PKI plug-in supports the following options:
vendorModule=eTPKCS11.dll - PKCS#11 implementation library of a needed vendor.
hash=SHA1 or SHA224, SHA256 (this is a default value if not presented), SHA384, SHA512, RIPEMD160.
padding=PKCS#1 (this is a default value if not presented) or PSS, OAEP.
modulusBits=2048 - key size (this is a default value if not presented). E.g. eToken PRO 32k doesn't support it and you need to set 1024 to use it.
blockingMode=True. The default value is True. OpenSC supports the 'waiting for card' mechanism not completely and it requires to change the option to False. The most of vendors should work fine with the default mode.
PKI plugin uses the simulatar API for card / token detection and two new POST methods pki/enroll, pki/login:Available methods:Card service provides the following POST-methods
- https://127.0.0.1:8440/api/v1/pki/getcertificates - GET method to get all certificates from a token
{ "readerid"=0, "certificates" : [{ "keypairid":"9beb","certificate":"30820371308202daa00....0b90d7290a1a76b0450264dd536d2cb057230f8dbfa8cfda05"}] }
slotid - slot ID keypairid - id of the key pair in the certificate. Save it and use later for future logon operations. certificate - certificate value in DER format.
- https://127.0.0.1:8440/api/v1/pki/generatekeypair- POST method, Request Body: {"pin":"your_pin"}
// Replace with your token pin or empty if there is no pin
{ "readerid"=your_reader_id, "keypairid":"6f4712e554544ac3", "modulus":"a1709fb049c35fdc6695193e9dd980c713c....91daaa9d2604eeeaad73d13b1", "exponent":"010001"}
keypairid - id of the key pair in the certificate. save it and use later for future logon operations. modulus - modulus exponent - big exponent
- https://127.0.0.1:8440/api/v1/pki/signchallenge - POST method, Request Body: {"challenge":"3128", "pin":"your_pin", "keypairid":"9beb" }
challenge in hex-string format(even length, sice one byte is two hex symbols) pin - pin to the token keypairid - id of the keypair from token, you can get it from previous enroll operation
in case of success it returns signature for the given challenge in the hex format{ "readerid"=your_reader_id, "hash":"SHA1", "padding":"PKCS#1", "signature":"58ad84f3a9b7244031aa55c0d0ad753b1a480ae709a37210d48....493130d7b11f128ea2be1fcc42d123bdb715a153974e992b16d022" }
hash - used hash methodpadding - used padding
- https://127.0.0.1:8440/api/v1/pki/verifychallenge - POST method, Request Body {"challenge":"3128", "pin":"your_pin", "keypairid":"9beb", "signature":"58ad84f3a9b72....bdb715a153974e992b16d022" }
in case of an error two methods above returns an error:{ "errorCode"="ERROR_ID"}Possible values of ERROR_ID: PLUGIN_NOT_INITTED - not initted library, etc. dll was not provided METHOD_NOT_FOUND - method not found NO_CARD - no token or no card are presented. Use wait methods to get an event. JSON_PARSE_FAILED - bad request body WRONG_PIN- Wrong PIN GET_PRIVATE_KEY_FAILED - error getting a private key from a token OPERATION_FAILED- general operation failure
- https://127.0.0.1:8440/api/v1/pki/getmessage?nowait - returns immediately the current status. Possible values [NO_READER, NO_CARD, CARD_ON].- https://127.0.0.1:8440/api/v1/pki/getmessage?wait - waits till the next event occurs.
NOTE:When you plug off the reader with a card on, two messages are displayed: NO_CARD, NO_READER. But the first one will be catch with getmessage?wait.When you plug in a reader with a card on, occures READER_ON, CARD_ON. And as a result READER_ON will be returned.
- https://127.0.0.1:8440/api/v1/pki/getreaderon?nowait - returns immediately with READER_ON if it's attached and NO_READER otherwise.- https://127.0.0.1:8440/api/v1/pki/getreaderon?wait - returns immediately with READER_ON if a reader is attached or waits till it's attached.- https://127.0.0.1:8440/api/v1/pki/getcardon?nowait - returns immediately with NO_READER if a reader isn't attached, NO_CARD if a card isn't inserted or CARD_ON if a card is inserted.- https://127.0.0.1:8440/api/v1/pki/getcardon?wait - returns immediately with NO_READER if a reader isn't attached or wait till the card will be on a reader.
NOTE: It will wait the next tap of a card even if a card is already on a reader.
- https://127.0.0.1:8440/api/v1/pki/getcardoff?nowait&cardid=<cardid> - returns immediately with NO_READER if a reader isn't attached, NO_CARD if a card isn't inserted or CARD_ONif a card is inserted. Use cardid to wait when a specific card is removed.- https://127.0.0.1:8440/api/v1/card/getcardoff?wait - returns immediately with NO_READER if a reader isn't attached. if there is no card on a reader return NO_CARD immediately else waits till the card is removed from the reader- https://127.0.0.1:8440/api/abort?cancel-cookie=xxx - all of the wait methods support cancel-cookie=xxx parameter.For example, https://127.0.0.1:8440/api/v1/card/getmessage?wait&cancel-cookie=xxx.And by calling abort with a cancel-cookie, all waiting methods with the same specfied cookie are terminated.Response format:
Response format{result: [NO_READER, READER_ON, NO_CARD, CARD_ON],cardid: <card id>,readerid: <reader id>}cardid is used only with CARD_ON, and NO_CARD result.