AX.TrustStore.SDK 2.0.0

dotnet add package AX.TrustStore.SDK --version 2.0.0
 

AstreaX Public Trust Store SDK

This SDK downloads, signature-validates, and parses the AstreaX Public Trust Store payloads, returning typed models for VICAL (ISO/IEC 18013-5 Annex C), proximity RICAL (Annex F), and website RICAL (ISO/IEC 18013-7).

Trust Stores

| Payload | Spec | Endpoint (prod) | Endpoint (test) |
|---|---|---|---|
| VICAL | ISO 18013-5 Annex C | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/vical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/vical.cbor |
| Proximity RICAL | ISO 18013-5 Annex F | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/rical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/rical.cbor |
| Website RICAL | ISO 18013-7 | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/webrical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/webrical.cbor |

Setup

Register services in your DI container. AddTrustStoreServices wires IHttpClientFactory, IMemoryCache, and ITrustStoreClient automatically.

var logger = builder.Services.BuildServiceProvider().GetService<ILogger<TrustStoreClient>>();
builder.Services.AddTrustStoreServices(logger);

Usage

Inject ITrustStoreClient and call the method for the trust store you need:

public class MyService
{
    private ITrustStoreClient TrustStoreClient { get; }

    public MyService(ITrustStoreClient trustStoreClient)
    {
        this.TrustStoreClient = trustStoreClient;
    }

    public async Task ValidateMdlAsync(byte[] certificate)
    {
        // Returns a VicalModel — never throws; returns an empty model on failure.
        var vical = await this.TrustStoreClient.GetVicalAsync();
        foreach (var cert in vical.CertificateInfos)
        {
            // cert is a VicalCertificateInfoModel
            Console.WriteLine($"{cert.DisplayName} — {string.Join(", ", cert.DocType)}");
        }
    }
}

All three methods follow the same pattern:

VicalModel vical = await client.GetVicalAsync();
RicalModel rical = await client.GetRicalAsync();
RicalModel webRical = await client.GetWebRicalAsync();

Pass isTestEnvironment: true to target the test endpoints, or override the default 60-minute cache:

var vical = await client.GetVicalAsync(isTestEnvironment: true, cacheExpirationInMinutes: 5);

Model Hierarchy

TrustPayloadBase
├── VicalModel                  // VICAL (ISO 18013-5 Annex C)
│   └── CertificateInfos: List<VicalCertificateInfoModel>
└── RicalModel                  // RICAL / WebRICAL (Annex F / ISO 18013-7)
    └── CertificateInfos: List<RicalCertificateInfoModel>

CertificateInfoBase             // common to all entries
├── VicalCertificateInfoModel
│   ├── DocType                 // e.g. ["org.iso.18013.5.1.mDL"]
│   ├── CertificateProfile
│   └── IssuingAuthority
└── RicalCertificateInfoModel
    ├── Type                    // collision-resistant type identifier
    ├── Name                    // human-readable CA name
    └── TrustConstraints: List<TrustConstraintModel>

TrustPayloadBase (shared fields)

| Property | Description |
|---|---|
| Version | CDDL version string |
| Provider | Free-form provider identifier |
| Date | Issuance date-time (UTC) |
| NextUpdate | Expected next issuance date-time |
| NotAfter | Absolute payload expiry |
| GetCertificateInfos() | Returns all entries as IEnumerable<CertificateInfoBase> |

VicalModel additional fields

| Property | Description |
|---|---|
| VicalIssueId | Monotonically-increasing issue identifier |
| VicalUri | HTTP retrieval endpoint for this VICAL |

RicalModel additional fields

| Property | Description |
|---|---|
| Id | Optional monotonically-increasing issue identifier |
| Type | RICAL type identifier (org.iso.18013.5.1.reader_authentication or org.iso.18013.7.website_reader_authentication) |
| LatestRicalUrl | HTTPS retrieval URL for this RICAL |

CertificateInfoBase (all entries)

| Property | Description |
|---|---|
| Subject | X.509 subject distinguished name |
| SerialNumber | Hex serial number |
| SHA256Fingerprint | SHA-256 fingerprint (hex) |
| SubjectKeyIdentifier | SKI (hex) |
| AuthorityKeyIdentifier | AKI raw data (hex) |
| ValidFrom / ValidTo | Certificate validity window |
| CertificateBase64 | Base64-encoded DER certificate |
| IssuingCountry | ISO 3166-1/3166-2 country code |
| StateOrProvinceName | State or province from the spec entry |
| DisplayName | Human-readable display name (AX extension) |
| Description | Description of this CA (AX extension) |
| IconUrl | Icon URL for the issuing authority (AX extension) |
| Source | Entry source, e.g. "AstreaX", "Aamva" (AX extension) |

Signature Validation

Each payload is a COSE_Sign1 message. The client:

  1. Downloads the .cbor blob over HTTPS.
  2. Extracts the signer certificate chain from the x5chain header (header label 33).
  3. Validates the chain up to the pinned AstreaX CA certificate (test or prod, selected by isTestEnvironment).
  4. Verifies the ECDSA signature with the leaf cert's public key.

If validation fails or the endpoint is unreachable, an empty model is returned — the methods never throw.
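
Because a failed download or a failed signature check reaches the caller as an empty model rather than an exception, the calling code has to fail closed. The following is an added example, not code from the SDK or its authors: `TrustEntry` and `TrustList` are hypothetical stand-ins that reuse property names documented above with assumed types, and the fingerprint normalization is an assumption about formatting.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Hypothetical stand-ins copying only property names documented on this page;
// the property types are assumptions. Map the SDK models onto them.
public record TrustEntry(string SHA256Fingerprint, DateTime ValidFrom,
                         DateTime ValidTo, IReadOnlyList<string> DocType);
public record TrustList(DateTime? NotAfter, IReadOnlyList<TrustEntry> CertificateInfos);

public static class TrustDecision
{
    // Assumption: fingerprints may differ in case or carry ':' separators.
    private static string Normalize(string hex) =>
        hex.Replace(":", "").Replace(" ", "").ToUpperInvariant();

    // True only when every check passes; an empty or expired list means "not trusted".
    public static bool IsTrustedIssuer(TrustList list, byte[] issuerCertDer,
                                       string docType, DateTime nowUtc)
    {
        // An empty model is what a failed download or signature check looks like.
        if (list is null || list.CertificateInfos.Count == 0) return false;
        // Reject a payload past its absolute expiry, e.g. a stale cached copy.
        if (list.NotAfter is DateTime notAfter && nowUtc > notAfter) return false;
        string presented = Convert.ToHexString(SHA256.HashData(issuerCertDer));
        return list.CertificateInfos.Any(e =>
            Normalize(e.SHA256Fingerprint) == presented &&
            e.ValidFrom <= nowUtc && nowUtc <= e.ValidTo &&
            e.DocType.Contains(docType, StringComparer.Ordinal));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: random bytes stand in for a DER certificate.
        const string Mdl = "org.iso.18013.5.1.mDL";
        byte[] der = RandomNumberGenerator.GetBytes(64);
        string fp = Convert.ToHexString(SHA256.HashData(der)).ToLowerInvariant();
        DateTime now = DateTime.UtcNow;
        var entry = new TrustEntry(fp, now.AddDays(-1), now.AddDays(1), new[] { Mdl });
        var lists = new[] { ("good", new TrustList(now.AddDays(7), new[] { entry })),
                            ("empty", new TrustList(null, Array.Empty<TrustEntry>())),
                            ("stale", new TrustList(now.AddDays(-1), new[] { entry })) };
        foreach (var (name, list) in lists)
            Console.WriteLine($"{name}: {TrustDecision.IsTrustedIssuer(list, der, Mdl, now)}");
    }
}
```

Only the list that is non-empty, unexpired, and holds a matching in-validity entry for the requested document type yields a trusted result; the empty and stale lists are rejected before any fingerprint comparison.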

Product Compatible and additional computed target framework versions.
.NET net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed.


| Version | Downloads | Last Updated |
|---|---|---|
| 2.0.0 | 276 | 6/18/2026 |
| 2.0.0-alpha | 95 | 6/18/2026 |
| 1.2.0 | 1,234 | 10/31/2025 |
| 1.1.0 | 648 | 10/7/2025 |
| 1.0.0 | 395 | 10/7/2025 |