swp-fu-eid / eid-fu-swp

Docker-based REST API implemented with Django and restframework.
MIT License

eID Server implementation #32

Closed Armagetron closed 7 years ago

Armagetron commented 7 years ago

I started the implementation of the eID Server component specified in BSI TR-03130 Technical Guideline eID-Server, Part I: Functional Specification, Version 2.0.2. This file is accompanied by a zip file BSI TR-03130 TR-eID -Server Schemadateien.

I tried to generate a web service from the WSDL with soapfish. This failed.

So I ran the WSDL through an online WSDL analyzer. This revealed that external/saml-schema-assertion-2.0.xsd links to the, as of writing this, no longer available xmldsig-core-schema.xsd. A copy is available in the wayback machine.

Next steps are to patch the external/saml-schema-assertion-2.0.xsd that links to the xsd and retry the entire soapfish process again.

Armagetron commented 7 years ago

soapfish requires lxml and iso8601 as dependencies.

Armagetron commented 7 years ago

The WSDL is broken!

Instead of

<wsdl:types>
    <xsd:schema>
        <xsd:import schemaLocation="TR-03130eID-Server.xsd"
            namespace="http://bsi.bund.de/eID/" />
    </xsd:schema>
</wsdl:types>

it has to be

<wsdl:types>
    <xsd:schema>
        <xsd:include schemaLocation="TR-03130eID-Server.xsd" />
    </xsd:schema>
</wsdl:types>

because the XSD implements the same namespace (see w3schools).
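The two problems raised in this thread, a schemaLocation that no longer resolves and an xsd:import that should be an xsd:include, can both be caught mechanically before handing a WSDL to a generator. The following checker is an added example and is not part of this repository; it uses only the standard library. The schema stubs and both WSDL documents are constructed for the example, and the inline schema inside wsdl:types is given an explicit targetNamespace of http://bsi.bund.de/eID/ so that the self-import rule has something to compare against.

```python
"""Check the schema references inside a WSDL <wsdl:types> section.

Rules from XML Schema 1.0 (Structures, section 4.2): xsd:import must name
the targetNamespace of the referenced schema and must not name the
importing schema's own targetNamespace; xsd:include may only pull in a
schema with the same targetNamespace (or none). A schemaLocation that
cannot be resolved is reported as well.
"""
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
XSD_SCHEMA = "{%s}schema" % XSD_NS
XSD_IMPORT = "{%s}import" % XSD_NS
XSD_INCLUDE = "{%s}include" % XSD_NS

# Constructed stand-ins for schema files, keyed by schemaLocation.
# Only the root element matters for the checks below.
SCHEMAS = {
    "TR-03130eID-Server.xsd":
        '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'targetNamespace="http://bsi.bund.de/eID/"/>',
    "external/saml-schema-assertion-2.0.xsd":
        '<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
        'targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion"/>',
}


def target_namespace(xsd_text):
    """Return the targetNamespace of a schema document, or None if it has none."""
    return ET.fromstring(xsd_text).get("targetNamespace")


def lint_wsdl(wsdl_text, schemas):
    """Return a list of (kind, schemaLocation, problem) for every bad reference."""
    findings = []
    for schema in ET.fromstring(wsdl_text).iter(XSD_SCHEMA):
        own_ns = schema.get("targetNamespace")
        for ref in schema:
            if ref.tag not in (XSD_IMPORT, XSD_INCLUDE):
                continue
            kind = "import" if ref.tag == XSD_IMPORT else "include"
            loc = ref.get("schemaLocation")
            if loc is None:
                continue  # an import without schemaLocation is legal; nothing to resolve
            if loc not in schemas:
                findings.append((kind, loc, "schemaLocation cannot be resolved"))
                continue
            ref_ns = target_namespace(schemas[loc])
            if kind == "import":
                ns = ref.get("namespace")
                if ns != ref_ns:
                    findings.append((kind, loc, "namespace attribute %r does not match "
                                     "the schema's targetNamespace %r" % (ns, ref_ns)))
                if ns is not None and ns == own_ns:
                    findings.append((kind, loc, "imports its own target namespace; "
                                     "use xsd:include instead"))
            elif ref_ns is not None and ref_ns != own_ns:
                findings.append((kind, loc, "included schema has a different "
                                 "targetNamespace %r; use xsd:import" % ref_ns))
    return findings


WSDL_HEAD = ('<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" '
             'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types>'
             '<xsd:schema targetNamespace="http://bsi.bund.de/eID/">')
WSDL_TAIL = '</xsd:schema></wsdl:types></wsdl:definitions>'

# Constructed: the shape reported in the issue, plus a reference that does not resolve.
BROKEN_WSDL = WSDL_HEAD + (
    '<xsd:import schemaLocation="TR-03130eID-Server.xsd" namespace="http://bsi.bund.de/eID/"/>'
    '<xsd:import schemaLocation="xmldsig-core-schema.xsd" '
    'namespace="http://www.w3.org/2000/09/xmldsig#"/>'
) + WSDL_TAIL

# Constructed: the corrected shape, with a well-formed import of a foreign namespace.
FIXED_WSDL = WSDL_HEAD + (
    '<xsd:include schemaLocation="TR-03130eID-Server.xsd"/>'
    '<xsd:import schemaLocation="external/saml-schema-assertion-2.0.xsd" '
    'namespace="urn:oasis:names:tc:SAML:2.0:assertion"/>'
) + WSDL_TAIL

if __name__ == "__main__":
    for kind, loc, problem in lint_wsdl(BROKEN_WSDL, SCHEMAS):
        print("%s %s: %s" % (kind, loc, problem))
    print("fixed WSDL findings:", lint_wsdl(FIXED_WSDL, SCHEMAS))
```

On a real tree, replace the SCHEMAS dictionary with a function that reads each schemaLocation relative to the WSDL's directory; the checks themselves stay the same.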

Armagetron commented 7 years ago

@nils-wisiol @zervnet is there a way to report this?

Armagetron commented 7 years ago

Now using python-zsi and twisted for generation.

Patching of /usr/lib/python2.7/dist-packages/ZSI/twisted/WSresource.py is required to work on Ubuntu 17.04.

First, change from twisted.web.error import NoResource to from twisted.web.resource import NoResource. Second, move DefaultHandlerChain over the WSAddressHandlerChainFactory definition.

nils-wisiol commented 7 years ago

Not sure how to report this to BSI. Can you elaborate on what exactly is wrong, why it is wrong, and where you got this file from? I'll get in touch with BSI.

Armagetron commented 7 years ago

I split the task in some more issues.

#44, #45 and #46

nils-wisiol commented 7 years ago

Communication with the eID client for online authentication is described in TR-03124-1, Section 2.5 (please see the chart on p14!). It uses the Extended Access Control Protocol (EAC Protocol) defined in TR-03112-7 (Section 3.6). The eID Service Certificate ("Berechtigungszertifikat") is sent in Section 3.6.4.1 (see bottom of p. 50).

larissazech commented 7 years ago

We can only use Governikus' eID Server. Closed.