Ocra HOTP
The OCRA container facilitates communication with card readers with initialised OCRA applet. The T1C-JS client library provides function to communicate with the smart card and facilitates integration into a web or native application for the generation of HOTP challenges. This document describes the functionality provided by the OCRA - temporary documentation - on the T1C-GCL (Generic Connector Library).
Refereces
The following standards must be taken into account:
HOTP: An HMAC-Based One-Time Password Algorithm
OCRA: OATH Challenge-Response Algorithm
Generation of an HOTP Value
Additional reference upon the interpretation of the HOTP challenge received from the OCRA applet:
https://tools.ietf.org/html/rfc4226#section-5.3
Resynchronization of the Counter
Additional reference upon the resynchronization of the counter:
https://tools.ietf.org/html/rfc4226#section-7.4
Interface Summary
The Abstract LuxTrust smartcard interface is summarized in the following snippet:
Each interface will be covered on this wiki, accompanied with example code and response objects.
Get the OCRA container object
For more information on how to configure the T1C-JS client library see Client Configuration. Initialize a gclClient:
Get the Ocra container service:
Call a function for the Ocra container:
Obtain the Reader-ID
The constructor for the Ocra container expect as the parameter to be a valid reader-ID. A reader-ID can be obtained from the exposed core functionality, for more information see Core Services. Core services responds with available card-readers, available card in a card-reader, etc. For example: In order to get all connected card-readers, with available cards:
This function call returns:
We notice that a card object is available in the response in the context of a detected reader.
The reader in the example above is VASCO DIGIPASS 870, has pin-pad capabilities, and there is a card detected with given ATR and some descriptions.
An ATR (Answer To Reset) identifies the type of a smart-card.
The reader, has a unique ID, reader_id; this reader_id must be used in order to request functionalities for the Ocra card.
This must be done upon instantiation of the Ocra container:
All methods for ocra will use the selected reader - identified by the reader_id.
Reading data
Counter
The counter on the card is incremented each time you generate a new otp with the challenge method.
An example callback:
Response:
Data Filter
Filter
All data on the smart card can be dumped at once, or using a filter. In order to read all data at once:
Response:
The filter can be used to ask a list of custom data containers. At the moment only the 'counter' is supported:
Response:
Verify PIN
When the web or native application is responsible for showing the password input, the following request is used to verify a card holder PIN:
Response:
Retries left
After an unsuccessful PIN verification, the error code indicates the number of retries left. For example, when executing:
The following error message will be returned when PIN is wrong:
After a second wrong PIN verification:
Note that, when the user has at least one retry left, entering a correct PIN resets the PIN retry status.
Code
Description
103
Warning: the user can try twice more to verify his PIN
104
Warning: the user has only 1 retry left
105
Error: the PIN is blocked
106
Invalid PIN
Challenge
To generate a new OTP value, the challenge method can be called. The request requires a valid PIN code and a challenge. The challenge is a base64 encoded bytestring .
Response:
Error Handling
Error Object
The functions specified are asynchronous and always need a callback function. The callback function will reply with a data object in case of success, or with an error object in case of an error. An example callback:
The error object returned:
For the error codes and description, see Status codes.
Last updated