Open nils-wisiol opened 7 years ago
I tested the Demo app with a test id as well as with my own nPA.
With my nPA I get the following error message in the AusweisApp2 The authenticity of your ID card could not be verified. Please make sure that you are using a genuine ID card. Please note that test applications require the use of a test ID card.
and the demo app returns:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal#securityConditionNotSatisfied|Card not valid: Term holder not available or no root found for searched issuer in CVC
However the service provider could be verified.
With the test ID the card can be verified but no data could be read. The AusweisApp2 shows the following error text: The ID card is invalid or disabled. The demo app returns:
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal/mEAC#DocumentValidityVerificationFailed|DocumentValidity is false
The ID card was only valid until 31.10.2016. So we may need new ones.
I will have new test ID cards by Friday.
As to the expired service provider certificate, this may not be a problem. The ID card stores the latest issue date of any service provider certificate it has seen as the current date. So we may be able to work with expired service provider certificates. I am also working on non-expired service provider certificates.
Also, the service provider certificate ("Berechtiungszertifikat") is bound to the SSL/TLS certificate of the HTTP server: The service provider certificate contains a hash value of the SSL/TLS certificate and will only work when used together with this particular certificate. That way, the service provider certificate is also bound to a particular hostname (the one in the HTTP SSL/TLS certificate).
Ok, changing my system time did not work. But I think I can use the Demo App as a basis for us.
Thanks for testing the current situation! Could you please also test the demo app in combination with the PersoSim app? This could show us whether the problem is the expiry date of the test ID card or the validity of the certificates in the demo app.
I have tested the Governikus Demo App with a valid test nPA. It is valid until 31.10.2020. The authentication starts, I have to enter my PIN. After that, a progress bar appears and fills until 50%. Then, I get the following error messages:
AusweisApp2 - Fehler
Die Authentisierungs ist fehlgeschlagen.
<OK>
AusweisApp2 - Fehler
Für die Operation fehlen die benötigten Rechte.
<OK>
The DemoApp then reports:
EIN FEHLER IST AUFGETRETEN
URN:OASIS:NAMES:TC:SAML:2.0:STATUS:AUTHNFAILED
An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#noPermission|Die Authentisierung ist fehlgeschlagen
@zervnet Therefore, it seems to be the validity of the certificates. I will test with PersoSim soon but I have problems with my Ubuntu VM. @Armagetron Added error message.
@BenjaminKeller what is the error message the eID Service displays?
@BenjaminKeller have you seen that there is a Windows version of the PersoSim app?
@zervnet the Windows Version does not work on my Windows 10 machine
@zervnet I can confirm that. The driver cannot be installed on Windows 10.
ping @Armagetron certificates are available now
Great news!
@Armagetron 101Swp!17?
There are no PMs anymore ...
@zervnet I received your mail. Investigating now.
@zervnet I was unable to extract the zip
with the password?
I extracted successfully.
try using 7z x key.zip
The default unzip (UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.) of Ubuntu 16.04 cannot handle the encryption. 7z was able to extract.
Archive: key.zip
skipping: eidcertprivate.key need PK compat. v5.1 (can do v4.6)
seems like unzip does not support password protected .zip files
I tried to convert the certificates into p12 via openssl pkcs12 -export -in eid.dedyn.io.pem -chain 0000_chain.pem -inkey eidcertprivate.key -out cert.p12
but somehow openssl does not like this command.
Please always include error messages.
Well, there was no real error message.
openssl pkcs12 -export -in eid.dedyn.io.pem -chain 0000_chain.pem -inkey eidcertprivate.key -out cert.p12
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-seed encrypt private keys with seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-nomaciter don't use MAC iteration
-maciter use MAC iteration
-nomac don't generate MAC
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-macalg alg digest algorithm used in MAC (default SHA1)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
Try
cat eid.dedyn.io.pem > altogether.pem
cat 0000_chain.pem >> altogether.pem
cat eidcertprivate.key >> altogether.pem
openssl pkcs12 -export -in altogether.pem -out cert.p12
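An added example (not code from the thread) that makes the concatenation approach above reproducible and checks the resulting keystore before Tomcat tries to open it: it generates a throwaway self-signed certificate and key as stand-ins for eid.dedyn.io.pem and eidcertprivate.key, builds the PKCS#12 with an explicit export password instead of the interactive prompt, then verifies that the keystore opens with that password and that the key inside matches the certificate. It assumes openssl is on PATH; the file names and the password value are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Requires openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
P12_PASS='changeit'   # placeholder; must equal Tomcat's keystorePass / certificateKeystorePassword

# Constructed stand-in for eidcertprivate.key + eid.dedyn.io.pem (self-signed, so no chain file).
make_demo_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example.test' -days 1 \
    -keyout "$WORK/eidcertprivate.key" -out "$WORK/eid.dedyn.io.pem" >/dev/null 2>&1
}

# Same concatenation as suggested in the thread, but the export password is given
# explicitly so it is known and can be put into Tomcat's connector config.
build_p12() {
  cat "$WORK/eid.dedyn.io.pem" "$WORK/eidcertprivate.key" > "$WORK/altogether.pem"
  openssl pkcs12 -export -in "$WORK/altogether.pem" -out "$WORK/cert.p12" \
    -name tomcat -passout "pass:$P12_PASS"
}

# Returns 0 if the keystore opens (MAC verifies) with the given password, which is
# what Tomcat does at startup; a wrong password here is the "keystore password was
# incorrect" failure seen in the thread.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/cert.p12" -noout -passin "pass:$1" >/dev/null 2>&1
}

# Returns 0 if the private key stored in the keystore matches the certificate's public key.
p12_key_matches_cert() {
  cert_pub=$(openssl pkcs12 -in "$WORK/cert.p12" -nokeys -clcerts -passin "pass:$P12_PASS" 2>/dev/null \
    | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$WORK/cert.p12" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
    | openssl pkey -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_demo_material
build_p12
```

Run the checks with the real material by pointing the file names at the Governikus-issued key and certificate plus the chain file; if `p12_opens_with` fails with the password configured in Tomcat, the keystore and the connector config disagree.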
I cannot get the cert working. Merging worked now but the tomcat server does not like the storage password. I tried no password and 123456. Both did not work. Do you have any hints?
java.lang.IllegalArgumentException: java.io.IOException: keystore password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:182)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
... 27 more
to clarify, the cert we are talking about is the cert provided by Governikus, not the LE cert for the homepage?
I have not received an answer from Governikus. I will try to mock this functionality but this remains a major show stopper.
Btw I wrote to the AusweisApp2 support to report the error.
@zervnet is there any new progress regarding this?
No progress at all. (I also have written another mail to Governikus last week, no answer.)
We need certificates for the test infrastructure.