ebics-java / ebics-java-client

Java open source EBICS client - Support for French, German and Swiss banks
GNU Lesser General Public License v2.1

General Questions #14

Closed gesteur closed 3 years ago

gesteur commented 3 years ago

Hi Uwe,

I've been playing around a bit with this code and have some questions. I'm not an expert in Java, hence my questions might seem trivial.

1) When I get the bank public key with the command "HPB", the bank hashes are not displayed. I can see from the code they are saved in a p12, but that is not readable. Do you have a suggestion how to read it? The only way was to insert some debugs in the KeyManagement source. I'm also wondering if the framework will check those keys before each connection with the bank to ensure there is no MITM attack.

2) The whole security depends on where the private keys are saved and how they are accessed. Is my understanding correct that the keys are read from the serialized objects saved in plain under the "serialized" folder? I'm not sure, but it seems that when the user is loaded (loadUser) it reads from the input stream. If that is true, why not load the certificates from the p12 file where the keys are encrypted?

I'm working on a solution to adapt the code to use an HSM with PKCS#11, so that the security operations are performed on the token. It should add another security layer.

many thanks for your time, and thanks for fixing the bug yesterday so quickly :)
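The check asked about in point 1 (comparing the bank keys fetched via HPB against the hashes printed on the bank's key letter before trusting them) can be done outside the library. The following is an added example in Python, not code from ebics-java-client: it implements the EBICS H004 public-key hash (SHA-256 over the lowercase hex of exponent and modulus, without leading zeros, separated by a single space) and compares the result against a pinned letter value in constant time. The modulus, the pinned hash and the key identifiers used as dictionary keys (E002 for encryption, X002 for authentication) are constructed sample values, not a real bank's key material. Under H005/EBICS 3.0, where bank keys are delivered as X.509 certificates, the hash is taken over the certificate instead, which this example does not cover.

```python
import hashlib
import hmac

# Constructed sample key material (NOT a real bank key): a 512-bit modulus
# with the top bit set, like a real RSA modulus, and the usual exponent.
SAMPLE_EXPONENT = 65537
SAMPLE_MODULUS = int(
    "c4f1a3e8b7d2906f5a1e3c7d9b8f2a4e6d0c1b3a5f7e9d8c2b4a6f8e0d1c3b5a"
    "7e9f1d3c5b7a9f0e2d4c6b8a0f1e3d5c7b9a2f4e6d8c0b1a3f5e7d9c2b4a6f8f",
    16,
)


def hash_input(exponent: int, modulus: int) -> bytes:
    """Preimage as EBICS H004 defines it: lowercase hex of e and n,
    no leading zeros, one space between them. Python's format spec
    strips leading zeros for us, so 65537 becomes '10001'."""
    return f"{exponent:x} {modulus:x}".encode("ascii")


def ebics_key_hash(exponent: int, modulus: int) -> bytes:
    """SHA-256 over the preimage; this is what the bank prints on its letter."""
    return hashlib.sha256(hash_input(exponent, modulus)).digest()


def letter_format(digest: bytes) -> str:
    """Uppercase hex in groups of two, the layout used on key letters."""
    h = digest.hex().upper()
    return " ".join(h[i:i + 2] for i in range(0, len(h), 2))


def parse_letter_hash(text: str) -> bytes:
    """Accept a hash typed in from the letter: any spacing, line breaks, case."""
    return bytes.fromhex("".join(text.split()))


def verify_bank_key(exponent: int, modulus: int, pinned_letter_hash: str) -> bool:
    """True only if the key fetched via HPB matches the pinned letter hash.
    compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(
        ebics_key_hash(exponent, modulus), parse_letter_hash(pinned_letter_hash)
    )


def check_hpb_keys(fetched: dict, pinned: dict) -> dict:
    """fetched: {"E002": (e, n), "X002": (e, n)} as obtained from HPB.
    pinned:  {"E002": "AB CD ...", ...} as transcribed from the bank letter.
    Returns a per-key verdict; a key with no pinned value is never accepted.
    A client should refuse to send any further order while a verdict is False."""
    verdict = {}
    for key_id, (e, n) in fetched.items():
        pinned_hash = pinned.get(key_id)
        verdict[key_id] = pinned_hash is not None and verify_bank_key(e, n, pinned_hash)
    return verdict


if __name__ == "__main__":
    # Pinned value as it would be stored after reading the bank letter.
    pinned = {"E002": letter_format(ebics_key_hash(SAMPLE_EXPONENT, SAMPLE_MODULUS))}
    genuine = {"E002": (SAMPLE_EXPONENT, SAMPLE_MODULUS)}
    # A man-in-the-middle substituting his own key changes the modulus;
    # flipping a single bit is enough to make the check fail.
    substituted = {"E002": (SAMPLE_EXPONENT, SAMPLE_MODULUS ^ (1 << 5))}
    print("genuine:    ", check_hpb_keys(genuine, pinned))
    print("substituted:", check_hpb_keys(substituted, pinned))
```

The place to run such a check is between HPB and the first order that relies on the bank keys (encrypting with E002 or verifying the bank's authentication signature with X002); pinning the letter hashes in configuration and re-checking on every session start is what turns a one-time manual comparison into the MITM check asked about above.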

gesteur commented 3 years ago

Hey all,

So I can confirm that the private keys are read from the serialized object store on the PC, with no password protection. In fact you can change the password on the file and you can still connect to the bank. A bit of a security issue.

With this commit I fix this security issue and also add the support to read private keys out from a SmartCard/Smart token. https://github.com/gesteur/ebics-java-client/commit/40dff09c63fcaee02c932c8c1fd04a1e277e2036

This is tested using OpenSC driver.

uwemaurer commented 3 years ago

Hi,

Thank you for your improvements! I hope we can integrate your additions into the library. I am not so familiar with the SmartCard/Token system but I will have a look. The goal of this EBICS library is to be able to make fully automated interactions with the bank (e.g. from a batch job to import the bank transactions). So there needs to be a way for the library to get the keys without prompting a user for a password. Ideally we can support both ways (fully automated, or leave it up to the library user to provide the keys, e.g. by interactively prompting the user).

About your questions: you can view a p12 file with openssl, e.g. like this: openssl pkcs12 -info -in filename.p12 -nokeys. You are right, it currently reads the keys directly from the serialized objects. It could be changed to read them from the encrypted file; then the security depends on where the password is stored.

BTW, I am planning to replace the serialization format and use a text based format (XML, or JSON) instead of Java serialization. This will also make it easier to inspect what is contained in those files.

gesteur commented 3 years ago

Hey Uwe,

Yes, I thought the reason must be to automate without the user inputting the password, but if the EBICS contract with the bank also allows payments, then it can be dangerous, as for example there are no beneficiary checks at the bank. It's a bit of a dilemma, user-friendliness vs. security. It was not clear to me at the beginning that the default mode would save keys in plaintext, so that confused me.

Regarding openssl, I have tried that command already; I only get this:

MAC: sha1, Iteration 1024
MAC length: 20, salt length: 20
PKCS7 Data
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024

In any case I fully agree with you that the user should decide which option they want (key in plaintext without password, or prompted), as long as they are aware of the pros and cons.

A solution where you can decide in the config file which one to use is a good idea, so each user can decide for themselves. For example I added a new param (keyDir) which will drive the key storage location:

I'm really no Java expert, so probably my code could have been better; I also refactored some functions and combined them.

Just for your info, since I spent lots of time on it: what didn't work is storing the private keys in the CertificateManager object for later use (it might make sense, since usually the private key can't be extracted from the smart token), hence I only load the public keys. https://github.com/gesteur/ebics-java-client/blob/40dff09c63fcaee02c932c8c1fd04a1e277e2036/src/main/java/org/kopi/ebics/certificate/CertificateManager.java#L168

Reading a bit on the internet, it seems that calling keystore.getKey returns a handle on the private key from the smart token. So I'm not sure what happens when I pass that handle and assign it to another object.

I only managed to sign and decrypt using the private key just after loading the key, hence I load the key when I need to do crypto operations on the smart token, e.g. https://github.com/gesteur/ebics-java-client/blob/40dff09c63fcaee02c932c8c1fd04a1e277e2036/src/main/java/org/kopi/ebics/client/User.java#L487

It might not be the most elegant way, but hey, it works like a charm :)

TO DO: generating keys + certificates on the smart token

NileshRameshPatil commented 3 years ago

Hi Team, I am new to EBICS clients and am trying to use ebics-java-client. I am following the link below to set up ebics-java-client. How to get started: https://github.com/honza-toegel/ebics-java-client/wiki/EBICS-Client-HowTo

I am trying to execute the command bin/ebics-client.sh --create but am getting the error below:

Exception in thread "main" java.io.FileNotFoundException: /home/np/ebics/client/ebics.txt (No such file or directory)

and I am not able to find ebics.txt either.

If anyone can help me execute the above command, it will be a great help.

uwemaurer commented 3 years ago

There is a file ebics-template.txt, you can rename this file to ebics.txt and then fill in the missing configuration values.

NileshRameshPatil commented 3 years ago

Thanks @uwemaurer for your help :)

I am trying to find documentation/steps to execute FUL, FDL, BTU and BTD with ebics-java-client; however, I am not able to find any command to execute FUL/BTU etc.

If anyone can help me execute FUL/BTU/BTD, it will be a great help.

NileshRameshPatil commented 3 years ago

Hi @uwemaurer, can you provide some information on how I can execute a FUL order with ebics-java-client? I have successfully executed INI, HIA and HPB:

bin/ebics-client-h004.sh -at INI
bin/ebics-client-h004.sh -at HIA
bin/ebics-client-h004.sh -at HPB

Now I am trying to execute FUL by constructing the command below:

bin/ebics-client-h004.sh -ot FUL -i pain.001.xml

however, it is failing. So if possible, can you help me with the FUL command?

uwemaurer commented 3 years ago

Hi,

In order to help I need more information than just "it is failing", for example an exception stack trace or error message. Also check the documentation of your bank to see if this request type is supported.

I will close this issue for now. If the problem persists please open a new issue with more specific information about the problem.