swp-fu-eid / eid-fu-swp

Docker-based REST API implemented with Django and restframework.
MIT License

Obtain Certificates #60

Open nils-wisiol opened 7 years ago

nils-wisiol commented 7 years ago

We need certificates for the test infrastructure.

Armagetron commented 7 years ago

I tested the Demo app with a test id as well as with my own nPA.

With my nPA I get the following error message in the AusweisApp2: "The authenticity of your ID card could not be verified. Please make sure that you are using a genuine ID card. Please note that test applications require the use of a test ID card." The demo app returns:

urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal#securityConditionNotSatisfied|Card not valid: Term holder not available or no root found for searched issuer in CVC

However the service provider could be verified.

With the test ID the card can be verified but no data could be read. The AusweisApp2 shows the following error text: "The ID card is invalid or disabled." The demo app returns:

urn:oasis:names:tc:SAML:2.0:status:AuthnFailed

An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/sal/mEAC#DocumentValidityVerificationFailed|DocumentValidity is false

The ID card was only valid until 31.10.2016. So we may need new ones.

nils-wisiol commented 7 years ago

I will have new test ID cards by Friday.

As to the expired service provider certificate, this may not be a problem. The ID card stores the latest issue date of any service provider certificate it has seen as the current date. So we may be able to work with expired service provider certificates. I am also working on non-expired service provider certificates.

nils-wisiol commented 7 years ago

Also, the service provider certificate ("Berechtiungszertifikat") is bound to the SSL/TLS certificate of the HTTP server: The service provider certificate contains a hash value of the SSL/TLS certificate and will only work when used together with this particular certificate. That way, the service provider certificate is also bound to a particular hostname (the one in the HTTP SSL/TLS certificate).
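Added editorial example (not code from the eid-fu-swp repository or from any commenter): a simplified model of the two mechanisms described in the previous two comments, namely the card treating the latest certificate issue date it has seen as "today", and the service provider certificate being bound to the HTTPS server certificate by a hash. Field names, the choice of SHA-256 over the DER encoding, and all dates are assumptions for illustration; the normative rules live in BSI TR-03110.

```python
"""Added example (not project code): model of (1) the card's date handling and
(2) the hash binding between service provider certificate and TLS certificate.
All names, dates and the SHA-256 choice are assumptions for illustration."""
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass
class ServiceProviderCert:
    holder: str
    effective: date          # issue date of the certificate
    expiry: date
    tls_cert_sha256: bytes   # hash of the DER-encoded TLS certificate it is bound to


@dataclass
class Card:
    """Card state: it has no clock, only the newest date it has ever seen."""
    current_date: date

    def accept(self, cert: ServiceProviderCert) -> bool:
        """Validity check as the card does it, judged against the card's own date."""
        if cert.expiry < self.current_date:
            return False            # expired from the card's point of view
        if cert.effective > self.current_date:
            self.current_date = cert.effective   # the date only ever moves forward
        return True


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    body, inside = [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def tls_binding_ok(cert: ServiceProviderCert, tls_cert_pem: str) -> bool:
    """True only if the server's TLS certificate is the one the SP certificate names."""
    digest = hashlib.sha256(pem_to_der(tls_cert_pem)).digest()
    return hmac.compare_digest(digest, cert.tls_cert_sha256)


def pem_of(raw: bytes) -> str:
    """Wrap constructed bytes in PEM armour (stand-in for a real certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(raw).decode() + "\n-----END CERTIFICATE-----\n")


def demo() -> dict:
    """Constructed scenario: an SP certificate whose expiry date has passed."""
    bound_tls = b"constructed DER of the eid.dedyn.io TLS certificate"
    other_tls = b"constructed DER of a different TLS certificate"
    sp = ServiceProviderCert(
        holder="constructed test service provider",
        effective=date(2016, 8, 1),
        expiry=date(2016, 10, 31),
        tls_cert_sha256=hashlib.sha256(bound_tls).digest(),
    )
    stale_card = Card(current_date=date(2016, 7, 1))    # last saw a July 2016 certificate
    updated_card = Card(current_date=date(2017, 3, 1))  # has seen a March 2017 certificate
    return {
        "expired_sp_cert_on_stale_card": stale_card.accept(sp),      # True
        "stale_card_date_afterwards": stale_card.current_date,       # moved to 2016-08-01
        "expired_sp_cert_on_updated_card": updated_card.accept(sp),  # False
        "bound_tls_cert_accepted": tls_binding_ok(sp, pem_of(bound_tls)),
        "other_tls_cert_accepted": tls_binding_ok(sp, pem_of(other_tls)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first three results show why an expired service provider certificate may still work on a test card that has not seen a newer certificate, and why it stops working once the card has been used with a newer one. The last two show the binding check: swapping the HTTPS certificate (for instance by renewing a Let's Encrypt certificate) changes the hash and the service provider certificate no longer matches.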

Armagetron commented 7 years ago

Ok, changing my system time did not work. But I think I can use the Demo App as a basis for us.

zervnet commented 7 years ago

Thanks for testing the current situation! Could you please also test the demo app in combination with the PersoSim app? This could show us whether the problem is the expiry date of the test ID card or the validity of the certificates in the demo app.

BenjaminKeller commented 7 years ago

I have tested the Governikus Demo App with a valid test nPA. It is valid until 31.10.2020. The authentication starts, I have to enter my PIN. After that, a progress bar appears and fills until 50%. Then, I get the following error messages:

AusweisApp2 - Fehler

Die Authentisierungs ist fehlgeschlagen.

<OK>
AusweisApp2 - Fehler

Für die Operation fehlen die benötigten Rechte.

<OK>

The DemoApp then reports:

EIN FEHLER IST AUFGETRETEN
URN:OASIS:NAMES:TC:SAML:2.0:STATUS:AUTHNFAILED
An error was reported from eCardAPI: http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#noPermission|Die Authentisierung ist fehlgeschlagen

@zervnet Therefore, it seems to be the validity of the certificates. I will test with PersoSim soon but I have problems with my Ubuntu VM. @Armagetron Added error message.

Armagetron commented 7 years ago

@BenjaminKeller what is the error message the eID Service displays?

zervnet commented 7 years ago

@BenjaminKeller have you seen that there is a Windows version of the PersoSim app?

Armagetron commented 7 years ago

@zervnet The Windows version does not work on my Windows 10 machine.

BenjaminKeller commented 7 years ago

@zervnet I can confirm that. The driver cannot be installed on Windows 10.

nils-wisiol commented 6 years ago

ping @Armagetron certificates are available now

Armagetron commented 6 years ago

Great news!

zervnet commented 6 years ago

@Armagetron 101Swp!17?

There are no more PMs ...

Armagetron commented 6 years ago

@zervnet I received your mail. Investigating now.

Armagetron commented 6 years ago

@zervnet I was unable to extract the zip

zervnet commented 6 years ago

with the password?

nils-wisiol commented 6 years ago

I extracted successfully.

nils-wisiol commented 6 years ago

Try using 7z x key.zip

Armagetron commented 6 years ago

The default unzip (UnZip 6.00 of 20 April 2009, by Debian. Original by Info-ZIP.) of Ubuntu 16.04 cannot handle the encryption. 7z was able to extract.

Archive:  key.zip
   skipping: eidcertprivate.key      need PK compat. v5.1 (can do v4.6)

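Added editorial example (not from the eid-fu-swp project or any commenter) explaining the "need PK compat. v5.1 (can do v4.6)" message above: every ZIP central directory entry records a "version needed to extract" and a flag bit marking the entry as encrypted. Traditional ZipCrypto entries need version 2.0, which Info-ZIP 6.00 handles; WinZip-style AES entries use compression method 99 and declare 5.1, which it does not, so it skips them. The reader below parses the central directory directly; the sample archive is constructed in memory and then patched to look like an AES entry (the payload is not really encrypted, only the header is changed, which is all unzip inspects before deciding to skip).

```python
"""Added example (not project code): read the per-entry version/encryption fields of a
ZIP central directory and reproduce unzip's skip decision. Sample archive is constructed."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
WINZIP_AES_METHOD = 99     # compression method used by WinZip AES entries


def zip_entries(data: bytes):
    """Yield (name, version_needed, encrypted, method) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, n_this_disk, n_total, cd_size, cd_offset, comment_len
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        # CDH: sig, ver_made, ver_need, flags, method, time, date, crc, csize, usize,
        #      name_len, extra_len, comment_len, disk, int_attr, ext_attr, local_hdr_off
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        ver_need, flags, method = f[2], f[3], f[4]
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, ver_need / 10, bool(flags & 1), method
        pos += 46 + name_len + extra_len + comment_len


def skipped_by(data: bytes, supported_version: float = 4.6):
    """Mirror unzip's rule: entries needing a newer format version than it knows are skipped."""
    return [name for name, need, _enc, _method in zip_entries(data) if need > supported_version]


def build_sample_zip() -> bytes:
    """Constructed stand-in for key.zip: one stored, unencrypted entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("eidcertprivate.key", b"-----BEGIN PRIVATE KEY-----\n"
                                          b"(constructed placeholder, not a real key)\n"
                                          b"-----END PRIVATE KEY-----\n")
    return buf.getvalue()


def mark_as_winzip_aes(data: bytes) -> bytes:
    """Patch the first central directory header to declare what an AES entry declares:
    version needed 5.1, encrypted flag set, method 99. Header only; payload untouched."""
    buf = bytearray(data)
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack("<I", data[eocd + 16:eocd + 20])[0]
    # ver_need at +6, flags at +8, method at +10 within the central directory header
    struct.pack_into("<HHH", buf, cd_offset + 6, 51, 1, WINZIP_AES_METHOD)
    return bytes(buf)


if __name__ == "__main__":
    for label, archive in (("plain", build_sample_zip()),
                           ("aes-style", mark_as_winzip_aes(build_sample_zip()))):
        for name, need, enc, method in zip_entries(archive):
            print(f"{label}: {name} needs {need}, encrypted={enc}, method={method}")
        print(f"{label}: unzip 6.00 would skip {skipped_by(archive)}")
```

Two practical takeaways for key material shipped this way: an archive that needs version 5.1 has AES-encrypted entries and needs 7-Zip (or another AES-capable tool) rather than Info-ZIP unzip, and an archive that opens with plain unzip is using legacy ZipCrypto, which is a weak cipher and not suitable for protecting a private key in transit.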
zervnet commented 6 years ago

Seems like unzip does not support password protected .zip files.

Armagetron commented 6 years ago

I tried to convert the certificates into p12 via openssl pkcs12 -export -in eid.dedyn.io.pem -chain 0000_chain.pem -inkey eidcertprivate.key -out cert.p12 but somehow openssl does not like this command.

nils-wisiol commented 6 years ago

please always include error messages

Armagetron commented 6 years ago

Well, there was no real error message.

openssl pkcs12 -export -in eid.dedyn.io.pem -chain 0000_chain.pem -inkey eidcertprivate.key -out cert.p12
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
-out outfile  output filename
-noout        don't output anything, just verify.
-nomacver     don't verify MAC.
-nocerts      don't output certificates.
-clcerts      only output client certificates.
-cacerts      only output CA certificates.
-nokeys       don't output private keys.
-info         give info about PKCS#12 structure.
-des          encrypt private keys with DES
-des3         encrypt private keys with triple DES (default)
-seed         encrypt private keys with seed
-aes128, -aes192, -aes256
              encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
              encrypt PEM output with cbc camellia
-nodes        don't encrypt private keys
-noiter       don't use encryption iteration
-nomaciter    don't use MAC iteration
-maciter      use MAC iteration
-nomac        don't generate MAC
-twopass      separate MAC, encryption passwords
-descert      encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg  specify certificate PBE algorithm (default RC2-40)
-keypbe alg   specify private key PBE algorithm (default 3DES)
-macalg alg   digest algorithm used in MAC (default SHA1)
-keyex        set MS key exchange type
-keysig       set MS key signature type
-password p   set import/export password source
-passin p     input file pass phrase source
-passout p    output file pass phrase source
-engine e     use engine e, possibly a hardware device.
-rand file:file:...
              load the file (or the files in the directory) into
              the random number generator
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

nils-wisiol commented 6 years ago

Try

cat eid.dedyn.io.pem > altogether.pem
cat 0000_chain.pem >> altogether.pem
cat eidcertprivate.key >> altogether.pem
openssl pkcs12 -export -in altogether.pem -out cert.p12

Armagetron commented 6 years ago

I cannot get the cert working. Merging worked now but the tomcat server does not like the storage password. I tried no password and 123456.

Both did not work. Do you have any hints?

java.lang.IllegalArgumentException: java.io.IOException: keystore password was incorrect
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:139)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:182)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 20 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
    ... 27 more

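Added editorial example (not code from the eid-fu-swp project or from any commenter) covering the PKCS#12 assembly suggested a few comments up and the Tomcat failure just above. It drives the same openssl CLI from Python and handles the two points the thread ran into: the chain file is passed with `-certfile <file>` (`-chain` takes no argument, it asks openssl to build the chain itself, which is why the earlier command printed only the usage text), and the password given with `-passout` at export time is the keystore password that Tomcat must be configured with. It requires the openssl binary on PATH; the key, both certificates and the password are constructed stand-ins for eid.dedyn.io.pem, 0000_chain.pem and eidcertprivate.key.

```python
"""Added example (not project code): build a PKCS#12 keystore with openssl, passing the
chain via -certfile, and verify which password opens it. Requires openssl on PATH.
All key material and the password below are constructed for the demonstration."""
import subprocess
import tempfile
from pathlib import Path

EXPORT_PASSWORD = "constructed-keystore-password"   # assumption: chosen for this example


def run(*args: str) -> subprocess.CompletedProcess:
    """Run one openssl subcommand and capture its output."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def make_self_signed(cert: Path, key: Path, cn: str) -> None:
    """Generate a throwaway key and self-signed certificate (test material only)."""
    r = run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
            "-subj", f"/CN={cn}", "-keyout", str(key), "-out", str(cert))
    r.check_returncode()


def export_pkcs12(cert: Path, key: Path, chain: Path, out: Path, password: str) -> None:
    """openssl pkcs12 -export; the chain goes in with -certfile, the password sets the
    keystore password that a server later has to supply."""
    r = run("pkcs12", "-export", "-in", str(cert), "-inkey", str(key),
            "-certfile", str(chain), "-name", "tomcat",
            "-passout", f"pass:{password}", "-out", str(out))
    if r.returncode != 0:
        raise RuntimeError(r.stderr.strip())


def keystore_password_ok(p12: Path, password: str) -> bool:
    """Open the keystore the way a server would; a wrong password fails MAC verification,
    which is the same condition Java reports as 'keystore password was incorrect'."""
    r = run("pkcs12", "-in", str(p12), "-info", "-noout", "-passin", f"pass:{password}")
    return r.returncode == 0


def demo_keystore_roundtrip() -> dict:
    """Build the keystore from constructed material and probe it with two passwords."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        make_self_signed(d / "eid.dedyn.io.pem", d / "eidcertprivate.key", "eid.dedyn.io")
        make_self_signed(d / "0000_chain.pem", d / "issuer.key", "constructed issuer")
        p12 = d / "cert.p12"
        export_pkcs12(d / "eid.dedyn.io.pem", d / "eidcertprivate.key",
                      d / "0000_chain.pem", p12, EXPORT_PASSWORD)
        return {
            "opens_with_export_password": keystore_password_ok(p12, EXPORT_PASSWORD),
            "opens_with_other_password": keystore_password_ok(p12, "wrong-password"),
        }


if __name__ == "__main__":
    for key, value in demo_keystore_roundtrip().items():
        print(f"{key}: {value}")
```

The string used for `-passout` is the one to put into Tomcat's keystore password setting (`certificateKeystorePassword` on the `<Certificate>` element in Tomcat 8.5 and later, `keystorePass` on the `<Connector>` in older versions) together with keystore type PKCS12; `keystore_password_ok` is the quick check to run with exactly that configured value before restarting Tomcat, and a `False` result reproduces the BadPaddingException shown in the trace above.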
zervnet commented 6 years ago

To clarify, the cert we are talking about is the cert provided by Governikus, not the LE cert for the homepage?

Armagetron commented 6 years ago

I have not received an answer from Governikus. I will try to mock this functionality but this remains a major show stopper.

Armagetron commented 6 years ago

Btw I wrote to the AusweisApp2 support to report the error.

Armagetron commented 6 years ago

@zervnet is there any new progress regarding this?

zervnet commented 6 years ago

No progress at all. (I also wrote another mail to Governikus last week, no answer.)