Oberthur Cosmo One v7.3

Introduction

The ID-One Cosmo V7-n is part of the Oberthur family of cryptographic modules called ID-One Cosmo V7. Modules within

this family share the same functionalities and the description of the ID-One Cosmo V7 applies to all versions including the “-n” subject to this validation.

This document describes the functionality provided by the Oberthur ID-One smartcard - which is a PKI container - on the T1C-GCL (Generic Connector Library) implemented version:

• ID-One Cosmo V7-n; FIPS 140-2 Security Policy

Interface

export interface AbstractOberthur73 {
    allCertFilters(): string[];
    allKeyRefs(): string[];
    allCerts(parseCerts?: boolean, filters?: string[] | Options, callback?: (error: T1CLibException, data: TokenAllCertsResponse) => void): Promise<TokenAllCertsResponse>;
    tokenData(callback?: (error: T1CLibException, data: TokenDataResponse) => void): Promise<TokenDataResponse>;
    rootCertificate(parseCerts?: boolean, callback?: (error: T1CLibException, data: TokenCertificateResponse) => void): Promise<TokenCertificateResponse>;
    authenticationCertificate(parseCerts?: boolean, callback?: (error: T1CLibException, data: TokenCertificateResponse) => void): Promise<TokenCertificateResponse>;
    nonRepudiationCertificate(parseCerts?: boolean, callback?: (error: T1CLibException, data: TokenCertificateResponse) => void): Promise<TokenCertificateResponse>;
    encryptionCertificate(parseCerts?: boolean, callback?: (error: T1CLibException, data: TokenCertificateResponse) => void): Promise<TokenCertificateResponse>;
    issuerCertificate(parseCerts?: boolean, callback?: (error: T1CLibException, data: TokenCertificateResponse) => void): Promise<TokenCertificateResponse>
    verifyPin(body: TokenVerifyPinData, callback?: (error: T1CLibException, data: TokenVerifyPinResponse) => void): Promise<TokenVerifyPinResponse>;
    authenticate(body: TokenAuthenticateOrSignData, callback?: (error: T1CLibException, data: TokenAuthenticateResponse) => void): Promise<TokenAuthenticateResponse>;
    sign(body: TokenAuthenticateOrSignData, bulk?: boolean, callback?: (error: T1CLibException, data: TokenSignResponse) => void): Promise<TokenSignResponse>;
    allAlgoRefs(callback?: (error: T1CLibException, data: TokenAlgorithmReferencesResponse) => void): Promise<TokenAlgorithmReferencesResponse>
    resetBulkPin(callback?: (error: T1CLibException, data: BoolDataResponse) => void): Promise<BoolDataResponse>;
}

Models

All model information can be found in the Token typings model page

Examples

Create the Oberthur module

T1cSdk.initialize(config).then(res => {
    const oberthur = res.client.createOberthur(readerId);
}, err => {
    console.error(error)
});

When initialisation is finished you can continue using the aventra object to execute the functions below.

All certificate filters

oberthur.allCertFilters().then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: ['rootCertificate', 'authenticationCertificate', 'encryptionCertificate', 'nonRepudiationCertificate', 'issuerCertificate']
}

all Key references

oberthur.allKeyRefs().then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: ['authenticate', 'sign', 'encrypt']
}

all Certificates

Exposes all the certificates publicly available on the smart card. The following certificates can be found on the card:

• Root certificate

• Signing certificate

• Authentication certificate

• Issuer certificate

• Encryption certificate

When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.

const filter = ['rootCertificate', 'authenticationCertificate', 'encryptionCertificate'];
oberthur.allCerts(filter).then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: {
       authenticationCertificate?: {
             certificate?: string,
             certificates?: Array<string>,
             certificateType?: string,
             id?: string,
             parsedCertificate?: Certificate,
             parsedCertificates?: Array<Certificate>
       },
       citizenCertificate?: {
             certificate?: string,
             certificates?: Array<string>,
             certificateType?: string,
             id?: string,
             parsedCertificate?: Certificate,
             parsedCertificates?: Array<Certificate>
       },
       nonRepudiationCertificate?: {
             certificate?: string,
             certificates?: Array<string>,
             certificateType?: string,
             id?: string,
             parsedCertificate?: Certificate,
             parsedCertificates?: Array<Certificate>
       },,
       rootCertificate?: {
             certificate?: string,
             certificates?: Array<string>,
             certificateType?: string,
             id?: string,
             parsedCertificate?: Certificate,
             parsedCertificates?: Array<Certificate>
       },,
       encryptionCertificate?: {
             certificate?: string,
             certificates?: Array<string>,
             certificateType?: string,
             id?: string,
             parsedCertificate?: Certificate,
             parsedCertificates?: Array<Certificate>
       },
    }
}

Token data

This will return information of the Aventra card.

oberthur.tokenData().then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: {
       version?: string,
       serialNumber?: string,
       label?: string,
       changeCounter?: number,
    }
}

Certificate

When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.

Root certificate

Contains the 'root certificate' stored on the smart card. The service can be called:

oberthur.rootCertificate(parseCertsBoolean).then(res => {
}, err => {
    console.error(err)
})

Authentication certificate.

Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation, authentication and singing. The service can be called:

oberthur.authenticationCertificate(parseCertsBoolean).then(res => {
}, err => {
    console.error(err)
})

Non repudiation certificate

Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. The service can be called:

oberthur.nonRepudiationCertificate(parseCertsBoolean).then(res => {
}, err => {
    console.error(err)
})

Issuer certificate

oberthur.issuerCertificate(parseCertsBoolean).then(res => {
}, err => {
    console.error(err)
})

Encryption certificate

aventra.encryptionCertificate(parseCertsBoolean).then(res => {
}, err => {
    console.error(err)
})

The expected response for these calls should be in the following format;

{
    success: true,
    data: {
        certificate?: string,
        certificates?: Array<string>,
        certificateType?: string,
        id?: string
    }    
}

Verify pin

const data = {
    pin: "1234", // optional
    osDialog: true // optional
}
oberthur.verifyPin(data).then(res => {
}, err => {
    console.error(err)
})

The expected response for these calls should be in the following format;

{
    success: true,
    data: {
        certificate?: string,
        certificates?: Array<string>,
        certificateType?: string,
        id?: string
    }    
}

Sign

Data can be signed using the smartcard. To do so, the SDK facilitates in:

• Retrieving the certificate chain (root, intermediate and non-repudiation certificate)

• Perform a sign operation (private key stays on the smart card)

• Return the signed has

To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.

Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.

When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.

const data = {
    algorithm: "sha256",
    data: "E1uHACbPvhLew0gGmBH83lvtKIAKxU2/RezfBOsT6Vs=",
    id: "123"
}
const bulk = false;
oberthur.sign(data, bulk).then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: {
        data: string
    }
}

Bulk PIN Reset

The PIN set for bulk signing can be reset by calling this method.

diplad.resetBulkPin().then(res => {
}, err => {
    console.error(err)
})

Response will look like:

{
    "success": true,
    "data": true
}

Authenticate

The SDK is able to authenticate a card holder based on a challenge. The challenge can be:

• provided by an external service

• provided by the smart card

  An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.

const data = {
    algorithm: "sha256",
    data: "E1uHACbPvhLew0gGmBH83lvtKIAKxU2/RezfBOsT6Vs="
    id: "123"
}
oberthur.authenticate(data).then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: {
        data: string
    }
}

Retrieve supported algorithms

oberthur.allAlgoRefs(data).then(res => {
}, err => {
    console.error(err)
})

The expected response for this call should be;

{
    success: true,
    data: {
        ref: ['sha256', 'md5']
    }
}