Release Notes

Last updated 3 months ago

v3.8.8

Release 02/12/2024

Improvement

  • add static compilation for MSVC (vc runtime)

  • update sandbox linker (robustness)

  • disable default DNS rebind (will be added in UI component in future versions, can be overridden using t1c-launc fix-dns-rebind)

v3.8.7

Release 02/12/204

New Features

  • VDDS Medical module

  • Update tracing

  • Update command exec functionality

v3.8.6

Release 21/08/2024

Bug

Fix the blocking SSL download at startup (DS communication)

Improvement

Add flag to check SSL certificate on startup

v3.8.4

Release 06/06/2024

Release notes - Trust1Connector - t1c-sdk-js_v3.8.4

Bug

Task

Story

Improvement

v3.8.3

Release 29/05/2024

Release notes - Trust1Connector - t1c-rust-api_v3.8.3

Bug

v3.8.2

Release 22/05/2024

Release notes - Trust1Connector - t1c-rust-api_v3.8.2

Bug

Story

v3.8.1

Release 19/03/2024

Story

Release 21/02/2024

Bug

Task

Story

Improvement

v3.7.13

Release 19/02/2024

Bug

Task

Improvement

v3.7.11

Release 30/10/2023

Release notes

Bug

Task

Story

Improvement

v3.7.10

Release 03/10/2023

Release Notes

Bug

Task

Story

Improvement

v3.7.9

Released 26/07/2023

Release notes

Bug

Task

Story

Improvement

v3.7.7

Released 30/05/2023

Release notes

Bug

Story

Improvement

v3.7.5

Released 18/01/2023

Release notes

Bug

  • After registering the device a synchronisation needs to happen

v3.7.4

Released 22/12/2022

Release notes

Task

  • Upgrade compiler version to latest stable

Story

  • As a system, when installed in a separate folder, I want to validate the SSL certificate validity and domain based on the root file

v3.7.2

Released 20/10/2022

Release notes

Story

  • As a system I should be able to send the log files to the DS so that support can easily look for issues with a device

v3.7.1

Released 20/10/2022

Release notes

Bug

  • Remove the header that was added in 3.7.0 from testing the PNA (W3C draft) implementation, which caused older versions to fail

v3.7.0

Released 19/10/2022

Release notes

Bug

  • Registry does not retrieve the base CORS list on startup

  • Mutex lock causes Registry and api to go into a deadlock

  • When the user has a custom date/time set on his System it causes the API to crash on DS communication

  • Shared environment/multi user setup makes the Registry and API get in a deadlock state

  • Vulnerabilities based on Penetration test of Connective

Improvement

  • Use separate endpoint for reg to validate if api is registered on the correct user

  • As an integrator I can ask for all readers and ask to exclude readers by name

Story

  • As a system I want to use the private and public device key to encrypt and decrypt the response data so that an integrator/SDK can validate that no man in the middle attack has happened

🔺Mutex

The API and Registry use a feature called mutexes to have data that can be shared over multiple OS threads. Using this is necessary for some functionality. In previous versions, in a shared environment (Citrix, for example), you could make the API and Registry get into what's called a deadlock. This caused the mutex to never be unlocked for use by another OS thread, blocking the connector completely. This has now been solved and has been tested on instances of 1000 concurrent devices.

🔺System time out of sync

We had a user whose operating system had a custom date set (not synced), which caused issues with DS communication. The DS communication also checks whether the time of the request is not in the future or in the past (with some slack, of course). So if you use the Connector with a custom date you will not be able to contact the DS, because it requires a request within a correct time-zone. If this is not the case, it could be that a malicious user is trying to exploit the DS, at which point the DS refuses the request. The issue was that this caused the Connector to crash. This has been solved so that the Connector does not crash. System time must be correct, otherwise DS communication cannot be done (security issue).

✅ Private Network Access

Private Network Access (PNA) is a new CORS draft that prevents remote servers from contacting local instances without extra checks. Chrome has already implemented this draft in a non-blocking manner: it sends 2 pre-flight requests, the normal pre-flight and another one where the PNA implementation has been done. At this point the pre-flight for the PNA implementation is non-blocking, meaning that if the pre-flight fails it will not block the request. When the PNA CORS draft is final this will become blocking. In this release we've already started adding some required components to support this in an upcoming release.
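
How a local service can answer the two pre-flights described above, as an added example that is not Trust1Connector code. The origin allow-list, the method list and the function name are assumptions; the header names are those of the Private Network Access draft.

```javascript
// Added example (not Trust1Connector code): answering CORS pre-flights on a
// local service, including the Private Network Access (PNA) variant.
// ALLOWED_ORIGINS and buildPreflightResponse are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value
const ALLOWED_METHODS = ["GET", "POST"];

function buildPreflightResponse(method, rawHeaders) {
  // Normalise header names: HTTP header names are case-insensitive.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value);
  }
  const requested = h["access-control-request-method"];
  if (method !== "OPTIONS" || !requested) {
    return { status: 400, headers: {} }; // not a CORS pre-flight
  }
  // Never reflect an arbitrary Origin: only exact, allow-listed origins pass.
  const origin = h["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  if (!ALLOWED_METHODS.includes(requested.toUpperCase())) {
    return { status: 403, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",
  };
  // PNA pre-flight: the browser announces a request towards a more private
  // network; the local service must opt in explicitly.
  if (h["access-control-request-private-network"] === "true") {
    headers["Access-Control-Allow-Private-Network"] = "true";
  }
  return { status: 204, headers };
}

// Constructed sample pre-flights: the normal one and the PNA one.
const normalPreflight = {
  Origin: "https://app.example.com",
  "Access-Control-Request-Method": "POST",
};
const pnaPreflight = {
  ...normalPreflight,
  "Access-Control-Request-Private-Network": "true",
};
console.log(buildPreflightResponse("OPTIONS", normalPreflight));
console.log(buildPreflightResponse("OPTIONS", pnaPreflight));
```

Once browsers enforce the draft, a PNA pre-flight that comes back without `Access-Control-Allow-Private-Network: true` causes the actual request to be blocked, so the opt-in belongs behind the same origin allow-list as the rest of the CORS policy.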

Sync log files with DS

In this release we've implemented a feature where the Connector will send its log files towards the DS. This is so that support desks can easily get the log files of the device which is requesting support.

HTTP verify response signature

We've added a feature where you can run the Connector in regular HTTP mode. To still be secure, we've added a signature field to the responses, which can be verified at the client's side to confirm they have not been tampered with. This verification is implemented in the JS SDK.

v3.6.3

Released 19/08/2022

Release notes

Bug

t1c-sdk-js tries to validate any present consent token when consent is disabled (optional consent)

Improvement

Remove the implicit CORS request from API info endpoint to DS, and provide/expose a public function in JS for application to force a CORS sync

Story

As a dashboard user I want to see how many installations have the DNS rebind issue

v3.6.1

Javascript SDK 3.6.0 has been unpublished and contains a bug in the consent flow where the error code is not returned correctly

Released 01/04/2022

The Mac Silicon (M1) is not yet supported for this version

Release notes

Bug

  • Update consent error codes for 3.6.x so that they do not interfere with other error codes

Improvement

  • As an SDK integrator I want to be able to fetch all the certificates on a token, including their information

  • As a user I want to validate the signed hash from a PKCS11 token, using the validation function of the PKCS11 interface

Story

  • As a user I want to use Camerfirma token

  • As a user I want to use Chambersign token

  • As an SDK integrator I want to be able to call the TokenInfo endpoint on PKCS11 tokens

Consent error code update

The consent error code has been updated in the Trust1Connector API library; this change has no impact on t1c-sdk-js clients.

Multi-client support and race condition fix

When using different instances of the Trust1Connector (optionally from another partner) on a Windows system, a port collision could be possible due to a race condition in port assignment upon initialization. Ports are now protected with anti-collision and are salted to make a port less guessable.

Implicit creation of LaunchAgents folder on Mac/OSX

When no LaunchAgents folder is present on the system, the installation procedure creates this folder implicitly.

Exposed Camerfirma interface

Camerfirma is a new PKCS11 token added to the modules of the Trust1Connector. The Camerfirma token requires the installation of the Camerfirma middleware.

Exposed Chambersign interface

Chambersign is a new PKCS11 token added to the modules of the Trust1Connector. The Chambersign token requires the installation of the Chambersign middleware.

Token Info endpoint will now return detailed information when using a PKCS11 token

The token info endpoint was previously implemented only for identity tokens. We have added support for Token Info of the PKCS11 modules. As the response has a different data structure, an additional type has been added for clients to parse the response correctly.

The PKCS11 token info exposes information on the algorithms which can be used for different use cases (digital signature, validation, authentication, ...). In a future release additional functionality will be provided, such as encryption, decryption, key exchange, ...

Fetch all the certificates on a token including all their information

For the different notification types, many tokens share multiple certificates for a single type. The original interface supported only a single certificate response. To be backwards compatible, those certificate functions have been adapted to behave the same as in v3.5.x.

New functions are available to support multiple certificate responses; they are called [certificateType]Extended. For PKCS11 tokens the certificate response also returns, besides the base64 encoded certificate and the certificate id, the following properties:

  • issuer

  • subject

  • serial number

  • hash sub pub key

  • hash iss pub key

  • exponent (payment modules)

  • remainder (payment modules)

  • parsed certificate (ASN1 format of the base64 encoded certificate)

Signed hash validation function exposed for PKCS11 tokens

A new function has been added for all PKCS11 modules, called the 'validate' endpoint. This endpoint, when available, can be used to validate a signed hash received after calling the 'sign' function. In a next version a variant of the validation function using OpenSSL will be added for all tokens.

PKCS11 migration towards RUST

For the Trust1Connector to support more PKCS11 functionality, the intermediate PKCS11 layer has been removed in favour of a direct PKCS11 LIB integration. FFI is used in RUST to support any library which needs to be loaded.

Token Algorithm input validation for signing and authentication

An additional guard has been implemented to prevent empty algorithms for the digital signature and validation endpoints. PKCS11 tokens will also verify that the provided algorithm is exposed as an allowed mechanism for the targeted use case.

JCOP3 ATR added

The Trust1Connector can now detect Java Card Object Platform 3 typed cards.

Select default PKCS11 non-repudiation or authentication certificate

When requesting a signature or an authentication, the correct certificate must be provided. For PKCS11 tokens the certificate id (or reference) can be omitted. The PKCS11 token will by default pick the first certificate (for the type needed) and use this with the specified mechanism to sign/authenticate.

Simplesign SDK-JS points to wrong endpoint

Document host file issue

As a user I want to get the version available for the Belgian eID

Detect DNS Rebind and fix by asking user to allow update of the local host file

As an integrator I can ask for all readers and ask to exclude readers by name

DNS Rebind check + dialog to fix it with admin rights

T1C SDK JS, retrieve reader list should exclude windows hello for business

Update the SimpleSign bootstrap filename to the original

As an integrator I want correct error codes when cancelling the pin action on Sign, Authenticate or verify pin actions

As an integrator I want correct error codes when timeout the pin action on Sign, Authenticate or verify pin actions

As an integrator I want access to the SimpleSign module

Implement Pkcs11 module

v3.8.0

Update T1C SSL certificates when running binaries from user session, while binaries are located in admin location

Apple al-tool deprecation for signing/notarization

Allow t1c-sdk-js to initialize using multiple endpoints

Cleanup certificates interfaces

Allow sdk initialisation with multiple hosts, selecting first-to-respond

Implement Truststore Certificates interface

Implement Truststore Transactions interface

Add global x509 utility endpoints for certificate parsing (DER|PEM|x509)

Remove deprecated proxy url and port from SDK initialization

Remove PKI.js dependency (replaced with the addition of API x509 endpoints)

Add parsing of certificates into Subject or Issuer CN

Implementing reader and truststore cross-over model

Adding Keychain integration for Mac OSX

Adding MSCAPI (wincrypt) and CNG for Windows

GetReaders does not return a suggested module, it only does it when using GetReaderS

When DS /download/ssl is not available -> api does not start (panic due to unwrap) :-)

Prevent REG from running when a local process has been detected!

Update the T1C with the new SSL for DNS t1c.t1t.io

Update system crate

Shared environment - issue with 904300-Signature data does not equal the expected data: reg should not send out the signature in the responses (or verify if the client pub is correctly loaded for REMOTE environments) -> local is not an issue

Apple al-tool deprecation for signing/notarization

Direct download of SSL when digest is not equal to the published version on DS

Add the integration with Local Signing Application

Sidecar for Certificate check upon start and init

Add swagger-ui initial set of exposed apis

Provide an initial openApi spec for LSA module

As an integrator I can ask T1C to digest data before sign for each module

t1c-sdk-js make excessive failing "pre-flight" requests

Ds Logs push using CURL has issues -> not sending over the PUT json body

File exchange list content type on macos sometimes gives read access errors on a just created folder via the API

SSL certificate synchronisation does not happen after first startup

Update T1C SSL certificates when running binaries from user session, while binaries are located in admin location

Update notarization in packager, altool being deprecated

RMCR - Upgrade sentry to latest version

Document Dashboard setup

As a User/Support desk I would like to change the log-level (info|debug|warn)

As a System I need to keep my transactions between installations

Update Cryptoki on Mac/Win for updated PKCS11 drivers

Validate and consent Lock error on mutex should not return invalid consent but should give a proper try again later error

As a system administrator I want to see the transactions of devices - somehow the transactions don't reach the DS

Prevent the refresh needed when polling during connector update/upgrade

Add version to the installer

Upgrade Rust Edition 2021

Update Clap

As a connector running on a local device I want to support key rotation from the application consumer

Update clap to v4 as CLI parser

Enable insecure for debugging when running in dev mode

Update the token information returned to the web application to contain a valid type

Finalise PKCS11 session for each running instance when ending a remote transaction

Update the PNA specification as an extension on previous release (announced Google Chrome v117)

Add documentation for ReadMyCards Web Application used for demonstration and showcase

Upgrade utility libs

Initial version for an independent debugger

Add tracing events to the connector api and registry

JWT token validation consistently fails due to incorrect device time

As a DS I need to provide a JWT token based on the time information of the requester.

Pass through the optional label from the JWT SUB to the transactions file and DS

As a system I should be able to send the log files to the DS so that support can easily look for issues with a device

As a client of the T1C API I want the api to validate the JWT token sent before proceeding with the use case

As a T1C API I want to renew the certificate needed for validation of the JWT when rotation happens on the DS