Review #192
openProblem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate
0%
Files
Updated by Detlef Hühnlein over 11 years ago
There is a problem with the service at http://www.personalausweisportal.de/DE/Buergerinnen-und-Buerger/Anwendungen/Finanzen/Finanzen_node.html#biw .
It seems that the application is sending an inappropriate CHAT value.
Updated by Detlef Hühnlein over 11 years ago
- Tracker changed from PartnerIssue to Bug
As the application works with the AusweisApp there seems to be a problem on our side.
Hence the change from PartnerIssue to Bug.
Updated by Tobias Wich over 11 years ago
- Assignee set to Dirk Petrautzki
- Target version set to 1.0.2
If it has to do with the CHAT it is an EAC issue. So most probably Dirk's field.
Updated by Dirk Petrautzki over 11 years ago
- Status changed from New to Feedback
The service sends the following CHATs:
CHAT of the TA certificate: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0xD9 0x04
Required CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0x99 0x04
Optional CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x00 0x00 0x42 0x00
We are responding with
<ns2:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error</ns2:ResultMajor>
<ns2:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError</ns2:ResultMinor>
<ns2:ResultMessage xml:lang="en">java.security.GeneralSecurityException: The second CHAT is not a subset of the first one</ns2:ResultMessage>
because the Optional CHAT is not a subset of the CHAT of the TA certificate. The second last byte of the TA CHAT is 0xD9 and the second last byte of the optional CHAT is 0x42, so the 2 (0010) is not a subset of 9 (1001).
Updated by Detlef Hühnlein over 11 years ago
- File BIW-not-allowed-CHAT-Ausstellendes-Land.PNG BIW-not-allowed-CHAT-Ausstellendes-Land.PNG added
- Tracker changed from Bug to PartnerIssue
- Subject changed from Problem with Service of BIW AG to Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate
The problematic byte 0x42 corresponds to requesting DG7 (Academic Title) and DG2 (Issuing State).
While requesting DG7 is allowed in the CHAT of the CVC, it is not allowed to request DG2.
As the AusweisApp obviously does not perform this check and BIW is not accessing DG2 the
EAC protocol is performed without further problems.
As this behaviour is probably not entirely correct, the issue is kept as PartnerIssue to
allow additional checks at BIW AG, within BSI-TR-03112-7 (Section 4.6.5) and possibly within AusweisApp.
Updated by Detlef Hühnlein over 10 years ago
- Tracker changed from PartnerIssue to Review
- Project changed from Open eCard to Common eID
- Category set to Specification
- Status changed from Feedback to New
- Assignee deleted (
Dirk Petrautzki)