Operations

ApplyConfig

The following properties are available to control the behavior for configuration manipulation.

Property Description Default value Requirement

Config:<section>:<entry>

Updates the local configuration file. The <section> and <entry> values refers to the specified section and entry in the configuration file. See Settings in the Net iD Enterprise Technical Description for details.
+ The local update will be affected immediately at SetProperty, but plugin will not be updated internally until this operation is called.

ConfigLocal:<section>:<entry>

Updates the local configuration file. The <section> and <entry> values refers to the specified section and entry in the configuration file. See Settings in the Net iD Enterprise Technical Description for details.
+ The local update will be affected immediately at SetProperty, but plugin will not be updated internally until this operation is called.

ConfigGlobal:<section>:<entry>

Updates the global configuration file. The <section> and <entry> values refers to the specified section and entry in the configuration file. See Settings in the Net iD Enterprise Technical Description for details.
+ The global update will be affected as soon as this operation is called. The global update depends upon the access condition for the global configuration file. On Windows Vista and later a UAC (User Access Control) dialog will probably be shown to allow a user to get administrator access. The global update on MacOSX and Linux will probably fail, since there is currently no implementation to get administrator access.

Only servers registered as allowed servers in configuration will be allowed to update the configuration.
File system access protection, also known as Sandbox, in different web browsers may interfere with all updates. Never try to update unless your server is registered as trusted in the web browser.
This operation will reload everything including the internal PKCS#11 library. This operation may have undesirable effects for web browsers using both the plugin and the PKCS#11 directly, since eventual open sessions will be closed. Typical problem scenario is when a SSL/TLS session is opened towards the web server manipulating the configuration.
Set configuration.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Config:Language:Current’, ‘English’);
  iid.Invoke(‘ApplyConfig’);
}

ApplyComponentConfig:<name>

The following property is available to control the behavior for configuration manipulation:

ComponentConfig:<name>:<value>

This operation will call apply configuration for extended component <name>. See documentation for the specific component for more information.

ChangePassword

The following properties are available to control the behavior for change password:

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which should change the password/PIN.

The default value is the first available slot/token.

optional

Password

Specifies the old password/PIN value. The value is a string value or a hexadecimal string prefixed with 0x. If neither Password nor NewPassword are available a change password dialog will be shown.

optional

NewPassword

Specifies the new password/PIN value. The value is a string value or a hexadecimal string prefixed with 0x. If neither Password nor NewPassword are available a change password dialog will be shown.

optional

Changing password.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘0000’);
  iid.SetProperty(‘NewPassword’, ‘4711’);
  iid.Invoke(‘ChangePassword’);
}

iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘0x30303030’);
  iid.SetProperty(‘NewPassword’, ‘4711’);
  iid.Invoke(‘ChangePassword’);
}
To change password for SO user, you will need to login with password type set to CKU_SO and then call this operation.

CreateObject

The following properties are available to control the behavior of the object creation. In the future all types of PKCS#11 objects may be handled, but currently only data objects are handled:

Property Description Default value Requirement

Base64

Specifies whether the string values given are base64 encoded. Values should always be URL encoded even after base64 encoding.

Default value is false, no base64 encoding.

optional

CKA_APPLICATION*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_CLASS*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

CKA_LABEL*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_MODIFIABLE*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_OBJECT_ID*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_PRIVATE*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_TOKEN*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

CKA_VALUE*

The value is a string value or a hexadecimal string prefixed with 0x. CK_ULONG values should be specified in big endian order.

optional

*) All properties starting with CKA_ are attributes specified in the PKCS#11. Check PKCS#11 documentation for details.

Creating data objects using URL encoding.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_TOKEN’, ‘0x01’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_MODIFIABLE’, ‘0x01’);
  iid.SetProperty(‘CKA_LABEL’, ‘My+Label’);
  iid.SetProperty(‘CKA_VALUE’, ‘My+Value’);
  if (iid.Invoke(‘CreateObject’) == 0) {
  }
}
CKA_LABEL and CKA_VALUE are given URL encoded, so real string values are ‘My Label’ and ‘My Value’.
Creating data objects using base64 encoding.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Base64’, ‘true’);
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_TOKEN’, ‘0x01’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_MODIFIABLE’, ‘0x01’);
  iid.SetProperty(‘CKA_LABEL’, ‘TXkgTGFiZWw=’);
  iid.SetProperty(‘CKA_VALUE’, ‘TXkgVmFsdWU=’);
  if (iid.Invoke(‘CreateObject’) == 0) {
  }
}
Values given in hexadecimal form should not be base64 encoded.

CreateRequest

The following properties are available to control the behavior for certificate requests.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which should generate the certificate request. Use this property when creating a request for an existing token, and use TokenLabel when creating a new token.

Base64

Specifies whether the generated request value should be base64 encoded. This property does not affect given values, only the returned request value.

Default value is false, no base64 encoding.

Extractable

Specifies whether a generated key pair should be extractable or not. This value only has effect when a new key pair is generated during the creation of the certificate request.

Default value is false, key pair not extractable.

KeyId

Specifies the key pair ID. This value is preferably used when generating a request for an existing key pair, but may be used to set a specific ID for your key pair.

Default value is none; key ID will be generated when key pair is generated.

KeyLabel

Specifies the key pair label. This value is used when generating a request for a new key pair.

Default value is none; key pair will have empty label.

KeyReuse

Specifies whether the certificate request should be reusing an old key pair or tries to generate a new key pair. Only KeyId property will be used to search for a matching key pair; KeyLabel, KeySize and KeyUsage will be ignored.

Default value is false; will try to generate a new key pair.

KeySize

Specifies the key pair size. This value is used when generating a request for a new key pair. Specify a number in bits.

Mandatory when generating a new request.

KeyUsage

Specifies the key pair usage. This value is used when generating a request for a new key pair.

Default value is 255, all usages are available. Specifies the value as a number or in hexadecimal form.

OneTimePassword

Specifies the one time password. This value may be used when generating a CMC certificate request for a new key pair.

Default value is none; no one time password used.

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

PubKey

Specifies the public key exponent. This value is used when generating a request for a new key pair.

Default value is 65535 (0x010001).

RequestType

specifies the types of request. Supported values are PKCS10 and CMC. See your preferred certificate request documentation for details for each request type.

Default value is PKCS10.

Subject

Specifies the subject for the certificate request. Use standard RDN values with object identifier, some short names are supported, but not reliable.

Default value is none; no subject will be present in the request.

SubjectAltName

Specifies the value for subject alternative attribute extension.

Template

Specifies the value for Microsoft CA template attribute extension.

TokenLabel

Specifies the token label. This value is used when creating a new token during the create certificate request.

Not recommended, instead use operation CreateToken for better control of the token creation.

UrlEncode

Specifies whether the generated request value should be URL encoded. This property does not affect given values, only the returned request value. If property Base64 is false then this value is always true.

Default value is true.

The following property is available after a successful create certificate request:

Property Description Default value Requirement

Request

Can be used to retrieve the certificate request after a successful operation. This value will be formatted according to properties URLEncode and Base64.

Create PKCS#10 certificate request generating a new key pair.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘RequestType’, ‘PKCS10’);
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘4711’);
  iid.SetProperty(‘Subject’, ‘2.5.4.3=John+Doe’);
  iid.SetProperty(‘KeySize’, ‘1024’);
  iid.SetProperty(‘KeyUsage’, ‘0xA0’);
  if (iid.Invoke(‘CreateRequest’) == 0) {
    request = iid.GetProperty(‘Request’);
  }
}
Create PKCS#10 certificate request reusing an old key pair.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘RequestType’, ‘PKCS10’);
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘4711’);
  iid.SetProperty(‘Subject’, ‘2.5.4.3=John+Doe’);
  iid.SetProperty(‘KeyId’, ‘0x45’);
  iid.SetProperty(‘KeyReuse’, ‘true’);
  if (iid.Invoke(‘CreateRequest’) == 0) {
    request = iid.GetProperty(‘Request’);
  }
}

The CMC certificate request type may specify several key pairs during a single request and therefore all key pair properties include a number:

  • KeyId<number>

  • KeyLabel<number>

  • KeyReuse<number>

  • KeySize<number>

  • KeyUsage<number>

  • PubKey<number>

The <number> value starts from 1 and it is possible to specify any number of key pairs to generate and/or reuse.

Create CMC certificate request with two key pairs when generating new keys.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘RequestType’, ‘CMC’);
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘4711’);
  iid.SetProperty(‘Subject’, ‘2.5.4.3=John+Doe’);
  iid.SetProperty(‘KeySize1’, ‘1024’);
  iid.SetProperty(‘KeyUsage1’, ‘0xA0’);
  iid.SetProperty(‘KeySize2’, ‘1024’);
  iid.SetProperty(‘KeyUsage2’, ‘0x40’);
  if (iid.Invoke(‘CreateRequest’) == 0) {
    request = iid.GetProperty(‘Request’);
  }
}

CreateToken

The following properties are available to control the behavior for soft token creation.

Property Description Default value Requirement

FileName

Specifies the file containing the token data. Token data is either retrieved from property TokenData or FileName. When no data is available an empty token is created. If both are specified then this property will be ignored.

Default value is none.

optional

ImportPassword

Specifies the password used to protect the token data. This parameter is mandatory when the TokenData or FileName property specifies data protected with a password using PKCS#12.

optional

Password

Specifies the token password. This value is optional when creating a new soft token or importing an existing soft token using the internal soft token format. This property is mandatory when creating a soft token by importing data protected with PKCS#12.

optional

PasswordMaxLen

Specifies the maximum password length.

Default value is according to configuration.

optional

PasswordMinLen

Specifies the minimum password length.

Default value is according to configuration.

optional

PasswordType

Specifies the password type. See configuration for details.

Default value is according to configuration.

optional

RenewMode

Specifies the renew mode when an existing token is found when creating a new token. Available values are add, remove or backup.

add

Adds existing soft token if a soft token already exists.

backup

Moves existing soft token to a new name in soft tokens folder.

remove

Removes the existing soft token.

Default value is add.

optional

TokenData

Specifies the token data. Token data is either retrieved from property TokenData or FileName. When no data is available an empty token is created.

Default value is none.

optional

TokenLabel

Specifies the token label, which will be the name of the soft token.

Create empty soft token.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Password’, ‘4711’);
  iid.SetProperty(‘TokenLabel’, ‘Soft+eID’);
  if (iid.Invoke(‘CreateToken’) == 0) {
  }
}
Importing PKCS#12 soft token.
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Password’, ‘4711’);
  iid.SetProperty(‘ImportPassword’, ‘secret’);
  iid.SetProperty(‘FileName’, ‘d:\soft.pfx’);
  iid.SetProperty(‘TokenLabel’, ‘Soft+eID’);
  if (iid.Invoke(‘CreateToken’) == 0) {
  }
}

Decrypt

The following properties are available to control the behavior for decrypt data.

Property Description Default value Requirement

Base64

Specifies whether the decrypted data value should be base64 encoded. This property does not affect given values, only the returned data value.

Default value is false; no base64 encoding.

optional

Data

Specifies the encrypted data. This value must be both base64 and URL encoded.

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

optional

URLEncode

Specifies whether the decrypted data value should be URL encoded. If property Base64 is false then this value is always true.

Default value is true.

optional

The following property is available after a successful decrypt operation:

Property Description Default value Requirement

Data

Property Data can be used to retrieve the decrypted data after a successful operation. This value will be formatted according to properties URLEncode and Base64.

Example of decrypt operation:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Data’, ‘AA…==’);
  if (iid.Invoke(‘Decrypt’) == 0) {
    data = iid.GetProperty(‘Data’);
  }
}

DeleteCertificate

The following properties are available to control the behavior for certificate deletion.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID for the slot/token which contains the certificate to delete.

Certificate

Specifies the certificate value which should be deleted from the token. Value should be both base64 and URL encoded.

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

Example to delete certificate:
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Certificate’, ‘MII…=’);
  if (iid.Invoke(‘DeleteCertificate’) == 0) {
  }
}

DeleteKey

The following properties are available to control the behavior for key pair deletion.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which contains the key pair to delete.

KeyId

Specifies the key ID value of the key pair which should be deleted from the token. The value is either a string value or hexadecimal encoded.

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

Example to delete key pair:
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘KeyId’, ‘0x45’);
  if (iid.Invoke(‘DeleteKey’) == 0) {
  }
}

DeleteToken

The following parameter is available to control the behavior for token deletion.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be deleted.

Example to delete soft token:
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘100’);
  if (iid.Invoke(‘DeleteToken’) == 0) {
  }
}

DestroyObject

The following properties are available to control the behavior for destroy object.

Property Description Default value Requirement

Base64

optional

CKA_APPLICATION*

CKA_CLASS*

CKA_LABEL*

CKA_PRIVATE*

*) See operation CreateObject for information on the attribute values.

This operation will search for an object with matching properties: CKA_APPLICATION, CKA_CLASS, CKA_LABEL, CKA_PRIVATE and destroy this object.

Example for destroy data objects using base64 encoding:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Base64’, ‘true’);
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_APPLICATION’, ‘’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_LABEL’, ‘TXkgTGFiZWw=’);
  if (iid.Invoke(‘DestroyObject’) == 0) {
  }
}

Digest

The following properties are available to control the behavior for encrypt data.

Property Description Default value Requirement

Algorithm

Specifies the algorithm to use when digesting the data. The value is the object identifier for the algorithm. The list of supported algorithms is dependent upon the token/smart card, and some algorithms will be available in software.

Base64

Specifies whether the digested data value should be base64 encoded.

Default value is false, no base64 encoding.

optional

Data

Specifies the original data. This value must be both base64 and URL encoded.

URLEncode

Specifies whether the decrypted data value should be URL encoded. Default value is false.

optional

The following property is available after a successful encrypt operation:

Property Description Default value Requirement

Data

Can be used to retrieve the encrypted data after a successful operation. This value will be formatted according to properties URLEncode and Base64. If none is true the value will be hexadecimal encoded.

Example of digest data:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Data’, ‘AA…==’);
  if (iid.Invoke(‘Digest’) == 0) {
    data = iid.GetProperty(‘Data’);
  }
}

DisableTrace

There are no properties available. The trace enabled with operation EnableTrace will be disabled.

Example for disable trace:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘DisableTrace’) == 0) {
  }
}

EnableTrace

There are no properties available. This operation will either enable local trace or server trace. Server trace requires that trace server is available and will require the trace server component.

Is currently only available on Windows.
Example for enabling trace:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘EnableTrace’) == 0) {
  }
}

Encrypt

The following properties are available to control the behavior for encrypt data.

Property Description Default value Requirement

Algorithm

Specifies the algorithm to use when encrypting the data. The value is the object identifier for the algorithm. The list of supported algorithms is dependent upon the token/smart card. Verify with the vendor which algorithm is supported.

Base64

Specifies whether the encrypted data value should be base64 encoded.

Default value is false; no base64 encoding.

optional

Certificate

Specifies the certificate used to encrypt the data. This value must be both base64 and URL encoded. Either this property or KeyId property must be available.

optional

Data

Specifies the original data. This value must be both base64 and URL encoded.

KeyId

Specifies a list of subject key identifiers used to encrypt the data. This value must be hexadecimal. Encoded subject key identifiers from present certificates are separated with ;. Either this property or Certificate property must be available.

optional

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

optional

URLEncode

Specifies whether the decrypted data value should be URL encoded. If property Base64 is false then this value is always true.

Default value is true.

optional

The following property is available after a successful encrypt operation:

Property Description Default value Requirement

Data

Can be used to retrieve the encrypted data after a successful operation. This value will be formatted according to properties URLEncode and Base64.

Example for encrypting data:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Data’, ‘AA…==’);
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  if (iid.Invoke(‘Encrypt’) == 0) {
    data = iid.GetProperty(‘Data’);
  }
}

Export

The following properties are available to control the behavior for soft token or certificate exporting.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be exported. The property is mandatory when exporting a soft token.

optional

Certificate

Specifies the certificate which will be exported. The property is mandatory when exporting a certificate.

optional

FileName

Specifies full path to the file which will get the exported value. File name ending with .tkn means exporting a soft token, ending with .cer means exporting a certificate.

optional

Example for exporting soft token:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘100’);
  iid.SetProperty(‘FileName’, ‘d:\soft.tkn’);
  if (iid.Invoke(‘Export’) == 0) {
  }
}
Example for exporting certificate:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  iid.SetProperty(‘FileName’, ‘d:\soft.cer’);
  if (iid.Invoke(‘Export’) == 0) {
  }
}
File system requirement for exporting must be fulfilled, but file system access protection, also known as Sandbox, in different web browsers may also interfere with all exporting. Never try to export unless your server is registered as trusted in the web browser.

FindObject

The following properties are available to control the behavior for find object.

Property Description Default value Requirement

Base64

optional

CKA_APPLICATION*

optional

CKA_CLASS*

optional

CKA_LABEL*

optional

CKA_PRIVATE*

optional

CKA_VALUE*

optional

*) See operation CreateObject for information of the attribute values.

This operation will search for an object with matching properties and remember this object until a later call to operation UpdateObject. The active attribute list will be reset after this call.

Example for find data objects using base64 encoding:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Base64’, ‘true’);
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_APPLICATION’, ‘’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_LABEL’, ‘TXkgTGFiZWw=’);
  if (iid.Invoke(‘FindObject’) == 0) {
  }
}

GenerateChallenge

There are no properties available to control the behavior. The generated challenge is dependent upon the token/smart card. Check with the card vendor for more information

The following property is available after a successful operation:

Property Description Default value Requirement

Challenge

Can be used to retrieve the challenge after a successful operation. This value will be hexadecimal encoded. The real usage of the Challenge is depending on operation. It may be used to generate a response at the server-side for a successful unlock operation.

Example to generate a challenge:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘GenerateChallenge’)) {
    challenge = iid.GetProperty(‘Challenge’);
  }
}

HasCertificate

The following property is available to control the search for certificate:

Property Description Default value Requirement

Certificate

Specifies the certificate to find. This value must be both base64 and URL encoded.

Return value is 0 for certificate not present and 1 for certificate available.

Example find certificate:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  if (iid.Invoke(‘HasCertificate’)) {
  }
}

InitToken

The following properties are available to control the behavior for token initialization.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be initialized. This operation is only available for smart card tokens.

Password

Specifies the administrator password used to initialize the token. The value is a string or hexadecimal string prefixed with 0x. The value usually represents a 3DES key.

Profile

Specifies the smart card profile available in configuration. This profile is depending on smart card and purpose of the card. The available profile values are returned from EnumProperty(‘Profiles’). For more information contact your technical product support contact.

UnlockPassword

Specifies the PUK used to unlock the password/PIN after smart card is initialized. The value is string value, depending on smart card, but usually 8 digits.

optional

Example to initialize token using administrator password:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘0x00..00’);
  iid.SetProperty(‘UnlockPassword’, ‘47114711’);
  iid.SetProperty(‘Profile’, ‘eID+Card’);
  if (iid.Invoke(‘InitToken’) == 0) {
  }
}
Example to initialize token using user PIN:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘0x00..00’);
  if (iid.Invoke(‘Login’) == 0) {
    iid.SetProperty(‘Password’, ‘0x’);
    iid.SetProperty(‘Profile’, ‘User+Reset’);
    if (iid.Invoke(‘InitToken’) == 0) {
    }
  }
}
Initialize token using user PIN is only useful when there is a need to update user protected files. The property Password parameter 0x will result in empty password therefore the current logged on user will be used instead of administrator.

IsRefreshing

There are no properties available. The operation will only return the current status of internal refreshing.

Return value is 1 when internally refreshing and 0 when not refreshing.

Example to check for refreshing status:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘IsRefreshing’)) {
  }
}

Login

The following properties are available to control the behavior for login:

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be logged on.

Password

Specifies the password/PIN used when logging on. The value is a string or hexadecimal string prefixed with 0x. If no password is given then an enter password/PIN dialog will be shown.

optional

PasswordType

Specifies the type of logon. Either CKU_USER or CKU_SO.

Default value is CKU_USER.

optional

Example to login a token:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘4711’);
  if (iid.Invoke(‘Login’) == 0) {
  }
}

Logout

The following properties are available to control the behavior for login:

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be logged off.

Example to logout a token:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  if (iid.Invoke(‘Logout’) == 0) {
  }
}

OpenTrace

There are no properties available. This operation will open the current active trace file.

Example for open trace:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘OpenTrace’) == 0) {
  }
}

Refresh

There are no properties available. The operation will only start an internal refresh. The refresh includes a restart of eventual service and reload of internal components.

Example to start refresh:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘Refresh);
}
This operation will refresh everything including the internal PKCS#11 library. This operation may have undesirable effects for web browsers using both the plugin and the PKCS#11 directly, since eventual open sessions will be closed. Typical problem scenario is when a SSL/TLS session is opened towards the web server initializing the refresh.

RefreshInternal

Same as operation ‘Refresh’, but will only reload internal components.

Example to start internal refresh:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘RefreshInternal’);
}

RefreshService

Same as operation Refresh, but will only restart eventual service component.

Example to start service refresh:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘RefreshService’);
}

Reload

There are no properties available. The operation will only start an internal reload of all components. The reload includes release and load of all libraries.

Example to start reload:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘Reload);
}
This operation will try to reload everything including the internal PKCS#11 library. This operation will not work for web browsers using both the plugin and the PKCS#11 direct, since the PKCS#11 library will not be released by the web browser.

Reset

There are no properties available. The operation will only reset all internal plugin variables to default values. When reusing the plugin object it is recommended to use this operation to avoid any undesirable effects, since some property names are reused between operations.

Example to reset:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘Reset);
}

ResetToken

The following properties are available to control the behavior for token reset.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be reset. This operation is only available for smart card tokens.

Password

Specifies the user password used to get private access to the token. The value is a string or hexadecimal string prefixed with 0x.

There are also some advanced configuration properties available to control the reset behavior. For more information contact your technical product support contact.

Example to reset token:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Password’, ‘4711’);
  if (iid.Invoke(‘ResetToken’) == 0) {
  }
}

ResetUserData

There are no properties available. This operation will only reset all user data for the current user. This will remove the local configuration and all soft tokens for the current user.

Example to reset user data:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘ResetUserData’) == 0) {
  }
}

RestoreComponentConfig:<name>

There are no properties available. This operation will only restore to last unmodified configuration for the component <name>.

See documentation for the specific component for more information.

Run

The following property is available to control the run operation:

Property Description Default value Requirement

Command

The argument list which will be sent to the internal component. See documentation regarding each component for details of the available commands.

Example for run internal command:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Command’, ‘-about’);
  if (iid.Invoke(‘Run’) == 0) {
  }
}

ShowMessage

Use this operation to show a message box.

The following properties are available to control the behavior for show message:

Property Description Default value Requirement

Link

Specifies an URL link showed in error, exclamation and information message boxes.

Default value empty, no link available.

optional

Text

Specifies a string that represents the text that will be shown in the message box.

Title

Specifies a string that represents the title that will be shown in the message box.

Default value is standard product title.

optional

Type

Specifies a string with the type of message box. Supported values are: error, exclamation, information and question.

The return value is depending on type of message box, but the following is the complete list:

  • OK 1

  • CANCEL 2

  • YES 6

  • NO 7

Example of information dialog:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Text’, ‘My+Message’);
  iid.SetProperty(‘Title’, ‘My+Title’);
  iid.SetProperty(‘Type’, ‘information’);
  iid.Invoke(‘ShowMessage’);
}
Example of question dialog:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Text’, ‘My+Question’);
  iid.SetProperty(‘Title’, ‘My+Title’);
  iid.SetProperty(‘Type’, ‘question’);
  rc = iid.Invoke(‘Question’);
  if (rc == 6) {
  }
  else if (rc == 7) {
  }
}
This operation is obsolete and will be removed in the future, since it requires displaying of user interface.

Sign

This operation is used to create a digital signature. There are two ways to create the signature, by scripting or with direct activation when web page loads. For scripting everything will be the same as all other operations, but for direct activation the object created and the result is posted by the plugin to a server according to the properties below.

The following properties are available to control the signature creation for both scripting and direct activation:

Property Description Default value Requirement

Algorithm

Specifies the algorithm to use when creating the signature. The value is the object identifier for the algorithm. The list of supported algorithms depends on the token/smart card. Verify with the vendor which algorithm is supported. Default value is 1.2.840.113549.1.1.5 which is RSA with SHA-1.

optional

Authentication

Used to decide type of signature. For value false certificates with non-repudiation bit set will be used. For value true certificates with non-repudiation will be not set be used.

Default value is false.

optional

Base64

Specifies whether the generated signature value should be base64 encoded. This property does not affect given values, only the returned signature value.

Default value is false; no base64 encoding.

optional

Certificate

Specifies the certificate used to create the signature. Value should be both base64 and URL encoded. It will not be the certificate value that will be used to find the certificate for the signature. Instead the issuer and subject field will be taken from the certificate and the Authentication property above will be used to find the correct certificate based on certificate key usage.

optional

Data

Specifies the data that will be signed. Value should be both base64 and URL encoded. Either Data or DataToBeSigned must be present.

optional

DataToBeSigned

Specifies the data that will be signed. Value should URL encoded. Either Data or DataToBeSigned must be present.

optional

Detached

Specifies whether the created signature should include the data or not, attached or detached PKCS#7 signature blob. Value true will not include the data, value false will include the data.

Default value is false.

optional

IncludeCaCert

Specifies whether the created signature should try to include the CA certificates or not. Value true will include the CA certificates if available, value false will not include any CA certificate.

Default value is false.

optional

IncludeRootCaCert

Specifies whether the created signature should try to include the root CA certificate or not. Value true will include the root CA certificate if available, value false will not include root CA certificate.

Default value is false.

optional

Issuers

Specifies the acceptable issuers when selecting the certificate used for signature. It is possible to separate AND criteria with , and OR criteria with ;. Use standard RDN values with object identifier, some short names are supported, but not reliable. All certificates are acceptable. Certficate property overrides this property.

Default value none.

optional

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show a password dialog if needed.

optional

Raw

Specifies the signature format. Value false will create a standard PKCS#7 signature, value true will create an unformatted signature blob.

optional

Subjects

Specifies the acceptable subject when selecting the certificate used for signature. It is possible to separate AND criteria with ,, and OR criteria with ;. Use standard RDN values with object identifier, some short names are supported, but not reliable. All certificates are acceptable. Certficate property overrides this property.

Default value none.

optional

UrlEncode

Specifies whether the signature data value should be URL encoded. If property Base64 is false then this value is always true.

Default value is true.

optional

Version

Specifies the minimum acceptable product version. Value is eight numbers with two digits for each part: version 1.2.3.45 is formatted 01020345. All versions are acceptable.

Default value is none.

optional

The following properties are available to control the signature creation for direct activation:

Property Description Default value Requirement

DataReturnName

Specifies the name to return the data when posting the signature.

Default value none, no data posted.

optional

DirectActivation

Specifies the type of operation that should be activated. Currently only the value Sign is supported, which will activate the creation of a signature.

PostURL

Specifies the server to post the signature result.

optional

SignReturnName

Specifies the name to return the signature when posting the signature.

Default value Signature.

optional

VersionReturnName

Specifies the name to return the data when posting the signature.

Default value none; no version posted.

optional

WindowName

Specifies the window name to post the signature result.

optional

The following property is available after a successful create signature operation:

Property Description Default value Requirement

Signature

Contains the created signature after a successful operation. The format is depending on URLEncode and Base64 values.

Other operations usually return PKCS#11 return coded, but this operation returns the following list to be compatible with other signature plugin vendors:

  • OK 0

  • ERROR_OTHER 1

  • ERROR_USER_ABORT 2

  • ERROR_OUT_OF_MEMORY 3

  • ERROR_BAD_VERSION 4

  • ERROR_PARAMETER_MISSING 5

  • ERROR_PARAMETER_INVALID 6

  • ERROR_SECURITY 7

Example to create standard PKCS#7 signature using RSA with SHA-1:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘DataToBeSigned’, ‘My+Data’);
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  if (iid.Invoke(‘Sign’) == 0) {
  }
}
Example to create a standard PKCS#7 signature using RSA with SHA-256, only certificates with "SecMaker CA" will be acceptable:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘DataToBeSigned’, ‘My+Data’);
  iid.SetProperty(‘Issuers’, ‘2.5.4.3=SecMaker CA’);
  iid.SetProperty(‘Algorithm’, ‘1.2.840.113549.1.1.11’);
  if (iid.Invoke(‘Sign’) == 0) {
  }
}
Example to create a raw signature blob:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘DataToBeSigned’, ‘My+Data’);
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  iid.SetProperty(‘Raw’, ‘true’);
  if (iid.Invoke(‘Sign’) == 0) {
  }
}

StartService

There are no properties available; the operation will only start the internal service.

Example to start service:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘StartService);
}

StopService

There are no properties available; the operation will only stop the internal service.

Example to stop service:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.Invoke(‘StopService);
}

UnlockPassword

The following properties are available to control the behavior for unlock password.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token which will be unlocked.

UnlockPassword

Specifies the password/PUK used to unlock the user password/PIN. The value is a string or hexadecimal string prefixed with 0x. If neither UnlockPassword nor NewPassword are available a unlock password dialog will be shown.

optional

NewPassword

Specifies the new user password/PIN. The value is a string or hexadecimal string prefixed with 0x. If neither Password nor NewPassword are available an unlock password dialog will be shown.

optional

Example to unlock password:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘UnlockPassword’, ‘47114711’);
  iid.SetProperty(‘NewPassword’, ‘4711’);
  if (iid.Invoke(‘UnlockPassword’) == 0)
  }
}

UpdateObject

The following properties are available to control the behavior for update object.

Property Description Default value Requirement

Base64

optional

CKA_APPLICATION*

CKA_CLASS*

CKA_LABEL*

CKA_PRIVATE*

CKA_VALUE*

*) See operation CreateObject for information of the attribute values.

This operation will search for an object with matching properties: CKA_APPLICATION, CKA_CLASS, CKA_LABEL, CKA_PRIVATE, and update the CKA_VALUE attribute for this object. Used in combination with operation FindObject will update all specified attributes.

Example update data objects using base64 encoding:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Base64’, ‘true’);
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_TOKEN’, ‘0x01’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_MODIFIABLE’, ‘0x01’);
  iid.SetProperty(‘CKA_LABEL’, ‘TXkgTGFiZWw=’);
  iid.SetProperty(‘CKA_VALUE’, ‘TXkgVmFsdWU=’);
  if (iid.Invoke(‘UpdateObject’) == 0) {
  }
}
Example update data objects with operation ‘FindObject’:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘CKA_CLASS’, ‘0x00000000’);
  iid.SetProperty(‘CKA_TOKEN’, ‘0x01’);
  iid.SetProperty(‘CKA_PRIVATE’, ‘0x00’);
  iid.SetProperty(‘CKA_MODIFIABLE’, ‘0x01’);
  iid.SetProperty(‘CKA_LABEL’, ‘Old+Label’);
  if (iid.Invoke(‘FindObject’) == 0) {
    iid.SetProperty(‘CKA_LABEL’, ‘New+Label’);
    if (iid.Invoke(‘UpdateObject’) == 0) {
    }
  }
}

ValidateInstallation

There are no properties available. The operation will only validate the installation. The validation will check that the configuration has not been updated after the installation.

Return value is 0 for success and 1 for failure (configuration is updated after installation).

Example to start validation:
iid = document.getElementById(‘iid’);
if (iid != null) {
  if (iid.Invoke(‘ValidateInstallation’) != 0) {
  }
}

ValidatePassword

The following properties are available to control the behavior for validate password:

Property Description Default value Requirement

Password

Specifies the password to validate.

PasswordMaxLen

Specifies the maximum password length.

Default value is according to configuration.

optional

PasswordMinLen

Specifies the minimum password length.

Default value is according to configuration.

optional

PasswordType

Specifies the password type. See configuration for details.

Default value is according to configuration.

optional

Return value is 0 for success and 1 for failure (password not valid).

Example to start password validation:
iid = document.getElementById(‘iid’);
if (iid != null) {
iid.SetProperty(‘Password’, ‘4711’);
  if (iid.Invoke(‘ValidatePassword’) != 0) {
  }
}

Verify

The following properties are available to control the behavior for verify digital signature operation.

Property Description Default value Requirement

Base64

Specifies whether the returned original data value should be base64 encoded. This property only affects the returned data value and not the given value.

Default value is false; no base64 encoding.

optional

Data

Specifies the encrypted data. This value must be both base64 and URL encoded.

URLEncode

Specifies whether the returned original data value should be URL encoded. If property Base64 is false then this value is always true.

Default value is true.

optional

The following properties are available after a successful verify digital signature operation:

Property Description Default value Requirement

Certificate

Returns the original certificate value used when creating the digital signature. The format is depending on URLEncode and Base64 values.

Data

Contains the original data after a successful operation. The format is depending on URLEncode and Base64 values.

Example of verify digital signature operation:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Data’, ‘AA…==’);
  if (iid.Invoke(‘Verify’) == 0) {
    data = iid.GetProperty(‘Data’);
    cert = iid.GetProperty(‘Certificate’);
  }
}

ViewCertificate

This operation will open a dialog box to show the certificate in the local system certificate viewer.

The following property is available to control the behavior for view certificate operation:

Property Description Default value Requirement

Certificate

Contains the certificate value which should be shown. The value must be both base64 and URL encoded.

Example of view certificate operation:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  iid.Invoke(‘ViewCertificate’);
}

WriteCertificate

The following properties are available to control the behavior for certificate writing.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token to write the certificate. There may be several reasons why the search for public key fails, so always try to specify the correct slot ID.

Default value is first available token, but this may change if the public key value is found on another token.

optional

Certificate

Specifies the certificate value. The value must be both base64 and URL encoded. The value must contain a standard certificate value, or a PKCS#7 blob with several certificate values, or a PKCS#12 blob with both private key and certificate value. Either Certificate or FileName property is mandatory.

optional

Filename

Specifies the full path to a file containing the same information as Certificate property. Either Certificate or FileName property is mandatory.

optional

ImportPassword

Specifies the password used to protect the PKCS#12 blob. This parameter is mandatory when Certificate or FileName property specify data protected with a password using PKCS#12.

optional

Label

Specifies the label of the object created by this operation.

Default label is subject common name from the certificate for certificate objects and none for key pair objects.

optional

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show password dialog if needed.

optional

Example to write certificate:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Certificate’, ‘MII…==’);
  iid.SetProperty(‘Password’, ‘4711’);
  if (iid.Invoke(‘WriteCertificate’) == 0) {
  }
}

WriteKey

The following properties are available to control the behavior for key writing.

Property Description Default value Requirement

ActiveSlot

Specifies the slot ID of the slot/token to write the key.

Default value is first available token.

optional

Data

Specifies the unprotected private key blob. Data value must be both base64 and URL encoded. To write a private key protected according to PKCS#12, use operation WriteCertificate instead. Either Data or FileName property is mandatory.

optional

Filename

Specifies the full path to a file containing the same information as Data property. Either Data or FileName property is mandatory.

optional

Label

Specifies the label of the object created by this operation.

Default label is none.

optional

Password

Specifies the password/PIN used to get private access to the token.

Default value is none; will show password dialog if needed.

optional

Example to write key:
iid = document.getElementById(‘iid’);
if (iid != null) {
  iid.SetProperty(‘ActiveSlot’, ‘1’);
  iid.SetProperty(‘Data’, ‘MII…==’);
  iid.SetProperty(‘Password’, ‘4711’);
  if (iid.Invoke(‘WriteKey’) == 0) {
  }
}