Client Server communication

Added by Jan Diekhoff about 11 years ago

Hello

I would like to build an eId-Server with a Virtualsmartcard that emulates an nPA as part of a university project. For the client I want to use the Open eCard Application. So far the nPA is recognized and PIN change is possible as well. But connecting to the PAOS endpoint with TLSv1.1 failed; I assume the client accepts only signed TLS connections from certain CAs. What is the best way to import my CA cert, or is there an existing test certificate I could use?

Last question: do you have any advice on how to implement the TLS-PSK connection?


Replies (1)

RE: Client Server communication - Added by Tobias Wich about 11 years ago

Hi Jan,

the CA is irrelevant for the PAOS channel.
BSI TR-03112-7 sec. 3.4.4 and 3.4.5 describe how the certificate is validated. Sec. 3.4.2 states that
the certificate is validated according to 3.4.4.
The checks are roughly as follows:
  • The hash of the certificate of the TCToken channel must be present in the eService certificate.
  • The host of the TCToken URL must be present in the eService certificate's CertificateDescription.

To work around these checks, you can disable the checks entirely. A simple change in the code is
sufficient.
If you use the stable version (tag 1.0.4), you'll find the function isPerformTR03112Checks in
control-interface/control-modules/tctoken/src/main/java/org/openecard/control/module/tctoken/hacks/ObjectTag.java.
If you work on the current development version, the class is located in
addons/tr03112/src/main/java/org/openecard/control/module/tctoken/TCTokenHacks.java.
Always return false and you should be fine for your tests.

However, your log indicates a problem in the TLS stack, which is most probably because you are not
employing TLS-PSK, which depends on your TCToken. If you are not requesting a TLS-PSK channel in the
TCToken, then this might be a bug.

Regarding TLS-PSK, you might (will) need to patch your application server. It depends a bit on what your setup looks like.
We are also interested in your plans for the eID Server, so we should discuss this directly. We will come back to you shortly.

Greetz Tobias
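
An added example, not part of the thread and not Open eCard's own code: the two checks listed in the reply, written out in Java to show why the issuing CA plays no role in them. The CertDescription class, its field names, the choice of SHA-256 and the sample values are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;

public class Tr03112ChannelCheck {

    /** Hypothetical stand-in for the parts of the CertificateDescription used here. */
    static final class CertDescription {
        final List<byte[]> commCertHashes; // hashes of TLS certificates the eService may present
        final String subjectHost;          // host named in the description
        CertDescription(List<byte[]> hashes, String host) {
            this.commCertHashes = hashes;
            this.subjectHost = host;
        }
    }

    // Assumption: SHA-256 is the hash in use; the thread does not name one.
    static byte[] sha256(byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    /** Check 1: the hash of the certificate seen on the TCToken channel is listed. */
    static boolean certIsListed(byte[] tlsCertDer, CertDescription d) throws NoSuchAlgorithmException {
        byte[] seen = sha256(tlsCertDer);
        boolean found = false;
        for (byte[] allowed : d.commCertHashes) {
            found |= MessageDigest.isEqual(seen, allowed); // compare every entry, no early exit
        }
        return found;
    }

    /** Check 2: the host of the TCToken URL is the one named in the description. */
    static boolean hostIsListed(String tcTokenUrl, CertDescription d) {
        String host = URI.create(tcTokenUrl).getHost();
        return host != null && host.equalsIgnoreCase(d.subjectHost);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: arbitrary bytes stand in for DER-encoded certificates.
        byte[] listed = "constructed-eservice-tls-cert".getBytes(StandardCharsets.UTF_8);
        byte[] unlisted = "constructed-unlisted-cert".getBytes(StandardCharsets.UTF_8);
        CertDescription d = new CertDescription(List.of(sha256(listed)), "eservice.example");

        System.out.println("listed cert accepted:   " + certIsListed(listed, d));
        System.out.println("unlisted cert accepted: " + certIsListed(unlisted, d));
        System.out.println("matching host accepted: " + hostIsListed("https://eservice.example/tctoken", d));
        System.out.println("other host accepted:    " + hostIsListed("https://other.example/tctoken", d));
    }
}
```

Neither check consults a trust store: a certificate is accepted because its hash is listed, so a test CA does not help unless the description lists the test certificate's hash.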
