Open eCard Development Center: Issues
https://dev.openecard.org/
2020-11-12T08:40:06Z
Redmine

Open eCard - Bug #825 (Solved): Non-integer Proxy Port leads to error and proxy is not working
https://dev.openecard.org/issues/825
2020-11-12T08:40:06Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The following error has been observed.<br /><pre>
Exception in thread "Update-Task" java.lang.ExceptionInInitializerError
at org.openecard.richclient@1.4.5/org.openecard.richclient.updater.VersionUpdateLoader.loadVersionUpdateList(VersionUpdateLoader.java:81)
at org.openecard.richclient@1.4.5/org.openecard.richclient.updater.VersionUpdateChecker.loadCurrentVersionList(VersionUpdateChecker.java:66)
at org.openecard.richclient@1.4.5/org.openecard.richclient.RichClient$UpdateTask.run(RichClient.java:357)
at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
at java.base/java.util.TimerThread.run(Timer.java:506)
Caused by: java.lang.NumberFormatException: For input string: ""
at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:68)
at java.base/java.lang.Integer.parseInt(Integer.java:662)
at java.base/java.lang.Integer.parseInt(Integer.java:770)
at org.openecard.richclient@1.4.5/org.openecard.crypto.tls.proxy.ProxySettingsLoader.load(ProxySettingsLoader.java:101)
at org.openecard.richclient@1.4.5/org.openecard.crypto.tls.proxy.ProxySettings.<clinit>(ProxySettings.java:60)
... 5 more
</pre></p>
<p>The port has a non-integer value, so the parsing fails and the proxy initialisation is aborted with the observed error. <br />The proxy implementation should print a warning in this case and fall back to using no proxy.</p>

Open eCard - Bug #786 (New): Recognition rule for Turkish eID card is too broad
https://dev.openecard.org/issues/786
2019-12-17T13:45:17Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The rule for detecting the Turkish eID card is based on the existence of the DF.CIA file specified in ISO/IEC 7816-15, Sec. 7.5.5. <br />This file is very likely to exist on other cards as well, making this rule alone not suitable to precisely detect a Turkish eID card.</p>
<p>A more specific rule containing a unique match of data of this card is needed. This could be a successive read binary call with a match string fitting only to Turkish eID cards.</p>
<p>The excerpt from the recognition tree:<br /><pre>
<iso:CardCall>
<iso:CommandAPDU>00A4040C0CA000000063504B43532D3135</iso:CommandAPDU>
<iso:ResponseAPDU>
<iso:Body>
<iso:MatchingData>
<iso:Offset>00</iso:Offset>
<iso:Length>00</iso:Length>
<iso:MatchingValue/>
</iso:MatchingData>
</iso:Body>
<iso:Trailer>9000</iso:Trailer>
<iso:Conclusion>
<iso:RecognizedCardType>http://www.ekds.gov.tr/2.5</iso:RecognizedCardType>
</iso:Conclusion>
</iso:ResponseAPDU>
</iso:CardCall>
</pre></p>

Open eCard - PartnerIssue #473 (Rejected): DATEV Arbeitnehmer online PKI problem
https://dev.openecard.org/issues/473
2016-08-02T08:28:55Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The following is the SAML Response returned after trying to authenticate against the DATEV Arbeitnehmer online portal.</p>
<pre><code class="xml"><?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 Destination="https://secure6.datev.de/saml/SAMLAssertionConsumer/an-online"
 ID="_aad366c470a2fb24c2065e2632863aae"
 InResponseTo="_67bb35ed-4542-46b2-b2e5-becccd516185"
 IssueInstant="2016-08-02T08:05:29.574Z"
 Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://npa.datev.de:443/</saml:Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed">
<samlp:StatusCode Value="260"/>
</samlp:StatusCode>
<samlp:StatusMessage>
Internes Konfigurationsproblem Berechtigungs-PKI: Unerwartete Rückmeldung möglicherweise wegen Konfigurationsfehler.
</samlp:StatusMessage>
<samlp:StatusDetail>
<eid:debugInfo xmlns:eid="http://www.eid-service.de/eid/idcard/1.0">ReturnCode: e247fee3</eid:debugInfo>
</samlp:StatusDetail>
</samlp:Status>
</samlp:Response>
</code></pre>

Open eCard - PartnerIssue #472 (Rejected): Blocked Elements on DATEV Arbeitnehmer online error page
https://dev.openecard.org/issues/472
2016-08-01T13:19:30Z
Tobias Wich (tobias.wich@ecsec.de)
<p>In case of an error during authentication with the German eID, a 500 response is displayed. As the CSS and some JavaScript resources are loaded from HTTP URLs, they are blocked and cannot be used.<br />The attached screenshot shows the page and the debug console printout listing the blocked resource.</p>
<p>The browser used for the screenshot is Firefox ESR 45.2.0.</p>

Open eCard - Feature #407 (Rejected): Move to Maven central or something
https://dev.openecard.org/issues/407
2015-10-07T08:25:43Z
Tobias Wich (tobias.wich@ecsec.de)
<p>People keep having the problem that the Java truststore does not contain the StartCom CA.</p>

Open eCard - Bug #398 (Rejected): Document step in CI system fails
https://dev.openecard.org/issues/398
2015-06-25T07:58:04Z
Tobias Wich (tobias.wich@ecsec.de)
The Document step has two problems:
<ol>
<li>Android classes not found by javadoc:aggregate</li>
<li>skipping of javadoc plugin for wsdef-classes ignored</li>
</ol>

Open eCard - Feature #396 (Closed): Send certificate chain matching accepted CAs
https://dev.openecard.org/issues/396
2015-05-27T12:34:48Z
Tobias Wich (tobias.wich@ecsec.de)
<p>When performing TLS client authentication, the TLS RFCs state that the chain should not contain the issuer certificate referenced in certificate request message. Furthermore only certificates which match any of the referenced CAs may be used for the authentication.</p>
<p>For the special case where no issuer is referenced, any certificate is acceptable for the server. The Root CA certificate is excluded in that case.</p>

Open eCard - Feature #385 (Closed): Rewrite GenericCryptoSignerFinder (crypto-common), so that it...
https://dev.openecard.org/issues/385
2015-03-10T10:53:25Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The code in said class is extremely difficult to follow. It is very unclear if a connection handle represents the actual state of the card or something else. <br />The situation probably gets better by breaking down the function filterTLSCapableDIDs into smaller parts.</p>

Open eCard - Bug #382 (Closed): Failed to perform authentication with D-Trust card
https://dev.openecard.org/issues/382
2015-03-07T16:33:56Z
Tobias Wich (tobias.wich@ecsec.de)
<p>In the integrated reader there is an "unknown PC/SC error 0x458" (see ...error-0x458.log),<br />in the CyberJack wave there is a strange message "cyberJack Firewall - Kartenbefehl wird zur Sicherheit blockiert!" and<br />the app shows an error that it cannot contact the card in an exclusive mode (see ...-v3.log and d-trust-message.PNG).</p>

Open eCard - Bug #379 (Rejected): Pull in CI system fails due to mvn dependency:go-offline
https://dev.openecard.org/issues/379
2015-03-05T13:55:46Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The maven dependency plugin does not calculate the dependencies correctly. Therefore the go-offline goal fails.</p>
<p>There is a bug report for the maven dependency plugin.<br /><a class="external" href="http://jira.codehaus.org/browse/MDEP-204">http://jira.codehaus.org/browse/MDEP-204</a></p>
<p>It seems that no one is interested in fixing the issue, so we either do it ourselves, disable the go-offline task, or call mvn install instead.</p>

Open eCard - Bug #369 (Closed): Problem loading JPEG images with OpenJDK 8
https://dev.openecard.org/issues/369
2014-12-24T16:36:40Z
Tobias Wich (tobias.wich@ecsec.de)
<p>OpenJDK 8 has a bug which prevents JPEG files from being loaded with the ImageIO class.</p>
<p>As can be seen in [1] and [2], this seems to be a problem when libjpeg is built separately. [1] also provides a patch to solve the issue.</p>
<p>The problem is also reported in OpenSUSE [3]. As long as this is not fixed, the Open eCard App won't work satisfactorily, so this bug needs to stay open until the issue is fixed in the distributions.</p>
<p>[1] <a class="external" href="http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1393">http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1393</a><br />[2] <a class="external" href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760926">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760926</a><br />[3] <a class="external" href="https://bugzilla.opensuse.org/show_bug.cgi?id=905950">https://bugzilla.opensuse.org/show_bug.cgi?id=905950</a></p>

Common eID - Bug #362 (New): prodpaos.governikus-eid.de does not work with TLS_RSA_PSK_WITH_AES_2...
https://dev.openecard.org/issues/362
2014-11-13T13:16:30Z
Tobias Wich (tobias.wich@ecsec.de)
A PAOS channel cannot be established successfully with the server <a class="external" href="https://prodpaos.governikus-eid.de:443">https://prodpaos.governikus-eid.de:443</a> in case the cipher suite <code>TLS_RSA_PSK_WITH_AES_256_CBC_SHA384</code> is used. The connection attempt fails with Decryption failed (21) after the first encrypted handshake message is sent to the server.<br />Tests with the same server revealed that the following cipher suites work just fine:
<ul>
<li><code>TLS_RSA_PSK_WITH_AES_128_CBC_SHA256</code></li>
<li><code>TLS_RSA_PSK_WITH_AES_256_CBC_SHA</code></li>
</ul>
<p>This problem does not exist with the testserver at <a class="external" href="https://test.governikus-eid.de/Autent-DemoApplication/">https://test.governikus-eid.de/Autent-DemoApplication/</a>. There, the problematic cipher suite is used without any problems.</p>
<p>A build of the Open eCard App using this cipher suite can be found at <a class="external" href="https://files.ecsec.de/public.php?service=files&t=9d87270f5c9d953568db0640c7b844cb">https://files.ecsec.de/public.php?service=files&t=9d87270f5c9d953568db0640c7b844cb</a></p>

Open eCard - Feature #358 (New): Developer mode according to BSI TR-03124-1 Sec. 3.7
https://dev.openecard.org/issues/358
2014-10-14T09:46:45Z
Tobias Wich (tobias.wich@ecsec.de)
<p>BSI TR-03124-1 Sec. 3.7 defines a developer mode. The logging functionality is already implemented, but the omission of the security checks when developing is quite charming. I suggest adding a boolean variable to the OpenecardProperties and modifying the UI according to the specification. It might be wise to add the debug value to the UserConsentSpecification, so that the User Consent can decide for itself how it wants to notify the user.</p>

Open eCard - Bug #354 (New): PAOS Request Error not handled correctly
https://dev.openecard.org/issues/354
2014-10-10T08:04:01Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The PAOS 2.0 specification Sec. 9.4 states that in case of an error while processing the PAOS request, the server is not able to send a SOAP fault. The additional HTTP request should be sent by the app.</p>
<blockquote>
<p>If processing of the PAOS request message fails, the processor has no opportunity to send a SOAP Fault or any other message back to the PAOS requester. In this case it is RECOMMENDED that the user agent resubmits the HTTP request of step 1 (see Section 5), omitting any indication of PAOS support (such as the PAOS SOAP header block, or the PAOS HTTP header).</p>
</blockquote>

Open eCard - Bug #351 (Closed): Add-on Manager fails with error on shutdown
https://dev.openecard.org/issues/351
2014-09-19T08:30:41Z
Tobias Wich (tobias.wich@ecsec.de)
<pre>
2014-09-19 10:28:25,777 [AWT-EventQueue-0] ERROR org.openecard.richclient.RichClient:212 - Failed to stop Richclient.
java.lang.NullPointerException: null
 at org.openecard.addon.Cache.getAllAddonData(Cache.java:207) ~[addon-1.1.0-SNAPSHOT.jar:na]
 at org.openecard.addon.AddonManager.unloadAddon(AddonManager.java:176) ~[addon-1.1.0-SNAPSHOT.jar:na]
 at org.openecard.addon.AddonManager.unloadAllAddons(AddonManager.java:166) ~[addon-1.1.0-SNAPSHOT.jar:na]
 at org.openecard.addon.AddonManager.shutdown(AddonManager.java:391) ~[addon-1.1.0-SNAPSHOT.jar:na]
 at org.openecard.richclient.RichClient.teardown(RichClient.java:195) ~[classes/:na]
 at org.openecard.richclient.gui.AppTray.shutdown(AppTray.java:132) [classes/:na]
 at org.openecard.richclient.gui.Status$1.actionPerformed(Status.java:154) [classes/:na]
 at javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:2022) [na:1.8.0_40-internal]
 at javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2346) [na:1.8.0_40-internal]
 at javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:402) [na:1.8.0_40-internal]
 at javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:259) [na:1.8.0_40-internal]
 at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(BasicButtonListener.java:252) [na:1.8.0_40-internal]
 at java.awt.Component.processMouseEvent(Component.java:6525) [na:1.8.0_40-internal]
 at javax.swing.JComponent.processMouseEvent(JComponent.java:3322) [na:1.8.0_40-internal]
 at java.awt.Component.processEvent(Component.java:6290) [na:1.8.0_40-internal]
 at java.awt.Container.processEvent(Container.java:2234) [na:1.8.0_40-internal]
 at java.awt.Component.dispatchEventImpl(Component.java:4881) [na:1.8.0_40-internal]
 at java.awt.Container.dispatchEventImpl(Container.java:2292) [na:1.8.0_40-internal]
 at java.awt.Component.dispatchEvent(Component.java:4703) [na:1.8.0_40-internal]
 at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4898) [na:1.8.0_40-internal]
 at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4533) [na:1.8.0_40-internal]
 at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4462) [na:1.8.0_40-internal]
 at java.awt.Container.dispatchEventImpl(Container.java:2278) [na:1.8.0_40-internal]
 at java.awt.Window.dispatchEventImpl(Window.java:2739) [na:1.8.0_40-internal]
 at java.awt.Component.dispatchEvent(Component.java:4703) [na:1.8.0_40-internal]
 at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:751) [na:1.8.0_40-internal]
 at java.awt.EventQueue.access$500(EventQueue.java:97) [na:1.8.0_40-internal]
 at java.awt.EventQueue$3.run(EventQueue.java:702) [na:1.8.0_40-internal]
 at java.awt.EventQueue$3.run(EventQueue.java:696) [na:1.8.0_40-internal]
 at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_40-internal]
 at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75) [na:1.8.0_40-internal]
 at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:86) [na:1.8.0_40-internal]
 at java.awt.EventQueue$4.run(EventQueue.java:724) [na:1.8.0_40-internal]
 at java.awt.EventQueue$4.run(EventQueue.java:722) [na:1.8.0_40-internal]
 at java.security.AccessController.doPrivileged(Native Method) [na:1.8.0_40-internal]
 at java.security.ProtectionDomain$1.doIntersectionPrivilege(ProtectionDomain.java:75) [na:1.8.0_40-internal]
 at java.awt.EventQueue.dispatchEvent(EventQueue.java:721) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:201) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93) [na:1.8.0_40-internal]
 at java.awt.EventDispatchThread.run(EventDispatchThread.java:82) [na:1.8.0_40-internal]
</pre>

Open eCard - Bug #350 (Closed): Missing German translation in EAC dialog
https://dev.openecard.org/issues/350
2014-09-17T14:30:57Z
Tobias Wich (tobias.wich@ecsec.de)
<p>At least the retry counter display is not translated. Check if any other strings are missing as well and correct them.</p>

Open eCard - Feature #349 (Rejected): Implement CIF based PIN Management
https://dev.openecard.org/issues/349
2014-09-09T12:09:45Z
Tobias Wich (tobias.wich@ecsec.de)

Open eCard - Feature #348 (Rejected): Add IFD function to retrieve ATR for a slot handle
https://dev.openecard.org/issues/348
2014-09-01T10:48:37Z
Tobias Wich (tobias.wich@ecsec.de)
<p>It is often desirable to extract information from the ATR; however, this is usually not accessible due to the stateless nature of the code calling the IFD (e.g. PACE). A function where the ATR can be requested would help a lot.</p>

Open eCard - Feature #326 (Closed): Add log config to Settings GUI
https://dev.openecard.org/issues/326
2014-08-27T14:07:58Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The settings page should contain checkboxes for various log-worthy packages.</p>

Open eCard - Feature #325 (Closed): Replace EAC data structures with counterparts from Bouncy Castle
https://dev.openecard.org/issues/325
2014-08-27T13:41:13Z
Tobias Wich (tobias.wich@ecsec.de)
<p>Bouncy Castle contains some classes for EAC such as org.openecard.bouncycastle.asn1.eac.CVCertificate. These classes should be used instead of the custom ones where applicable.</p>

Open eCard - Bug #318 (Closed): TCToken TLS connection not reused for PAOS in case it is the same...
https://dev.openecard.org/issues/318
2014-07-30T17:09:13Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The specification demands that if the SP and the eID server are the same host, then the TLS connection must be reused. This is currently not the case.</p>

Common eID - Bug #317 (New): esign.eid-service.de and eid.eid-service.de hang after InitialFrame...
https://dev.openecard.org/issues/317
2014-07-14T13:05:59Z
Tobias Wich (tobias.wich@ecsec.de)
<p>The services mentioned above fail to send the next request message over the PAOS channel to the eCard Client in case the version number in the InitializeFrameworkResponse is set to the currently active version of the eCard API Framework (1.1.4) as requested in BSI TR-03112-3, Sec. 3.1.1.</p>
<p>The following log fragment shows the communication with eid.eid-service.de. After the InitializeFrameworkResponse is sent, a StartPAOSResponse is sent back after a timeout is triggered in the server. Depending on the service, the SP receives an error or is stuck as well.</p>
<pre>
2014-07-14 14:55:51,879 [PAOS] DEBUG org.openecard.transport.paos.PAOS:-1 - Message received:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns1:Envelope xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns2="urn:liberty:paos:2003-08" xmlns:ns3="urn:liberty:paos:2006-08" xmlns:ns5="http://www.w3.org/2005/03/addressing">
<ns1:Header>
<ns5:MessageID>urn:uuid9cbd01a836dbdc4776b7f2da408fa38da6b84f7f</ns5:MessageID>
<ns5:ReplyTo>
<ns5:Address>https://eid.eid-service.de:443</ns5:Address>
</ns5:ReplyTo>
<ns5:Action>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ns5:Action>
</ns1:Header>
<ns1:Body>
<ns3:InitializeFramework xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns12="http://www.w3.org/2001/04/xmlenc#" xmlns:ns13="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns14="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://paos.eidserver.openlimit.com/" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns4="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns5="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns6="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns7="http://uri.etsi.org/02231/v2.x#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#"/>
</ns1:Body>
</ns1:Envelope>
2014-07-14 14:55:51,881 [PAOS] DEBUG org.openecard.transport.httpcore.HttpUtils:-1 - HTTP Request (before adding content):
POST /?sessionid=4f184b91494fc99b9e99754f4950 HTTP/1.1
Connection: keep-alive
User-Agent: Open-eCard-App/1.1.0-SNAPSHOT
Host: eid.eid-service.de:443
PAOS: ver="urn:liberty:paos:2006-08"
Accept: text/html; application/vnd.paos+xml
2014-07-14 14:55:51,882 [PAOS] DEBUG org.openecard.transport.paos.PAOS:-1 - Message sent:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Header>
<PAOS xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" ns0:actor="http://schemas.xmlsoap.org/soap/actor/next" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" ns1:mustUnderstand="1" xmlns="urn:liberty:paos:2006-08">
<Version>urn:liberty:paos:2006-08</Version>
<EndpointReference>
<Address>http://www.projectliberty.org/2006/01/role/paos</Address>
<MetaData>
<ServiceType>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ServiceType>
</MetaData>
</EndpointReference>
</PAOS>
<ReplyTo xmlns="http://www.w3.org/2005/03/addressing">
<Address>http://www.projectliberty.org/2006/02/role/paos</Address>
</ReplyTo>
<RelatesTo xmlns="http://www.w3.org/2005/03/addressing">urn:uuid9cbd01a836dbdc4776b7f2da408fa38da6b84f7f</RelatesTo>
<MessageID xmlns="http://www.w3.org/2005/03/addressing">urn:uuid:27118a4d-6e53-4851-a77c-025a062a9c98</MessageID>
</Header>
<Body>
<ns4:InitializeFrameworkResponse xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns12="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns13="http://www.w3.org/2001/04/xmlenc#" xmlns:ns14="http://ws.openecard.org/schema" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://www.w3.org/2007/05/xmldsig-more#" xmlns:ns2="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns5="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns6="http://uri.etsi.org/02231/v2.x#" xmlns:ns7="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#">
<ns2:Result>
<ns2:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#ok</ns2:ResultMajor>
</ns2:Result>
<ns4:Version>
<ns4:Major>1</ns4:Major>
<ns4:Minor>1</ns4:Minor>
<ns4:SubMinor>4</ns4:SubMinor>
</ns4:Version>
</ns4:InitializeFrameworkResponse>
</Body>
</Envelope>
2014-07-14 14:57:32,152 [PAOS] DEBUG org.openecard.transport.httpcore.HttpUtils:-1 - HTTP Response:
HTTP/1.1 200 OK
connection: keep-alive
Content-Type: application/vnd.paos+xml
Content-Length: 1534
Date: Mon, 14 Jul 2014 12:57:30 GMT
Server: Server
<ns1:Envelope xmlns:ns2="urn:liberty:paos:2003-08" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="urn:liberty:paos:2006-08" xmlns:ns5="http://www.w3.org/2005/03/addressing"><ns1:Header><ns5:MessageID>urn:uuid2d54f801cc9f95703f9d37587924c695ad13fa17</ns5:MessageID><ns5:ReplyTo><ns5:Address>https://eid.eid-service.de:443</ns5:Address></ns5:ReplyTo><ns5:Action>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ns5:Action></ns1:Header><ns1:Body><ns4:StartPAOSResponse xmlns:ns16="http://paos.eidserver.openlimit.com/" xmlns:ns14="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#" xmlns:ns12="http://www.w3.org/2001/04/xmlenc#" xmlns:ns5="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns13="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns6="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns7="http://uri.etsi.org/02231/v2.x#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns11="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns3="http://www.bsi.bund.de/ecard/api/1.1"><ns13:Result><ns13:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error</ns13:ResultMajor><ns13:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/dp#timeout</ns13:ResultMinor><ns13:ResultMessage/></ns13:Result></ns4:StartPAOSResponse></ns1:Body></ns1:Envelope>
2014-07-14 14:57:32,154 [PAOS] DEBUG org.openecard.transport.paos.PAOS:-1 - Message received:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns1:Envelope xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns2="urn:liberty:paos:2003-08" xmlns:ns3="urn:liberty:paos:2006-08" xmlns:ns5="http://www.w3.org/2005/03/addressing">
<ns1:Header>
<ns5:MessageID>urn:uuid2d54f801cc9f95703f9d37587924c695ad13fa17</ns5:MessageID>
<ns5:ReplyTo>
<ns5:Address>https://eid.eid-service.de:443</ns5:Address>
</ns5:ReplyTo>
<ns5:Action>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ns5:Action>
</ns1:Header>
<ns1:Body>
<ns4:StartPAOSResponse xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns12="http://www.w3.org/2001/04/xmlenc#" xmlns:ns13="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns14="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://paos.eidserver.openlimit.com/" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns4="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns5="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns6="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns7="http://uri.etsi.org/02231/v2.x#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#">
<ns13:Result>
<ns13:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error</ns13:ResultMajor>
<ns13:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/dp#timeout</ns13:ResultMinor>
<ns13:ResultMessage/>
</ns13:Result>
</ns4:StartPAOSResponse>
</ns1:Body>
</ns1:Envelope>
</pre>

Common eID - Bug #316 (New): prodpaos.governikus-eid.de fails to process specification conforming ...
https://dev.openecard.org/issues/316
2014-07-14T12:41:19Z
Tobias Wich (tobias.wich@ecsec.de)
<p>Said server responds with an Internal Server Error (500) when it receives a StartPAOS message according to the specification in BSI TR-03112-7 v1.1.4, Sec. 2.6.</p>
<p>The following log containing the messages as sent to the server has been created by starting an authentication against <a class="external" href="https://www.buergerserviceportal.de/bayern/wuerzburg/public/classic/register">https://www.buergerserviceportal.de/bayern/wuerzburg/public/classic/register</a>.<br /><pre>
2014-07-14 14:27:20,623 [PAOS] WARN o.o.crypto.tls.auth.DynamicAuthentication:-1 - No certificate verifier available, skipping certificate verification.
2014-07-14 14:27:20,792 [PAOS] DEBUG org.openecard.transport.httpcore.HttpUtils:-1 - HTTP Request (before adding content):
POST /ecardpaos/paosreceiver?sessionid=d2086c14-00a4-49a5-90ca-881495f4eaa0 HTTP/1.1
Connection: keep-alive
User-Agent: Open-eCard-App/1.1.0-SNAPSHOT
Host: prodpaos.governikus-eid.de:443
PAOS: ver="urn:liberty:paos:2006-08"
Accept: text/html; application/vnd.paos+xml
2014-07-14 14:27:20,799 [PAOS] DEBUG org.openecard.transport.paos.PAOS:-1 - Message sent:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/">
<Header>
<PAOS xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/" ns0:actor="http://schemas.xmlsoap.org/soap/actor/next" xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" ns1:mustUnderstand="1" xmlns="urn:liberty:paos:2006-08">
<Version>urn:liberty:paos:2006-08</Version>
<EndpointReference>
<Address>http://www.projectliberty.org/2006/01/role/paos</Address>
<MetaData>
<ServiceType>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ServiceType>
</MetaData>
</EndpointReference>
</PAOS>
<ReplyTo xmlns="http://www.w3.org/2005/03/addressing">
<Address>http://www.projectliberty.org/2006/02/role/paos</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/03/addressing">urn:uuid:015e9b9e-c6bc-4de0-9899-716930db5d31</MessageID>
</Header>
<Body>
<iso:StartPAOS xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns12="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns13="http://www.w3.org/2001/04/xmlenc#" xmlns:ns14="http://ws.openecard.org/schema" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://www.w3.org/2007/05/xmldsig-more#" xmlns:ns2="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" xmlns:ns4="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns5="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns6="http://uri.etsi.org/02231/v2.x#" xmlns:ns7="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#" Profile="http://www.bsi.bund.de/ecard/api/1.1">
<iso:SessionIdentifier>d2086c14-00a4-49a5-90ca-881495f4eaa0</iso:SessionIdentifier>
<iso:ConnectionHandle>
<iso:ChannelHandle>
<iso:SessionIdentifier>4DYYK4LXQRBgLC6t1R_u_A</iso:SessionIdentifier>
</iso:ChannelHandle>
<iso:ContextHandle>184C653A60882185708D8B3BF9B0FE8F</iso:ContextHandle>
<iso:IFDName>REINER SCT cyberJack RFID basis 01 00</iso:IFDName>
<iso:SlotIndex>0</iso:SlotIndex>
<iso:CardApplication>3F00</iso:CardApplication>
<iso:SlotHandle>C9C73C13E993B9483397E02327D336D2</iso:SlotHandle>
<iso:RecognitionInfo>
<iso:CardType>http://bsi.bund.de/cif/npa.xml</iso:CardType>
<iso:CardIdentifier>3B8A80018031F873F741E082900075</iso:CardIdentifier>
</iso:RecognitionInfo>
</iso:ConnectionHandle>
<iso:UserAgent>
<iso:Name>Open eCard App</iso:Name>
<iso:VersionMajor>1</iso:VersionMajor>
<iso:VersionMinor>1</iso:VersionMinor>
<iso:VersionSubminor>0</iso:VersionSubminor>
</iso:UserAgent>
<iso:SupportedAPIVersions>
<iso:Major>1</iso:Major>
<iso:Minor>1</iso:Minor>
<iso:Subminor>4</iso:Subminor>
</iso:SupportedAPIVersions>
<iso:SupportedDIDProtocols>urn:oid:1.3.162.15480.3.0.14</iso:SupportedDIDProtocols>
<iso:SupportedDIDProtocols>urn:oid:1.3.162.15480.3.0.14.2</iso:SupportedDIDProtocols>
<iso:SupportedDIDProtocols>urn:oid:1.3.162.15480.3.0.25</iso:SupportedDIDProtocols>
<iso:SupportedDIDProtocols>urn:oid:1.3.162.15480.3.0.9</iso:SupportedDIDProtocols>
</iso:StartPAOS>
</Body>
</Envelope>
2014-07-14 14:27:20,890 [PAOS] DEBUG org.openecard.transport.httpcore.HttpUtils:-1 - HTTP Response:
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1799
Date: Mon, 14 Jul 2014 12:27:18 GMT
Connection: close
<html><head><title>JBoss Web/7.0.16.Final - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.lang.NullPointerException
de.bos_bremen.eid.authentication.paos.handler.AusweisAppPaosHandler.<init>(AusweisAppPaosHandler.java:49)
de.bos_bremen.eid.authentication.paos.handler.PaosHandlerFactory.tryCreateNewInstances(PaosHandlerFactory.java:161)
de.bos_bremen.eid.authentication.paos.handler.PaosHandlerFactory.newInstance(PaosHandlerFactory.java:111)
de.bos_bremen.eid.authentication.paos.PaosReceiver.doPost(PaosReceiver.java:99)
javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
de.bos_bremen.eid.server.filter.CSPFilter.doFilter(CSPFilter.java:36)
</pre></p><p><b>note</b> <u>The full stack trace of the root cause is available in the JBoss Web/7.0.16.Final logs.</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.16.Final</h3></body></html>
</pre></p>
Common eID - Bug #314 (New): StartPAOS schema differs from specification
https://dev.openecard.org/issues/314 (2014-07-10T08:26:53Z, Tobias Wich, tobias.wich@ecsec.de)
<p>The XML schema defining the StartPAOS message as delivered by the BSI (<a class="external" href="https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html">https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html</a>) differs from the definition in BSI TR-03112-7 (v1.1.4) Sec. 2.6.</p>
<p>The current schema reads as follows:<br /><pre><code class="xml syntaxhl"><element name="StartPAOS">
  <complexType>
    <complexContent>
      <extension base="iso:RequestType">
        <sequence>
          <element name="SessionIdentifier" type="string" />
          <element name="ConnectionHandle"
                   type="iso:ConnectionHandleType" maxOccurs="unbounded"
                   minOccurs="0">
          </element>
        </sequence>
      </extension>
    </complexContent>
  </complexType>
</element>
</code></pre></p>
<p>According to the specification it should be:<br /><pre><code class="xml syntaxhl"><element name="StartPAOS">
  <complexType>
    <complexContent>
      <extension base="iso:RequestType">
        <sequence>
          <element name="SessionIdentifier" type="string" />
          <element name="ConnectionHandle"
                   type="iso:ConnectionHandleType" maxOccurs="unbounded">
          </element>
          <element name="UserAgent">
            <complexType>
              <sequence>
                <element name="Name" type="string" />
                <element name="VersionMajor" type="integer" />
                <element name="VersionMinor" type="integer" />
                <element name="VersionSubminor" type="integer" minOccurs="0" />
              </sequence>
            </complexType>
          </element>
          <element name="SupportedAPIVersions" maxOccurs="unbounded">
            <complexType>
              <sequence>
                <element name="Major" type="integer" />
                <element name="Minor" type="integer" minOccurs="0" />
                <element name="Subminor" type="integer" minOccurs="0" />
              </sequence>
            </complexType>
          </element>
          <element name="SupportedDIDProtocols" type="anyURI" minOccurs="0" maxOccurs="unbounded" />
        </sequence>
      </extension>
    </complexContent>
  </complexType>
</element>
</code></pre></p>
Open eCard - Bug #313 (Closed): StartPAOS is missing UserAgent and API Version information
https://dev.openecard.org/issues/313 (2014-07-09T11:59:44Z, Tobias Wich, tobias.wich@ecsec.de)
<p>According to TR-03112-7, Sec. 2.6, the StartPAOS message must include a UserAgent and a SupportedAPIVersions element. These are missing and must be added.</p>
Open eCard - Feature #309 (Rejected): Use Jackson for JAXB Marshalling in Android
https://dev.openecard.org/issues/309 (2014-07-04T09:45:13Z, Tobias Wich, tobias.wich@ecsec.de)
<p>Android is missing JAXB support. According to this <a class="external" href="http://stackoverflow.com/questions/5461127/using-jaxb-with-google-android">http://stackoverflow.com/questions/5461127/using-jaxb-with-google-android</a> thread, it is possible to use Jackson, which supports JAXB annotations since version 1.1.<br />This wiki article <a class="external" href="http://wiki.fasterxml.com/JacksonJAXBAnnotations">http://wiki.fasterxml.com/JacksonJAXBAnnotations</a> describes how to use Jackson for this purpose.</p>
Open eCard - Feature #308 (Closed): Move CardInfo files to external resource bundle
https://dev.openecard.org/issues/308 (2014-06-30T11:59:27Z, Tobias Wich, tobias.wich@ecsec.de)
<p>This allows the CIFs to be replaced without a new build of the App.</p>
Open eCard - Bug #307 (Closed): S-Trust card not detected properly
https://dev.openecard.org/issues/307 (2014-06-10T08:01:31Z, Tobias Wich, tobias.wich@ecsec.de)
<p>The S-Trust card uses the issuer data set for its recognition. As it turns out, the different institutes use different issuers. A suitable data source for the recognition has to be found.</p>
Open eCard - Bug #297 (Closed): The minor code sal#unknownConnectionHandle is not defined for SAL...
https://dev.openecard.org/issues/297 (2014-04-14T17:35:41Z, Tobias Wich, tobias.wich@ecsec.de)
<p>The TinySAL uses the code <code>sal#unknownConnectionHandle</code> everywhere handles are processed. However, when looking at the allowed response codes, invalid parameter must be used instead.</p>
<p>Verify this for all SAL calls and replace the minor code appropriately.</p>
Common eID - Bug #296 (New): Minor result code common#invalidChannelHandle missing in TR-03112-1
https://dev.openecard.org/issues/296 (2014-04-14T16:07:21Z, Tobias Wich, tobias.wich@ecsec.de)
<p>The minor result code <code>/resultminor/al/common#invalidChannelHandle</code>, which is named in the <code>EstablishContext</code> function in sec. 3.1.1 in TR-03112-6, is not mentioned in the list of minor codes in TR-03112-1 sec. 4.2.2.</p>
<p>There is however a <code>/resultminor/al/common#unknownChannelHandle</code> with description "Invalid channel handle". I suppose those got mixed up in the different documents and one of the two should vanish.</p>