Project

General

Profile

Actions
Copy link

Review #192

open

Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate

Added by Detlef Hühnlein about 11 years ago. Updated about 10 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Specification
Start date:
03/23/2013
Due date:
% Done:

0%

Estimated time:

Files

Download all files
richclient_info.log (35.6 KB) richclient_info.log Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-Fehler.PNG (12.3 KB) BIW-Fehler.PNG Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-not-allowed-CHAT-Ausstellendes-Land.PNG (37.4 KB) BIW-not-allowed-CHAT-Ausstellendes-Land.PNG Detlef Hühnlein, 04/08/2013 10:57 AM
Actions
Copy link
 #1

Updated by Detlef Hühnlein about 11 years ago

There is a problem with the service at http://www.personalausweisportal.de/DE/Buergerinnen-und-Buerger/Anwendungen/Finanzen/Finanzen_node.html#biw .
It seems that the application is sending an inappropriate CHAT value.

Actions
Copy link
 #2

Updated by Detlef Hühnlein about 11 years ago

  • Tracker changed from PartnerIssue to Bug

As the application works with the AusweisApp there seems to be a problem on our side.
Hence the change from PartnerIssue to Bug.

Actions
Copy link
 #3

Updated by Tobias Wich about 11 years ago

  • Assignee set to Dirk Petrautzki
  • Target version set to 1.0.2

If it has to do with the CHAT it is an EAC issue. So most probably Dirk's field.

Actions
Copy link
 #4

Updated by Dirk Petrautzki about 11 years ago

  • Status changed from New to Feedback

The service sends the following CHATs:
CHAT of the TA certificate: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0xD9 0x04
Required CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0x99 0x04
Optional CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x00 0x00 0x42 0x00

We are responding with
<ns2:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error&lt;/ns2:ResultMajor>
<ns2:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError&lt;/ns2:ResultMinor>
<ns2:ResultMessage xml:lang="en">java.security.GeneralSecurityException: The second CHAT is not a subset of the first one</ns2:ResultMessage>

because the Optional CHAT is not a subset of the CHAT of the TA certificate. The second last byte of the TA CHAT is 0xD9 and the second last byte of the optional CHAT is 0x42, so the 2 (0010) is not a subset of 9 (1001).

Actions
Copy link
 #5

Updated by Detlef Hühnlein about 11 years ago

The problematic byte 0x42 corresponds to requesting DG7 (Academic Title) and DG2 (Issuing State).
While requesting DG7 is allowed in the CHAT of the CVC, it is not allowed to request DG2.
As the AusweisApp obviously does not perform this check and BIW is not accessing DG2 the
EAC protocol is performed without further problems.

As this behaviour is probably not entirely correct, the issue is kept as PartnerIssue to
allow additional checks at BIW AG, within BSI-TR-03112-7 (Section 4.6.5) and possibly within AusweisApp.

Actions
Copy link
 #6

Updated by Tobias Wich about 11 years ago

  • Target version deleted (1.0.2)
Actions
Copy link
 #7

Updated by Detlef Hühnlein about 10 years ago

  • Tracker changed from PartnerIssue to Review
  • Project changed from Open eCard to Common eID
  • Category set to Specification
  • Status changed from Feedback to New
  • Assignee deleted (Dirk Petrautzki)
Actions
Copy link

Also available in: Atom PDF