
Bug #412

Transport PIN error not displayed to the user

Added by Mehdi Sadeghi about 3 years ago. Updated about 3 years ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
Start date:
11/29/2015
Due date:
% Done:

0%

Reviewer:
Build Version:

Description

Hello,

I use Debian and tried to use Open eCard, but I always get an error at the end of the process: "*org.xml.sax.SAXParseException; lineNumber:1; columnNumber:1;Premature end of file.*".
I tried fetching the current code from GitHub and compiled it myself, but I still get the error. I tried with OpenJDK 1.8, 1.7 and OracleJDK 8, always the same problem.

And once more, everything in English!
I am trying to use the eID card on Linux. I have a "*REINER SCT cyberJack RFID basis 00 00*" reader for which I have installed the driver separately, and I think it works fine because I can see reader and card related information in the terminal using the opensc-tool --list-readers and pcsc_scan commands. I start the java project either by clicking on the downloaded jnlp file (which has installed an icon on my desktop and loads in background) or by running the RichClient from the terminal:

java -jar /home/mehdi/.m2/repository/org/openecard/clients/richclient/1.1.1/richclient-1.1.1-bundle-cifs.jar

After running the client I try to login using for example https://openid.internet-sicherheit.de/ or other similar websites. The browser launches the local java application, I see the java app, then I enter my PIN (it does not accept wrong pin) and after processing I get the error.

Could you please help me to solve this problem? I might be able to fix the bug, but I am not familiar with the project.

Screenshot from 2015-11-29 10-55-38.png (23.1 KB) Mehdi Sadeghi, 11/29/2015 10:56 AM

richclient_info.log (8.94 KB) Mehdi Sadeghi, 11/29/2015 01:37 PM

ignore_ns.png (28.5 KB) Tobias Wich, 12/01/2015 04:57 AM

richclient_info.log (41.1 KB) Mehdi Sadeghi, 12/02/2015 11:44 AM

Screenshot from 2015-12-02 11-39-55.png - Settings dialog (34.8 KB) Mehdi Sadeghi, 12/02/2015 11:44 AM

Screenshot from 2015-12-02 11-40-20.png - SOAP/JAXB error message (18.7 KB) Mehdi Sadeghi, 12/02/2015 11:44 AM

richclient_info.log - Using stage branch's latest build (52.1 KB) Mehdi Sadeghi, 12/02/2015 03:22 PM

error.log (10.1 KB) Mehdi Sadeghi, 12/12/2015 09:05 PM


Related issues

Related to Feature #404: Add error note in EAC dialog if the pin was entered wrong the first time. Closed 07/23/2015

History

#1 Updated by Mehdi Sadeghi about 3 years ago

I have attached the correct screenshot.

#2 Updated by Mehdi Sadeghi about 3 years ago

  • File deleted (Screenshot from 2015-11-29 10-50-43.png)

#3 Updated by Tobias Wich about 3 years ago

Can you please provide a clean log file (~/.openecard/logs/richclient_info.log) using the latest version from the stage branch?

#4 Updated by Mehdi Sadeghi about 3 years ago

Here is a just created fresh log file using the stage branch.

#5 Updated by Tobias Wich about 3 years ago

  • Status changed from New to Feedback

The error is caused by invalid messages sent by the eID Server as described here (page is written in German).
The settings dialog of the Open eCard App provides an option "Ignore Namespaces" to accept the schema violation. This bug in the Governikus server has been known for more than a year now.
Due to the compliance with the eCard specifications it was decided that the Open eCard App by default rejects such invalid messages.

I created a patch which improves the error message slightly, however the real cause can not be displayed so easily. The PAOS part only evaluates the responses from the server, not the messages sent to it. According to this, a failure to evaluate the EAC2Input message does not terminate the process. After receiving an EAC2Output message indicating an error, the eID Server should reply with a StartPAOSResponse terminating the procedure, which does not happen. Instead the connection is terminated, leading to the error reading the XML message.

#6 Updated by Mehdi Sadeghi about 3 years ago

I got the latest code and tried everything again. I see, while repeating the process, that a new error message appears. However, the basic problem remains unchanged: I can not use the card to confirm my identity. I also noticed that the same problem happens if I try to login to www.tk.de. I also tried http://service-bw.de/zfinder-bw-web/welcome.do?showMsbwDetails=1 which raises another error, for which I will open another issue.

So, is there any workaround for this problem to let me use my card for the first time? :)

#7 Updated by Tobias Wich about 3 years ago

As I said in my last post, there is an option called "Ignore Namespace" in the settings dialog which disables the XML Schema validation of the incoming messages and returns the elements values even if the namespaces do not match. I highlighted the option in the attached screenshot.

#8 Updated by Mehdi Sadeghi about 3 years ago

  • Assignee deleted (Tobias Wich)

I am using gnome-shell and this dialog does not appear at all. I tried at work and there is an icon in windows system tray which has a right click entry that opens the settings dialog. However, I found no way to open settings on my Debian box. Is there any settings file that I can change this value there or is there any command line flag for that? Any alternative way to set that flag is welcome.

#9 Updated by Mehdi Sadeghi about 3 years ago

Good news is, I was able to get to the settings dialog using the "GNOME on Wayland" option in the login screen and switching to OracleJDK using the update-java-alternatives tool (I don't know which one made it possible to see the dialog).

Bad news is, nothing has changed. I have attached two screenshots and one log file. I hope we can get further and I am looking forward to applying your workaround and fixes.

Small Update:
I can confirm that legacy.ignore_ns=true is written to the ~/.openecard/openecard.properties.

#10 Updated by Detlef Hühnlein about 3 years ago

  • Assignee set to Antonio González Robles
  • Tracker changed from Bug to PartnerIssue

As the service at https://openid.internet-sicherheit.de/ seems to have multiple (more or less major) deviations from the relevant BSI-specification,
I would recommend to get in contact with the colleagues at https://openid.internet-sicherheit.de/sites/index.jsp?site=Contact.jsp and/or
http://www.governikus.com/de/impressum/5982851.

We are always keen to support the community, but I fear that we are not able to fix all the well known problems in proprietary software components.
Thanks for your understanding. BR, Detlef

#11 Updated by Tobias Wich about 3 years ago

Mehdi Sadeghi wrote:

Good news is, I was able to get to the settings dialog using the "GNOME on Wayland" option in the login screen and switching to OracleJDK using the update-java-alternatives tool (I don't know which one made it possible to see the dialog).

It would be good to have a separate issue opened for that. Was there a relevant error logged when pressing the settings button in the status screen?

Bad news is, nothing has changed. I have attached two screenshots and one log file. I hope we can get further and I am looking forward to applying your workaround and fixes.

Small Update:
I can confirm that legacy.ignore_ns=true is written to the ~/.openecard/openecard.properties.

I seem to have misinterpreted the error message. I pushed a patch to the stage branch which fixes a problem with the certificate chain building. If that does not help, please log more details, especially the PAOS and EAC related info.

#12 Updated by Mehdi Sadeghi about 3 years ago

Tobias Wich wrote:

Mehdi Sadeghi wrote:

Good news is, I was able to get to the settings dialog using the "GNOME on Wayland" option in the login screen and switching to OracleJDK using the update-java-alternatives tool (I don't know which one made it possible to see the dialog).

It would be good to have a separate issue opened for that. Was there a relevant error logged when pressing the settings button in the status screen?

I didn't get any errors while using settings. Moreover it seems that settings are stored properly.

Bad news is, nothing has changed. I have attached two screenshots and one log file. I hope we can get further and I am looking forward to applying your workaround and fixes.

Small Update:
I can confirm that legacy.ignore_ns=true is written to the ~/.openecard/openecard.properties.

I seem to have misinterpreted the error message. I pushed a patch to the stage branch which fixes a problem with the certificate chain building. If that does not help, please log more details, especially the PAOS and EAC related info.

I pulled your commit and rebuilt the project. I also enabled logging for EAC and PAOS in the settings. This time I tried to register on skidentity.de (which is listed on the openecard website). I got an authentication failed error; the log message is attached. Please let me know whether you have a test site for testing the services.

#13 Updated by Tobias Wich about 3 years ago

Mehdi Sadeghi wrote:

Tobias Wich wrote:

Mehdi Sadeghi wrote:

Good news is, I was able to get to the settings dialog using the "GNOME on Wayland" option in the login screen and switching to OracleJDK using the update-java-alternatives tool (I don't know which one made it possible to see the dialog).

It would be good to have a separate issue opened for that. Was there a relevant error logged when pressing the settings button in the status screen?

I didn't get any errors while using settings. Moreover it seems that settings are stored properly.

I referred to the problem to open the settings.

Bad news is, nothing has changed. I have attached two screenshots and one log file. I hope we can get further and I am looking forward to applying your workaround and fixes.

Small Update:
I can confirm that legacy.ignore_ns=true is written to the ~/.openecard/openecard.properties.

I seem to have misinterpreted the error message. I pushed a patch to the stage branch which fixes a problem with the certificate chain building. If that does not help, please log more details, especially the PAOS and EAC related info.

I pulled your commit and rebuilt the project. I also enabled logging for EAC and PAOS in the settings. This time I tried to register on skidentity.de (which is listed on the openecard website). I got an authentication failed error; the log message is attached. Please let me know whether you have a test site for testing the services.

The log does not contain any information regarding EAC and PAOS besides the already known error. Please use level debug.

#14 Updated by Mehdi Sadeghi about 3 years ago

  • Tracker changed from PartnerIssue to Bug
  • File error.log added

Today, I tried the latest code another time. I have attached the error log. I tried setting the level to debug; if it is still not at debug level, please send me the values to put directly into the openecard.properties file (instead of setting them in the GUI). Working with flat text files is much easier than GUIs, right?

Moreover, I changed the status to Bug, since the errors happen with MULTIPLE providers listed on your website and not only with the initial one that I had tried with.

#15 Updated by Mehdi Sadeghi about 3 years ago

I think I realized the problem. Since this is the first time that I am using my eCard, it is still on the initial 5 digit password. After changing the pin to a 6 digit one, I am able to use the application. However, openecard, if possible, should inform the user about this issue and ask her to change the initial password, or, show an exclusive error message about this problem.

#16 Updated by Tobias Wich about 3 years ago

  • Subject changed from Premature end of file Fehler to Transport PIN error not displayed to the user
  • Status changed from Feedback to In Progress
  • Assignee changed from Antonio González Robles to Tobias Wich
  • Target version set to 1.3.0

The German eID was designed in a way that it is not possible to differentiate between the transport and activated state. The only option for the citizen is to read the letter he receives and set the PIN prior to using his card.
It would be worth evaluating the PACE response further to see whether this problem can be determined more precisely.

Here is an excerpt from the Card Info file which illustrates what is possible.

The status of the PIN may be determined using the MSE.Set AT
command (cf. [EAC2], Section B.11.1.):
CL ='00'
INS='22' - MSE
P1 ='C1'
P2 ='A4' - PACE
Lc ='0F' - Length of Data field
Data = '800A04007F00070202040202830103'
- 80 0A 04 00 7F 00 07 02 02 04 02 02 - PACE-Protocol-OID
(id-PACE-ECDH-GM-AES-CBC-CMAC-128 (0 4 0 127 0 7 2 2 4 2 2))
- 83 01 03 - PACE Key Reference
The corresponding Response-APDUs indicate the state of the PIN:
(1) 9000 - activated with RC=3
(2) 63C2 - activated with RC=2
(3) 63C1 - suspended with RC=1
(will become resumed after entry of the CAN)
(4) 6283 - deactivated
(will become activated after activation; this state requires new state recognition)
(5) 63C0 - blocked (RC=0)
Note that the PIN may be in a specific transport mode, in which a 5 character secret needs
to be entered and changed to a regular PIN which is 6 characters long. As it is not possible
to recognize that the PIN is in this specific transport mode there is no separate state or
differential identity for this purpose.
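The APDU and status-word table in the CardInfo excerpt above, worked through as an added example (not Open eCard code): it builds the MSE:Set AT command from the excerpt, decodes the listed response status words into a PIN state and retry counter, and derives the user-facing hint discussed in this issue. The function names, the `PinState` enum and the hint wording are assumptions of this example; the OID, key reference and status words are those in the excerpt.

```python
# Added example, not Open eCard code. Builds the MSE:Set AT APDU quoted in the
# CardInfo excerpt and maps the card's status word to a PIN state. Note that the
# transport-PIN state is deliberately NOT distinguishable from the excerpt's
# states, so the best a client can do is adjust the message after a failed entry.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# id-PACE-ECDH-GM-AES-CBC-CMAC-128 (0 4 0 127 0 7 2 2 4 2 2), DER-encoded as in
# the excerpt's Data field (tag 80, length 0A).
PACE_ECDH_GM_AES_CBC_CMAC_128 = bytes.fromhex("04007F00070202040202")
PIN_KEY_REFERENCE = 0x03  # PACE key reference '83 01 03' for the PIN


def build_mse_set_at(protocol_oid: bytes = PACE_ECDH_GM_AES_CBC_CMAC_128,
                     key_ref: int = PIN_KEY_REFERENCE) -> bytes:
    """Return the MSE:Set AT command APDU: CLA 00, INS 22, P1 C1, P2 A4, Lc, Data."""
    data = bytes([0x80, len(protocol_oid)]) + protocol_oid + bytes([0x83, 0x01, key_ref])
    return bytes([0x00, 0x22, 0xC1, 0xA4, len(data)]) + data


class PinState(Enum):  # hypothetical enum for this example
    ACTIVATED = "activated"
    SUSPENDED = "suspended"      # RC=1, resumed after entry of the CAN
    DEACTIVATED = "deactivated"
    BLOCKED = "blocked"          # RC=0
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class PinStatus:
    state: PinState
    retry_counter: Optional[int]


def decode_pin_status(sw: bytes) -> PinStatus:
    """Map the 2-byte response status word to the states listed in the excerpt."""
    if len(sw) != 2:
        raise ValueError("status word must be exactly 2 bytes")
    sw1, sw2 = sw
    if (sw1, sw2) == (0x90, 0x00):
        return PinStatus(PinState.ACTIVATED, 3)          # (1) 9000
    if (sw1, sw2) == (0x62, 0x83):
        return PinStatus(PinState.DEACTIVATED, None)     # (4) 6283
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:             # 63Cx: x = retry counter
        rc = sw2 & 0x0F
        if rc == 0:
            return PinStatus(PinState.BLOCKED, 0)        # (5) 63C0
        if rc == 1:
            return PinStatus(PinState.SUSPENDED, 1)      # (3) 63C1
        return PinStatus(PinState.ACTIVATED, rc)         # (2) 63C2
    return PinStatus(PinState.UNKNOWN, None)


def hint_after_failed_pin(before: PinStatus, after: PinStatus) -> str:
    """Choose the message shown after a rejected PIN, as suggested in this issue.

    The card answers identically whether a 6-digit PIN or the 5-digit transport
    PIN is in use, so the transport-PIN possibility can only be hinted at when
    the retry counter drops from 3 to 2 on the first wrong entry.
    """
    if after.state is PinState.BLOCKED:
        return "PIN is blocked (RC=0)."
    if after.state is PinState.SUSPENDED:
        return "PIN is suspended (RC=1); the CAN must be entered before the next attempt."
    if before.retry_counter == 3 and after.retry_counter == 2:
        return ("Wrong PIN (RC=2). If this card has never been used, it may still "
                "carry the 5-digit transport PIN: set a 6-digit PIN first.")
    return f"Wrong PIN (RC={after.retry_counter})."


if __name__ == "__main__":
    print(build_mse_set_at().hex())
    # Constructed status words, not read from a real card.
    first, second = decode_pin_status(bytes.fromhex("9000")), decode_pin_status(bytes.fromhex("63C2"))
    print(hint_after_failed_pin(first, second))
```

The APDU builder reproduces the excerpt's command byte for byte (Lc = 0F for the 15-byte data field), and the decoder keys on the `63Cx` pattern so the retry counter is read from the low nibble rather than from a fixed table.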

#17 Updated by Detlef Hühnlein about 3 years ago

It would be worth evaluating the PACE response further to see whether this problem can be determined more precisely.

Unfortunately, the responses are the same as this behaviour is considered to be a security feature. The only option is to change the displayed message after the first wrong pin entry and to provide a clear hint to the user that he should consider being in the transport pin mode.

#18 Updated by Tobias Wich about 3 years ago

The issue is that there seems to be no proper evaluation of the 'Wrong PIN' result. As stated in comment 12, the App displays "authentication failed", which is too general to recognize the problem, not even that it is related to a wrong PIN.

#19 Updated by Tobias Wich about 1 year ago

  • Related to Feature #404: Add error note in EAC dialog if the pin was entered wrong the first time. added
