gematik / ref-eRp-FD-Server

ARCHIVED - This project acts as reference implementation of main aspects of an e-prescription server designed by gematik.

$activate with HBA signed document not working #12

Closed pandalec closed 3 years ago

pandalec commented 3 years ago

Happy new year!

First of all, thanks again for the clarification inside the other tickets!

As you implemented the functionality to read the Pseudo-BNetzA-VL.xml I tried $activate with a document signed by a Heilberufsausweis (RU). I checked, the certificate is inside the Pseudo-BNetzA-VL.xml and I get a signed document from a Konnektor (with a warning):

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Header />
    <SOAP-ENV:Body>
        <ns8:SignDocumentResponse xmlns:ns10="urn:oasis:names:tc:dss-x:1.0:profiles:verificationreport:schema#" xmlns:ns11="http://uri.etsi.org/01903/v1.3.2#" xmlns:ns12="http://uri.etsi.org/02231/v2#" xmlns:ns2="http://ws.gematik.de/conn/EncryptionService/v6.1" xmlns:ns3="http://ws.gematik.de/conn/ConnectorCommon/v5.0" xmlns:ns4="http://ws.gematik.de/conn/ConnectorContext/v2.0" xmlns:ns5="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns6="http://www.w3.org/2000/09/xmldsig#" xmlns:ns7="http://ws.gematik.de/tel/error/v2.0" xmlns:ns8="http://ws.gematik.de/conn/SignatureService/v7.4" xmlns:ns9="urn:oasis:names:tc:dss-x:1.0:profiles:SignaturePolicy:schema#">
            <ns8:SignResponse RequestID="QES550918688">
                <ns3:Status>
                    <ns3:Result>Warning</ns3:Result>
                    <ns7:Error>
                        <ns7:MessageID>98b73704-dbc0-798a-604e-4ad5b5f84aab</ns7:MessageID>
                        <ns7:Timestamp>2021-01-06T12:07:10.594Z</ns7:Timestamp>
                        <ns7:Trace>
                            <ns7:EventID>8237b464-638c-1b39-4d8e-c6e2d3cc461d</ns7:EventID>
                            <ns7:Instance>Konnektor-Lokal</ns7:Instance>
                            <ns7:LogReference />
                            <ns7:CompType>Konnektor</ns7:CompType>
                            <ns7:Code>4193</ns7:Code>
                            <ns7:Severity>Warning</ns7:Severity>
                            <ns7:ErrorType>Security</ns7:ErrorType>
                            <ns7:ErrorText>Kein XML-Schema für XML-Dokument vorhanden</ns7:ErrorText>
                        </ns7:Trace>
                    </ns7:Error>
                </ns3:Status>
                <ns8:OptionalOutputs>
                    <ns8:DocumentWithSignature ID="QES550918688" ShortText="bundle_2021-01-06_13-07-03.xml">
                        <ns3:Base64XML />
                    </ns8:DocumentWithSignature>
                </ns8:OptionalOutputs>
                <ns5:SignatureObject>
                    <ns5:Base64Signature Type="urn:ietf:rfc:5652">MIJE5AYJKoZIhvcNAQcCoIJE1TCCRNECAQExD...</ns5:Base64Signature>
                </ns5:SignatureObject>
            </ns8:SignResponse>
        </ns8:SignDocumentResponse>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Task/GUID/$activate is giving me the following error:

{
    "resourceType": "OperationOutcome",
    "meta": {
        "profile": [
            "http://hl7.org/fhir/StructureDefinition/OperationOutcome"
        ]
    },
    "issue": [
        {
            "severity": "error",
            "code": "invalid",
            "details": {
                "text": "Unable to verify CMS container: OpenSSL Error: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:crypto/rsa/rsa_pk1.c:67:, error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:crypto/rsa/rsa_ossl.c:588:, error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1041:, error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353:"
            }
        }
    ]
}

Any idea what could cause the OpenSSL error? Thanks in advance!

BR parsi
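Added example, not part of the issue or of the ref-eRp-FD-Server code: a small Python script that parses a Konnektor SignDocumentResponse like the one posted above, surfaces the Warning trace, decodes the CMS container (RFC 5652 SignedData) and splits the OpenSSL error queue from the OperationOutcome into its individual entries so the innermost cause is visible. The embedded SOAP response is a shortened copy of the posted one; its base64 payload is a constructed placeholder holding only the SignedData ContentInfo header (the posted container starts with the same bytes, `30 82 .. .. 06 09 2a 86 48 86 f7 0d 01 07 02`). Element and namespace names come from the posted response; function names are this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespaces used in the Konnektor SignDocumentResponse shown in the issue.
NS = {
    "sig": "http://ws.gematik.de/conn/SignatureService/v7.4",
    "common": "http://ws.gematik.de/conn/ConnectorCommon/v5.0",
    "err": "http://ws.gematik.de/tel/error/v2.0",
    "dss": "urn:oasis:names:tc:dss:1.0:core:schema",
}

# Constructed sample: the posted response with unused namespaces dropped and the
# CMS payload replaced by a placeholder (DER SEQUENCE + id-signedData OID only).
SAMPLE_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <ns8:SignDocumentResponse xmlns:ns3="http://ws.gematik.de/conn/ConnectorCommon/v5.0"
      xmlns:ns5="urn:oasis:names:tc:dss:1.0:core:schema"
      xmlns:ns7="http://ws.gematik.de/tel/error/v2.0"
      xmlns:ns8="http://ws.gematik.de/conn/SignatureService/v7.4">
   <ns8:SignResponse RequestID="QES550918688">
    <ns3:Status>
     <ns3:Result>Warning</ns3:Result>
     <ns7:Error><ns7:Trace>
      <ns7:Code>4193</ns7:Code><ns7:Severity>Warning</ns7:Severity>
      <ns7:ErrorText>Kein XML-Schema für XML-Dokument vorhanden</ns7:ErrorText>
     </ns7:Trace></ns7:Error>
    </ns3:Status>
    <ns5:SignatureObject>
     <ns5:Base64Signature Type="urn:ietf:rfc:5652">MIIBAgYJKoZIhvcNAQcC</ns5:Base64Signature>
    </ns5:SignatureObject>
   </ns8:SignResponse>
  </ns8:SignDocumentResponse>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# The OpenSSL error queue from the posted OperationOutcome, verbatim.
SAMPLE_OPENSSL_ERROR = (
    "error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:crypto/rsa/rsa_pk1.c:67:, "
    "error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:crypto/rsa/rsa_ossl.c:588:, "
    "error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1041:, "
    "error:21075069:PKCS7 routines:PKCS7_verify:signature failure:crypto/pkcs7/pk7_smime.c:353:"
)

ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2


def parse_sign_response(xml_text):
    """Extract status, trace entries and the raw CMS container from a SignDocumentResponse."""
    root = ET.fromstring(xml_text)
    resp = root.find(".//sig:SignResponse", NS)
    if resp is None:
        raise ValueError("no SignResponse element in SOAP body")
    result = resp.findtext("common:Status/common:Result", default="", namespaces=NS)
    # A "Warning" result still carries a signature, but the trace says why it warned.
    traces = [
        {
            "code": t.findtext("err:Code", default="", namespaces=NS),
            "severity": t.findtext("err:Severity", default="", namespaces=NS),
            "text": t.findtext("err:ErrorText", default="", namespaces=NS),
        }
        for t in resp.findall(".//err:Trace", NS)
    ]
    sig = resp.find(".//dss:Base64Signature", NS)
    if sig is None or not (sig.text or "").strip():
        raise ValueError("SignResponse carries no Base64Signature")
    cms = base64.b64decode(sig.text.strip(), validate=True)
    return {
        "request_id": resp.get("RequestID"),
        "result": result,
        "signature_type": sig.get("Type"),
        "traces": traces,
        "cms": cms,
    }


def looks_like_signed_data(cms):
    """Cheap sanity check before handing the blob to a CMS verifier: DER SEQUENCE
    whose ContentInfo type is id-signedData."""
    return len(cms) > 2 and cms[0] == 0x30 and ID_SIGNED_DATA in cms[:16]


OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*)"
    r":(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)


def parse_openssl_errors(text):
    """Split an OpenSSL 1.1 error queue (error:<code>:<lib>:<func>:<reason>:<file>:<line>:)
    into entries; the innermost cause comes first, the outermost API call last."""
    return [m.groupdict() for m in OPENSSL_ERR.finditer(text)]


if __name__ == "__main__":
    r = parse_sign_response(SAMPLE_RESPONSE)
    print(r["request_id"], r["result"], r["traces"], looks_like_signed_data(r["cms"]))
    for e in parse_openssl_errors(SAMPLE_OPENSSL_ERROR):
        print(e["lib"], e["func"], e["reason"])
```

Reading the error queue innermost-first is the useful part: `RSA_padding_check_PKCS1_type_1: invalid padding` means the raw RSA public-key operation ran, but the recovered block was not PKCS#1 v1.5 encoded. That is what a verifier reports when the public key it picked does not belong to the signing key, or when the signature was produced with a different padding scheme than the PKCS7 verification path expects; the outer `PKCS7_verify: signature failure` entries only propagate that result.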

Gematik-Entwicklung commented 3 years ago

Hi @parsifallo,

we wish you a happy new year, too :)

The Heilberufsausweis (RU) is only used to authenticate you to use the Konnektor. The Konnektor has its own key pair, which is used to sign the QES container. The certificate of this key pair is included in the QES container. The FD uses the BNetzA-VL to verify this certificate.

Which Konnektor do you use? If you run your own Konnektor, then please check if your certificates are added to the BNetzA-VL used by the FD. If you use a Konnektor provided by gematik, then the Pseudo BNetzA-VL contained in the repository should work.

Can you attach the QES container from the Konnektor to this issue? Then we can try to reproduce your error to find a solution.

Best regards, gematik Dev-Team.

pandalec commented 3 years ago

Hey! I use a secunet Konnektor with 4.0.9 NK Firmware and Gematik RU test cards. I attached the signed bundle which comes from the Konnektor via SOAP. If you meant something different or need more input, just let me know.

Thank you!

BR, parsi

Konnektor_Response.xml.zip

Gematik-Entwicklung commented 3 years ago

Quick update: We can reproduce the error with your data. We are working on a solution right now.

Best regards, gematik Dev-Team.

pandalec commented 3 years ago

Nice, thanks :)

Gematik-Entwicklung commented 3 years ago

Hi @parsifallo,

we've just pushed a new release (v0.10.0). That should fix the problem with the QES verification.

Best regards, gematik Dev-Team