1 of 39

v3.2.x

Introduction

Trust1Connector v3 Release Documentation

A Word of Introduction

The Trust1Connector Javascript SDK is a library that purely functions as a proxy towards the Trust1Connector API. This Library does not contain any business logic.

Prerequisites

Trust1Connector API DNS

The Trust1Connector API v3 exposes a secure REST API on the client device. Trust1Team has created a t1c.t1t.io DNS entry (or customer-specific DNS entry) that points to 127.0.0.1 in order to facilitate SSL communication. This means that if the customer infrastructure uses a proxy for all network traffic, an exemption must be made for t1c.t1t.io to always point to the origin device's loopback address.

If no exemption is made and https://t1c.t1t.io is handled by a proxy, it will redirect to 127.0.0.1 IP of the proxy server instead of the local machine, and the Trust1Connector API will be unreachable.

Distribution Service

In order to correctly function, the Trust1Connector API must be able to connect to its configured Distribution Service. You must allow REST traffic to the following URLs (if applicable):

Acceptance: https://acc-ds.t1t.io
Production: https://ds.t1t.io

Disk Space

The T1C-Proxy (necessary for shared environments only) requires ± 200Mb of space

The T1C-API is installed in user space and also requires ± 200Mb of space for every user.

API Key

All endpoints of the Trust1Connector API are secured and require a JWT to access. To obtain a token, an . This API key must be requested from Trust1Team, or created by the customer if they are hosting their own Distribution Service

Operating System

Right now Trust1Conector support two operating systems;

MacOS 10.9 or higher
Windows 8.1 or higher

Windows 8.1 or higher

To run in user-space on Windows 8.1 or higher some components have to be set on the operating system

Registry keys

Below you can find a list of all registry keys that will be created for the working of the Trust1Connector, All these keys are added to HKCU

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Trust1Team\Trust1Connector

Cookies

When running in a shared environment a cookie is used to store the user's consent, the following cookie will be used:

Trust1Connector JS SDK

You can find the trust1connector JS SDK for the Trust1Connector v3 via NPM

You can also find the source code here https://github.com/Trust1Team/t1c-sdk-js/tags

Changelog

Release notes - Trust1Connector - Version T1C-JS-v3.2.13

Bug

Pkcs11 module and os dialog return decryption error
Update certificate model to correctly handle multiple certificates

Release notes - Trust1Connector - Version T1C-JS-v3.2.12

Bug

Device-key endpoint gets called in error handler instead of successhandler

Release notes - Trust1Connector - Version T1C-JS-v3.2.11

Bug

File-exchange ArrayBuffer should be Blob

Release notes - Trust1Connector - Version T1C-JS-v3.2.10

Bug

Initialising with invalid JWT does not throw an error

Release notes - Trust1Connector - Version T1C-JS-v3.2.9

Bug

Entity and type response object inconsistency
Remoteloading split TX, RX and SW value based on APDU response

Story

Use Device certificate to encrypt the pin value sent in clear text
I want to enable the module for eHerkenning
I want to enable module for Print Writer

Release notes - Trust1Connector - Version T1C-JS-v3.2.8

Bug

Aventra, Idemia, Oberthur callback functions not being triggered
FileExchange typing inconsistency

Story

Add LuxeID to the token generic interface in JS SDK

Release notes - Trust1Connector - Version T1C-JS-v3.2.7

Bug

Fix imports for Pkijs

Story

Disbable implicit any typing

Release notes - Trust1Connector - Version T1C-JS-v3.2.6

Bug

Fix for bulk sign reset in JS SDK causes the reader ID not to be included in certificate retrieval

Release notes - Trust1Connector - Version T1C-JS-v3.2.5

Improvement

Provide separate implementation for Belgian eID with Crelan reader

Core

Concept

Running the Trust1Connector in a shared environment, such as Citrix, XenApp and Remote Desktop, requires additional installation steps. In this section we explain the concept and approach used.

Architecture Overview

The following schematic seems rather complicated as it explains the inner workings of the Trust1Connector components, the concept is elaborate further on this page. If you are only interested in what the integration impact is for your Web Application in a Shared Environment, you can skip directly to the section: Integration in Web Applications

Components

Web Environment

The Web Application can use the T1C-SDK-JS or a custom REST API client for integration purpose. As the Web Application operates in a browser context, resolving an agent, by means of a consent, will result in a browser cookie being provided.

The T1C-SDK-JS implements the detection of a Shared Environment during the initialisation of the library. When initialisation succeeds without a controlled exception, the setup is a standalone; when the initialisation throws an 401 Error, the T1C-SDK-JS can be used to request the user for a Consent.

When using the REST API directly form your web application, reading the browser cookie and performing the initialisation must be done by the integrating Web Application itself.

Shared Environment Host

Compared to Trust1Connector v2, the v3 release has a separate component to be be installed on a shared host. This component is called the T1C-Proxy and only exposes the following use cases:

Verify random available ports [in a predefined range] which can be used by an Agent (Session of T1C-API running in user space)
Port reservation upon installation of a new T1C-API in an active user session
Port registration upon initialisation of a T1C-API in an active user session

The T1C-Proxy operates by Default on the API port defined in the T1C-DS (Distribution Server). From a Web Application perspective, this is the only information known. When a Web Application requests the information of the device, the PROXY device type will inform the Web Application that the targeted underlying API is a PROXY, which means that the Web Application must ask for the Agent specific API port to configure an URI which can be used to execute the use cases.

When using the T1C-SDK-JS this is done implicitly during initialisation.

Shared Environment Client

A T1C-API installed for a specific users runs in [User Space]. To avoid possible attack vectors, the Trust1Connector v3 will always run in [User Space].

Upon installation of the T1C-API, during the post install phase, the T1C-API will try to verify automatically if it is running in a shared environment. If this is the case, the T1C-API will ask the T1C-Proxy for available ports and will reserve those post, prior to initialisation and startup.

The ports which are reserved by the T1C-Proxy are the following:

T1C-API Port: This is the port exposing the OpenAPI interface towards Web Applications and used by the T1C-SDK-JS
T1C-gRPC Port: This is the port exposing the gRPC interface locally towards the T1C-API component. The T1C-gRPC runs in a sandboxed and hardened environment, it contains the implementation modules needed for hardware communication with local or remote peripherals.

When receiving ports during post-install, an user agent device is temporary RESERVED in the Agent Registry of the T1C-Proxy. Upon T1C-API initialisation, the port configurations will be confirmed and the Agent Registry will set the device state on REGISTERED. From this moment on, a T1C-API instance, running in an active user session, will be available for the Web Application.

The T1C-gRPC instance is inherently a component from the T1C-API, and thus is managed by the T1C-API. As each user must have it's own hardened runtime for communication purpose, the port assigned for T1C-gRPC will be registered and configured by the T1C-API (and restarted when needed).

Central Back-Office

Starting from this release (v3) of the Trust1Connector, each device must have a link with an active and running T1C-DS (Trust1Connector Distribution Server). This is to guarantee security, updates, and avoid potential risk in production.

The T1C-DS is proceeded by an API Gateway who is managing the security offloading in the application layer. For a Web Application to communicate with a T1C-Proxy or T1C-API, a JWT (Json Web Token) is needed and obliged. The T1C-DS is responsible for the key management, the certificate management and other use cases which are described in a separate wiki.

In order to retrieve a valid JWT, the T1C-DS can be requested from your application back-end with a valid api-key. The JWT is valid for a given amount of time, and sets the context used when requesting the T1C-API on a device.

Security

Communication Stack

Core Service

Sample code uses ES6 language features such as arrow functions and promises. For compatibility with IE11, code written with these features must be either transpiled using tools like Babel or refactored accordingly using callbacks.

Introduction

The Trust1Connector core services address communication functionality with local devices. The Trust1Connector core exposes 2 main interfaces:

interface for web/native applications using JavaScrip/Typescript
REST API as a new approach and to incorporate the Trust1Connector as a microservice in the application architecture

In this guide, we target only the use of Trust1Connector's core interface for web/native applications. The T1C-SDK-JS exposes protected resources for administration and consumer usage.

The JavaScript library must be initialized with a correct token in order to access the all resource. The security policy for Trust1Connector v3 secured ALL endpoints.

Administration resources

Protected resources are administration resources. The JavaScript library must be initialized with a correct token in order to access the resource.

Download Trust1Connector installer
Get Information of the device and user context
Register T1C for device

Executing these functionality is explained further.

Consumer resources

Consumer resources are typically used from an application perspective:

Get pub-key certificate
Get version
Get Information (operating system, runtime, user context, variable configuration)

Executing these functionality is explained further.

Core Functionalities

The Trust1Connector functionalities are about secured communication with device hardware. The document highlights communication with smart card readers - contact and contact-less. Other hardware devices can be enabled or integrated as well in the solution. Some of the already are, for example printer drivers, signature tablet drivers, ...

Initialize the client library

The client can be initialized by passing a T1CConfig object in the constructor

List card readers

Returns a list of available card readers. Multiple readers can be connected. Each reader is identified by a unique reader_id.

The response will contains a list of card readers:

When multiple readers are attached to a device, the response will show all connected card readers:

Important to notice:

The response adds a card-element when a card is inserted into the card reader.
The response contains card-reader pin-pad capabilities

Card Inserted

As mentioned in the List card-readers, when a smart-card is inserted/detected, the reader will contain the cart-type based on the ATR. The ATR (Anwser To Reset), is the response from any smart-card when powered, and defines the card type. The Trust1Connector recognized more than 3k smart-card types.

Pin-Pad Capabilities

As mentioned in the List card-readers, when a card-reader has pin-pad capabilities, this will be mentioned in the response (notice the pinpadproperty):

List Card-Readers - Explained Example

The following example is the response for List card-readers on a device with 4 different card-readers attached:

In the above example you notice that 4 card-readers are connected. Each card-reader receives his temporary id which can be used for other functions where a card-reader id is needed. This method can be requested in order to list all available card-readers, and optional cards-inserted. Each card-reader has a vendor provided name, which is retrieved from the card-reader itself. An additional property pinpad, a boolean value, denotes if the card-reader has pin-pad capabilities. A pin-pad is a card-reader, most of the times with its own display and key-pad. From a security perspective, it's considered best practice to use as much as possible pin-pad capabilities of a pin-pad card-reader. When a reader has a smart-card inserted (contact interface) or detected (contactless interface), the card type will be resolved by the GCL in order to respond with a meaningful type. In the above examples you see that; one card-reader has a Belgian eID card; another card-reader has a MisterCash or VISA Card available for interaction.

The readers returned, are the card-readers with a card available. The card-readers where no card is presented, are ignored.

Get card reader with card inserted

Returns a list of available card readers with a smart card inserted. Multiple readers can be connected with multiple smart cards inserted. Each reader is identified by a unique reader_id and contains information about a connected smart card. A smart card is of a certain type. The Trust1Connector detects the type of the smart card and returns this information in the JSON response.

Response:

Get device public key

via the getDevicePublicKey endpoint you're able to fetch the public key information of the device. This requires an authenticated client to be able to access this endpoint.

This endpoint is used in the library to encrypt pin, puk and pace information so that it is not exposed in the network logs of the browser.

Encryption of pin, puk and pace is only possible when the Trust1Connector is registered via a DS and has a valid device key-pair. The SDK will automatically switch to send the pin, puk or pace info in clear text if its not able to encrypt. The Trust1Connector API will also detect if it has no valid device key-pair it will not try to decrypt the incoming pin, puk or pace information.

Core interface

Trust1Connector SDK integration

Integration in Web Applications

A Web Application interacts with the Trust1Connector on standalone devices or within a shared environment. The Web Application is not aware, but must take this into consideration upon integration.

Integrating the Trust1Connector can be done via the Javascript SDK. This SDK is compiled in regular javascript and in Typescript. Each release of the Javascript SDK will have the following files;

dist
- T1CSdk.js (complete SDK)
- T1CSdk.js.map
lib (typings, default Typescript compilation)
lib-esm (typings, Compilation with ES6 module support)

In V3 of the Trust1Connector the javascript SDK is meant as a comparable manner of integrating like the V2. The SDK includes most of the API featureset but not all.

We strongly encourage to integrate via the API, since this will be the most feature-complete and the de-facto way of integration in the future.

All examples below will be shown in regular Javascript. All Javascript for changing UI will not be present but are purely displayed as part of the example.

Initialising the Trust1Connector

For initialisation of the T1C you need to prepare your application first by adding the SDK JS files to your project and importing them in such a way that you can call for the Javascript functions when you need them.

Next up we will prepare the SDK's configuration Object, this object is used to pass information about which default port the Trust1Connector is running on, JWT key, API url, ...

When the configuration is set you can initialise the Trust1Connector with that Config and an optional property for clipboardData. This clipboard data is used for initialisation of the Trust1Connector in a shared environment. This will be handled later.

You can see in the code above we catch 3 errors;

814501: Consent error, this means the user is running in a shared environment and needs to provide his consent
812020: Initialisation error: The Trust1Connector is not able to initialise because it could not find any users with a Trust1Connector installed.
112999: T1C exception, this will be thrown when the T1C is not available, where you can display an URL where the user can

Readers

To retrieve the reader after initialisation you can do the following;

Initialisation of a module

After initialisation of the T1C you can start using it. For example the BEID module needs to be initialised with a readerId, That is why fetching the readers and providing the user-selected reader to the client is a necessity.

The code above will return a BEID client which can be used to execute the BEID functionality.

Shared environments

Initialisation of the Trust1Connector for shared environments is similar to the regular initialisation with the difference being a required consent. More information can be found in the page.

For initialising the Trust1Connector in a shared environment you need to setup the config so that it contacts the Proxy. When initialising you need to provide a token that is residing on the user's clipboard, via this clipboard token the Proxy can determine which which user is trying to communicate and will return an updated configuration value for the API and the sandbox service.

This configuration update is handled by the SDK itself.

The code above is an example of how you can integrate a copy command in the webbrowser. When the data is copied to the clipboard you just need to pass it to the initialize function like so;

Token

Token typing models

Introduction

This page describes all generic token models used.

Models

Payment

Payment typing models

Introduction

Crelan

Introduction

This container supports functionality for Crelan bank cards

Get Crelan Module

Initialise a Trust1Connector client:

Get the Crelan module:

Call a function for the Crelan module:

Obtain the Reader-ID

The constructor for the Crelan expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see . Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:

This function call returns:

We notice that a card object is available in the response in the context of a detected reader. The reader in the example above is VASCO DIGIPASS 870, has pin-pad capabilities, and there is a card detected with given ATR and some descriptions. An ATR (Answer To Reset) identifies the type of a smart-card. The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Crelan card. This must be done upon instantiation of the Crelan container:

All methods for crelan will use the selected reader - identified by the reader_id.

Reading data

Applications

List the supported applications on the Crelan card

An example callback:

Response:

Application data

The application data contains information of the holder of the card, the validity, the primary account number, ...

An example callback:

Response:

Issuer Public Key Certificate

On some applications there is an issuer public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.

An example callback:

Response:

ICC Public Key Certificate

On some applications there is an icc public key certificate present. The aid parameter indicates which application you want to use, this can be fetched using the applications endpoint.

An example callback:

Response:

Verify PIN

Verify PIN without pin-pad

When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:

Response:

Verify PIN with pin-pad

When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:

Response:

Verify PIN - retries left

After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:

The following error message will be returned when PIN is wrong:

After a second wrong PIN verification:

Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.

Sign

A Base64-encoded string representation of the digest bytes must be included in the data property of the request.
txId will be displayed on the PIN pad
language

Additionally, it is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. The PIN will not need to re-entered until a request with bulk being set to false is sent, or the method is called.

When using bulk signing, great care must be taken to validate that the first signature request was successful prior to sending subsequent requests. Failing to do this will likely result in the card being blocked.

The PIN can provided/entered in the same way as

Response will look like:

Error Handling

Error Object

The functions specified are asynchronous and always need a callback function. The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:

The error object returned:

For the error codes and description, see .

FIle

File exchange

Introduction

The File-exchange payload limit is set to 50 MB. If your needs exceed this please contact support

Notifications

The File Exchange container allows the application to choose whether to notify the users in the application context, or to delegate notification to the T1C. The T1C uses the underlying operating system to notify users

Context and scope

The context of a type mapping is defined by the following concepts:

applicationid (property of Type class): a string value denoting the application identifier. This is the root context for entity mapping
entity: a string value denoting the root entity for types mapping
type: a string value denoting a file typing, related to the absolute path mapped by an user, this value abstracts absolute paths from an application perspective

The following image depicts the file exchange object model:

Type Mapping

A 'Type' in the context of the File Exchange container, is a label, used by an application, to abstract the absolute path reference of the local file system. A 'Type' allows the application to perform file transfers, without the notion of the local file system organization. The File Exchange container maps the absolute path, chose by a user, on the application scoped label. We call this action a 'type mapping', this is, an absolute path, in the context of an application, is references by a label.

A user can chose to 'persist' the Type mapping, or can decide to assign an absolute path for each individual transaction.

Type subfolders

Subfolders can be managed by the application. All subfolder are relative paths and when requested can be created, optionally recursively, by the File Exchange API. It's important to understand:

Type mapping : correlates to absolute paths on a local file system
Type subfolders: correlates to relative paths on a local file system

The File Exchange container maintains the mapping for absolute paths. Relative paths will be created when used in the specified use case. Neither absolute paths or relative paths will result in deletion on the local file system! When deleting a 'type' (aka absolute path), the type will be removed from the File Exchange container, but the references directory will still exist on the user's file system.

In the File Exchange API, the parameter relpath refers to an array of strings denoting a directory path.

Responses

The File Exchange API can be integrated using Promises or callbacks. Both are returning the same result.

Interface

Objects

Enums

The following enumerators have been exported by the File Exchange container:

Classes

Function Descriptions

The following functions are available in the T1C-JS library:

Error Responses

The error codes mentioned are added to the File Exchange container. The exception handling follows the framework exception handling and are extensions of status codes mentioned on:

HSM

PKCS11

PKCS11 Keystore

Interface

interface AbstractPkcs11Generic {
    uploadConfig(config: string, callback?: (error: T1CLibException, data: Pkcs11UploadConfigResponse) => void): Promise<Pkcs11UploadConfigResponse>;
    getConfig(callback?: (error: T1CLibException, data: Pkcs11GetConfigResponse) => void): Promise<Pkcs11GetConfigResponse>;
    clearConfig(callback?: (error: T1CLibException, data: Pkcs11ClearConfigResponse) => void): Promise<Pkcs11ClearConfigResponse>;
    os(callback?: (error: T1CLibException, data: OsResponse) => void): Promise<OsResponse>;
    info(callback?: (error: T1CLibException, data: Pkcs11InfoResponse) => void): Promise<Pkcs11InfoResponse>;
    slots(callback?: (error: T1CLibException, data: Pkcs11SlotsResponse) => void): Promise<Pkcs11SlotsResponse>;
    slotsWithTokenPresent(callback?: (error: T1CLibException, data: Pkcs11SlotsResponse) => void): Promise<Pkcs11SlotsResponse>;
    slotInfo(slotId: string, callback?: (error: T1CLibException, data: Pkcs11SlotInfoResponse) => void): Promise<Pkcs11SlotInfoResponse>;
    token(slotId: string, callback?: (error: T1CLibException, data: Pkcs11TokenResponse) => void): Promise<Pkcs11TokenResponse>;
    getAliases(slotId: string, data: Pkcs11VerifyPinRequest, callback?: (error: T1CLibException, data: AliasesResponse) => void): Promise<AliasesResponse>;
    getPrivateKeyType(slotId: string, alias: string, data: Pkcs11VerifyPinRequest, callback?: (error: T1CLibException, data: PrivateKeyTypeResponse) => void): Promise<PrivateKeyTypeResponse>;
    getCertificates(slotId: string, alias: string, data: Pkcs11VerifyPinRequest, callback?: (error: T1CLibException, data: Pkcs11CertificatesResponse) => void): Promise<Pkcs11CertificatesResponse>;
    sign(slotId: string, alias: string, data: Pkcs11SignRequest, callback?: (error: T1CLibException, data: DataResponse) => void): Promise<DataResponse>;
    verifyPin(slotId: string, alias: string, data: Pkcs11VerifyPinRequest, callback?: (error: T1CLibException, data: BoolDataResponse) => void): Promise<BoolDataResponse>;
}

Models

Initialising the SDK

Before you are able to use the SDK's methods you need to initialise the trust1connector javascript SDK. Below you can find an example of how to do this. You can also check the page.

In this example you can see when the connector is initialised we try to fetch the pkcs11 configuration already loaded in (if present), if this is not loaded you still need to upload the configuration. (line 30)

we store the client data for later use (line 27)

After initialising the configuration we can fetch all available slots to display on the screen. (line 31)

Configuration

Example

Example config contents

The most important config values are the name and the library (location of the PKCS11 dylib or DLL).

Base64 ecoding the config contents described in the codeblock above and sending them via the uploadConfig method of the JS sdk will enable you to upload and use that pkcs11 configuration.

Upload configuration

To be able to use the PKCS11 generic you need to upload a correct configuration file, which includes the name and library to be used. We use a html file chooser to fetch a file and use the FilereaderAPI to retrieve the contents of the selected file, then we convert it to a base64 string which we send to the uploadConfig method

Get configuration

Clear configuration

This method is used to clear a currently active configuration

Os information

Via the following endpoint your're able to retrieve OS information if required

Info

Retrieve the library information of the loaded configuration. When the loaded config is not present it will throw a configuration exception

Requirements: loaded configuration

slots

Retrieve all available slots

Requirements: loaded configuration

The same endpoint can be triggered but only showing the slots present;

Slot information

Retrieve relevant slot information

Requirements: loaded configuration, slotId

Token information

Retrieve information about the selected token

Requirements: loaded configuration, slotId

Retrieve aliasses

Retrieve all aliasses for a specific token.

Requirements: loaded configuration, slotId, verifyPin object

Retrieve the Private key type

Returns the name of the algorithm associated with this key

Requirements: loaded configuration, slotId, Alias, verifyPin object

Retrieve the certificates

Retrieve all certificates present for a specific token.

Requirements: loaded configuration, slotId, Alias, verifyPin object

Sign

Sign base64 data object.

Requirements: loaded configuration, slotId, Alias, signData object

Verify pin

Verify the pin of a specific token.

Requirements: loaded configuration, slotId, Alias, VerifyPin object

Status/error codes

TBD

PKCS11 Objects

Introduction

The PKCS #11 standard defines a platform-independent API to cryptographic tokens, such as hardware security modules (HSM), smart cards, and names the API itself "Cryptoki" (from "cryptographic token interface" and pronounced as "crypto-key" - but "PKCS #11" is often used to refer to the API as well as the standard that defines it). The API defines most commonly used cryptographic object types (RSAX.509 keys, DES/Triple DES Certificates/keys, etc.) and all the functions needed to use, create/generate, modify and delete those objects. This container relies on a PKCS#11 a library which handles the communication with the token/card. This can be a vendor specific library or an opensource one, please select the correct one depending on the type of token/card you are using.

Interface Summary

The Abstract PKCS #11 smartcard interface is summarised in the following snippet:

Pkcs11 object models

Get the PKCS #11 container object

For more information on how to configure the JS client library see .

Depending on the OS you need to provide a valid location to the desired PKCS11 library to be used.

Call a function for the PKCS #11 container:

Reading data

Slots

This methods returns the available slots on the system.

An example response:

Slots with tokens present

This method is similar the the slots endpoint but only returns a list of slots where a token is present.

An example response:

Token

This methods returns the token information for a slot.

An example response:

Certificates

This methods allows you to retrieve the certificates from the PKCS #11 token.

Response:

Signing data

To successfully sign data, we need the following parameters:

Slot ID of the token to use
Certificate ID of the signing certificate
PIN code

The slot id can be found using either a call to slots, slotsWithTokenPresent. Once the slot id is found, the certificates can be retrieved with a call to certificates. This then returns the certificate id. Now we can combine this with the PIN code and hashed data + hashing algorithm (SHA1, SHA256, SHA384, SHA512) to create the final signData call:

signData call

Returns signed data for provided input data.

An example response:

Error Handling

Error Object

The error object returned:

Belgian eID

Introduction

The Belgian eID container facilitates communication with card readers with inserted Belgian eID smart card. The T1C-JS client library provides function to communicate with the smart card and facilitates integration into a web or native application. This document describes the functionality provided by the Belgian eID container on the T1C-GCL (Generic Connector Library).

Interface

Models

All model information can be found in the

Get Belgian eID container object

Initialise a Trust1Connector client:

Get the Belgian eID container service:

Call a function for the Belgian eID container:

Obtain the Reader-ID

The constructor for the Belgian eID expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:

This function call returns:

We notice that a card object is available in the response in the context of a detected reader. The reader in the example above is Bit4id miniLector, has no pin-pad capabilities, and there is a card detected with given ATR and description "Belgian eID Card". An ATR (Answer To Reset) identifies the type of a smart-card. The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Belgian eID card. This must be done upon instantiation of the Belgian eID container:

All methods for beid will use the selected reader - identified by the reader_id.

Cardholder Information

The card holder is the person identified using the Belgian eID card. It's important to note that all data must be validated in your backend. Data validation can be done using the appropriate certificate (public key).

Biometric data

Contains all card holder related data, excluding the card holder address and photo. The service can be called:

An example callback:

Response:

Address

Contains the card holder's address. The service can be called:

Response:

Picture

Contains the card holder's picture stored on the smart card. The service can be called:

Response:

Token info

The token info contains generic information about the card and it's capabilities. This information includes the serial number, file types for object directory files, algorithms implemented on the card, etc.

Response

Certificates

Exposes all the certificates publicly available on the smart card.

Root Certificate

Contains the 'root certificate' stored on the smart card. The root certificate is used to sign the 'citizen CA certificate'. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not. The service can be called:

Response:

Authentication Certificate

Contains the 'authentication certificate' stored on the smart card. The 'authentication certificate' contains the public key corresponding to the private RSA authentication key. The 'authentication certificate' is needed for pin validation and authentication. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:

Response:

Intermediate Certificate (citizen)

Contains the citizen certificate stored on the smart card. The 'citizen certificate' is used to sign the 'authentication certificate' and the 'non-repudiation certificate'. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:

Response:

Non-repudiation Certificate

Contains the 'non-repudiation certificate' stored on the smart card. The 'non-repudiation certificate' contains the public key corresponding the private RSA non-repudiation key. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:

Response:

Encryption Certificate (RRN)

Contains the 'encryption certificate' stored on the smart card. The 'encryption certificate' corresponds to the private key used to sign the 'biometric' and 'Address' data. When additional parsing of the certificate is needed you can add a boolean to indicate if you want to parse the certificate or not The service can be called:

Response:

Data Filter

Filter Card Holder Data

All data on the smart card can be dumped at once, or using a filter. In order to read all data at once:

Response:

The filter can be used to ask a list of custom data containers. For example, we want to read only the biometric data

Response:

Filter Certificates

All certificates on the smart card can be dumped at once, or using a filter. In order to read all certificates at once:

Response:

The filter can be used to ask a list of custom data containers. For example, we want to read only the rootCertificate

Response:

Sign Data

Data can be signed using the Belgian eID smart card. To do so, the T1C-GCL facilitates in:

Retrieving the certificate chain (citizen-certificate, root-certificate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed hash

To get the certificates necessary for signature validation in your back-end:

Response:

Depending on the connected smart card reader. A sign can be executed in 2 modes:

Using a connected card reader with 'pin-pad' capabilities (keypad and display available)
Using a connected card reader without 'pin-pad' capabilities (no keypad nor display available)

Security consideration: In order to sign a hash, security considerations prefer using a 'pin-pad'.

Signing with a Crelan card reader

When signing with a crelan card reader, it is additionally possible to optionally specify a transaction ID and the language. If the card reader is not a Crelan reader, these values will be ignored. This applies to all signing methods described below.

Crelan card readers only support nl, fr, and de as languages

Sign Hash without pin-pad

When the web or native application is responsible for showing the password input, the following request is used to sign a given hash:

Response is a base64 encoded signed hash:

The 'authenticationreference' property can contain the following values: sha1, sha256, sha512, md5.

Sign Hash with pin-pad

When the pin entry is done on the pin-pad, the following request is used to sign a given hash:

Response is a base64 encoded signed hash:

The 'algorithm_reference' property can contain the following values: sha1, sha256, sha512, md5.

The core services lists connected readers, and if they have pin-pad capability. You can find more information in the Core Service documentation on how to verify card reader capabilities.

Bulk Signing

It is possible to bulk sign data without having to re-enter the PIN by adding an optional bulk parameter set to true to the request. Subsequent sign requests will not require the PIN to be re-entered until a request with bulk being set to false is sent, or the method is called.

Bulk PIN Reset

The PIN set for bulk signing can be reset by calling this method.

Response will look like:

Calculate Hash

In order to calculate a hash from the data to sign, you need to know the algorithm you will use in order to sign.

You can use the following online tool to calculate the SHA256:

Hexadecimal result:

Notice that the length of the SHA256 is always the same. Now we need to convert the hexadecimal string to a base64-encoded string, another online tool can be used for this example:

Base64-encoded result:

Now we can sign the data:

Result:

Note: If you want to convert a binary signed hash to HEX (for development) you can use for example an online hexdump tool:

Verify PIN

Verify PIN without pin-pad

When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:

Response:

Verify PIN with pin-pad

When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:

Response:

Verify PIN - retries left

In order to inform a user upon the PIN retries left, the Belgian eID doesn't provide a request to retrieve this information. After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:

Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.

Authentication

The T1C-GCL is able to authenticate a card holder based on a challenge. The challenge can be:

provided by an external service
provided by the smart card An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.
External Challenge
An external challenge is provided in the data property of the following example:
Response:

Get valid algorithms to use for Sign or Authenticate

Via the Trust1Connector modules you are able to retrieve available algorithms to use for Signing or Authenticate

The response you can expect is a list of algorithms, an example can be found below (the values below are purely examplatory)

Generic token

Introduction

The Generic token interface is an interface used to integrate all supported tokens. This interface relies on the fact that you will need to provide a valid module. The module suggested from the reader response can be used here.

Interface

Models

All model information can be found in the

Initialise the Trust1Connector JS

Initialise a Trust1Connector client with a valid configuration:

Obtain the Reader information

In order to get all connected card-readers, with available cards:

This function call returns:

As you can see in the response we get a property suggestedModule which is returned based on the card, reader and AID information. This suggested module can be used in the generic interface.

Using the generic interface can be done as follows;

The pin and pinType are optional and are used for unlocking the pace layer (if the card is protected with a pace layer).

At this point for each use-case you will need to provide the module. This can be manually defined or be retrieved from the suggestedModule property in the reader-response. In the examples below we provide the module as a variable module

Cardholder Information

Biometric data

Contains all card holder related data, excluding the card holder address and photo. The service can be called:

An example callback:

Response:

Address

Contains the card holder's address. The service can be called:

Response:

Picture

Contains the card holder's picture stored on the smart card. The service can be called:

Response:

Token info

Response

Certificates

Exposes all the certificates publicly available on the smart card.

Root Certificate

Response:

Authentication Certificate

Response:

Intermediate Certificate (citizen)

Response:

Non-repudiation Certificate

Response:

Encryption Certificate (RRN)

Response:

Data Filter

Filter Card Holder Data

All data on the smart card can be dumped at once, or using a filter. In order to read all data at once:

Response:

The filter can be used to ask a list of custom data containers. For example, we want to read only the biometric data

Response:

Filter Certificates

All certificates on the smart card can be dumped at once, or using a filter. In order to read all certificates at once:

Response:

The filter can be used to ask a list of custom data containers. For example, we want to read only the rootCertificate

Response:

Sign Data

Data can be signed using the Belgian eID smart card. To do so, the T1C-GCL facilitates in:

Retrieving the certificate chain (citizen-certificate, root-certificate and non-repudiation certificate)
Perform a sign operation (private key stays on the smart card)
Return the signed hash

To get the certificates necessary for signature validation in your back-end:

Response:

Depending on the connected smart card reader. A sign can be executed in 2 modes:

Using a connected card reader with 'pin-pad' capabilities (keypad and display available)
Using a connected card reader without 'pin-pad' capabilities (no keypad nor display available)

Security consideration: In order to sign a hash, security considerations prefer using a 'pin-pad'.

Sign Hash without pin-pad

When the web or native application is responsible for showing the password input, the following request is used to sign a given hash:

Response is a base64 encoded signed hash:

The 'authenticationreference' property can contain the following values: sha1, sha256, sha512, md5.

Sign Hash with pin-pad

When the pin entry is done on the pin-pad, the following request is used to sign a given hash:

Response is a base64 encoded signed hash:

The 'algorithm_reference' property can contain the following values: sha1, sha256, sha512, md5.

The core services lists connected readers, and if they have pin-pad capability. You can find more information in the Core Service documentation on how to verify card reader capabilities.

Bulk Signing

Bulk PIN Reset

The PIN set for bulk signing can be reset by calling this method.

Response will look like:

Verify PIN

Verify PIN without pin-pad

When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:

Response:

Verify PIN with pin-pad

When the pin entry is done on the pin-pad, the following request is used to verify a given PIN:

Response:

Authentication

The T1C-GCL is able to authenticate a card holder based on a challenge. The challenge can be:

provided by an external service
provided by the smart card An authentication can be interpreted as a signature use case, the challenge is signed data, that can be validated in a back-end process.
External Challenge
An external challenge is provided in the data property of the following example:

Response:

Take notice that the PIN property can be omitted when using a smart card reader with pin-pad capabilities.

Get valid algorithms to use for Sign or Authenticate

Via the Trust1Connector modules you are able to retrieve available algorithms to use for Signing or Authenticate

The response you can expect is a list of algorithms, an example can be found below (the values below are purely examplatory)

Remote loading

Introduction

The ReLo (Remote Loading) container is provided through the T1C (Trust1Connector) in order to provide a secured communication channel to executed APDU commands that are generated from a back-end service (which can be optionally signed by a HSM).

The ReLo provides smart card operations, like for example:

open/close session
execute APDUs (single or in bulk)
retrieve card/card reader features

Communication Flow

The ReLo-API is an example back-end service implementing different smart card or token profiles (there is no limitation to smart cards). The T1V (Trust1Vault) is a Trust1Team product operating as a secured vault, and integrating with a HSM.

Available functions

The following functions are available in the library:

ReaderId

The readerId is passed to theremoteloading handler object on initialization. For example, opening a session on reader with idf56c0ffe15a07d09

Callback/Promise

All function return Promises by default.

If you prefer callbacks, each function also has an optional parameter to pass in a callback function. If a callback function is provided, the function will still return a promise, but the callback function will be called when the promise resolves/gets rejected.

SessionID is optional

For any function that accepts a sessionIdparameter, the parameter is optional. If a sessionId is provided, the corresponding session will be used for the request and then will be _kept open_once the request completes. This means that if this was the last request that needed to be made, the session needs to be explicitly closed with a call tocloseSession.

If no sessionId is provided, the request will still complete, but the GCL will set up a new session, perform the required action and then close the session. This means that there is _no open session_once the request completes.

When a wrong sessionID is sent in a request, an error message will be returned. The status code will be 'invalid sessionID' or 'no active session'

Interface

Objects

Detailed Function Overview

openSession

Opens a new session. Returns the sessionId, which will need to be stored by the client application for later use.

Interface

Parameters

timeout (optional): session timeout in seconds. If not provided, will default to value set in GCLConfig. Must be a number > 0.

Output

command

Sends a command to the reader for execution.

Interface

command(tx: string, sessionId?: string, callback: (error, data))

Parameters

tx: command-string to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

Output

ccid

Activates a specific CCID feature if it is available on the reader

Interface

ccid(feature: string, command: string, sessionId?: string, callback?: (error, data))

Parameters

feature: feature to check
command: command to send to the ccid reader (hex format)
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

Output

closeSession

Closes currently open session.

Interface

closeSession(callback?: (error, data))

Parameters

none

Output

isPresent

Checks if the card for this session is still present.

If no sessionId is provided, checks if a card is present in the reader.

Interface

isPresent(sessionId?: string, callback?: (error, data))

Parameters

sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

Output

atr

Retrieves the ATR for the card currently in the reader.

Interface

atr(sessionId?: string, callback?: (error, data))

Parameters

sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

Output

ccidFeatures

Returns a list of available CCID features for the current reader.

Interface

ccidFeatures(sessionId?: string, callback?: (error, data))

Parameters

sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

Output

apdu

Executes an APDU call on the current reader. The difference with the commandfunction is that theapdu function takes an APDU object, whereas commandtakes a string.

Interface

apdu(apdu: ApduObject, sessionId?: string, callback?: (error, data))

Parameters

apdu: object containing the APDU to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

APDU Object interface:

Output

Bulk Actions

For the apduand commandfunctions, it is possible to send an array of apdu's/commands.

apdus (bulk)

Executes an array of APDU calls on the current reader.

Interface

apdus(apdu: ApduObject[], sessionId?: string, callback?: (error, data))

Parameters

apdu: array containing the APDU objects to be executed
sessionId (optional): sessionId to use. Required if the session needs to be kept open after the request completes.

APDU Object interface:

Output

commands (bulk)

Executes an array of commands on the current reader.

Interface

commands(tx: string[], sessionId?: string, callback?: (error, data))

Parameters

tx
: array containing the command strings to be executed
sessionId
(optional)
: sessionId to use. Required if the session needs to be kept open after the request completes.

v3.2.x

Introduction

hashtagA Word of Introduction

Prerequisites

hashtagTrust1Connector API DNS

hashtagDistribution Service

hashtagDisk Space

hashtagAPI Key

hashtagOperating System

hashtagWindows 8.1 or higher

hashtagRegistry keys

hashtagCookies

Trust1Connector JS SDK

Changelog

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.13

hashtagBug

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.12

hashtagBug

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.11

hashtagBug

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.10

hashtagBug

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.9

hashtagBug

hashtagStory

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.8

hashtagBug

hashtagStory

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.7

hashtagBug

hashtagStory

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.6

hashtagBug

hashtagRelease notes - Trust1Connector - Version T1C-JS-v3.2.5

hashtagImprovement

Core

Concept

hashtagArchitecture Overview

hashtagComponents

hashtagWeb Environment

hashtagShared Environment Host

hashtagShared Environment Client

hashtagCentral Back-Office

hashtagSecurity

hashtagShare Environment Flows

hashtagCommunication Stack

Core Service

hashtagIntroduction

hashtagAdministration resources

hashtagConsumer resources

hashtagCore Functionalities

hashtagInitialize the client library

hashtagList card readers

hashtagCard Inserted

hashtagPin-Pad Capabilities

hashtagList Card-Readers - Explained Example

hashtagGet card reader with card inserted

hashtagGet device public key

hashtagCore interface

Trust1Connector SDK integration

Integration in Web Applications

hashtagInitialising the Trust1Connector

hashtagReaders

hashtagInitialisation of a module

hashtagShared environments

Token

Token typing models

hashtagIntroduction

hashtagModels

Payment

Payment typing models

hashtagIntroduction

Crelan

hashtagIntroduction

hashtagGet Crelan Module

hashtagObtain the Reader-ID

hashtagReading data

hashtagApplications

hashtagApplication data

hashtagIssuer Public Key Certificate

A Word of Introduction

Trust1Connector API DNS

Distribution Service

Disk Space

API Key

Operating System

Windows 8.1 or higher

Registry keys

Cookies

Release notes - Trust1Connector - Version T1C-JS-v3.2.13

Bug

Release notes - Trust1Connector - Version T1C-JS-v3.2.12

Bug

Release notes - Trust1Connector - Version T1C-JS-v3.2.11

Bug

Release notes - Trust1Connector - Version T1C-JS-v3.2.10

Bug

Release notes - Trust1Connector - Version T1C-JS-v3.2.9

Bug

Story

Release notes - Trust1Connector - Version T1C-JS-v3.2.8

Bug

Story

Release notes - Trust1Connector - Version T1C-JS-v3.2.7

Bug

Story

Release notes - Trust1Connector - Version T1C-JS-v3.2.6

Bug

Release notes - Trust1Connector - Version T1C-JS-v3.2.5

Improvement

Architecture Overview

Components

Web Environment

Shared Environment Host

Shared Environment Client

Central Back-Office

Security

Share Environment Flows

Communication Stack

Introduction

Administration resources

Consumer resources

Core Functionalities

Initialize the client library

List card readers

Card Inserted

Pin-Pad Capabilities

List Card-Readers - Explained Example

Get card reader with card inserted

Get device public key

Core interface

Initialising the Trust1Connector

Readers

Initialisation of a module

Shared environments

Introduction

Models

Introduction

Introduction

Get Crelan Module

Obtain the Reader-ID

Reading data

Applications

Application data

Issuer Public Key Certificate

ICC Public Key Certificate

Verify PIN

Verify PIN without pin-pad

Verify PIN with pin-pad

Verify PIN - retries left

Sign

Error Handling

Error Object

Introduction

Notifications

Context and scope

Type Mapping

Type subfolders

Responses

Interface