Project

General

Profile

Bug #706

DATEV Arbeitnehmer online Login fails

Added by Chris Vogel 7 months ago. Updated 7 months ago.

Status:
Solved
Priority:
Normal
Target version:
Start date:
11/28/2018
Due date:
% Done:

100%

Reviewer:
Build Version:

Description

Login to https://www.datev.de/ano/ used to work with Open eCard (Version I used to load directly from the webpage).

Since Version 1.3.0 (locally installed on Ubuntu 16.04LTS) the login to DATEV Arbeitnehmer online using my Personalausweis fails with the appended error message ("Die Authentifizierung ist fehlgeschlagen! Der folgende Fehler wurde vom Sytem zurückgegeben: Die Schema-Prüfung einer PAOS-Nachricht ist fehlgeschlagen. Aus Sicherheitsgründen wird empfohlen, die Chipkarte vom Kartenleser zu entfernen.")

My installation seems to work generally since I can successfully login to https://epetitionen.bundestag.de using my Personalausweis.

Bildschirmfoto von »2018-11-28 11-03-58«.png (26.2 KB) Chris Vogel, 11/28/2018 12:05 PM

datev_eid_validation_errors.log Magnifier (10.5 KB) Tobias Wich, 11/28/2018 06:49 PM

History

#1 Updated by Tobias Wich 7 months ago

Thank you for the report. There is a problem in the schema validation of the legacy InitializeFramework which is defined in a different XML schema than all the other eCard messages. The problem is fixed is published on github. The problem did not show up during testing due to, let's say an interpretation of the schema, in the eID-Client Testbed.

However after fixing this problem in the client, shortcomings in the eID server became apparent (see attached log).

Unfortunately these violations of the XML schema must be fixed in the eID-Server, so the only option is to disable the Schema Validation for now in the settings dialog. This also fixes the validation error in the app, so you don't have to wait for a new release before you can use the app with the DATEV Ano service.

#2 Updated by Chris Vogel 7 months ago

  • % Done changed from 0 to 100

Thanks, works without validation. If the changes on github do not work I'll reopen the ticket

#3 Updated by Tobias Wich 7 months ago

  • Assignee set to Detlef Hühnlein

As I said this only fixes the validation of the first message (InitializeFramework) whose schema definitions were not loaded by the Validator component. The eID Server used by DATEV is sending invalid messages afterwards.
That means in order for the DATEV service to work with message validation enabled, the DATEV server must be fixed.

@Detlef, can you take care of communicating the issue to DATEV? I can provide a build with the current fix, so that the error shown below can be triggered.

The next error that occurs is this one:

2018-12-02 11:36:32,598+01 [PAOS] DEBUG org.openecard.transport.paos.PAOS:224 - Message received:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns2:Envelope xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="urn:liberty:paos:2006-08" xmlns:ns4="urn:liberty:paos:2003-08" xmlns:ns5="http://www.w3.org/2005/03/addressing">
  <ns2:Header>
    <ns5:MessageID>urn:uuidaa1975d2c33c2207e1dd23922037e13e2f2bb4e2</ns5:MessageID>
    <ns5:ReplyTo>
      <ns5:Address>https://npa.datev.de:443</ns5:Address>
    </ns5:ReplyTo>
    <ns5:Action>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ns5:Action>
  </ns2:Header>
  <ns2:Body>
    <ns4:DIDAuthenticate xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="http://www.w3.org/2001/04/xmlenc#" xmlns:ns12="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns13="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns14="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://paos.eidserver.openlimit.com/" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns4="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns5="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns6="http://uri.etsi.org/02231/v2.x#" xmlns:ns7="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#">
      <ns4:ConnectionHandle>
        <ns4:SlotHandle>24586A2D1879CB5B2535AD8BFA8295E5CFFE58066FC09238</ns4:SlotHandle>
      </ns4:ConnectionHandle>
      <ns4:DIDName>PIN</ns4:DIDName>
      <ns4:AuthenticationProtocolData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns4:EAC1InputType">
        <ns4:Certificate>7F218201487F4E8201005F2901004210444544566549444454523130313433357F494F060A04007F000702020202038641049079E9BB22C83AA9DF75FB81476E8A16FD6DB4C8F99FF8EE980F75AD63B3FE110341362898960E0FA92199F83A7FB7234AED222D895D2F3914F8F4FF042DD9125F200E4445303030303032343030324F4C7F4C12060904007F000703010202530500010098045F25060108010200025F2406010801020003655E732D060904007F00070301030280204EF8D6C9E2175EE26E5398094D9D7232848ECEF692F244E4F3A0D90F87350832732D060904007F00070301030180201F4D8F617C8DE679EB89EF1CA230912CB537DC567201F54384DEEC923D69A2135F37402F5422B347159F0F22CF18C3E3894E7295F4D249F0973A754142D93C7CDB86749A5B0AD8F51E47D6324D3AA34263AB3E96EAF517ECA76D84FDFF60D9A5C3E7D9</ns4:Certificate>
        <ns4:Certificate>7F2181E77F4E81A05F290100420E44454356434165494430303130357F494F060A04007F00070202020203864104050EADC2E783AA255B5983CE76FD386A01D81B1EE349722B1EC77BE5716144E149BA10499DF64559C10C81474BF218158C4C00B4173A3238B91D5CA14E010E0C5F2010444544566549444454523130313433357F4C12060904007F0007030102025305400513FF975F25060108000902085F24060108010202075F37403D15CDF1CB540C9237694A569F9E1A2464B502848B3A8171B0274153E1CC517C403D7B8232A181DE28327526B0B1A119A7A883589E57EAA4C53D188BFFC052A2</ns4:Certificate>
        <ns4:CertificateDescription>30820340060A04007F00070301030101A10E0C0C442D547275737420476D6248A2181316687474703A2F2F7777772E642D74727573742E6E6574A30A0C084441544556206547A41A131868747470733A2F2F736563757265362E64617465762E6465A58202500C82024C4E616D652C20416E7363687269667420756E6420452D4D61696C2D4164726573736520646573204469656E737465616E626965746572733A0D0A44415445562065470D0A5061756D676172746E65727374722E20362D31340D0A3930343239204EC3BC726E626572670D0A696E666F4064617465762E64650D0A0D0A4765736368C3A46674737A7765636B3A0D0A2D20496E746567726174696F6E20696E20646173204964656E746974792D20756E64204163636573734D616E6167656D656E742053797374656D20646572204441544556207A756D2053636875747A20646573205A7567726966667320617566204F6E6C696E652062657265697467657374656C6C74652070657273C3B66E6C6963686520446174656E2C20496E666F726D6174696F6E656E20756E6420426573636865696E6967756E67656E202D0D0A0D0A48696E7765697320617566206469652066C3BC722064656E204469656E737465616E626965746572207A757374C3A46E646967656E205374656C6C656E2C20646965206469652045696E68616C74756E672064657220566F7273636872696674656E207A756D20446174656E73636875747A206B6F6E74726F6C6C696572656E3A0D0A4261796572697363686573204C616E646573616D742066C3BC7220446174656E73636875747A61756673696368740D0A50726F6D656E6164652032370D0A393135323220416E73626163680D0A303938312F35332D313330300D0A706F73747374656C6C65406C64612E62617965726E2E64650D0A7777772E6C64612E62617965726E2E64650D0AA7818B318188042041F0F0962834FE9D54A4FC8F302C58A1634BF8C50569E96691F634F44AF18C0C0420776DA36DB0AAD8EC560857835284CDCEE47D7DC2620420FCD08AE464B4E2E7C50420AC3CADC814337DE8A7A39264BD1AB8E22F935BCD111F507CD60F2776542927790420AD7D57FC7AF8B18EE3D6742E4C97C2443B264CA081FB32D2472B2919DADF402C</ns4:CertificateDescription>
        <ns4:RequiredCHAT>7F4C12060904007F00070301020253050000000004</ns4:RequiredCHAT>
        <ns4:OptionalCHAT>7F4C12060904007F00070301020253050000000000</ns4:OptionalCHAT>
        <ns4:AuthenticatedAuxiliaryData>67177315060904007F00070301040253083230313831323032</ns4:AuthenticatedAuxiliaryData>
      </ns4:AuthenticationProtocolData>
    </ns4:DIDAuthenticate>
  </ns2:Body>
</ns2:Envelope>

2018-12-02 11:36:32,604+01 [PAOS] ERROR o.o.common.util.JAXPSchemaValidator:110 - Validation of the input object failed.
org.xml.sax.SAXParseException: cvc-complex-type.4: Attribut 'Protocol' muss in Element 'ns4:AuthenticationProtocolData' vorkommen.

Also available in: Atom PDF