Review #192: Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate - Common eID - Open eCard Development Center

Actions

Copy link

Review #192

open

Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate

Added by Detlef Hühnlein about 11 years ago. Updated about 10 years ago.

Status:

New

Priority:

Normal

Assignee:

Category:

Specification

Start date:

03/23/2013

Due date:

% Done:

Estimated time:

Files

Download all files

richclient_info.log (35.6 KB) richclient_info.log		Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-Fehler.PNG (12.3 KB) BIW-Fehler.PNG		Detlef Hühnlein, 03/23/2013 02:46 PM
BIW-not-allowed-CHAT-Ausstellendes-Land.PNG (37.4 KB) BIW-not-allowed-CHAT-Ausstellendes-Land.PNG		Detlef Hühnlein, 04/08/2013 10:57 AM

History
Notes
Property changes

Actions

Copy link

Updated by Detlef Hühnlein about 11 years ago

There is a problem with the service at http://www.personalausweisportal.de/DE/Buergerinnen-und-Buerger/Anwendungen/Finanzen/Finanzen_node.html#biw .
It seems that the application is sending an inappropriate CHAT value.

Actions

Copy link

Updated by Detlef Hühnlein about 11 years ago

Tracker changed from PartnerIssue to Bug

As the application works with the AusweisApp there seems to be a problem on our side.
Hence the change from PartnerIssue to Bug.

Actions

Copy link

Updated by Tobias Wich about 11 years ago

Assignee set to Dirk Petrautzki
Target version set to 1.0.2

If it has to do with the CHAT it is an EAC issue. So most probably Dirk's field.

Actions

Copy link

Updated by Dirk Petrautzki about 11 years ago

Status changed from New to Feedback

The service sends the following CHATs:
CHAT of the TA certificate: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0xD9 0x04
Required CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x01 0x01 0x99 0x04
Optional CHAT: 0x7F 0x4C 0x12 0x06 0x09 0x04 0x00 0x7F 0x00 0x07 0x03 0x01 0x02 0x02 0x53 0x05 0x00 0x00 0x00 0x42 0x00

We are responding with
<ns2:ResultMajor>http://www.bsi.bund.de/ecard/api/1.1/resultmajor#error</ns2:ResultMajor>
<ns2:ResultMinor>http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError</ns2:ResultMinor>
<ns2:ResultMessage xml:lang="en">java.security.GeneralSecurityException: The second CHAT is not a subset of the first one</ns2:ResultMessage>

because the Optional CHAT is not a subset of the CHAT of the TA certificate. The second last byte of the TA CHAT is 0xD9 and the second last byte of the optional CHAT is 0x42, so the 2 (0010) is not a subset of 9 (1001).

Actions

Copy link

Updated by Detlef Hühnlein about 11 years ago

File BIW-not-allowed-CHAT-Ausstellendes-Land.PNG BIW-not-allowed-CHAT-Ausstellendes-Land.PNG added
Tracker changed from Bug to PartnerIssue
Subject changed from Problem with Service of BIW AG to Problem with Service of BIW AG / Add note in specification how to handle RequiredCHAT/OptionalCHAT which is no subset of the CHAT within the certificate

The problematic byte 0x42 corresponds to requesting DG7 (Academic Title) and DG2 (Issuing State).
While requesting DG7 is allowed in the CHAT of the CVC, it is not allowed to request DG2.
As the AusweisApp obviously does not perform this check and BIW is not accessing DG2 the
EAC protocol is performed without further problems.

As this behaviour is probably not entirely correct, the issue is kept as PartnerIssue to
allow additional checks at BIW AG, within BSI-TR-03112-7 (Section 4.6.5) and possibly within AusweisApp.

Actions

Copy link