Bug #706
openDATEV Arbeitnehmer online Login fails
Added by Chris Vogel almost 6 years ago. Updated about 5 years ago.
100%
Description
Login to https://www.datev.de/ano/ used to work with Open eCard (the version I used to load directly from the webpage).
Since version 1.3.0 (locally installed on Ubuntu 16.04 LTS) the login to DATEV Arbeitnehmer online using my Personalausweis fails with the appended error message ("Die Authentifizierung ist fehlgeschlagen! Der folgende Fehler wurde vom Sytem zurückgegeben: Die Schema-Prüfung einer PAOS-Nachricht ist fehlgeschlagen. Aus Sicherheitsgründen wird empfohlen, die Chipkarte vom Kartenleser zu entfernen." In English: "Authentication failed! The following error was returned by the system: The schema validation of a PAOS message failed. For security reasons it is recommended to remove the smart card from the card reader.")
My installation seems to work generally since I can successfully login to https://epetitionen.bundestag.de using my Personalausweis.
Files
Bildschirmfoto von »2018-11-28 11-03-58«.png (26.2 KB) | Chris Vogel, 11/28/2018 12:05 PM
datev_eid_validation_errors.log (10.5 KB) | Tobias Wich, 11/28/2018 06:49 PM
Updated by Tobias Wich almost 6 years ago
- File datev_eid_validation_errors.log added
- Status changed from New to Solved
Thank you for the report. There is a problem in the schema validation of the legacy InitializeFramework message, which is defined in a different XML schema than all the other eCard messages. The problem is fixed and the fix is published on GitHub. The problem did not show up during testing due to, let's say, an interpretation of the schema in the eID-Client Testbed.
However, after fixing this problem in the client, shortcomings in the eID server became apparent (see attached log).
Unfortunately, these violations of the XML schema must be fixed in the eID-Server, so the only option for now is to disable the schema validation in the settings dialog. This also fixes the validation error in the app, so you don't have to wait for a new release before you can use the app with the DATEV Ano service.
Updated by Chris Vogel almost 6 years ago
- % Done changed from 0 to 100
Thanks, it works without validation. If the changes on GitHub do not work, I'll reopen the ticket.
Updated by Tobias Wich almost 6 years ago
- Assignee set to Detlef Hühnlein
As I said, this only fixes the validation of the first message (InitializeFramework), whose schema definitions were not loaded by the Validator component. The eID Server used by DATEV is sending invalid messages afterwards.
That means in order for the DATEV service to work with message validation enabled, the DATEV server must be fixed.
@Detlef, can you take care of communicating the issue to DATEV? I can provide a build with the current fix, so that the error shown below can be triggered.
The next error that occurs is this one:
2018-12-02 11:36:32,598+01 [PAOS] DEBUG org.openecard.transport.paos.PAOS:224 - Message received:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ns2:Envelope xmlns:ns2="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns3="urn:liberty:paos:2006-08" xmlns:ns4="urn:liberty:paos:2003-08" xmlns:ns5="http://www.w3.org/2005/03/addressing">
  <ns2:Header>
    <ns5:MessageID>urn:uuidaa1975d2c33c2207e1dd23922037e13e2f2bb4e2</ns5:MessageID>
    <ns5:ReplyTo>
      <ns5:Address>https://npa.datev.de:443</ns5:Address>
    </ns5:ReplyTo>
    <ns5:Action>http://www.bsi.bund.de/ecard/api/1.1/PAOS/GetNextCommand</ns5:Action>
  </ns2:Header>
  <ns2:Body>
    <ns4:DIDAuthenticate xmlns:ns1="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns10="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns11="http://www.w3.org/2001/04/xmlenc#" xmlns:ns12="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns13="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns14="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns15="http://www.w3.org/2001/04/xmldsig-more#" xmlns:ns16="http://paos.eidserver.openlimit.com/" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://www.bsi.bund.de/ecard/api/1.1" xmlns:ns4="urn:iso:std:iso-iec:24727:tech:schema" xmlns:ns5="http://uri.etsi.org/02231/v2.1.1#" xmlns:ns6="http://uri.etsi.org/02231/v2.x#" xmlns:ns7="http://uri.etsi.org/02231/v3.1.2#" xmlns:ns8="http://www.setcce.org/schemas/ers" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#">
      <ns4:ConnectionHandle>
        <ns4:SlotHandle>24586A2D1879CB5B2535AD8BFA8295E5CFFE58066FC09238</ns4:SlotHandle>
      </ns4:ConnectionHandle>
      <ns4:DIDName>PIN</ns4:DIDName>
      <ns4:AuthenticationProtocolData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns4:EAC1InputType">
        <ns4:Certificate>…</ns4:Certificate>
        <ns4:Certificate>7F2181E77F4E81A05F290100420E44454356434165494430303130357F494F060A04007F00070202020203864104050EADC2E783AA255B5983CE76FD386A01D81B1EE349722B1EC77BE5716144E149BA10499DF64559C10C81474BF218158C4C00B4173A3238B91D5CA14E010E0C5F2010444544566549444454523130313433357F4C12060904007F0007030102025305400513FF975F25060108000902085F24060108010202075F37403D15CDF1CB540C9237694A569F9E1A2464B502848B3A8171B0274153E1CC517C403D7B8232A181DE28327526B0B1A119A7A883589E57EAA4C53D188BFFC052A2</ns4:Certificate>
        <ns4:CertificateDescription>30820340060A04007F00070301030101A10E0C0C442D547275737420476D6248A2181316687474703A2F2F7777772E642D74727573742E6E6574A30A0C084441544556206547A41A131868747470733A2F2F736563757265362E64617465762E6465A58202500C82024C4E616D652C20416E7363687269667420756E6420452D4D61696C2D4164726573736520646573204469656E737465616E626965746572733A0D0A44415445562065470D0A5061756D676172746E65727374722E20362D31340D0A3930343239204EC3BC726E626572670D0A696E666F4064617465762E64650D0A0D0A4765736368C3A46674737A7765636B3A0D0A2D20496E746567726174696F6E20696E20646173204964656E746974792D20756E64204163636573734D616E6167656D656E742053797374656D20646572204441544556207A756D2053636875747A20646573205A7567726966667320617566204F6E6C696E652062657265697467657374656C6C74652070657273C3B66E6C6963686520446174656E2C20496E666F726D6174696F6E656E20756E6420426573636865696E6967756E67656E202D0D0A0D0A48696E7765697320617566206469652066C3BC722064656E204469656E737465616E626965746572207A757374C3A46E646967656E205374656C6C656E2C20646965206469652045696E68616C74756E672064657220566F7273636872696674656E207A756D20446174656E73636875747A206B6F6E74726F6C6C696572656E3A0D0A4261796572697363686573204C616E646573616D742066C3BC7220446174656E73636875747A61756673696368740D0A50726F6D656E6164652032370D0A393135323220416E73626163680D0A303938312F35332D313330300D0A706F73747374656C6C65406C64612E62617965726E2E64650D0A7777772E6C64612E62617965726E2E64650D0AA7818B318188042041F0F0962834FE9D54A4FC8F302C58A1634BF8C50569E96691F634F44AF18C0C0420776DA36DB0AAD8EC560857835284CDCEE47D7DC2620420FCD08AE464B4E2E7C50420AC3CADC814337DE8A7A39264BD1AB8E22F935BCD111F507CD60F2776542927790420AD7D57FC7AF8B18EE3D6742E4C97C2443B264CA081FB32D2472B2919DADF402C</ns4:CertificateDescription>
        <ns4:RequiredCHAT>7F4C12060904007F00070301020253050000000004</ns4:RequiredCHAT>
        <ns4:OptionalCHAT>7F4C12060904007F00070301020253050000000000</ns4:OptionalCHAT>
        <ns4:AuthenticatedAuxiliaryData>67177315060904007F00070301040253083230313831323032</ns4:AuthenticatedAuxiliaryData>
      </ns4:AuthenticationProtocolData>
    </ns4:DIDAuthenticate>
  </ns2:Body>
</ns2:Envelope>
2018-12-02 11:36:32,604+01 [PAOS] ERROR o.o.common.util.JAXPSchemaValidator:110 - Validation of the input object failed.
org.xml.sax.SAXParseException: cvc-complex-type.4: Attribut 'Protocol' muss in Element 'ns4:AuthenticationProtocolData' vorkommen.
(In English: "cvc-complex-type.4: Attribute 'Protocol' must appear on element 'ns4:AuthenticationProtocolData'.")
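A minimal reproduction of the check that fails in the log above, added here as an example and not code from Open eCard or DATEV. It validates a DIDAuthenticate body with the JAXP validation API (the same API the client's JAXPSchemaValidator is built on), once with and once without the Protocol attribute on AuthenticationProtocolData. The XSD is a hand-written stand-in for the ISO 24727-3 / TR-03112 type definitions that models only the one constraint at issue; the EAC protocol URI, the truncated hex payloads and the class name PaosSchemaCheck are assumptions for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

// Example code, not part of Open eCard. Requires Java 15+ (text blocks, String.formatted).
public class PaosSchemaCheck {

    // Hand-written stand-in for the ISO 24727-3 / TR-03112 type definitions
    // (an assumption for this example, not the schema files the project ships).
    // It models exactly one constraint: Protocol is a required attribute of
    // DIDAuthenticationDataType, which EAC1InputType extends.
    static final String STAND_IN_XSD = """
        <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
                   xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema"
                   targetNamespace="urn:iso:std:iso-iec:24727:tech:schema"
                   elementFormDefault="qualified">
          <xs:complexType name="DIDAuthenticationDataType">
            <xs:attribute name="Protocol" type="xs:anyURI" use="required"/>
          </xs:complexType>
          <xs:complexType name="EAC1InputType">
            <xs:complexContent>
              <xs:extension base="iso:DIDAuthenticationDataType">
                <xs:sequence>
                  <xs:element name="Certificate" type="xs:hexBinary" maxOccurs="unbounded"/>
                  <xs:element name="CertificateDescription" type="xs:hexBinary"/>
                  <xs:element name="RequiredCHAT" type="xs:hexBinary" minOccurs="0"/>
                  <xs:element name="OptionalCHAT" type="xs:hexBinary" minOccurs="0"/>
                  <xs:element name="AuthenticatedAuxiliaryData" type="xs:hexBinary" minOccurs="0"/>
                </xs:sequence>
              </xs:extension>
            </xs:complexContent>
          </xs:complexType>
          <xs:element name="DIDAuthenticate">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="ConnectionHandle">
                  <xs:complexType>
                    <xs:sequence>
                      <xs:element name="SlotHandle" type="xs:hexBinary"/>
                    </xs:sequence>
                  </xs:complexType>
                </xs:element>
                <xs:element name="DIDName" type="xs:string"/>
                <xs:element name="AuthenticationProtocolData" type="iso:DIDAuthenticationDataType"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:schema>
        """;

    // Constructed sample modelled on the message in the log; the hex payloads are
    // truncated to keep it short and the EAC protocol URI is an assumption.
    static String didAuthenticate(boolean withProtocol) {
        String protocol = withProtocol ? " Protocol=\"urn:oid:1.3.162.15480.3.0.14\"" : "";
        return """
            <iso:DIDAuthenticate xmlns:iso="urn:iso:std:iso-iec:24727:tech:schema"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <iso:ConnectionHandle>
                <iso:SlotHandle>24586A2D1879CB5B2535AD8BFA8295E5CFFE58066FC09238</iso:SlotHandle>
              </iso:ConnectionHandle>
              <iso:DIDName>PIN</iso:DIDName>
              <iso:AuthenticationProtocolData xsi:type="iso:EAC1InputType"%s>
                <iso:Certificate>7F2181E7</iso:Certificate>
                <iso:CertificateDescription>30820340</iso:CertificateDescription>
                <iso:RequiredCHAT>7F4C12060904007F00070301020253050000000004</iso:RequiredCHAT>
              </iso:AuthenticationProtocolData>
            </iso:DIDAuthenticate>
            """.formatted(protocol);
    }

    /** Returns null when the fragment validates, otherwise the first schema violation. */
    static String validate(String xml) throws SAXException, IOException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = factory.newSchema(new StreamSource(new StringReader(STAND_IN_XSD)));
        Validator validator = schema.newValidator();
        try {
            // With no ErrorHandler set, the first error is thrown as a SAXParseException.
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with Protocol attribute:    " + validate(didAuthenticate(true)));
        System.out.println("without Protocol attribute: " + validate(didAuthenticate(false)));
    }
}
```

The first call returns null; the second returns the validator's cvc-complex-type.4 message for AuthenticationProtocolData, the same constraint the log above shows the DATEV eID-Server violating. Open eCard's own validator loads the complete ISO 24727 and TR-03112 schema set, so a real message can fail on other constraints too; this stand-in only isolates the one reported in the ticket, which is why disabling schema validation, as suggested above, is the client-side workaround until the server is fixed.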