Both the Java- and C BankID Servers give the Merchant access to the following services:

• Client - Server Authentication service.
• Signature verification service.
• Certificate status checking service.
• Cryptographic service:
• Signature generation
• Hashing
• Provision of additional information from the Validation Authority.
• Retrieval of the Helper reference, CID and TID.
• Construction and validation of SDO.
• Construction of PAdES.
• Data encoding services.
• Retrieval of transaction security data generated by COI.

Please refer to the Interface Description [IJSRV]/[ICSRV] for the server of your choice for the details on how to use these services.

Client - Server Authentication Process

Three API methods are provided for the client – server authentication process, "InitTransaction", "VerifyTransactionRequest" and "VerifyTransactionResponse". The first method takes the client challenge and generates a signed PKCS#7 object and at the same time producing a server challenge for the client to sign. The challenge must be retained by the calling web application.

The signing process signs the client challenge.

The second API method takes the PKCS#7 object generated by the client and the server challenge held by the web application. The method verifies the applet signature and the certificate path. The third API method creates the response to the client.

Signature verification service

The transaction signed by the client must be verified before the web application can process it. The signature verification process takes the signed transaction PKCS#7 object and verifies the signature. The certificate chain is also verified. This task is implicit in the create SDO method, or may be performed explicitly by the verify data method.

PKCS#7 service

A function is provided to retrieve the following items from a PKCS#7 object:

• The data that was signed (Java server).
• The signer's certificate.
• The number of sub CA certificates (Java server).
• The sub-CA certificates (level 1 to N) (Java server).
• The root CA certificate (Java server).
• The signing time.

Certificate service

A function is provided to retrieve the following items from a certificate:

• The certificate issuer name.
• The issuer Alt name (Java server).
• The certificate subject name.
• The certificate valid from date.
• The certificate valid to date.
• The certificate serial number.
• The certificate version number.
• The certificate key algorithm.
• The key size.
• The Originator.
• The DateOfBirth (if provided).
• The BankName.
• The UniqueID(organization number for merchant certificates).
• The policy OID Info.
• The email address.

The UniqueID uniquely identifies a user in the BankID framework. An application may use the unique id to map their internal user identifier against the BankID user identifier.

Certificate status checking service

The certificate status method takes the PKCS#7 object as input and returns the status of the certificate. The method may also return social security number, account number and the organization number. Please note that there is restricted access to these data.

The method executes the following steps:

• Extracts the signer certificate from the input PKCS#7.
• Creates a OCSP request with the signer certificate as input.
• Calls the BankID Validation Authority requesting the status of the signer certificate and optionally some additional information.
• Returns the certificate status and the additional information if requested and authorized.

How to grant a merchant access to additional information

To enable merchant access to additional information the Bank RA must enable merchant access for the following VA specific OIDs:

The RA must use the OrderContentModify messages described in chapter 4.3 in [RAIF].

Cryptographic services

The following cryptographic services are provided: 

• Signature generation service generates a signature of the input data and returns it in the format of a PKCS#7 object.
• Random number generation service generates random data of given length.
• Hashing service generates a hash of the input data.

SDO services

The following services exist:

• Construction of SDO objects.
• Validation of SDO objects (both BSK and SEID formats).
• Transformation of SDO objects to XML format.

Multisigning services

The BankID Server has a service for generating the string needed as input for the case of multisigning¹. i.e. more than one person signing the same document. This string can be generated from:

• a list of PKCS#7 objects.
• an SDO object.
• a SDO XML.

Security Data service

This interface, accessible through BankID Server, provides security data for a given BankID transaction. See restricted documents [ISDS] and [BIDGS] for documentation of and how to make use of this interface. See also [ICSRV]/[IJSRV].

How to grant a merchant access to security data

To enable merchant access to the BankID Security Data Service the Bank RA must enable merchant access for the following OID:

Basic Data set OID: 2.16.578.1.16.6.2 (BankID Web-client)

The RA must use the OrderContentModify messages described in chapter 4.3 in [RAIF].

PAdES construction service

The following service exists:

1. Turnkey construction of PAdES documents supporting B-B profile, BankID add visual seals for end user and merchant. 
2. Extention of turnkey generated PAdES B-B documents with other incremental updates.
3. Construction of PAdES documents supporting B-B and further profiles using self assembling merchant mode. BankID has interfaces such that merchant may add visual seals and other incremental updates itself. 
4. Construction of PAdES building without merchantls visual seal, for extending already signed PAdESes or for person to person signing.