Encoding using T-Systems TCOS middleware in Identity Manager
This article includes updates for Smart ID 23.04.6.
An encoding description contains the information for the electronic personalization of a card. You import the encoding description from a file. This can be used in Smart ID Identity Manager.
This article includes information about the T-Systems TCOS middleware and cards as supported by Identity Manager and describes how you create descriptions for them.
TCOS DLLs
TCOS P11 Dynamic Link Libraries (DLLs) come in three different versions:
- NetKey version (basic P11 library for NKS application)
- SigG version (for qualified digital signatures, if the card in question supports it via an additional SigG application - not officially supported by Identity Manager)
- ELSTER version (for the German tax reporting system - not officially supported by Identity Manager)
The DLL you load gives you a view of a specific subset of the card. For example, with the SigG DLL you can only see the PINs/keys/certs of the SigG application. Make sure you always load the DLL of the appropriate type.
Make sure that you use a recommended version of the P11 middleware. The documents and software available at https://www.telesec.de/de/tcos/support/downloadbereich may sometimes be outdated, especially the P11 DLLs, make sure to verify the file versions and not the publishing date.
Different versions of the middleware may use different DLL filenames.
PIN/PUK/CR-Key
Supported cards
Refer to the lists of public key and certificate labels for each card when needed in the encoding description.
Encryption Keypair Recovery support on WAR file deployment
Important! Encryption Keypair Recovery only works if Identity Manager Operator is deployed as standalone without Admin or Protocol Gateway (PGWY) in a WAR file deployment.
Feature support
- supported by Identity Manager
- not supported by Identity Manager, card/P11 feature might be present or planned
n/a - not available on card/P11 lib and not possible or planned
| Feature | Signature Card V2.0 (ECC) | IDKey 1.0 (RSA) |
|---|---|---|
| P10 request for pre-loaded RSA keys | n/a | |
| P10 request for pre-loaded ECC sig/auth keys | The CA connector needs to support ECC. | n/a |
| P10 request for pre-loaded ECC enc key |
| n/a |
| Plain request (including key archival) | Key import is not supported. | Up to 10 keypairs with associated certificate can be imported. |
| Generate key on card | Not tested, can just redirect to matching pre-loaded key. | see Signature Card V2.0 |
| Init PIN and PUK via InitToken | | |
| Delete existing certs by label |
| |
| Profile init via InitToken | n/a | n/a |
| Profile reset | Not supported via P11 or the Telesec CardManager. | see Signature Card V2.0 |
| Change PIN/PUK with old one | | |
| Unblock PIN with PUK | | |
| Unblock PUK with PIN | Not implemented for consistency with other cards. | see Signature Card V2.0 |
| Unblock PIN with CardManagerKey | n/a | (Identity Manager 22.04.3 and later only, uses TCOS P11 extension, which is not challenge/response-based) |
| Change CardManagerKey with old one | n/a | (Identity Manager 22.04.3 and later only, uses TCOS P11 extension, which is not challenge/response-based) |
| Store cert chain or other arbitrary CA certs |
However, up to two CA certificates (root+intermediate) may be written separately. | StoreUserCertOnly=true is mandatory. |
| Change attributes on existing keys/certs | n/a as C_SetAttributeValue just returns CKR_OK without making any changes. | n/a see Signature Card V2.0 |
| Support NetKey P11 library | | |
| Support SigG P11 library (for qualified signatures) | Not tested except for PIN/PUK handling. | see Signature Card V2.0 |
| Support ELSTER P11 library (DE tax reporting) | Not tested | see Signature Card V2.0 |
| Importing to a specific slot via label | n/a | Middleware supports it only starting with version 1.12.4.0 |
- supported by Identity Manager
- not supported by Identity Manager, card/P11 feature might be present or planned
n/a - not available on card/P11 lib and not possible or planned
| Feature | TCOS 4.0 NetKey |
|---|---|
| P10 request for pre-loaded RSA keys | |
| P10 request for pre-loaded ECC sig/auth keys | The CA connector needs to support ECC. |
| P10 request for pre-loaded ECC enc key |
|
| Plain request (including key archival) | Up to 10 RSA 2048 keypairs + 6 RSA 3072 keypairs + 16 ECC keypairs with associated certificate can be imported. |
| Generate key on card | Not tested, can just redirect to matching pre-loaded key. |
| Init PIN and PUK via InitToken | |
| Delete existing certs by label |
|
| Profile init via InitToken | n/a |
| Profile reset | Not supported |
| Change PIN/PUK with old one | |
| Unblock PIN with PUK | |
| Unblock PUK with PIN | Not implemented for consistency with other cards. |
| Unblock PIN with CardManagerKey | (Identity Manager 22.10 and later only, uses TCOS P11 extension, which is not challenge/response-based) |
| Change CardManagerKey with old one | (Identity Manager 22.10 and later only, uses TCOS P11 extension, which is not challenge/response-based) |
| Store cert chain or other arbitrary CA certs | StoreUserCertOnly=true is mandatory. |
| Change attributes on existing keys/certs | n/a |
| Support NetKey P11 library | |
| Support SigG P11 library (for qualified signatures) | Not tested |
| Support ELSTER P11 library (DE tax reporting) | Not tested |
| Importing to a specific slot via label | Middleware supports it only starting with version 1.12.4.0 |
Encoding description settings
The cards are pre-initialized, and the initToken=true flag is used to trigger initialization of Pin 1 (PIN) and subsequent unblocking of Pin 2 (PUK).
Both PIN and InitialPUK have to be set.
Define like this in the encoding description:
CODE... [Fields] PIN= PUK= ... [Description] InitToken=true PIN=PIN InitialPUK=PUK ...
This feature is available on Signature Card V2.0 only.
Any certificates on the card which you want to replace have to be deleted first. See Delete certificates above.
Write new CA certificates
You can write up to two CA certificates by specifying the target label.
The label parameter depends on whether the certificate to be written is a root or intermediate certificate.
Define like this in the encoding description:
CODE... [Application_X] WriteCertificate=true Certificate=INTERMEDIATE_CA_CERT_FIELD LabelTemplateCertIntermediate=fixtext=EF.C.CSP.SCA1 ... [Application_Y] WriteCertificate=true Certificate=ROOT_CA_CERT_FIELD LabelTemplateCertRoot=fixtext=EF.C.CSP.RCA1 ...
Any certificates on the card which you want to replace have to be deleted first. See Delete certificates above.
Certificate chain writing not supported
Applies to:
- IDKey 1.0
- Signature Card V2.0
- TCOS 4.0 NetKey
You must specify this in your certificate application, as writing a certificate chain supplied in the CA response is not supported (for Signature Card V2.0 see Write CA certificates above for an alternative).
Define like this in the encoding description:
CODE... [Application_X] StoreUserCertOnly=true ...
ECC KeySize
Applies to:
- Signature Card V2.0
- TCOS 4.0 NetKey
Even though keys are not generated, existing ones are used, you must specify the KeySize to indicate ECC is to be used. Different variants of the cards use, for example, brainpoolp256r1 or prime256v1 curves.
Identity Manager uses BC curve names.
As a minimum requirement, you must specify a curve which has the same size (for example, 256 bits) as the card is using, which is required for request validation to work. To future-proof your encodings it is recommended to specify the exact curve.
For cards with different key sizes you need separate applications.
Define like this in the encoding description:
CODE... [Application_X] # NOTE: some cards use ECC/brainpool256r1 KeySize=ECC/prime256v1 ...
ECC P10 Signing Algorithms
Applies to:
- Signature Card V2.0
- TCOS 4.0 NetKey
The only supported signing algorithm for Signature Card V2.0 is ECDSA with SHA1. On TCOS 4.0 NetKey cards you may use ECDSA with SHA256 as well.
Define like this in the encoding description:
CODE... [Application_X] # use this for Signature Card V2.0 cards: Pkcs10SigningAlgorithm=SHA1_ECDSA # for TCOS 4.0 NetKey cards you can use this instead: Pkcs10SigningAlgorithm=SHA256_ECDSA ...
Dummy P10 signing for ECC encryption keys
Applies to:
- Signature Card V2.0
Unlike ECC sig/auth keys, the ECC encryption keys on a Signature Card V2.0 cannot be used for signing. This is a restriction of the key permissions on the card and cannot be solved by a middleware update. If the CA does not need to verify the P10 signature (for example, CM, DTrust and others where the connector parses the P10), P10 signing can be enabled with a dummy key.
Define like this in the encoding description:
CODE... [Application_X] SignP10WithDummyKey=true ...
Select user certificate slot
Applies to:
- Signature Card V2.0
On a Signature Card V2.0, each keypair can have multiple certificate slots. You must explicitly define which slot to use by specifying the correct certificate label (unlike above, not key label). Deleting existing certificates for a keypair does not guarantee that the resulting certificate will end up in the main slot.
The Telesec CardManager does not display the correct labels. You must use a P11 admin tool like https://www.pkcs11admin.net/ to view them.
Define like this in the encoding description:
CODE... [Application_X] LabelTemplate=fixtext=The Certificate Label Goes Here ...
Skip label or select target slot via labels
Applies to:
- IDKey 1.0
- TCOS 4.0 NetKey
When using pre-loaded keypairs it is recommended to skip setting the label attribute via LabelTemplate=skip instead of specifying the actual label via fixtext as shown above, as it is easier to configure and less error-prone.
When importing a keypair and certificate setting the label attribute is not allowed by the middleware in versions before 1.12.4.0, so it is mandatory to skip it. On TCOS 1.12.4.0 this restriction was removed Now it's possible to address to slot to put the certificate and keypair.
Before writing, make sure the target slot is free by deleting the certificate and keys, or the middleware might report an error.
Define like this in the encoding description:
CODE... [Application_X] # next free spot is taken automatically (mandatory before TCOS 1.12.4.0) LabelTemplate=skip ... [Application_Y] # TCOS 1.12.4.0 and up only, make sure the slot you specify here is free! # you have to specify the labels for private- and public key separately # from the certificate label, as they differ but share the same index LabelTemplate=fixtext=... PrivateKeyLabelTemplate=fixtext=... PublicKeyLabelTemplate=fixtext=... ...