API changes
New functionality
PAdES support
The 5.2 version of BankID C Server introduces support for new CMS (PKCS#7) and OCSP response formats to be produced during a Sign operation. The formats are introduced to enable creation of PAdES-compatible PDF signatures based on output from BankID. They should generally not be used in other signing scenarios. Authentication transactions will always use the default original BankID formats.
It should be noted that an empty Signature Dictionary must be a part of the PDF data that is signed. The dictionary must be added to the PDF data to be signed prior to invoking BID_InitTransaction.
The CMS and OCSP response formats are controlled by setting their respective info items prior to invoking BID_InitTransaction and BID_VerifyTransactionRequest. The info items must always have the same values for BID_InitTransaction and BID_VerifyTransactionRequest when they are used.
Info item | Description | Mandatory | 2.0 | 2.1 |
---|---|---|---|---|
cmsFormat | Values: | No | X | X |
ocspFormat | Values: | No | X | X |
BID_GetSignatureAndFullOCSP
Syntax
```c
int BID_GetSignatureAndFullOCSP(const SESSION_HANDLE sessioncontext,
                                int docnum,
                                char **clientsignature,
                                char **clientfullocsp);
```
Purpose
Retrieve the client signature and the full client OCSP response for the document with index docnum. Generally used when signing PDFs and adding PDF signatures (PAdES) to the document with the signature and full OCSP response.
Parameter | Type | In/Out | Description |
---|---|---|---|
sessioncontext | SESSION_HANDLE | in | Session context |
docnum | int | in | The index of the document. 0 is the first document. |
clientsignature | char ** | out | The end user signature (PKCS#7) |
clientfullocsp | char ** | out | The full OCSP response for the end user certificate |
Changes in functionality
BID_SDOXMLValidate and BID_SimpleDynamicSDOXMLValidate
Support for validating the legacy BankID SDO format has been removed from these functions in version 5.2. They now only support validation of a SEID SDO.
Removed functionality
BankID 1.0 has been discontinued and the following functions have been removed in version 5.2:
- BID_GetTag
- BID_GetLaunchUri
Other changes
New version of Visual Studio
From version 5.2 the Windows version of BankID C Server may require the Microsoft Visual C++ Redistributable for Visual Studio 2015 for the targeted platform (vc_redist_x64.exe or vc_redist_x86.exe) at runtime.
Updated trust store certificate file names
The 5.2 release of the BankID C Server contains new versions of the pre-production and production trust-store certificates for BankID. These can be found in the release package under Certs/Va_ssl. It is important that these certificates are used when upgrading from a version prior to 5.2. The certificates can be placed in the chosen trust store folder for BankID C Server.
Only the file names of the certificates have been changed. They have been rehashed because BankID C Server version 5.2 is linked with OpenSSL 1.0.2k, whereas previous versions were linked with OpenSSL 0.9.8. The hash algorithm used for subject name hashing changed in OpenSSL version 1.0.0 and later, so every certificate store has to be rehashed when moving from OpenSSL 0.9.8 to 1.0.2k.
The rehashing can also be done manually on existing certificate files in the BankID C Server trust-store folder. OpenSSL must be available to be able to do this:
- Execute the following OpenSSL command: `openssl x509 -in "path to file" -hash -noout`
- Rename the file according to the output from the command. The output is the new file name minus the ending ".0", which must be added manually. If more than one certificate gets the same hash value, ".0" must be replaced with ".1", ".2" etc. for the subsequent files.
Example file names where the hash value output from the openssl command is 08b37ef3 for two certificates:
- Certificate 1: 08b37ef3.0
- Certificate 2: 08b37ef3.1
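The manual procedure above, carried out for a whole trust-store folder, as an added example script (not part of BankID C Server or its release package). It assumes `openssl` is on the PATH and that the certificates to be renamed are PEM files ending in `.pem`, `.crt` or `.cer`; `rehash_dir` renames them to `<hash>.0`, `<hash>.1`, ... exactly as described, and `verify_dir` checks an already hashed folder so that an upgraded installation can be confirmed before BankID C Server is restarted.

```shell
#!/bin/sh
# Added example: rehash a BankID C Server trust-store folder to the
# OpenSSL >= 1.0.0 subject-hash file names (<hash>.0, <hash>.1, ...).
# Assumptions: openssl is on PATH; input certificates end in .pem/.crt/.cer.
set -eu

# Print the subject hash that OpenSSL expects as the file name prefix.
subject_hash() {
    openssl x509 -in "$1" -hash -noout
}

# Rename every certificate in directory $1 to <hash>.<n>, where <n> is the
# lowest free index, so two certificates with the same hash get .0 and .1.
rehash_dir() {
    dir=$1
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$f" ] || continue            # unmatched glob pattern, skip
        h=$(subject_hash "$f" 2>/dev/null) || {
            echo "skip (not a certificate): $f" >&2
            continue
        }
        n=0
        while [ -e "$dir/$h.$n" ]; do     # hash collision: use next index
            n=$((n + 1))
        done
        mv "$f" "$dir/$h.$n"
        echo "$f -> $dir/$h.$n"
    done
}

# Check that every <hash>.<n> file in directory $1 really carries a
# certificate whose subject hash equals <hash>. Returns 1 on any mismatch.
verify_dir() {
    dir=$1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        prefix=${base%.*}
        suffix=${base##*.}
        case "$prefix" in ????????) ;; *) continue ;; esac        # 8 chars
        case "$prefix" in *[!0-9a-f]*) continue ;; esac            # hex only
        case "$suffix" in '' | *[!0-9]*) continue ;; esac          # numeric
        actual=$(subject_hash "$f" 2>/dev/null) || actual=""
        if [ "$actual" != "$prefix" ]; then
            echo "mismatch: $f has subject hash '$actual'" >&2
            status=1
        fi
    done
    return $status
}

# Usage when run directly:  ./rehash.sh /path/to/truststore
if [ "${1:-}" != "" ]; then
    rehash_dir "$1"
    verify_dir "$1"
fi
```

Run the script with an OpenSSL 1.0.0 or newer binary: only those releases print the new-style hash for `-hash`, while the 0.9.8-style name can still be obtained with `openssl x509 -subject_hash_old` if you need to confirm which old file a new name corresponds to.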