Appendix B Services offered by BankID server API
Both the Java and C server gives the merchant access to the following services:
- Client - Server Authentication service
- Signature verification service
- Certificate status checking service
- Cryptographic service
- Signature generation
- Hashing
- Provision of additional information from the Validation Authority
- Construction and validation of SDO
- Data encoding services
Please refer to the Interface Description [IJSRV]/ [ICSRV] for the server of your choice for the details on how to use these services.
Client - Server Authentication Process
Three API methods are provided for the client – server authentication process, "InitTransaction", "VerifyTransactionRequest" and "VerifyTransactionResponse". The first method takes the client challenge and generates a signed PKCS#7 object and at the same time producing a server challenge for the client to sign. The challenge must be retained by the calling web application.
The signing process signs the client challenge.
The second API method takes the PKCS#7 object generated by the client and the server challenge held by the web application. The method verifies the applet signature and the certificate path. The third API method creates the response to the client.
Signature verification service
The transaction signed by the client must be verified before the web application can process it. The signature verification process takes the signed transaction PKCS#7 object and verifies the signature. The certificate chain is also verified. This task is implicit in the create SDO method, or may be performed explicitly by the verify data method.
PKCS#7 service
A function is provided to retrieve the following items from a PKCS#7 object:
- The data that was signed (Java server)
- The signer's certificate
- The number of sub CA certificates (Java server)
- The sub-CA certificates (level 1 to N) (Java server)
- The root CA certificate (Java server)
- The signing time
Note: it is possible to select two different versions of the returned PKCS#7, a new format with some minor changes to be compatible with the PAdES standard in addition to the default original format. In case the selected format is the new PAdES compatible format the parameter for “signing time” will not be returned. PKCS#7 (CMS) format can be configured by the merchant in initTransaction.
The new format is not compatible with the SDO format and will fail in the validation if it is used to construct a SDO instance. It is only the default original format that is supported together with the SDO services.
Certificate service
A function is provided to retrieve the following items from a certificate:
- The certificate issuer name
- The issuer Alt name (Java server)
- The certificate subject name
- The certificate valid from date
- The certificate valid to date
- The certificate serial number
- The certificate version number
- The certificate key algorithm
- The key size
- The Originator
- The DateOfBirth (if provided)
- The BankName
- The UniqueID(organization number for merchant certificates)
- The policy OID Info
- The email address
The UniqueID uniquely identifies a user in the BankID framework. An application may use the unique id to map their internal user identifier against the BankID user identifier.
Certificate status checking service
The certificate status method takes the PKCS#7 object as input and returns the status of the certificate. The method may also return social security number, account number and the organisation number. Please note that there is restricted access to these data.
The method executes the following steps:
- Extracts the signer certificate from the input PKCS#7
- Creates a OCSP request with the signer certificate as input
- Calls the BankID Validation Authority requesting the status of the signer certificate and optionally some additional information
- Returns the certificate status and the additional information if requested and authorized
Note: It exist two different OCSPResponse formats, the default format is where the OCSPResponse is signed with a Certificate issued by the BankID root CA. The default format is not compatible with [rfc6960] which is required for standards like PAdES. The new OCSPResponse format is signed with a Certificate issued by the same CA as the OCSPRequest certificate is issued from. The new OCSPResponse format is compatible with RFC-6960 and standards like PAdES. OCSPResponse format can be configured by the merchant in initTransaction.
Cryptographic services
The following cryptographic services are provided:
- Signature generation service generates a signature of the input data and returns it in the format of a PKCS#7 object.
- Random number generation service generates random data of given length.
- Hashing service generates a hash of the input data
SDO services
The following services exist:
- Construction of SDO objects
- Validation of SDO objects (both BSK and SEID formats)
- Transformation of SDO objects to XML format.
Multisigning services
The BankID server has a service for generating the string needed as input for multisigning (more than one person signing the same document). This string can be generated from:
- a list of PKCS7 objects
- an SDO object
- a SDO XML