Review #192

open

Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate

Added by Detlef Hühnlein almost 9 years ago. Updated almost 8 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Specification
Start date: 03/23/2013
Due date:
% Done: 0%
Estimated time:

Files

richclient_info.log (35.6 KB) Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-Fehler.PNG (12.3 KB) Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-not-allowed-CHAT-Ausstellendes-Land.PNG (37.4 KB) Detlef Hühnlein, 04/08/2013 10:57 AM

Actions #1

Updated by Detlef Hühnlein almost 9 years ago

There is a problem with the service at http://www.personalausweisportal.de/DE/Buergerinnen-und-Buerger/Anwendungen/Finanzen/Finanzen_node.html#biw .
It seems that the application is sending an inappropriate CHAT value.

Actions #2

Updated by Detlef Hühnlein almost 9 years ago

  • Tracker changed from PartnerIssue to Bug

As the application works with the AusweisApp there seems to be a problem on our side.
Hence the change from PartnerIssue to Bug.

Actions #3

Updated by Tobias Wich almost 9 years ago

  • Assignee set to Dirk Petrautzki
  • Target version set to 1.0.2

If it has to do with the CHAT it is an EAC issue. So most probably Dirk's field.

Actions #4

Updated by Dirk Petrautzki almost 9 years ago

  • Status changed from New to Feedback

The service sends the following CHATs:
CHAT of the TA certificate: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0xD9 0x04
Required CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0x99 0x04
Optional CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x00 0x00 0x42 0x00

We are responding with
<ns2:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error</ns2:ResultMajor>
<ns2:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError</ns2:ResultMinor>
<ns2:ResultMessage xml:lang="en">java.security.GeneralSecurityException: The second CHAT is not a subset of the first one</ns2:ResultMessage>

because the Optional CHAT is not a subset of the CHAT of the TA certificate. The second last byte of the TA CHAT is 0xD9 and the second last byte of the optional CHAT is 0x42, so the 2 (0010) is not a subset of 9 (1001).

Actions #5

Updated by Detlef Hühnlein almost 9 years ago

The problematic byte 0x42 corresponds to requesting DG7 (Academic Title) and DG2 (Issuing State).
While requesting DG7 is allowed in the CHAT of the CVC, it is not allowed to request DG2.
As the AusweisApp obviously does not perform this check and BIW is not accessing DG2 the
EAC protocol is performed without further problems.

As this behaviour is probably not entirely correct, the issue is kept as PartnerIssue to
allow additional checks at BIW AG, within BSI-TR-03112-7 (Section 4.6.5) and possibly within AusweisApp.
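
The subset check discussed in comments #4 and #5, as an added example that is not part of the thread and not Open eCard or AusweisApp code. It parses the three CHATs quoted above, computes the rights requested beyond the certificate CHAT, and names them; the mapping of bits 8..28 to "Read DG1..DG21" is an assumption about the authentication terminal template that the thread confirms only for DG2 and DG7, and all function names are hypothetical.

```python
# Added example: CHAT subset check on the values quoted in comment #4.
ID_AT_OID = bytes.fromhex("04 00 7F 00 07 03 01 02 02")  # OID bytes seen in all three CHATs

# The three CHATs exactly as listed in the thread.
CERT_CHAT = bytes.fromhex("7F 4C 12 06 09 04 00 7F 00 07 03 01 02 02 53 05 00 01 01 D9 04")
REQUIRED_CHAT = bytes.fromhex("7F 4C 12 06 09 04 00 7F 00 07 03 01 02 02 53 05 00 01 01 99 04")
OPTIONAL_CHAT = bytes.fromhex("7F 4C 12 06 09 04 00 7F 00 07 03 01 02 02 53 05 00 00 00 42 00")


def parse_chat(chat: bytes) -> int:
    """Return the 5-byte authorization template (tag 53) as an integer."""
    if len(chat) < 3 or chat[:2] != b"\x7f\x4c" or chat[2] != len(chat) - 3:
        raise ValueError("expected tag 7F4C with a one-byte length")
    body = chat[3:]
    if len(body) < 2 or body[0] != 0x06 or body[2:2 + body[1]] != ID_AT_OID:
        raise ValueError("unexpected terminal type OID")
    rest = body[2 + body[1]:]
    if len(rest) != 7 or rest[0] != 0x53 or rest[1] != 5:
        raise ValueError("expected 5 bytes of discretionary data (tag 53)")
    return int.from_bytes(rest[2:], "big")


def excess_rights(cert: bytes, requested: bytes) -> int:
    """Bits set in `requested` but not in `cert`; 0 means it is a subset."""
    return parse_chat(requested) & ~parse_chat(cert)


def describe(mask: int) -> list:
    """Name the set bits, highest first. Assumption: bits 8..28 are Read DG1..DG21."""
    return [f"Read DG{bit - 7}" if 8 <= bit <= 28 else f"bit {bit}"
            for bit in range(39, -1, -1) if mask >> bit & 1]


if __name__ == "__main__":
    for name, chat in (("Required", REQUIRED_CHAT), ("Optional", OPTIONAL_CHAT)):
        extra = excess_rights(CERT_CHAT, chat)
        verdict = "subset" if extra == 0 else f"NOT a subset, excess: {describe(extra)}"
        print(f"{name} CHAT requests {describe(parse_chat(chat))}: {verdict}")
```

Reporting the excess bits by name, rather than only the fact that the check failed, gives the service operator the exact right to remove from the request.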

Actions #6

Updated by Tobias Wich almost 9 years ago

  • Target version deleted (1.0.2)
Actions #7

Updated by Detlef Hühnlein almost 8 years ago

  • Tracker changed from PartnerIssue to Review
  • Project changed from Open eCard to Common eID
  • Category set to Specification
  • Status changed from Feedback to New
  • Assignee deleted (Dirk Petrautzki)