Control Interface » History » Version 11
Tobias Wich, 09/17/2012 05:28 PM
| 1 | 8 | Tobias Wich | h1. Client Control Interface |
|---|---|---|---|
| 2 | 1 | Moritz Horsch | |
| 3 | 8 | Tobias Wich | The Client Control Interface is http based. The webserver of the eCard client is available only under http://localhost:24724. |
| 4 | 1 | Moritz Horsch | |
| 5 | 8 | Tobias Wich | h2. Activation |
| 6 | |||
| 7 | *URL* |
||
| 8 | @http://127.0.0.1:24727/eID-Client@ |
||
| 9 | |||
| 10 | *Method* |
||
| 11 | GET |
||
| 12 | |||
| 13 | *Query* |
||
| 14 | | tcTokenURL | The URL determines where the client can retrieve the TC Token. See TR-03112-7, section 3.2 | Mandatory | |
||
| 15 | | ifdName | The ifdName determines the card terminal.| Optional[1] | |
||
| 16 | | contextHandle | The contextHandle addresses a specific IFD. | Optional[1] | |
||
| 17 | | slotHandle | The slotHandle determines a connected eCard. See TR-03112-6, section 3.2.1. | Optional[1] | |
||
| 18 | | cardType | The cardType determines the type of card which must be selected. | Optional[1] | |
||
| 19 | |||
| 20 | *Returns* |
||
| 21 | | 200 OK | The refresh address is comprised in the Message Body (Hack for Mac OS Safari). | |
||
| 22 | | 303 See Other | The Location field in the response should contain the refresh address. | |
||
| 23 | | 400 Bad Request | Malformed GET request, e.g. parameters are missing. | |
||
| 24 | | 500 Internal Server Error | Other errors. | |
||
| 25 | |||
| 26 | *Content-Types* |
||
| 27 | | text/html | Webpage with user evaluatable content. E.g. error page, manual redirect, ... | |
||
| 28 | |||
| 29 | |||
| 30 | *Description* |
||
| 31 | The interface can be used to start the eID application. |
||
| 32 | |||
| 33 | The parameters ifdName, contextHandle, slotHandle and cardType address a particular eCard, or a type of card. |
||
| 34 | There are three meaningful combinations of the optional parameters: |
||
| 35 | * _none_ |
||
| 36 | Use the fist nPa available. Display a "Please insert nPa" dialog if needed. This is the behaviour of the AusweisApp. |
||
| 37 | * _cardType_ |
||
| 38 | Use the fist card of the specified type which is available. Display a "Please insert <cardType>" dialog if needed. |
||
| 39 | * _ifdName_, _contextHandle_, _slotHandle_ |
||
| 40 | Use exactly the card matching the parameters. |
||
| 41 | |||
| 42 | |||
| 43 | *Notes* |
||
| 44 | |||
| 45 | 1 | Moritz Horsch | <pre> |
| 46 | TODO |
||
| 47 | * What happens if the Client Activator cannot start an application? |
||
| 48 | * What happens if the Client Activator cannot fetch a TC Token from the given TCTokenURL? Should that result in a 400 or 404? |
||
| 49 | </pre> |
||
| 50 | |||
| 51 | 11 | Tobias Wich | During the processing of the activation, a TCToken is fetched from a remote server. |
| 52 | The TCToken is defined as follows: |
||
| 53 | <pre><code class="xml"> |
||
| 54 | <element name="TCToken" type="TCTokenType" /> |
||
| 55 | 1 | Moritz Horsch | |
| 56 | 11 | Tobias Wich | <complexType name="TCTokenType"> |
| 57 | <sequence> |
||
| 58 | <element name="ServerAddress" type="anyURI" /> |
||
| 59 | <element name="SessionIdentifier" type="string" /> |
||
| 60 | <element name="RefreshAddress" type="anyURI" /> |
||
| 61 | <element name="Binding" type="anyURI" maxOccurs="1" minOccurs="0"/> |
||
| 62 | <element name="PathSecurity-Protocol" type="anyURI" /> |
||
| 63 | <element name="PathSecurity-Parameter" maxOccurs="1" minOccurs="0"> |
||
| 64 | <complexType> |
||
| 65 | <choice> |
||
| 66 | <element name="PSK" type="hexBinary" /> |
||
| 67 | </choice> |
||
| 68 | </complexType> |
||
| 69 | </element> |
||
| 70 | </sequence> |
||
| 71 | </complexType> |
||
| 72 | </code></pre> |
||
| 73 | 1 | Moritz Horsch | |
| 74 | 11 | Tobias Wich | The contents of the elements are defined as follows: |
| 75 | * ServerAddress |
||
| 76 | Must contain a https-URL which shall be used by the eCA to connect to the authentication server. |
||
| 77 | * SessionIdentifier |
||
| 78 | Must contain a unique identifier of the current authentication session. |
||
| 79 | * RefreshAddress |
||
| 80 | Must be a https-URL. The eCA redirects the browser to this URL (or the URL retrieved by following redirects starting from this URL) after conclusion of the online authentication. |
||
| 81 | * Binding |
||
| 82 | May be used to indicate that an authentication protocol according to [ISO24727-3] is to be performed over the session between eCA and the authentication server. |
||
| 83 | Currently the following values are defined: |
||
| 84 | ** @urn:liberty:paos:2006-08@ |
||
| 85 | * PathSecurity-Protocol |
||
| 86 | This element specifies the security protocol, which is to be used for securing the connection between eCA and AS. |
||
| 87 | Currently the following values are defined: |
||
| 88 | ** @urn:ietf:rfc:4346@[1] |
||
| 89 | TLS according to [RFC4346]. |
||
| 90 | ** @urn:ietf:rfc:4279@ |
||
| 91 | TLS-PSK according to [RFC4279]. |
||
| 92 | ** @urn:ietf:rfc:5487@ |
||
| 93 | TLS-PSK with a cipher suite according to [RFC5487]. |
||
| 94 | * PathSecurity-Parameter |
||
| 95 | Must be present to supply path security parameters such as PSK values. |
||
| 96 | |||
| 97 | The following changes are made to the token type defined in [eCard-7]: |
||
| 98 | * Binding is optional to use solely the transport protocol for authentication. |
||
| 99 | * PathSecurity-Protocol has additional values. |
||
| 100 | * PathSecurity-Parameter is optional because of the additional default TLS Protocol. |
||
| 101 | 8 | Tobias Wich | |
| 102 | h2. GetStatus[1] |
||
| 103 | |||
| 104 | *URL* |
||
| 105 | @http://127.0.0.1:24727/getStatus@ |
||
| 106 | |||
| 107 | *Method* |
||
| 108 | GET |
||
| 109 | |||
| 110 | *Query* |
||
| 111 | | session | The session parameter establishes an event queue for further requests with waitforChange. | Optional | |
||
| 112 | |||
| 113 | *Returns* |
||
| 114 | | 200 OK | Status element (see below). | |
||
| 115 | | 500 Internal Server Error | Errors in the smartcard stack or the webserver. | |
||
| 116 | |||
| 117 | <pre>TODO: define Status element</pre> |
||
| 118 | |||
| 119 | *Content-Types* |
||
| 120 | | text/xml | The Status element. | |
||
| 121 | | text/html | Error message in case of a 500 status code. | |
||
| 122 | |||
| 123 | |||
| 124 | *Description* |
||
| 125 | The interface can be used to request information about the eID application and its current state. |
||
| 126 | |||
| 127 | h2. WaitForChange |
||
| 128 | |||
| 129 | *URL* |
||
| 130 | @http://127.0.0.1:24727/waitForChange@ |
||
| 131 | |||
| 132 | *Method* |
||
| 133 | 1 | Moritz Horsch | GET |
| 134 | 8 | Tobias Wich | |
| 135 | *Query* |
||
| 136 | 10 | Tobias Wich | | session | The session of a previously set up event queue (see [[Client_Activation#GetStatus1|GetStatus]]). | Mandatory | |
| 137 | 8 | Tobias Wich | |
| 138 | *Returns* |
||
| 139 | | 200 OK | StatusChange element (see below). | |
||
| 140 | | 500 Internal Server Error | Errors in the smartcard stack or the webserver. | |
||
| 141 | |||
| 142 | <pre>TODO: define StatusChange element</pre> |
||
| 143 | |||
| 144 | *Content-Types* |
||
| 145 | | text/xml | The StatusChange element. | |
||
| 146 | | text/html | Error message in case of a 500 status code. | |
||
| 147 | |||
| 148 | |||
| 149 | *Description* |
||
| 150 | The interface can be used to request status change information after an initial GetStatus call. |
||
| 151 | |||
| 152 | |||
| 153 | --- |
||
| 154 | |||
| 155 | fn1. Openecard proposal: This parameter/interface is an Open eCard specific extension. It is not part of the official eCard specification. |