Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
The Trust1Connector core services address communication functionality with local devices. The Trust1Connector core exposes 2 main interfaces:
interface for web/native applications using JavaScrip/Typescript
REST API as a new approach and to incorporate the Trust1Connector as a microservice in the application architecture
In this guide, we target only the use of Trust1Connector's core interface for web/native applications.
The T1C-SDK-JS exposes protected resources for administration and consumer usage.
The JavaScript library must be initialized with a correct token in order to access the all resource. The security policy for Trust1Connector v3 secured ALL endpoints.
Protected resources are administration resources. The JavaScript library must be initialized with a correct token in order to access the resource.
Download Trust1Connector installer
Get Information of the device and user context
Register T1C for device
Update T1C on device (install new version)
Update DS (distribution server) metadata
Increment use case counter
Executing these functionality is explained further.
Consumer resources are typically used from an application perspective:
Get pub-key certificate
Get version
Get Information (operating system, runtime, user context, variable configuration)
List card-readers
List modules
Get module
Get card-reader
Get card-reader with cards inserted
Get card-readers without card
Get consent (needed for shared environments)
Detect card for card-reader (polling utility resource)
Detect any card (polling utility resource)
Detect card-readers (polling utility resource)
Browser Information (utility resource)
Executing these functionality is explained further.
The Trust1Connector functionalities are about secured communication with device hardware.
The document highlights communication with smart card readers - contact and contact-less. Other hardware devices can be enabled or integrated as well in the solution. Some of the already are, for example printer drivers, signature tablet drivers, ...
The client can be initialized by passing a T1CConfig object in the constructor
Returns a list of available card readers. Multiple readers can be connected. Each reader is identified by a unique reader_id.
The response will contains a list of card readers:
When multiple readers are attached to a device, the response will show all connected card readers:
Important to notice:
The response adds a card-element when a card is inserted into the card reader.
The response contains card-reader pin-pad capabilities
As mentioned in the List card-readers, when a smart-card is inserted/detected, the reader will contain the cart-type based on the ATR. The ATR (Anwser To Reset), is the response from any smart-card when powered, and defines the card type.
The Trust1Connector recognized more than 3k smart-card types.
As mentioned in the List card-readers, when a card-reader has pin-pad capabilities, this will be mentioned in the response (notice the pinpadproperty):
The following example is the response for List card-readers on a device with 4 different card-readers attached:
In the above example you notice that 4 card-readers are connected. Each card-reader receives his temporary id which can be used for other functions where a card-reader id is needed.
This method can be requested in order to list all available card-readers, and optional cards-inserted.
Each card-reader has a vendor provided name, which is retrieved from the card-reader itself.
An additional property pinpad, a boolean value, denotes if the card-reader has pin-pad capabilities. A pin-pad is a card-reader, most of the times with its own display and key-pad.
From a security perspective, it's considered best practice to use as much as possible pin-pad capabilities of a pin-pad card-reader.
When a reader has a smart-card inserted (contact interface) or detected (contactless interface), the card type will be resolved by the GCL in order to respond with a meaningful type.
In the above examples you see that; one card-reader has a Belgian eID card; another card-reader has a MisterCash or VISA Card available for interaction.
The readers returned, are the card-readers with a card available. The card-readers where no card is presented, are ignored.
Returns a list of available card readers with a smart card inserted. Multiple readers can be connected with multiple smart cards inserted. Each reader is identified by a unique reader_id and contains information about a connected smart card. A smart card is of a certain type. The Trust1Connector detects the type of the smart card and returns this information in the JSON response.
Response:
The T1C JS SDK no longer has a method to download the T1C installer.
Instead, the T1C installer can be downloaded by navigating the client browser to the /v3/downloads/installer endpoint of the Distribution Service (e.g. https://acc-ds.t1t.io/v3/downloads/installer). The Distribution Service will analyze the User-Agent header and automatically initiate the download of an OS-appropriate installer of the latest configured version. The user agent string parsing is considered "best-effort"; as they can vary wildly depending OS and browser software.
Alternatively, you can also initiate the download of a T1C installer with the following endpoints:
/v3/downloads/installers/{{OS}}: This endpoint allows you to specify the OS for which you wish to obtain an installer. The possible values are win32, win64, unix, macos.
/v3/downloads/installers/{{OS}}/versions/{{version}}: This endpoint allows you to download a specific version of a T1C installer for a specific OS.
In order to use the JS-SDK, the library must be initialised with an api-key. The api-key is a key received upon subscription. The JS-SDK is a client library for web based consumers. As a reminder, the T1C can be used from a native applications context using a native client, or addressing directly the T1C interface. In order to work with an api-key in a browser context, 2 type of consumers can be distinguished:
SPA (Single Page Application) integration: this is a web application without any back-end
Web Application integration: this is a web application with a back-end implementation
For an SPA, an api-key (thus the access token to the Distribution Service) is considered unsafe in a browser context. For SPA's, Trust1Team configures extra security measures on infrastructure level. A mutual authentication is required and additional policies are applied (IP restriction policy, ...).
The api-key must be translated into an JWT token in order to enable communication with the T1C.
To initialise the JavaScript client library, the library must be loaded into your HTML page:
Once loaded, the script will expose a GCLLib global. This global will allow you to create a GCLConfig:
The GCLConfigOptions object will allow you to specify and/or override the configuration to be used. Configuration options can be found in the Configuration Options below. You can create a GCLConfigOptions as follows:
Now that we have a configuration, we can initialise the client library. The following example creates a Promise that will resolve with an instance of a T1CClient:
The Trust1Connector API requires a valid JWT token to be provided in the Authorization header. This JWT token can be retrieved by asking the Distribution Service to generate a token for a specific API-key.
It is important that this API-key is not exposed in the front-end application as this is a security violation.
When you've received a valid JWT token from the DS you can provide this into the configuration object when initialising the Trust1Connector JS client.
When using the Trust1Connector Javascript SDK the Authorization header is automatically populated with the JWT provided while initialising.
When the Token has expired there is a function which you can call to provide a new token and which will in turn return an updated client to be used.
Retrieving a valid JWT token happens via the DS. When passing a valid API-key to header of the endpoint {{ds-url}}/v3/tokens/application (GET) you wil in turn receive a valid JWT token.
Example response
A JWT token is only valid for a certain period. After this period the API will return an error. At this point you need to request a new JWT token to be able to communicate with the API.
In the T1C JS SDK there is a function which you can use to re-initalise the client with a new valid JWT token.
The updateJWT function can be found in the Core service. After initialising you can retrieve the core as follows:
The function's interface is as follows;
This function returns an updated client which you can continue to use for your desired use-cases.
A Web Application interacts with the Trust1Connector on standalone devices or within a shared environment. The Web Application is not aware, but must take this into consideration upon integration.
Integrating the Trust1Connector can be done via the Javascript SDK. This SDK is compiled in regular javascript and in Typescript. Each release of the Javascript SDK will have the following files;
dist
T1CSdk.js (complete SDK)
T1CSdk.js.map
lib (typings, default Typescript compilation)
lib-esm (typings, Compilation with ES6 module support)
In V3 of the Trust1Connector the javascript SDK is meant as a comparable manner of integrating like the V2. The SDK includes most of the API featureset but not all.
We strongly encourage to integrate via the API, since this will be the most feature-complete and the de facto manner of integration in the future.
All examples below will be shown in regular Javascript. Javascript for changing UI behavior will not be present.
For initialisation of the T1C you need to prepare your application first by adding the SDK JS files to your project and importing them in such a way that you can call for the Javascript functions when you need them.
Next up we will prepare the SDK's configuration Object, this object is used to pass information about which default port the Trust1Connector is running on, JWT key, API url, ...
When the configuration is set you can initialise the Trust1Connector with that Config and an optional property for clipboardData. This clipboard data is used for initialisation of the Trust1Connector in a shared environment. This will be handled later.
You can see in the code above we catch 3 errors;
500: Consent error, this means the user is running in a shared environment and needs to provide his consent
115: Initialisation error: The Trust1Connector is not able to initialise because it could not
199: T1C exception, this will be thrown when the T1C is not available
To retrieve the reader after initialisation you can do the following;
After initialisation of the T1C you can start using it. For example the BEID module needs to be initialised with a readerId, That is why fetching the readers and providing the user-selected reader to the client is a necessity.
The code above will return a BEID client which can be used to execute the BEID functionality.
Initialisation of the Trust1Connector for shared environments is similar to the regular initialisation with the difference being a required consent. More information can be found in the Consent page.
For initialising the Trust1Connector in a shared environment you need to setup the config so that it contacts the Proxy. When initialising you need to provide a token that is residing on the user's clipboard, via this clipboard token the Proxy can determine which which user is trying to communicate and will return an updated configuration value for the API and the sandbox service.
This configuration update is handled by the SDK itself.
The code above is an example of how you can integrate a copy command in the webbrowser. When the data is copied to the clipboard you just need to pass it to the initialize function like so;
File digests config doesn't take the path differences between Mac OS and Windows into account
PKCS11 configuration cookie cannot be created on Windows devices
PKCS11 returns null pointer exception when no pin is provided
Unresolved address exception when the Trust1Connector is installed or started without internet connection
As an end user I can use RMC with the new T1C v3 for the belgian eID and the file exchange
Windows installers are signed with the Trust1Team certificate
Windows installer includes the firewall settings upfront
All endpoints communicating with smartcards/tokens/... need to be protected by means of JWT
Support for silent install on Win Platforms
Remove sensitive system info from API & Proxy exposed on /info endpoint
Remove from API & Proxy the temp folder path on the /info
Provide the possibility to use PKCS11 objects instead of keystores
Integrate PKCS11 container in the sandbox-service
Maintain a transaction log with labels
Ability to do bulk signing with the generic token interface
PKCS11 SlotId in config issue
Fileexchange when canceling file or directory dialogs, no error is thrown but an empty path is returned
Catch errors with regards to the GRPC service nog being running
File IO needs to check if access rights for file are fulfilled otherwise return 803
Fileexchange v2 recovery failed due to wrong encoding
T1C JS SDK fix typo for responseObject info endpoint
Typescript typings are conflicting with eachother (generics)
T1C SDK pkcs11generic slots should be numbers instead of strings
Cookie implementation for the Trust1Connector JS SDK in shared environments
check fileexchange file/directory access rights before executing the command
After reinstallation the v3.0.1 of the t1c api config defines its running in a shared environment but there are no other instances running on the machine
When no connector is installed no valid error code is returned in JS
Play.pid blocking reinstallation of Trust1Connector API
Move file location of the T1C v3 file-exchange config to the new folder structure instead of using the old folder structure
Audit logging for tampering checks in the Trust1Connector
Configure logging for T1C-API
Keep audit record for lifecycle changes T1C-API (restart sandbox, ...)
As an integrator I want to have the RemoteLoading functionality in REST available
Keep DS logs for 1 year
As the Trust1Connector I want the Sandbox to have an automatic recovery when an unexpected shutdown happens
Add parameter validation to each endpoint which requires it
The ID-One Cosmo V7-n is part of the Oberthur family of cryptographic modules called ID-One Cosmo V7. Modules within
this family share the same functionalities and the description of the ID-One Cosmo V7 applies to all versions including the “-n” subject to this validation.
This document describes the functionality provided by the Oberthur ID-One smartcard - which is a PKI container - on the T1C-GCL (Generic Connector Library) implemented version:
ID-One Cosmo V7-n; FIPS 140-2 Security Policy
All model information can be found in the Token typings model page
When initialisation is finished you can continue using the aventra object to execute the functions below.
The expected response for this call should be;
The expected response for this call should be;
Exposes all the certificates publicly available on the smart card. The following certificates can be found on the card:
Root certificate
Signing certificate
Authentication certificate
Issuer certificate
Encryption certificate
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
The expected response for this call should be;
This will return information of the Aventra card.
The expected response for this call should be;
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Contains the 'root certificate' stored on the smart card. The service can be called:
Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation, authentication and singing. The service can be called:
Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. The service can be called:
The expected response for these calls should be in the following format;
The expected response for these calls should be in the following format;
Data can be signed using the smartcard. To do so, the SDK facilitates in:
Retrieving the certificate chain (root, intermediate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed has
To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.
Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The expected response for this call should be;
The PIN set for bulk signing can be reset by calling this method.
Response will look like:
The SDK is able to authenticate a card holder based on a challenge. The challenge can be:
provided by an external service
provided by the smart card
An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.
The expected response for this call should be;
The expected response for this call should be;
Aventra MyEID PKI Card is a cryptographic smart card conforming to common Public Key Infrastructure standards like ISO/IEC-7816 and PKCS#15v1.0 specification. It can be used for various tasks requiring strong cryptography, e. g. logging securely to Windows, encrypting e-mail, authentication, and electronic signatures. The card is also available as a Dual Interface version, compatible with T=CL protocol and also emulating Mifare™. The card is a JavaCard with Aventra MyEID applet that implements the functionality.
The applet implements the FINEID S1 v1.12 specification and it can be configured to include all or any subset of the features specified in FINEID S4-1 or S4-2 specifications. Starting from version 2.2.0 the applet supports both 1024 and 2048 bit RSA keys. From version 3.0.0 (MyEID3) the applet supports keys from 512 bit up to 2048 bit in increments of 64 bits. The applet is fully compatible with JavaCard 2.1.1 and GlobalPlatform 2.0.1 specifications. The new MyEID version 3 (MyEID3) is now released and it uses the new JavaCard 2.2.1 and GlobalPlatform 2.1.1 platform. The new MyEID3 now supports RSA keys from 512 up to 2048 bits in 64 bit increments. MyEID3 supports file sizes up to 32767 bytes and 14 different PIN-codes can be created and used. The number of RSA keys is only limited by the available memory and maximum numbers of files (see PUT DATA: INITIALISE APPLET).
References
The most relevant specifications and standards are:
ISO/IEC 7816-4
ISO/IEC 7816-8
ISO/IEC 7816-9
JavaCard 2.1.1, MyEID3: 2.2.1
GlobalPlatform 2.0.1 ' (Open Platform), MyEID3: GlobalPlatform 2.1.1
FINEID S1 and S4 documentation
This document describes the functionality provided by the Aventra smartcard - which is a PKI container - on the T1C-GCL (Generic Connector Library) implemented version:
MyEID - reference manual v1.7.36
All model information can be found in the Token typings model page
When initialisation is finished you can continue using the aventra object to execute the functions below.
The expected response for this call should be;
The expected response for this call should be;
Exposes all the certificates publicly available on the smart card. The following certificates can be found on the card:
Root certificate
Signing certificate
Authentication certificate
Issuer certificate
Encryption certificate
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
The expected response for this call should be;
This will return information of the Aventra card.
The expected response for this call should be;
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Contains the 'root certificate' stored on the smart card.
Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation, authentication and signing.
Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key.
The expected response for these calls should be in the following format;
The expected response for these calls should be in the following format;
To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.
Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The expected response for this call should be;
The PIN set for bulk signing can be reset by calling this method.
Response will look like:
The expected response for this call should be;
The expected response for this call should be;
The expected response for this call should be;
Each lawyer in Belgium registered at the balie is obliged since 1/1/2018 to have an electronic lawyer card. This is declared in atr. 193bis of the Codex Deontologie voor Advocaten:
“De advocaat moet voor zijn identificatie en voor de authenticatie beschikken over de elektronische CCBE-advocatenkaart.”
More info at https://www.diplad.be/en-GB/t/23/elektronische-advocatenkaart.aspx.
All model information can be found in the Token typings model page
Response will look like:
�Response will look like:
Response will look like:
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
The filter is optional
Response will look like:
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Response will look like:
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Response will look like:
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Response will look like:
If the card reader has a PIN pad, the PIN must always be entered via the card-reader PIN pad.
If the card reader has no PIN pad:
If the osDialog property is set to true, a OS dialog window will be displayed for the user the enter their PIN
If the pin property is defined, that value is used
If osDialog is set to false, and pin is undefined, an error will be returned
Response will look like:
To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.
Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The PIN can provided/entered in the same way as Verify PIN
Response will look like:
To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.
The PIN can provided/entered in the same way as Verify PIN
Response will look like:
Response will look like:
The PIN set for bulk signing can be reset by calling this method.
Response will look like:
The ID-One Cosmo V8-n is part of the Idemia IAS ECC family of cryptographic modules called ID-One Cosmo V8. Modules within this family share the same functionalities and the description of the ID-One Cosmo V8 applies to all versions including the “-n” subject to this validation. This document describes the functionality provided by the Idemia IAS ECC ID-One smartcard - which is a PKI container - on the T1C-GCL (Generic Connector Library) implemented version:
ID-One Cosmo V8-n; FIPS 140-2 Security Policy
All model information can be found in the Token typings model page
When initialisation is finished you can continue using the aventra object to execute the functions below.
The expected response for this call should be;
The expected response for this call should be;
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
The expected response for this call should be;
This will return information of the Aventra card.
The expected response for this call should be;
When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not.
Contains the 'root certificate' stored on the smart card. The service can be called:
Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation, authentication and singing. The service can be called:
Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. The service can be called:
The expected response for these calls should be in the following format;
The expected response for these calls should be in the following format;
Data can be signed using the smartcard. To do so, the SDK facilitates in:
Retrieving the certificate chain (root, intermediate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed hash
To sign data, an algorithm must be specified in the algorithm property (see Supported Algorithms), and a Base64-encoded string representation of the digest bytes of the same algorithm in the data property.
Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The expected response for this call should be;
The PIN set for bulk signing can be reset by calling this method.
Response will look like:
The SDK is able to authenticate a card holder based on a challenge. The challenge can be:
provided by an external service
provided by the smart card An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process
The expected response for this call should be;
The expected response for this call should be;
The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM), smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key" - but "PKCS #11" is often used to refer to the API as well as the standard that defines it). The API defines most commonly used cryptographic object types (RSAX.509 keys, DES/Triple DES Certificates/keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects. This container relies on a PKCS#11 a library which handles the communication with the token/card. This can be a vendor specific library or an opensource one, please select the correct one depending on the type of token/card you are using.
The Abstract PKCS #11 smartcard interface is summarised in the following snippet:
For more information on how to configure the JS client library see Configuration.
Depending on the OS you need to provide a valid location to the desired PKCS11 library to be used.
Call a function for the PKCS #11 container:
This methods returns the available slots on the system.
An example response:
This method is similar the the slots endpoint but only returns a list of slots where a token is present.
An example response:
This methods returns the token information for a slot.
An example response:
This methods allows you to retrieve the certificates from the PKCS #11 token.
Response:
To successfully sign data, we need the following parameters:
Slot ID of the token to use
Certificate ID of the signing certificate
PIN code
Hashed data to sign
Hashing algorithm used
The slot id can be found using either a call to slots, slotsWithTokenPresent. Once the slot id is found, the certificates can be retrieved with a call to certificates. This then returns the certificate id. Now we can combine this with the PIN code and hashed data + hashing algorithm (SHA1, SHA256, SHA384, SHA512) to create the final signData call:
Returns signed data for provided input data.
An example response:
The functions specified are asynchronous and always need a callback function. The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:
The error object returned:
Migration from the v2 to the v3 of the Trust1Connector can be done in 2 ways;
Integration of the API
Integration via the deprecated Javascript SDK
Both are viable integrations but we strongly suggest to integrate via the API since the JS SDK does not include all features, only the ones which were available in the v2. When integrating via the API you have more control over the Javascript packages used.
The Javascript SDK has the following packages as dependencies;
For updating your web application first of all you need to use the new Javascript SDK. After this there are some differences in using the SDK from the v2.
The configuration from the v2 has changed, we simplified this.
The v2 had the following configuration options;
With the v3 this is significantly simplified to the following;
Some of the config options of the v3 are still in review and can be removed up until the final release of the v3, in the table below you will find more information
After you've created your configuration object you can do the initialisation of the Trust1Connector SDK. This has largely remained the same except for the error codes.
V2 example:
V3 example;
The Belgian eID container facilitates communication with card readers with inserted Belgian eID smart card. The T1C-JS client library provides function to communicate with the smart card and facilitates integration into a web or native application. This document describes the functionality provided by the Belgian eID container on the T1C-GCL (Generic Connector Library).
All model information can be found in the Token typings model page
Initialise a Trust1Connector client:
Get the Belgian eID container service:
Call a function for the Belgian eID container:
The constructor for the Belgian eID expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:
This function call returns:
We notice that a card object is available in the response in the context of a detected reader.
The reader in the example above is Bit4id miniLector, has no pin-pad capabilities, and there is a card detected with given ATR and description "Belgian eID Card".
An ATR (Answer To Reset) identifies the type of a smart-card.
The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Belgian eID card.
This must be done upon instantiation of the Belgian eID container:
All methods for beid will use the selected reader - identified by the reader_id.
The card holder is the person identified using the Belgian eID card. It's important to note that all data must be validated in your backend. Data validation can be done using the appropriate certificate (public key).
Contains all card holder related data, excluding the card holder address and photo. The service can be called:
An example callback:
Response:
Contains the card holder's address. The service can be called:
Response:
Contains the card holder's picture stored on the smart card. The service can be called:
Response:
The token info contains generic information about the card and it's capabilities. This information includes the serial number, file types for object directory files, algorithms implemented on the card, etc.
Response:
Exposes all the certificates publicly available on the smart card.
Contains the 'root certificate' stored on the smart card. The root certificate is used to sign the 'citizen CA certificate'. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not. The service can be called:
Response:
Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation and authentication. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:
Response:
Contains the citizen certificate stored on the smart card. The 'citizen certificate' is used to sign the 'authentication certificate' and the 'non-repudiation certificate'. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:
Response:
Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:
Response:
Contains the 'encryption certificate' stored on the smart card. The 'encryption certificate' corresponds to the private key used to sign the 'biometric' and 'Address' data. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:
Response:
All data on the smart card can be dumped at once, or using a filter. In order to read all data at once:
Response:
The filter can be used to ask a list of custom data containers. For example, we want to read only the biometric data
Response:
All certificates on the smart card can be dumped at once, or using a filter. In order to read all certificates at once:
Response:
The filter can be used to ask a list of custom data containers. For example, we want to read only the rootCertificate
Response:
Data can be signed using the Belgian eID smart card. To do so, the T1C-GCL facilitates in:
Retrieving the certificate chain (citizen-certificate, root-certificate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed hash
To get the certificates necessary for signature validation in your back-end:
Response:
Depending on the connected smart card reader. A sign can be executed in 2 modes:
Using a connected card reader with 'pin-pad' capabilities (keypad and display available)
Using a connected card reader without 'pin-pad' capabilities (no keypad nor display available)
Security consideration: In order to sign a hash, security considerations prefer using a 'pin-pad'.
When the web or native application is responsible for showing the password input, the following request is used to sign a given hash:
Response is a base64 encoded signed hash:
The 'authenticationreference' property can contain the following values: sha1, sha256, sha512, md5.
When the pin entry is done on the pin-pad, the following request is used to sign a given hash:
Response is a base64 encoded signed hash:
The 'algorithm_reference' property can contain the following values: sha1, sha256, sha512, md5.
The core services lists connected readers, and if they have pin-pad capability. You can find more information in the Core Service documentation on how to verify card reader capabilities.
It is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the Bulk Sign Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The PIN set for bulk signing can be reset by calling this method.
Response will look like:
In order to calculate a hash from the data to sign, you need to know the algorithm you will use in order to sign.
You might have noticed the algorithm_reference property provided in the sign request.
The algorithm_reference can be one of the values: md5, sha1, sha256, sha512.
For example, we want the following text to be signed using sha256:
You can use the following online tool to calculate the SHA256: calculate SHA256
Hexadecimal result:
Notice that the length of the SHA256 is always the same. Now we need to convert the hexadecimal string to a base64-encoded string, another online tool can be used for this example: hex to base64 converter
Base64-encoded result:
Now we can sign the data:
Result:
Note: If you want to convert a binary signed hash to HEX (for development) you can use for example an online hexdump tool:
http://www.fileformat.info/tool/hexdump.htm
When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:
Response:
When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:
Response:
In order to inform a user upon the PIN retries left, the Belgian eID doesn't provide a request to retrieve this information. After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:
The following error message will be returned when PIN is wrong:
After a second wrong PIN verification:
Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.
The T1C-GCL is able to authenticate a card holder based on a challenge. The challenge can be:
provided by an external service
provided by the smart card An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.
External Challenge
An external challenge is provided in the data property of the following example:
Response:
Take notice that the PIN property can be omitted when using a smart card reader with pin-pad capabilities. The 'algorithm_reference' property can contain the following values: sha1, sha256, sha512, md5.
Generated Challenge
A server generated challenge can be provided to the JavaScript library. In order to do so, an additional contract must be provided with the 'OCV API' (Open Certificate Validation API).
The Luxembourg ID container facilitates communication with card readers with inserted Luxembourg ID smart card. The T1C-JS client library provides function to communicate with the smart card and facilitates integration into a web or native application. This document describes the functionality provided by the Luxembourg ID container on the T1C-GCL (Generic Connector Library).
The Abstract Lux eID interface is summarised in the following snippet:
Each interface will be covered on this wiki, accompanied with example code and response objects.
All model information can be found in the Token typings model page
Initialise a Trust1Connector client:
Get the Luxembourg ID container service:
Note that we pass both the reader_id and pin/can and specify the pin_type in this call. Unlike other cards, all communication with the Luxembourg ID card is protected with the PIN or CAN code.
Call a function for the Luxembourg ID container:
For demonstration purpose we will use the aforementioned callback, which only outputs the data and eventual error messages. During integration meaningful functionality should be provided.
The pin should be provided in order to instantiate the container. It's is possible to enforce user PIN entry for each function separately. Providing the PIN at instantiation of the container, means that the PIN will be in the browser session - but not persisted - for the lifetime of the container instance within the browser session.
The constructor for the Luxembourg ID expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core Services. Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:
This function call returns:
We notice that a card object is available in the response in the context of a detected reader.
The reader in the example above is iDentiv CL, has no pin-pad capabilities, and there is a card detected with given ATR and description "Grand Duchy of Luxembourg...".
An ATR (Answer To Reset) identifies the type of a smart-card.
The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Luxembourg eID card.
This must be done upon instantiation of the container:
All methods for luxeid will use the selected reader - identified by the reader_id.
The card holder is the person identified using the Luxembourg eID card. It's important to note that all data must be validated in your backend. Data validation can be done using the appropriate certificate (public key).
Contains all biometric related data, excluding the card holder address and picture. The service can be called:
An example callback:
Response:
Contains the card holder's address. The service can be called:
Response:
Contains the card holder's picture stored on the smart card. The service can be called:
Response:
Contains an image of the card holder's signature stored on the smart card. The service can be called:
Response:
Exposes all the certificates publicly available on the smart card. The following certificates can be found on the card:
Root certificate
Intermediate certificate
Authentication certificate
Non-repudiation certificate
T1C-JS will return the raw base64 certificate, optionally it can also return an object representing the certificate as parsed by PKI.js. To enable parsing, parseCerts must be set to true.
The root and intermediate certificates are both stored as root certificates.
Contains the 'root certificate' stored on the smart card. The root certificate is used to sign the 'intermediate certificate'. The service can be called:
Response:
There are 2 root certificates on the card, one is the issuer certificate of the intermediate
Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation, authentication and singing. The service can be called:
Response:
Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. The service can be called:
Response:
All data on the smart card can be dumped at once, or using a filter. In order to read all data at once:
Response:
The filter can be used to ask a list of custom data containers. For example, we want to read only the 'rn', 'picture' and 'rrn certificate':
Response:
All certificates on the smart card can be dumped at once, or using a filter. In order to read all certificates at once:
Response:
The filter can be used to ask a list of custom data containers. For example, we want to read only the 'root-certificate' and the 'rrn-certificate':
Response:
Data can be signed using the Luxembourg ID smart card. To do so, the T1C-GCL facilitates in:
Retrieving the certificate chain (root, inetermediate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed hash
To get the certificates necessary for signature validation in your back-end:
Response:
Depending on the connected smart card reader. A sign can be executed in 2 modes:
Using a connected card reader with 'pin-pad' capabilities (keypad and display available)
Using a connected card reader without 'pin-pad' capabilities (no keypad nor display available)
Security consideration: In order to sign a hash, security considerations prefer using a 'pin-pad'.
When the web or native application is responsible for showing the password input, the following request is used to sign a given hash:
Response is a base64 encoded signed hash:
The 'authentication_reference' property can contain the following values: sha1, sha256, sha512, md5.
Avoid using SHA-1: is deprecated on the interface and will not be available in the future
In order to calculate a hash from the data to sign, you need to know the algorithm you will use in order to sign.
You might have noticed the algorithm_reference property provided in the sign request.
The algorithm_reference can be one of the values: md5, sha1, sha256, sha512.
For example, we want the following text to be signed using sha256:
You can use the following online tool to calculate the SHA256: calculate SHA256
Hexadecimal result:
Notice that the length of the SHA256 is always the same. Now we need to convert the hexadecimal string to a base64-encoded string, another online tool can be used for this example: hex to base64 converter
Base64-encoded result:
Now we can sign the data:
Result:
When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:
Response:
In order to inform a user upon the PIN retries left, the Luxembourg eID doesn't provide a request to retrieve this information. After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:
The following error message will be returned when PIN is wrong:
After a second wrong PIN verification:
Note that, when the user has at least one retry left,entering a correct PIN resets the PIN retry status.
The T1C-GCL is able to authenticate a card holder based on a challenge. The challenge can be:
provided by an external service
provided by the smart card An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.
External Challenge
An external challenge is provided in the data property of the following example:
Response:
Take notice that the PIN property can be omitted when using a smart card reader with pin-pad capabilities. The 'algorithm_reference' property can contain the following values: sha1, sha256, sha512, md5.
Generated Challenge
A server generated challenge can be provided to the JavaScript library. In order to do so, an additional contract must be provided with the 'OCV API' (Open Certificate Validation API).
This container supports functionality for EMV "chip and PIN" bank cards, including:
VISA, MasterCard, Amex, CB and UK Post Office Account contact cards
PayWave (VISA) and PayPass (MasterCard) contactless cards
Initialise a Trust1Connector:
Get the EMV service:
Call a function for the EMV container:
The constructor for the EMV expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core Services. Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:
This function call returns:
We notice that a card object is available in the response in the context of a detected reader.
The reader in the example above is VASCO DIGIPASS 870, has pin-pad capabilities, and there is a card detected with given ATR and some descriptions.
An ATR (Answer To Reset) identifies the type of a smart-card.
The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the EMV card.
This must be done upon instantiation of the EMV container:
All methods for emv will use the selected reader - identified by the reader_id.
List the supported applications on the EMV card
An example callback:
Response:
The application data contains information of the holder of the card, the validity, the primary account number, ...
An example callback:
Response:
On some applications there is an issuer public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.
An example callback:
Response:
On some applications there is an icc public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.
An example callback:
Response:
When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:
Response:
When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:
Response:
After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:
The following error message will be returned when PIN is wrong:
After a second wrong PIN verification:
Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.
The functions specified are asynchronous and always need a callback function. The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:
The error object returned:
For the error codes and description, see Status codes.
This container supports functionality for Crelan bank cards
Initialise a Trust1Connector client:
Get the Crelan module:
Call a function for the Crelan module:
The constructor for the Crelan expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core Services. Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:
This function call returns:
We notice that a card object is available in the response in the context of a detected reader.
The reader in the example above is VASCO DIGIPASS 870, has pin-pad capabilities, and there is a card detected with given ATR and some descriptions.
An ATR (Answer To Reset) identifies the type of a smart-card.
The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Crelan card.
This must be done upon instantiation of the Crelan container:
All methods for crelan will use the selected reader - identified by the reader_id.
List the supported applications on the Crelan card
An example callback:
Response:
The application data contains information of the holder of the card, the validity, the primary account number, ...
An example callback:
Response:
On some applications there is an issuer public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.
An example callback:
Response:
On some applications there is an icc public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.
An example callback:
Response:
When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:
Response:
When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:
Response:
After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:
The following error message will be returned when PIN is wrong:
After a second wrong PIN verification:
Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.
A Base64-encoded string representation of the digest bytes must be included in the data property of the request.
txId will be displayed on the PIN pad
language determines the language displayed on the PIN pad
Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. The PIN will not need to re-entered until a request with bulk being set to false is sent, or the Bulk PIN Reset method is called.
When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.
The PIN can provided/entered in the same way as Verify PIN
Response will look like:
The functions specified are asynchronous and always need a callback function. The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:
The error object returned:
For the error codes and description, see Status codes.
Before you are able to use the SDK's methods you need to initialise the trust1connector javascript SDK. Below you can find an example of how to do this. You can also check the integration in web applications page.
In this example you can see when the connector is initialised we try to fetch the pkcs11 configuration already loaded in (if present), if this is not loaded you still need to upload the configuration. (line 30)
we store the client data for later use (line 27)
After initialising the configuration we can fetch all available slots to display on the screen. (line 31)
The most important config values are the name and the library (location of the PKCS11 dylib or DLL).
Base64 ecoding the config contents described in the codeblock above and sending them via the uploadConfig method of the JS sdk will enable you to upload and use that pkcs11 configuration.
To be able to use the PKCS11 generic you need to upload a correct configuration file, which includes the name and library to be used. We use a html file chooser to fetch a file and use the FilereaderAPI to retrieve the contents of the selected file, then we convert it to a base64 string which we send to the uploadConfig method
This method is used to clear a currently active configuration
Via the following endpoint your're able to retrieve OS information if required
Retrieve the library information of the loaded configuration. When the loaded config is not present it will throw a configuration exception
Requirements: loaded configuration
Retrieve all available slots
Requirements: loaded configuration
The same endpoint can be triggered but only showing the slots present;
Retrieve relevant slot information
Requirements: loaded configuration, slotId
Retrieve information about the selected token
Requirements: loaded configuration, slotId
Retrieve all aliasses for a specific token.
Requirements: loaded configuration, slotId, verifyPin object
Returns the name of the algorithm associated with this key
Requirements: loaded configuration, slotId, Alias, verifyPin object
Retrieve all certificates present for a specific token.
Requirements: loaded configuration, slotId, Alias, verifyPin object
Sign base64 data object.
Requirements: loaded configuration, slotId, Alias, signData object
Verify the pin of a specific token.
Requirements: loaded configuration, slotId, Alias, VerifyPin object
TBD
T1C uses the following HTTP response codes when handling a request.
In case of an error the response will contain a body with more detailed information about the error:
All possible values of the codes are described below in "Application Status Codes" The description field contains more information
These errors are still in draft. These can change until the final release of the v3
Trust1Connector v3 Release Documentation
The Trust1Connector is a technical product that aims to make all hardware tokens, used for authentication and digital signing, interoperable in a web environment. No operating system dependencies to take into account, no browser dependencies, and compatible with smart-card readers, contactless readers and pin-pad readers/terminals.
Our mission is straight forward our focus is to enable secured communication, from a web application, to a desktop device, in the world of person identity, mainly for the following use cases:
Read token information (personal info, ICAO, ...)
Read certificates, certificate chains or certificate information
Verify a known password (PIN, PUK, CAN, ...)
Authenticate using a hash
Digitally sign a hash
Our mission is to add all token profiles we find in B2C and B2B, government, banking, insurance, health, ...
This library is an SDK meant for fast integration in a web application. We promote although the use of the REST API. After installation of the middleware, from an application perspective, you can consume the functionalities as you do with other microservices. The application will need any REST client, in any language to enable all card communication functionalities.
As the connector exists for more than 5 years, Trust1Team decided to enhance the design, security, functionalities, ... and to incorporate all feedback of existing partners into the Trust1Connector v3.
The library has evolved as a technology product for smart card communication to a framework of secured communication from a browser to any hardware device. In our eco-system we have implemented communication to various printers, signature tablets, biometric devices etc.
During the years, the Trust1Connector has evolved from a product to be installed on standalone dekstops to a product which can be used on shared environments such as Citrix, XenApp, ...
In order to guarantee secured communication, former versions needed a user to have administrator rights during the installation. From this release on, the solution runs completely in user space, sandboxed and hardened. No user data is compromised and thus the solution is GDPR compliant.
The following list describes the characteristics of the Trust1Connector:
Browser independent (no impact upon browser update)
No need for browser plugin
Based on official communication standards, security standards and regulations
No additional software needed, the middleware includes it's own dependencies
Recoverability build-in, preventive checks and tamper-proof
Coops with multiple card readers/terminals (contact and contactless)
Coops with multiple card types (we call it card application profiles)
Extendable and secured framework, we are open to add any card the business needs on our platform
Installers for all supported versions of Mac, Windows and Linux
Installers for Citrix, XenApp or other shared environments
The ReLo (Remote Loading) container is provided through the T1C (Trust1Connector) in order to provide a secured communication channel to executed APDU commands that are generated from a back-end service (which can be optionally signed by a HSM).
The ReLo provides smart card operations, like for example:
open/close session
execute APDUs (single or in bulk)
retrieve card/card reader features
verify if card present
retrieve ATR
...
The ReLo-API is an example back-end service implementing different smart card or token profiles (there is no limitation to smart cards). The T1V (Trust1Vault) is a Trust1Team product operating as a secured vault, and integrating with a HSM.
The following functions are available in the library:
The readerId is passed to theremoteloading handler object on initialization. For example, opening a session on reader with idf56c0ffe15a07d09
All function return Promises by default.
If you prefer callbacks, each function also has an optional parameter to pass in a callback function. If a callback function is provided, the function will still return a promise, but the callback function will be called when the promise resolves/gets rejected.
For any function that accepts a sessionIdparameter, the parameter is optional. If a sessionId is provided, the corresponding session will be used for the request and then will be _kept open_once the request completes. This means that if this was the last request that needed to be made, the session needs to be explicitly closed with a call tocloseSession.
If no sessionId is provided, the request will still complete, but the GCL will set up a new session, perform the required action and then close the session. This means that there is _no open session_once the request completes.
When a wrong sessionID is sent in a request, an error message will be returned. The status code will be 'invalid sessionID' or 'no active session'
Opens a new session. Returns the sessionId, which will need to be stored by the client application for later use.
timeout (optional): session timeout in seconds. If not provided, will default to value set in GCLConfig. Must be a number > 0.
Sends a command to the reader for execution.
command(tx: string, sessionId?: string, callback: (error, data))
tx: command-string to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
Activates a specific CCID feature if it is available on the reader
ccid(feature: string, command: string, sessionId?: string, callback?: (error, data))
feature: feature to check
command: command to send to the ccid reader (hex format)
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
Closes currently open session.
closeSession(callback?: (error, data))
none
Checks if the card for this session is still present.
If no sessionId is provided, checks if a card is present in the reader.
isPresent(sessionId?: string, callback?: (error, data))
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
Retrieves the ATR for the card currently in the reader.
atr(sessionId?: string, callback?: (error, data))
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
Returns a list of available CCID features for the current reader.
ccidFeatures(sessionId?: string, callback?: (error, data))
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
Executes an APDU call on the current reader. The difference with the commandfunction is that theapdu function takes an APDU object, whereas commandtakes a string.
apdu(apdu: ApduObject, sessionId?: string, callback?: (error, data))
apdu: object containing the APDU to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
APDU Object interface:
For the apduand commandfunctions, it is possible to send an array of apdu's/commands.
Executes an array of APDU calls on the current reader.
apdus(apdu: ApduObject[], sessionId?: string, callback?: (error, data))
apdu: array containing the APDU objects to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.
APDU Object interface:
Executes an array of commands on the current reader.
commands(tx: string[], sessionId?: string, callback?: (error, data))
tx
: array containing the command strings to be executed
sessionId
(optional)
: sessionId to use. Required if the session needs to be kept open after the request completes.
The Trust1Connector supports 2 different user consent mechanisms for applications:
implicit user consent: the user will be provided with a consent token which can be pasted into his clipboard. The T1C-GCL will implicitly retrieve the consent token form the clipboard and perform a verification (the token pasted in the clipboard - form the application context - should match with the token available on the clipboard for the T1C-GCL)
For an implicit consent, the T1C is performing the verification of the shared code word.
The consent can be configured to have an expiration date, when this expiration date has been exceeded, a new consent will be asked towards the user.
The implementation of the consent flows only apply with the T1C JS SDK. Implementation with the API directly is different
If the consent has been enabled upon installation of the Trust1Connector, a user will not be able to retrieve any data from the connector without first giving its consent, agreeing to give access to his/her card reader of filestorage. Without this consent, all requests will return a 401 Unauthorized response with error code 500 No valid consent found or at initialisation of the Trust1Connector SDK an error code 500 No valid consent found. The application should detect these error codes and use it to trigger the consent dialog.
The application shows this code word on screen and provide a button for 'copy-to-clipboard'. When the user has copied the code word to the clipboard (on user click button event), an implicit consent request can be executed towards the T1C. The T1C will grab the pasted code word from the user system clipboard and if both match, an implicit user consent has been granted for the calling application. The relation between the application and the local T1C instance is 'approved'. At this point the Trust1Connector returns a cookie that should be stored in the browser. This cookie will be re-used the next time the user wants to use the Trust1Connector until the cookie expires.
Initially the concept was based on copying programmatically the code word, from the application context, to the user system clipboard. Although, through CAB forum, this not allowed; A user interaction is mandatory. The application should provide a 'copy-to-clipboard' button or alike in order to 'trigger' a user action. Once this action has been done, the T1C executes the flow automatically, this is retrieval and verification of the code word.
Currently, the need for a user interaction is a known limitation (aka. clipboard.js). As this is the case, the W3C has a project ' Clipboard APIs' to propose a solution for a new clipboard API in browsers. The use case for 'Remote clipboard synchronisation' as a use case included in this draft proposal. As this is a draft, and not yet supported by the browsers, we can not perform an automatic 'paste' ('copy' in terms of the browser) to the clipboard.
Sending an implicit consent request can be done as follows:
This call has 1 required and 2 optional parameters:
Code Word (required): a code word in string format that will be shown in the consent dialog.
Consent duration in days (optional): Allows the application the specify how long this consent is to be valid if granted
Callback function (optional): function to be called with the result of the consent request.
The response of the consent will be an updated T1C Client which you after this point can use to continue your use-case(s).
The response can also be a 400 Bad Request with status code 115 "No agents registered to the proxy service" which means that the request has been sent with the unique code but the Proxy cannot not find the user associated with it by checking the clipboards of all connected users.
This could mean that there is no T1C API client present or it is not running correctly.
The File Exchange container allows the application to choose whether to notify the users in the application context, or to delegate notification to the T1C. The T1C uses the underlying operating system to notify users
The context of a type mapping is defined by the following concepts:
applicationid (property of Type class): a string value denoting the application identifier. This is the root context for entity mapping
entity: a string value denoting the root entity for types mapping
type: a string value denoting a file typing, related to the absolute path mapped by an user, this value abstracts absolute paths from an application perspective
The following image depicts the file exchange object model:
A 'Type' in the context of the File Exchange container, is a label, used by an application, to abstract the absolute path reference of the local file system. A 'Type' allows the application to perform file transfers, without the notion of the local file system organization. The File Exchange container maps the absolute path, chose by a user, on the application scoped label. We call this action a 'type mapping', this is, an absolute path, in the context of an application, is references by a label.
A user can chose to 'persist' the Type mapping, or can decide to assign an absolute path for each individual transaction.
Subfolders can be managed by the application. All subfolder are relative paths and when requested can be created, optionally recursively, by the File Exchange API. It's important to understand:
Type mapping : correlates to absolute paths on a local file system
Type subfolders: correlates to relative paths on a local file system
The File Exchange container maintains the mapping for absolute paths. Relative paths will be created when used in the specified use case. Neither absolute paths or relative paths will result in deletion on the local file system! When deleting a 'type' (aka absolute path), the type will be removed from the File Exchange container, but the references directory will still exist on the user's file system.
In the File Exchange API, the parameter relpath refers to an array of strings denoting a directory path.
The File Exchange API can be integrated using Promises or callbacks. Both are returning the same result.
The following enumerators have been exported by the File Exchange container:
The following functions are available in the T1C-JS library:
The error codes mentioned are added to the File Exchange container. The exception handling follows the framework exception handling and are extensions of status codes mentioned on:
Running the Trust1Connector in a shared environment, such as Citrix, XenApp and Remote Desktop, requires additional installation steps. In this section we explain the concept and approach used.
The following schematic seems rather complicated as it explains the inner workings of the Trust1Connector components, the concept is elaborate further on this page. If you are only interested in what the integration impact is for your Web Application in a Shared Environment, you can skip directly to the section:
The Web Application can use the T1C-SDK-JS or a custom REST API client for integration purpose. As the Web Application operates in a browser context, resolving an agent, by means of a consent, will result in a browser cookie being provided.
The T1C-SDK-JS implements the detection of a Shared Environment during the initialisation of the library. When initialisation succeeds without a controlled exception, the setup is a standalone; when the initialisation throws an 401 Error, the T1C-SDK-JS can be used to request the user for a Consent.
When using the REST API directly form your web application, reading the browser cookie and performing the initialisation must be done by the integrating Web Application itself.
Compared to Trust1Connector v2, the v3 release has a separate component to be be installed on a shared host. This component is called the T1C-Proxy and only exposes the following use cases:
Verify random available ports [in a predefined range] which can be used by an Agent (Session of T1C-API running in user space)
Port reservation upon installation of a new T1C-API in an active user session
Port registration upon initialisation of a T1C-API in an active user session
Management of an in-memory list of active Agents
Management of user consents in a shared environment by means of browser cookies with an optional configurable TTL (time to live)
The T1C-Proxy operates by Default on the API port defined in the T1C-DS (Distribution Server). From a Web Application perspective, this is the only information known. When a Web Application requests the information of the device, the PROXY device type will inform the Web Application that the targeted underlying API is a PROXY, which means that the Web Application must ask for the Agent specific API port to configure an URI which can be used to execute the use cases.
When using the T1C-SDK-JS this is done implicitly during initialisation.
A T1C-API installed for a specific users runs in [User Space]. To avoid possible attack vectors, the Trust1Connector v3 will always run in [User Space].
Upon installation of the T1C-API, during the post install phase, the T1C-API will try to verify automatically if it is running in a shared environment. If this is the case, the T1C-API will ask the T1C-Proxy for available ports and will reserve those post, prior to initialisation and startup.
The ports which are reserved by the T1C-Proxy are the following:
T1C-API Port: This is the port exposing the OpenAPI interface towards Web Applications and used by the T1C-SDK-JS
T1C-gRPC Port: This is the port exposing the gRPC interface locally towards the T1C-API component. The T1C-gRPC runs in a sandboxed and hardened environment, it contains the implementation modules needed for hardware communication with local or remote peripherals.
When receiving ports during post-install, an user agent device is temporary RESERVED in the Agent Registry of the T1C-Proxy. Upon T1C-API initialisation, the port configurations will be confirmed and the Agent Registry will set the device state on REGISTERED. From this moment on, a T1C-API instance, running in an active user session, will be available for the Web Application.
The T1C-gRPC instance is inherently a component from the T1C-API, and thus is managed by the T1C-API. As each user must have it's own hardened runtime for communication purpose, the port assigned for T1C-gRPC will be registered and configured by the T1C-API (and restarted when needed).
Starting from this release (v3) of the Trust1Connector, each device must have a link with an active and running T1C-DS (Trust1Connector Distribution Server). This is to guarantee security, updates, and avoid potential risk in production.
The T1C-DS is proceeded by an API Gateway who is managing the security offloading in the application layer. For a Web Application to communicate with a T1C-Proxy or T1C-API, a JWT (Json Web Token) is needed and obliged. The T1C-DS is responsible for the key management, the certificate management and other use cases which are described in a separate wiki.
In order to retrieve a valid JWT, the T1C-DS can be requested from your application back-end with a valid api-key. The JWT is valid for a given amount of time, and sets the context used when requesting the T1C-API on a device.
V2 config option
V3 config option
Description
gclUrl
t1cApiUrl
in the V2 this was https://localhost:10443 while in the V3 this will be https://t1c.t1t.io (for T1T)
t1cApiPort
is the port where the webserver is listening on, in the v2 this is 10443 but in the v3 by default(T1T) this is 51983
t1cRpcPort
this is the port where the sandbox is running (card communication)
t1cProxyPort
This value represents the port where the Proxy webserver is listening on. By default this is 51983
gwOrProxyUrl
t1cProxyUrl
Similar to the api url this is the URL where the proxy used in shared environment is running on. This is by default the same as the API url
apiKey
/
gwJwt
jwt
JWT token used for authentication of the web application towards the Trust1Connector. This must be retrieved from the web applications backend
tokenExchangeContextPath
/
ocvContextPath
/
dsContextPath
dsUrl
in v2 this was the context path for the DS based on the gwOrProxyUrl, in the v3 this is the complete DS root url
dsFileContextPath
/
pkcs11Config
/
agentPort
/
implicitDownload
/
forceHardwarePinpad
/
sessionTimeout
/
consentDuration
/
syncManaged
/
osPinDialog
osPinDialog
boolean which depicts the default os pin dialog value (This is up for review to be removed from v3 config)
containerDownloadTimeout
/
localTestMode
/
lang
/
providedContainers
/
Code
Description
100
general t1c error
101
Module not supported
102
Module not available
103
Module not implemented
104
function not supported
105
function not available
106
function not implemented
107
service not supported
108
service not available
109
service not implemented
110
Pace layer error
111
Reader error
112
Notification error
160
Digest error
115
Initialisation error
116
DistributionService error
117
Rest exception
118
JSON Parsing error
119
JWT parsing error
120
Forbidden error
121
Unauthorized error
122
Invalid DS JWE
123
Device keystore missing
125
Parameter exception
130
Proxy service exception
131
Invalid T1C state exception
199
T1C unavailable exception (JS)
500
Agent consent missing or expired (JS)
Code
Description
300
General transaction error
301
Pin error
304
Puk error
305
Not supported error
Code
Description
400
General certificate error
Code
Description
800
General fileexchange error
801
IO exception (files/folder)
803
Access exception ( not enough rights )
804
Type related errors
805
Entity related errors
806
configuration related error
Old code
New code
example description
351
803
/Library/Updates/ProductMetadata2.plist (Operation not permitted)
352
803
/Library/Updates/ProductMetadata2.plist (Operation not permitted)
353
803
/Library/Updates/ProductMetadata2.plist (Operation not permitted)
354
801
Source '/Users/gilles/Desktop/fileextest/test.plist' does not exist
355
112
No valid dir path returned, no valid file path returned, Timeout, No PIN entered
356
804
No Type with name test was found in entity with name testEnt,
357
804
type with name testType already exists
358
not applicable
error 801 will be thrown with a more detailed message
359
not applicable
360
805
Entity with name testEnt already exists
361
805
No Entity with name testEnt was found
/
806
No configuration found (file-exchange config file is missing/deleted…)
Code
Description
900
Internal error
Code
Description
301
Warning: the user can try twice more to verify his PIN
301
Warning: the user has only 1 retry left, after this the PIN must be reset at the local municipally
301
Error: the PIN is blocked, the PIN must be reset at the local municipally
Code
Description
103
Warning: the user can try twice more to verify his PIN
104
Warning: the user has only 1 retry left, after this the PIN must be reset at the local municipally
105
Error: the PIN is blocked, the PIN must be reset at the local municipally
JavaScript API
Function
Input
Output
Description
openSession
session timeout in seconds
sessionId
Opens a remote session, the session will be accessible through a session-id. The T1C will keep the session open and reusable.
command
tx, sessionId (optional)
command response
A single command to be executed remotely. When no session is available, a new session will be opened and immediately closed after execution of the command.
commands
tx[], sessionId (optional)
command response[]
One or more command to be executed remotely and sequentially. When no session is available, a new session will be opened and immediately closed after execution of the commands.
ccid
feature, command, sessionId (optional)
ccid response
Trigger a specific CCID feature.
closeSession
N/A
N/A
Close a session. When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
isPresent
sessionId (optional)
boolean
Verify if a card is present. When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
atr
sessionId (optional)
ATR for card
Retrieve ATR from card. When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
ccidFeatures
sessionId (optional)
list of features
List of card readers features available for CCID. When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
apdu
apdu object, sessionId (optional)
apdu response
Execute a single APDU command. When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
apdus
apdu[], sessionId (optional)
apdu response[]
Execute one or more APDU commands (APDU bulk). When no session is available, a new session will be opened and closed. The T1C will be in its initial state.
Code
Description
301
Warning: the user can try twice more to verify his PIN
301
Warning: the user has only 1 retry left
301
Error: the PIN is blocked
Code
Description
301
Warning: the user can try twice more to verify his PIN
301
Warning: the user has only 1 retry left
301
Error: the PIN is blocked
Enum
Values
Description
FileSort
ASC, DESC
Used for sorting files. ASC = ascending, DESC = descending
TypeStatus
MAPPED, UNMAPPED
Use to inform the application if a Type has been mapped to an absolute path by the user.
JavaScript API
Function
Input
Output
Description
download
entity, type, file, filename, relpath, implicitCreationType, notifyOnCompletion
success value
Creates a file named filename at the type location, optionally in relative folder denoted by relpath, with file contents file. Optionally notifies user upon completion.
upload
entity, type, filename, relpath, notifyOnCompletion
array buffer
Uploads a file named filename, from the type location, optionally in relative folder denoted with relpath. Optionally notifies user upon completion.
listTypes
entity, page
list of type objects
Returns a list of existing types. The type object contains information about the mapping of absolute paths. Paging can be used optionally by using the page parameter.
listType
entity, type
type object
Returns the targeted type object.
listTypeContent
entity, type, relpath, page
list of file objects
Returns a list of file objects for the targeted type. A file can be a directory or a binary file. The relpath refers to the directory path where files should be searched for.
listContent
entity, page
list of file objects
Returns a list of file objects for all known types. The list will contain all files that are present in defined types.
existsType
entity, type
boolean
Verifies if type exists. Be aware that a type can exist, but no mapping has been persisted by the user.
existsFile
entity, type, relpath
boolean
Verifies if a file exists on the local file system.
getAccessMode
entity, type, relpath, filename
access mode
Returns the access mode for a file or directory. The param relpath can be used to target a nested file or directory.
createDir
entity, type, relpath, recursive
file object
Returns the created file object (which in this use case is always a directory). When recursive is set to true, the all subfolders will be created.
copyFile
entity, fromType, toType, filename, newfilename, fromrelpath, torelpath
file object
Copy a file or directory on the local file system.
moveFile
entity, fromType, toType, filename, fromrelpath, torelpath
file object
Move a file or directory on the local file system.
renameFile
entity, type, filename, newfilename, relpath
file object
Rename a file or directory
getFileInfo
entity, type, filename, relpath
file object
Returns the targeted file information
createType
entity, type, timeoutInSeconds, initabspath
type object
Creates a new type mapping, with optional initial path (migration support). When the path is not found on the local system, the user will be prompted with a file chooser.
createTypeDirs
entity, type, relpath, showModal, timeoutInSeconds
type object
Creates new subfolders for a type mapping. If the type mapping is not existing, the user will be prompted with a file chooser.
updateType
entity, type, timeoutInSeconds
type object
Prompt the user to force renewal of type mapping. The user will be presented with file chooser, even when the mapping exists already.
deleteType
entity, type
boolean
Removes the type mapping, but does not delete directories or files from the local system.
Code
Description
Info
800
FileExchangeException
General File exchange exception
801
IoException
Exception regarding file IO
803
AccessException
Exception regarding access towards a file/folder
804
Type Exception
Exception regarding a Type
805
Entity exception
Exception regarding a Entity
806
Configuration exception
Exception regarding the configuration file
