How to use 3skey token ?

[abdelmajidhafidi]

Hello,

To use EBICS TS with a French bank, they send a USB token for SWIFT 3skey's certificate.

Can anyone please help me to understand how I can use these certificate with the code ?

Thanks.

[andrew-svirin]

Hi, I think you need to add this key in certificate generation. But I am not sure that library supports that. Or you can already have certificate in your 3SKey storage that need to use instead generate new one.

[abdelmajidhafidi]

Hello @andrew-svirin, I'm sorry for my late reply. I exported the certificate that is on 3SKey storage and tried to use it as the signing certificate for the INI request, but I get an error when I call it: Error Code: 091214 - EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY

I found this recommended measure for this error:

If OrderType = INI, PUB or HCS and X509v3 supported:
Rejection of the Request is mandatory, if signature class <> “T”
If OrderType = FUL and X509v3 supported:
Rejection of the Request is mandatory, if OrderAttributes = “OZHNN”

I used an INI request to get this error, it means the signature class is not T, but I don't understand what that means

[andrew-svirin]

Hello @abdelmajidhafidi Interesting error EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY, never seen in. You can check what is in authority when you use it with INI request.

[abdelmajidhafidi]

Hello @andrew-svirin , I found out that I got the error "EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY" because the certificate I exported from the USB token was not yet activated on the "3skey" website. Now after activating it and exporting it again, I executed the INI command and the HIA command without getting any errors, and now I'm waiting to see if the bank will validate the certificates or not because their is some problem with the contract we signed with them, I will inform you if there is any news.

[abdelmajidhafidi]

Hello @andrew-svirin, the keys have been validated by the bank but unfortunately we cannot use the "BTU" command because we need the private key of the signature certificate and we don't have it since we can't get it export from the USB token, and now we are stuck

[andrew-svirin]

Hello @abdelmajidhafidi Do you have all values in keyring like this? https://github.com/andrew-svirin/ebics-client-php/blob/2.x/tests/_data/workspace/keyring_1.json

[abdelmajidhafidi]

Hello @abdelmajidhafidi Do you have all values in keyring like this? https://github.com/andrew-svirin/ebics-client-php/blob/2.x/tests/_data/workspace/keyring_1.json

No, for the signature (USER->A) we have the certificate because we can exported from the USB token, and we can also extract the public key from the certificate but we don't have the private key and we can't export it

[andrew-svirin]

@abdelmajidhafidi If there is PK in 3SKey then should be some interface for use it to encrypt data.

[abdelmajidhafidi]

@andrew-svirin The private key is stored in the USB Token but we can't export it (as 3Skey Support said to us) to put it on the json file.

[andrew-svirin]

Is 3Skey supports to encrypt with Private key?

[abdelmajidhafidi]

Is 3Skey supports to encrypt with Private key?

Sorry I don't understand what do you mean

[andrew-svirin]

https://github.com/andrew-svirin/ebics-client-php/blob/7e86066d41236bc8ddad3ed22a6eb634df4b4419/src/Services/CryptService.php#L123 here is uses private key for encryption. So if it possible to have with 3Skey then it possible to adopt it for library.

[abdelmajidhafidi]

I don't know because I didn't find yet a way to encrypt or sign directly with the USB Token using PHP. By the way, the USB Token is a "Token 5110" model.