uninstall shell script

We've added the uninstall shell script uninstall.sh again. In 3.5.18 this was replaced by the .app variant. We've decided to put this back because, in certain environments where the MacOS devices are managed by administrators, the shell script made it easy to script certain flows.

PKCS11

In this release we have created a custom PKCS11 implementation (CFR issue with Certigna). This implementation is a more robust and faster implementation than the previous one.

The PKCS11 interface has some new error codes and a new response object for TokenInfo. The updated TokenInfo will not work with the generic interface in this release but will be solved in the following one.

The error codes that have been added are:

The final error codes (PKCS11InitException and PKCS11ReaderException) are wrong and will be fixed in the following release.

| Code | Name | Description |
| --- | --- | --- |
| 206047 | PinChangeNeeded | (user) Pin needs to be updated |
| 206046 | PinBlockedError | (user) Pin is blocked |
| 208071 | InvalidPin1RetriesRemaining | Only 1 (user) pin try remains |
| 206047 | InvalidPinError | (user) Pin was wrong |
| 800101 | PKCS11InitException | Could not initialise the PKCS11 library |
| 800101 | PKCS11ReaderException | Could not correctly read the reader (PKCS11) |

v3.5.18

Compatible with Javascript SDK v3.5.4

This version and previous versions contain a bug where Windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.

If this occurs you need to restart 1 of the connectors via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart

Improvement

  • As a user, I want an easier way to uninstall T1C on Mac

v3.5.17

Compatible with Javascript SDK v3.5.4

This version and previous versions contain a bug where Windows TCP reservation has a race condition between Connectors of different clients which are installed on the same system.

If this occurs you need to restart 1 of the connectors via the t1c-launch(.exe), with the command t1c-launch(.exe) --env {{environment}} --restart

Improvement

  • Add proxy functionality with basic auth to DS client in T1C-api

v3.5.16

Compatible with Javascript SDK v3.5.4

Bug

  • Pinpad security context error when trying to sign with beid v1.8

v3.5.15

Compatible with Javascript SDK v3.5.4

Improvement

  • Consent flow, check if /info endpoint user matches the request user, if not new consent is needed, if present, ok

v3.5.14

Compatible with Javascript SDK v3.5.4

Bug

  • Registry validate endpoint does not update the agent values

  • When the t1c.zip file is corrupt/not a zip the Trust1Connector gets into a restart launch

Story

  • As a System I want to have log rotation

  • As a User I would like to have a universal installer for MacOS

  • As a Trust1Connector I want to make sure the Digests of my binaries are verified

  • As a System I would like to prevent CSRF attacks

  • As a System I would like to synchronise my transactions with the Distribution Service

  • As the Trust1Connector I want to validate the JWT token provided

  • Trust1Connector should be able to provide organization context when not requiring application tokens

v3.5.13

Compatible with Javascript SDK v3.5.3

Bug

  • CORS list with domains including port numbers fails

Story

  • As a DS admin I can update the DS cycle time to a value in seconds

  • MacOS pin popup not focused

  • Migration to Rust Luxtrust

v3.5.12

Compatible with Javascript SDK v3.5.3

Story

  • Enable the possibility to launch in silent and non-silent mode on Windows

Bug

  • Trust1Connector tries to catch up for the cycles it could not complete when coming back from sleep for a prolonged time

  • Trust1Connector API disappears/stops after a couple of seconds without any crash information

v3.5.11

Compatible with Javascript SDK v3.5.3

Story

  • Launcher have the capability to run in silent and non-silent mode

  • When updating it should clean-up the old versions files which are not needed anymore

  • Configure workers through CLI for actix web server

  • Launcher log its process logging to a log file

  • As a System I would like to log the panic output to a log-file

  • Implement NTLM compatibility

  • As the Trust1Connector I need to have my current time information exposed on the system/info endpoint

Task

  • Launcher have a dynamic process and launchd configuration based on a per client configuration object

  • Add the option to enable the cURL functionality in the launcher configuration

  • Remove the need of a nightly build to enable quote interpolation in the launcher

v3.5.10

Requires upgrade of JS SDK to v3.5.3

Improvement

  • Consent flow, check if /info endpoint user matches the request user, if not new consent is needed, if present, ok

Story

  • Support Citrix multi-host session management for consent flow

v3.5.9

Compatible with JavaScript v3.5.1

Bug

  • Quovadis token does not work with the Safenet Library

  • Remove the use of TaskList in the launcher

  • LuxID card not working in Windows

v3.5.8

Compatible with JavaScript v3.5.1

Bug

  • Cors list should always completely represent what is defined in the DS

  • Macos CORS sync towards registry is not immediate

  • Pin values cause validation to trigger when the encrypted value becomes too big

Improvement

  • Input validation on all endpoints of API and REG

Story

  • Parameterize the range of free ports to run on

  • As a user I would like to have the possibility to receive a notification for a new version

v3.5.7

Compatible with JavaScript v3.5.1

Bug

  • Dialogs on OSX should have binary names with ENV prefix/suffix

Story

  • As a Mac user I would like to have a launcher to better manage the Trust1Connector

  • As the Trust1Connector I want my SSL certificate to be updated automatically when it has been updated in the DS

v3.5.6

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0 |

Bug

  • Eherkenning middleware does not work properly with M1 hardware

  • Launcher should only stop component in its own user-context

v3.5.5

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0 |

Story

  • Support for Airbus token

  • Support for safenet token

  • Support for Eherkenning token

v3.5.4

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0 |

Bug

  • File-exchange when folder does not exist the open dialog crashes

Story

  • Migration to Rust Wacom

v3.5.3

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0 |

Bug

  • Fix for Wacom App::data() Mutex issue

  • Update Error handling to reflect prior version of T1C (and map new ones to existing error codes for ease of integration)

Improvement

  • Added x-xsrf-token to CORS headers

v3.5.2

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0 |

Bug

  • Registry and API Cors syncing does not happen in the first cycle when registration towards DS is done

  • Pin dialog does not give focus to the input field in Windows

  • Cors rules do not take into account the protocol

  • Pin dialog does not display on MacOS

  • Prepare registry cert does not find the certificates and tries to copy but fails

Story

  • Provide launcher executable to start and manage the Trust1Connector

  • Add dialog timeout to CLI (for both win and mac)

v3.5.1

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC7 |

Bug

  • Application launcher does not check current installed files and folders properly

v3.5.0

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC7 |

Bug

  • DS public key should not be needed when no DS config is present

  • Unavailable DS makes the Trust1Connector crash

  • CMD.exe /c SET is executed by the sandbox with no apparent use-case

  • Device key rotation also needs to update the ds-txs.json

  • Trust1Connector with DS capabilities uses current dir as rootfolder

  • File exchange download create folders write authorization error

  • File exchange List Type Content response object is not complete

  • File exchange dialog and network timeout need to follow the parameter or default

  • update-type and cancel the browse windows does not return data in the response

  • File exchange Update Type does not show correct the entity folder in the dialog

  • File exchange List type response object is not correct

  • File exchange create type shows dialog when path doesn't exist and modal is false

  • As a packager I want to provide a specific port for the Registry

  • API and Registry info endpoint do not return all properties

  • T1C API uses the readers as an info endpoint

  • MacOS limited the access towards files for services

  • Sending unknown filters makes the API crash

  • rename query param for all_data and all_certs to filter

  • Standalone mode should not trigger prepare_registry_cert

  • MacOS logger does not work when the binary is packaged

  • Airbus selects wrong Non-Repudiation cert

  • MacOS installer sometimes asks for administrative password

Improvement

  • RUST support Jcop card

  • Device key rotation

  • Bulk reset MUST be a GET as it does not contain any body

Story

  • As an Integrator I want all dialogs to have an optional timeout property

  • As a user, I want to be able to use/have a DS for the v3

  • Migrate to Rust Jcop

  • Migration to Rust Luxid

  • Migration to Rust Crelan

  • Migration to Rust Chambersign

  • Migration to Rust Certinomis

  • Migration to Rust Certigna

  • Migration to Rust airbus

  • Add timeout and file parameter for MacOS dialogs

  • Encapsulate MacOS package in an administrative package which always automatically installs in the correct context

  • As a Packager I would like to run the Trust1Connector via an executable

  • Safenet rustification

  • eHerkenning rustification

  • Use the exe filename instead of env! cargo name

  • Refactor usize/isize for win/osx

  • Implement Relo rust module

  • Implement EMV rust module

  • Implement new architecture for shared environment, multi session host, single installation, ...

  • Expose CORS config, to be configurable upon runtime (not compile time)

  • Rust - File Exchange

  • Improve the startup of the T1C with the sandbox

V3.5.0-rc020

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC7 |

Bug

  • Not starting due to DS cert loaded, when DS is not needed (upon startup ds client)

  • DS public key should not be needed when no DS config is present

Story

  • Add anti caching headers on the response to avoid http caching on the client

  • Update the license terms for Signid Release

V3.5.0-rc019

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC6 |

Bug

  • Unavailable DS makes the Trust1Connector crash

  • Device key rotation also needs to update the ds-txs.json

  • Trust1Connector with DS capabilities uses current dir as rootfolder

V3.5.0-rc018

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC6 |

Bug

  • Cors control of Trust1Connector API and Registry does not allow the CSRF header

V3.5.0-rc017

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC6 |

Story

  • As a user, I want to be able to use/have a DS for the v3

  • Expose CORS config, to be configurable upon runtime (not compile time)

V3.5.0-rc016

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC6 |

Bug

  • File exchange download fails to move the temporary file to its final location

V3.5.0-rc015

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC6 |

Bug

  • File exchange download create folders write authorization error

V3.5.0-rc014

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC5 |

Bug

  • File exchange List Type Content response object is not complete

  • File exchange dialog and network timeout need to follow the parameter or default

  • update-type and cancel the browse windows does not return data in the response

  • File exchange Update Type does not show correct the entity folder in the dialog

  • File exchange List type response object is not correct

  • File exchange create type shows dialog when path doesn't exist and modal is false

  • API and Registry info endpoint do not return all properties

Story

  • As an Integrator I want all dialogs to have an optional timeout property

V3.5.0-rc013

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC2 |

Bug

  • As a packager I want to provide a specific port for the Registry

  • T1C API uses the readers as an info endpoint

V3.5.0-rc012

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC2 |

Bug

  • Airbus selects wrong Non-Repudiation cert

Story

  • Migrate to Rust Jcop

  • Migration to Rust Luxid

  • Migration to Rust Crelan

  • Migration to Rust Chambersign

  • Migration to Rust Certinomis

  • Migration to Rust Certigna

  • Migration to Rust airbus

  • Safenet rustification

  • eHerkenning rustification

V3.5.0-RC10

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • Trust1Connector API must be able to log when packaged

  • MacOS installer sometimes asks for administrative password

  • MacOS limited the access towards files for services

Story

  • Encapsulate MacOS package in an administrative package which always automatically installs in the correct context

  • As a Packager I would like to run the Trust1Connector via an executable

  • Use the exe filename instead of env! cargo name

  • Refactor usize/isize for win/osx

  • Rust - File Exchange

The folder restriction from Apple regarding user sensitive folders such as

  • Documents,

  • Desktop,

  • ...

has been fixed in this version. More information regarding this restriction can be found in their release notes here under the section Launch Daemons and Agents

V3.5.0-RC9

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • Spaces in path caused invalid CLI arguments

  • Sandbox log path caused crashes

V3.5.0-RC8

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • T1C-sandbox does not automatically restart after crash

V3.5.0-RC7

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • Sending unknown filters makes the API crash

  • rename query param for all_data and all_certs to filter

V3.5.0-RC6

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • MacOS T1C api does not register towards the registry when installed via the packaging

  • Standalone mode should not trigger prepare_registry_cert

V3.5.0-RC5

| Component | Version |
| --- | --- |
| JavaScript | v3.5.0-RC1 |

Bug

  • MacOS logger does not work when the binary is packaged

Improvement

  • RUST support Jcop card

  • Device key rotation

  • Bulk reset MUST be a GET as it does not contain any body

Story

  • Implement EMV rust module

  • Implement new architecture for shared environment, multi session host, single installation, ...
