Open eCard

Hi Jan,

the CA is irrelevant for the PAOS channel.
BSI TR-03112-7 sec. 3.4.4 and 3.4.5 describe how the certificate is validated. Sec. 3.4.2 states that
the certificate is validated according to 3.4.4.
The checks are roughly as follows:

• The hash of the certificate of the TCToken channel must be present in the eService certificate.
• The host of the TCToken URL must be present in the eService Certificates CertificateDescription.

To work around these checks, you can disable the checks entirely. A simple change in the code is
sufficient.
If you use the stable version (tag 1.0.4), you'll find the function isPerformTR03112Checks in
control-interface/control-
modules/tctoken/src/main/java/org/openecard/control/module/tctoken/hacks/ObjectTag.java.
If you work on the current development version, the class is located in
addons/tr03112/src/main/java/org/openecard/control/module/tctoken/TCTokenHacks.java.
Always return false and you should be fine for your tests.

However your log indicates a problem in the TLS stack which is most probably because you are not
employing TLS-PSK, which depends on your TCToken. If you are not requesting a TLS-PSK channel in the
TCToken, then this might be a bug.

Regarding TLS-PSK, you might (will) need to patch your application server. It depends a bit how your setup looks like.
We are also interested in your plans for the eID Server, so we should discuss this directly. We will come back to you shortly.

Greetz Tobias