AX.TrustStore.SDK
2.0.0
dotnet add package AX.TrustStore.SDK --version 2.0.0
AstreaX Public Trust Store SDK
This SDK downloads, signature-validates, and parses the AstreaX Public Trust Store payloads, returning typed models for VICAL (ISO/IEC 18013-5 Annex C), proximity RICAL (Annex F), and website RICAL (ISO/IEC 18013-7).
Trust Stores
| Payload | Spec | Endpoint (prod) | Endpoint (test) |
|---|---|---|---|
| VICAL | ISO 18013-5 Annex C | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/vical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/vical.cbor |
| Proximity RICAL | ISO 18013-5 Annex F | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/rical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/rical.cbor |
| Website RICAL | ISO 18013-7 | https://stopublicdocs.blob.core.windows.net/digitalidentity/prod/webrical.cbor | https://stopublicdocs.blob.core.windows.net/digitalidentity/test/webrical.cbor |
Setup
Register services in your DI container. AddTrustStoreServices wires IHttpClientFactory, IMemoryCache, and ITrustStoreClient automatically.
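```csharp
// Resolve a logger for the client. BuildServiceProvider() creates a separate,
// temporary container here just to obtain the ILogger instance.
var logger = builder.Services.BuildServiceProvider().GetService<ILogger<TrustStoreClient>>();

// Register IHttpClientFactory, IMemoryCache, and ITrustStoreClient.
builder.Services.AddTrustStoreServices(logger);
```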
Usage
Inject ITrustStoreClient and call the method for the trust store you need:
```csharp
public class MyService
{
    private ITrustStoreClient TrustStoreClient { get; }

    public MyService(ITrustStoreClient trustStoreClient)
    {
        this.TrustStoreClient = trustStoreClient;
    }

    public async Task ValidateMdlAsync(byte[] certificate)
    {
        // Returns a VicalModel — never throws; returns an empty model on failure.
        var vical = await this.TrustStoreClient.GetVicalAsync();
        foreach (var cert in vical.CertificateInfos)
        {
            // cert is a VicalCertificateInfoModel
            Console.WriteLine($"{cert.DisplayName} — {string.Join(", ", cert.DocType)}");
        }
    }
}
```
All three methods follow the same pattern:
```csharp
VicalModel vical = await client.GetVicalAsync();
RicalModel rical = await client.GetRicalAsync();
RicalModel webRical = await client.GetWebRicalAsync();
```
Pass isTestEnvironment: true to target the test endpoints, or override the default 60-minute cache:
```csharp
var vical = await client.GetVicalAsync(isTestEnvironment: true, cacheExpirationInMinutes: 5);
```
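Because the methods return an empty model instead of throwing, calling code has to treat "no entries" as a failure rather than as "nothing to check". The following is an added example, not code from the SDK or its authors: `IssuerTrustCheck` and `IsTrustedIssuerAsync` are hypothetical names, and it assumes `SHA256Fingerprint` and `CertificateBase64` are strings and `DocType` is a collection of strings.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
// Also import the SDK namespace that declares ITrustStoreClient (not shown on this page).

public sealed class IssuerTrustCheck   // hypothetical helper, not an SDK type
{
    private readonly ITrustStoreClient client;
    public IssuerTrustCheck(ITrustStoreClient client) => this.client = client;

    // True only if issuerDer (a DER-encoded issuing CA certificate) is listed in a
    // non-empty VICAL for docType and the listed certificate is currently valid.
    public async Task<bool> IsTrustedIssuerAsync(byte[] issuerDer, string docType)
    {
        var vical = await this.client.GetVicalAsync();
        // An empty model is how the SDK reports a download or signature failure,
        // so "no entries" must mean "trust nothing".
        if (vical?.CertificateInfos is null || vical.CertificateInfos.Count == 0)
            return false;

        string presented = Convert.ToHexString(SHA256.HashData(issuerDer));
        foreach (var entry in vical.CertificateInfos)
        {
            // Assumption: the fingerprint is a hex string; normalise separators and case.
            string listed = (entry.SHA256Fingerprint ?? "").Replace(":", "").Replace(" ", "");
            if (!string.Equals(listed, presented, StringComparison.OrdinalIgnoreCase))
                continue;
            if (entry.DocType is null || !entry.DocType.Contains(docType))
                continue;
            try
            {
                // Re-check the validity window from the listed certificate itself.
                using var ca = new X509Certificate2(Convert.FromBase64String(entry.CertificateBase64));
                DateTime now = DateTime.UtcNow;
                return ca.NotBefore.ToUniversalTime() <= now && now <= ca.NotAfter.ToUniversalTime();
            }
            catch (Exception e) when (e is FormatException or CryptographicException or ArgumentNullException)
            {
                return false;
            }
        }
        return false;
    }
}
```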
Model Hierarchy
```
TrustPayloadBase
├── VicalModel                    // VICAL (ISO 18013-5 Annex C)
│   └── CertificateInfos: List<VicalCertificateInfoModel>
└── RicalModel                    // RICAL / WebRICAL (Annex F / ISO 18013-7)
    └── CertificateInfos: List<RicalCertificateInfoModel>

CertificateInfoBase               // common to all entries
├── VicalCertificateInfoModel
│   ├── DocType                   // e.g. ["org.iso.18013.5.1.mDL"]
│   ├── CertificateProfile
│   └── IssuingAuthority
└── RicalCertificateInfoModel
    ├── Type                      // collision-resistant type identifier
    ├── Name                      // human-readable CA name
    └── TrustConstraints: List<TrustConstraintModel>
```
TrustPayloadBase (shared fields)
| Property | Description |
|---|---|
| Version | CDDL version string |
| Provider | Free-form provider identifier |
| Date | Issuance date-time (UTC) |
| NextUpdate | Expected next issuance date-time |
| NotAfter | Absolute payload expiry |
| GetCertificateInfos() | Returns all entries as IEnumerable<CertificateInfoBase> |
VicalModel additional fields
| Property | Description |
|---|---|
| VicalIssueId | Monotonically-increasing issue identifier |
| VicalUri | HTTP retrieval endpoint for this VICAL |
RicalModel additional fields
| Property | Description |
|---|---|
| Id | Optional monotonically-increasing issue identifier |
| Type | RICAL type identifier (org.iso.18013.5.1.reader_authentication or org.iso.18013.7.website_reader_authentication) |
| LatestRicalUrl | HTTPS retrieval URL for this RICAL |
CertificateInfoBase (all entries)
| Property | Description |
|---|---|
| Subject | X.509 subject distinguished name |
| SerialNumber | Hex serial number |
| SHA256Fingerprint | SHA-256 fingerprint (hex) |
| SubjectKeyIdentifier | SKI (hex) |
| AuthorityKeyIdentifier | AKI raw data (hex) |
| ValidFrom / ValidTo | Certificate validity window |
| CertificateBase64 | Base64-encoded DER certificate |
| IssuingCountry | ISO 3166-1/3166-2 country code |
| StateOrProvinceName | State or province from the spec entry |
| DisplayName | Human-readable display name (AX extension) |
| Description | Description of this CA (AX extension) |
| IconUrl | Icon URL for the issuing authority (AX extension) |
| Source | Entry source, e.g. "AstreaX", "Aamva" (AX extension) |
Signature Validation
Each payload is a COSE_Sign1 message. The client:
- Downloads the .cbor blob over HTTPS.
- Extracts the signer certificate chain from the x5chain header (header label 33).
- Validates the chain up to the pinned AstreaX CA certificate (test or prod, selected by isTestEnvironment).
- Verifies the ECDSA signature with the leaf cert's public key.
If validation fails or the endpoint is unreachable, an empty model is returned — the methods never throw.
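The validation steps above can be reproduced with the .NET COSE and X.509 APIs. This is an added sketch, not the SDK's own implementation: `CoseTrustPayloadCheck`, `VerifyOrNull` and `pinnedRoot` are hypothetical names, it parses the header with System.Formats.Cbor, and it assumes the pinned CA is a self-signed root, that x5chain may appear in either header bucket, and that revocation is not checked.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Cbor;
using System.Security.Cryptography;
using System.Security.Cryptography.Cose;
using System.Security.Cryptography.X509Certificates;

public static class CoseTrustPayloadCheck   // hypothetical name, not an SDK type
{
    private static readonly CoseHeaderLabel X5Chain = new CoseHeaderLabel(33); // x5chain
    // Returns the signed payload, or null if any step fails (fail closed).
    public static byte[]? VerifyOrNull(byte[] coseBytes, X509Certificate2 pinnedRoot)
    {
        try
        {
            CoseSign1Message msg = CoseMessage.DecodeSign1(coseBytes);
            // Assumption: x5chain may sit in the protected or the unprotected header map.
            if (!msg.ProtectedHeaders.TryGetValue(X5Chain, out CoseHeaderValue raw) &&
                !msg.UnprotectedHeaders.TryGetValue(X5Chain, out raw))
                return null;
            List<X509Certificate2> certs = ReadX5Chain(raw.EncodedValue); // leaf first
            if (certs.Count == 0) return null;
            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore OS roots
            chain.ChainPolicy.CustomTrustStore.Add(pinnedRoot);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption
            for (int i = 1; i < certs.Count; i++) chain.ChainPolicy.ExtraStore.Add(certs[i]);
            if (!chain.Build(certs[0])) return null;
            using ECDsa? key = certs[0].GetECDsaPublicKey();
            if (key is null || !msg.VerifyEmbedded(key)) return null;
            return msg.Content?.ToArray();
        }
        catch (Exception e) when (e is CryptographicException or CborContentException or InvalidOperationException)
        { return null; }
    }

    // x5chain is a single bstr (one certificate) or an array of bstr.
    private static List<X509Certificate2> ReadX5Chain(ReadOnlyMemory<byte> encoded)
    {
        var reader = new CborReader(encoded);
        var certs = new List<X509Certificate2>();
        if (reader.PeekState() == CborReaderState.ByteString)
            return new List<X509Certificate2> { new X509Certificate2(reader.ReadByteString()) };
        reader.ReadStartArray();
        while (reader.PeekState() != CborReaderState.EndArray)
            certs.Add(new X509Certificate2(reader.ReadByteString()));
        return certs;
    }
}
```

With CustomRootTrust, `chain.Build` succeeds only when the chain terminates at a certificate in `CustomTrustStore`, which is what pins the payload signer to the expected CA rather than to any root the operating system trusts.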
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. net9.0 was computed. net9.0-android was computed. net9.0-browser was computed. net9.0-ios was computed. net9.0-maccatalyst was computed. net9.0-macos was computed. net9.0-tvos was computed. net9.0-windows was computed. net10.0 was computed. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net8.0
  - Microsoft.Extensions.Caching.Memory (>= 8.0.1)
  - Microsoft.Extensions.Http (>= 8.0.1)
  - PeterO.Cbor (>= 4.5.3)
  - System.Security.Cryptography.Cose (>= 8.0.2)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 2.0.0 | 276 | 6/18/2026 |
| 2.0.0-alpha | 95 | 6/18/2026 |
| 1.2.0 | 1,234 | 10/31/2025 |
| 1.1.0 | 648 | 10/7/2025 |
| 1.0.0 | 395 | 10/7/2025 |