aspyct / eid-applet Goto Github PK

What steps will reproduce the problem?

What is the expected output? What do you see instead?

Applet does not read the card.

What version of the product are you using? On what operating system?

Latest RC.

Please provide any additional information below.

We are beta testing a website, with the latest RC recompilated.

For some users, they are stuck on the applet asking them to introduce their
eID, even if the card is already inserted. And they can remove and put it
back it won't read the card.

The solution is to disconnect then reconnect the reader, and then the
applet does work without reloading.

Do you have any clue about this strange behavior? And how to improve this? 

Thanks in advance.

ePub (and other file formats) may contain XML files with a DOCTYPE.
A resolver is to be added, probably somewhere in
AbstractXmlSignatureService.getXmlSignatureDigestValue

It might be wise to use local copies of well-known DTD's

In fact I would like not displaying all messages in the applet, but
use a callback function to send non sensitive messages to the html
hosting page.
In wish to use exactly the same kind callback function used in kiosk
mode (RemoveCardCallback).
I planned to build a generic callback function messagesCallback which
will sent messages such as : Please connect a card reader, insert your
eid , ....
Today, those messages are displayed in the applet, but I would like to
hide the applet (width=0, heigth=0) and display user useful messages
accordingly to my interface design, which could be FLEX or Html, and
following the overall hosting page layout standards. Of course no
confidential data, only things to tell the user what to do. A
(messagesCallback true/false) parameter in the html config of applet
may tell the applet to send or not messages to javascript.

The applet has a "Detail" button: clicking this button shows a detailed list of 
what the applet is doing, but there isn't a button to hide this info.

What steps will reproduce the problem?

The privacy confirmation in identification mode is useless. In
production environment I can't let this popup, people know what they
do with their ID, it is not the role of your applet to remind them we
are going to copy data from the eID. It should be clear enough on the
web page. But anyway, this mechanism is useless as it can be removed
easily from the code. So, please please please remove it or add an
option to disable this. (it would be easier for me if I do not have to
recompile your applet for every release).

What is the expected output? What do you see instead?

Please remove this, this gives the user a false security feeling as any
malware would recompile it without the warning anyway. 

Either the zip-implementations are buggy, don't store the size of an an
entry or java.util.zip in JDK 1.6.0.16 isn't good at processing them.

Zipentry.getSize() doesn't like files zipped with (ubuntu) zip 2.91
(compression level -1 or -6), and returns -1 / size unknown for zipEntries
compressed with jar 1.6

What steps will reproduce the problem?


What is the expected output? What do you see instead?

An option to hide the applet would be nice. I do not need your
interface. I currently set the width / height to 0, but an extra
option would be better.

In major projects, your UI will not fit. Would be even better if you could
fire some events in javascript so that we can configure the UI.

OOo 3.2 fixes an issue in XML-DSIG, possibly incompatible with OOo 3.1-style  
signed document signatures.

http://wiki.services.openoffice.org/wiki/Security/Digital_Signatures#Improvi
ng_the_Digital_Signature_Implementation_in_OOo_3.2

Meanwhile ODFDOM also announced support for ODF 1.2 signatures
http://odftoolkit.org/bugzilla/show_bug.cgi?id=115

Check if eid-applet is interoperable with these implementations.

What steps will reproduce the problem?

During an authentification, if the user click "cancel" on the pin
request, your applet just display a "general failure". Would be nice
to have an improvement on this, either show a dialog to let the user
choose between really canceling, trying again or entering another
card.  Or even fire a javascript event to let the programmer decide?
It's up to you, but with the current situation I'm sure it will annoy
my users.

What is the expected output? What do you see instead?

Would be better to let user decide if he wants to read another card, stop
the process or if it was an error, but now he gets a "general failure" and
has to reload the page. Not user friendly.

What steps will reproduce the problem?

Open the applet in auth mode, and wait, wait wait...

What is the expected output? What do you see instead?

If you open the applet for auth and do not insert a card, after a
while the textarea will become huge (I mean really huge). Would be
nice to clean up the textera after a while, or get an option to
disable this logging feature.

What steps will reproduce the problem?
1. running the Applet Service with jvm parameter -Dfile.encoding=ISO-8859-1
2. call AppletServiceServlet with an eid card containing special 
characters in the name, firstname or adress (é,è,à... any character 
encoded on 2 bytes in UTF-8)
3. print the identity in the session

What is the expected output? What do you see instead?
special characters are replaced by 2 characters


What version of the product are you using? On what operating system?
1.0.0-rc2 on Windows XP and AIX 5.3 and Red Hat Enterprise Linux Server 
release 5.1 (Tikanga)


Please provide any additional information below.
Identity Data sent by the applet is encoded in UTF-8. When the applet 
service converts these bytes into a String, it does it by default with the 
character set specified with -Dfile.encoding.
We cannot set our file.encoding to UTF-8. This would solve the issue but 
would have side effects on the other services deployed on our Application 
server.

Solution proposal:
convert bytes from the applet into a String with UTF-8 explicitely 
specified. 
I didn't test, but I think just modifying TlvParser.java line 118 should 
do the trick:
117             } else if (String.class == tlvType) {
118                 fieldValue = new String(tlvValue);

into

117             } else if (String.class == tlvType) {
118                 fieldValue = new String
(tlvValue, "UTF-8");

Kind Regards,

Frédéric

Accessibility (keyboard, screen reader, ...) needs to be tested and improved, 
especially JRE popups (content of message / buttons) and focus of the applet.

Screen readers: Jaws/NVDA

(Installing the Java Access Bridge should improve the user experience)

What is the expected output? What do you see instead?

Always the same dialog... and if possible centered ;)

What version of the product are you using? On what operating system?

Latest

Please provide any additional information below.

I wonder why with the Applet there is two dialogs for pin entering. One
pretty nice and large, and a tiny one with only a edit box. 
Could it be possible to always use the large one?
And second question, could it be possible to have it centered on the screen
(or the browser)?

Thanks!

What steps will reproduce the problem?
Make a regular aspx page with the applet on it, while the ASP.NET service
is running on IIS 6 or 7

What is the expected output? What do you see instead?
The test page worked fine on localhost (IIS 5.1), ut when I put the service
on our live server (which has IIS 6) I started receiving 411 status codes
when speaking to the server.

What version of the product are you using? On what operating system?
1.0.0 beta 2 version
windows server 2003
.net framework 3.5

Please provide any additional information below.
After some research I found out that IIS 6 and 7 require httprequests to
have a Content-Length header.
Managed to get the example working when adding some code at the bottom of
the be.fedict.eid.applet.shared.protocol.transport class:

/*
 * Add HTTP body.
 */
if (null != bodyField) {
        Object bodyValue;
        try {
                bodyValue = bodyField.get(dataObject);
        } catch (Exception e) {
                throw new RuntimeException("error reading field: "
                                + bodyField.getName());
        }
        byte[] body;
        if (bodyValue instanceof List) {
                List<String> bodyList = (List<String>) bodyValue;
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                PrintStream printStream = new PrintStream(baos);
                for (String bodyStr : bodyList) {
                        printStream.println(bodyStr);
                }
                body = baos.toByteArray();
        } else {
                body = (byte[]) bodyValue;
        }

httpTransmitter.addHeader("Content-Length",Integer.toString(body.length));

        httpTransmitter.setBody(body);
}
else httpTransmitter.addHeader("Content-Length", "0");

Reported by Sebastien, see also
http://groups.google.com/group/eid-applet/browse_thread/thread/de8db344b436e48.

Content-Length doesn't get set, so it gives error 411 when using IIS / Lighttpd

I get the following problem when i want to authenticate: 
There is no problem with te identification.

Does anyone know what goes wrong?


eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.0.GA
Java version: 1.6.0_20
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://localhost/ValidatePin.aspx
Current time: Fri May 28 08:35:58 CEST 2010
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: false
pre-logoff: false
TLS session Id channel binding: false
server certificate channel binding: false
include identity: false
include address: false
include photo: false
include integrity data: false
Detecteren van eID kaart...
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: ACS ACR38U 0
Belgium eID card in slot: 0
Authentiseren...
getting protection parameter
key alias: Root
key alias: CA
key alias: Authentication
key alias: Signature
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
HTTP response code: 500
<html>
    <head>
        <title>Object reference not set to an instance of an 
object.</title>
        <style>
         body {font-family:"Verdana";font-weight:normal;font-
size: .7em;color:black;} 
         p {font-family:"Verdana";font-weight:normal;color:black;margin-
top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-
top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-
size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-
size:14pt;color:maroon }
         pre {font-family:"Lucida Console";font-size: .9em}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; 
color:navy; cursor:hand; }
        </style>
    </head>

    <body bgcolor="white">

            <span><H1>Server Error in '/' Application.<hr width=100% 
size=1 color=silver></H1>

            <h2> <i>Object reference not set to an instance of an 
object.</i> </h2></span>

            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-
serif ">

            <b> Description: </b>An unhandled exception occurred during 
the execution of the current web request. Please review the stack trace 
for more information about the error and where it originated in the code.

            <br><br>

            <b> Exception Details: </b>System.NullReferenceException: 
Object reference not set to an instance of an object.<br><br>

            <b>Source Error:</b> <br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>

An unhandled exception was generated during the execution of the current 
web request. Information regarding the origin and location of the 
exception can be identified using the exception stack trace below.</code>

                  </td>
               </tr>
            </table>

            <br>

            <b>Stack Trace:</b> <br><br>

            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

[NullReferenceException: Object reference not set to an instance of an 
object.]
   Be.FedICT.EID.Applet.Service.AuthnAppletService.ProcessRequest
(HttpContext httpContext) in C:\Users\tijs\Desktop\applet\eid-applet-
aspx\AppletService\AuthnAppletService.cs:99

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionSt
ep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, 
Boolean&amp; completedSynchronously) +75
</pre></code>

                  </td>
               </tr>
            </table>

            <br>

            <hr width=100% size=1 color=silver>

            <b>Version Information:</b>&nbsp;Microsoft .NET Framework 
Version:2.0.50727.4927; ASP.NET Version:2.0.50727.4927

            </font>

    </body>
</html>
<!-- 
[NullReferenceException]: Object reference not set to an instance of an 
object.
   at Be.FedICT.EID.Applet.Service.AuthnAppletService.ProcessRequest
(HttpContext httpContext) in C:\Users\tijs\Desktop\applet\eid-applet-
aspx\AppletService\AuthnAppletService.cs:line 99
   at 
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplicat
ion.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& 
completedSynchronously)
-->
error: error sending message to service. HTTP status code: 500
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:193
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1014
at be.fedict.eid.applet.Controller.run:342
at be.fedict.eid.applet.Applet$AppletThread$1.run:525
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:520
at java.lang.Thread.run:-1
Algemene fout.

What steps will reproduce the problem?
1. Start the applet
2. While reading the BeID card, interrupt the applet (refresh the page or 
click a link to navigate away or ...)
3. Next time the applet loads, it will get stuck in different ways.

What is the expected output? What do you see instead?
I expect the applet to read out the card.

Instead, I see the applet get stuck in a number of ways.  Each time the 
reader is attached and the eID card is inserted.  Each time, pcsctest(1) runs 
all tests just fine:

1. Not sure how to reproduce:

osName = Mac OS X
osVersion = 10.6.2
Detecting eID card...
Scanning card terminal: OmniKey CardMan 3121 00 00
could not connect to card: connect() failed
Please insert your eID card...

When I remove the card, this appears:
Scanning card terminal: OmniKey CardMan 3121 00 00

When I insert the card again, this appears:
Scanning card terminal: OmniKey CardMan 3121 00 00
could not connect to card: connect() failed


2. Reproduced by refreshing the page while authenticating (or causing an 
AJAX request on the page etc.):

osName = Mac OS X
osVersion = 10.6.2
Detecting eID card...
Scanning card terminal: OmniKey CardMan 3121 00 00
could not connect to card: Exclusive access has already been assigned to 
Thread Thread-30
Please insert your eID card...


When I remove the card, this appears:
Scanning card terminal: OmniKey CardMan 3121 00 00

When I insert the card again, this appears:
Scanning card terminal: OmniKey CardMan 3121 00 00

Next time I load the applet, this appears:
osName = Mac OS X
osVersion = 10.6.2
Detecting eID card...


What version of the product are you using? On what operating system?
1.0.0.GA on Mac OS X 10.6.2 with Java:
java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04-248-10M3025)
Java HotSpot(TM) 64-Bit Server VM (build 14.3-b01-101, mixed mode)

As briefly discussed today, it would be *very* convenient to have an unique
id per message in addition to the text in the javascript callback.

Thanks!

Test runs inside VirtualBox guest, until the root certificate file is to be 
read. Then the applet simply hangs. Same test on the host runs just fine.


Dell D820 with O2Micro CCID built-in card reader
Virtualbox 3.2.6
Windows XP Pro Guest + latest guest utilities + JAB, no middleware
Ubuntu 10 (64 bit) host, pcscd 1.5.3 


Log:

eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.1-SNAPSHOT
Java version: 1.6.0_20
Java vendor: Sun Microsystems Inc.
OS: Windows XP
OS version: 5.1
OS arch: x86
Web application URL: https://10.0.2.2:8443/eid-applet-beta/identification.seam
Current time: Fri Jul 23 11:22:00 CEST 2010
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: CheckClientMessage
current protocol state: INIT
protocol state transition: ENV_CHECK
Need to check the client secure environment...
sending message: ClientEnvironmentMessage
current protocol state: ENV_CHECK
response message: IdentificationRequestMessage
current protocol state: ENV_CHECK
protocol state transition: IDENTIFY
include address: true
include photo: true
include integrity data: true
include certificates: false
remove card: false
identity data usage: null
Detecting eID card...
Scanning card terminal: O2 O2Micro CCID SC Reader 0
eID card detected in card terminal : O2 O2Micro CCID SC Reader 0
Reading out identity...
Reading identity file...
selecting file
read binary
Size identity file: 160
Read address file...
selecting file
read binary
Size address file: 117
Read photo file...
selecting file
read binary
Read identity signature file...
selecting file
read binary
Read address signature file...
selecting file
read binary
Read national registry certificate file...
selecting file
read binary
size RRN cert file: 817
reading root certificate file...
selecting file

From the ZETES documentation on the eID card format, I see tell of a Preference 
file which details, 
for instance, the citizen's preferred language.

It seems to me that the applet does not read out this data.

What steps will reproduce the problem?

For now, you have Authentification and Identification, but for
identification there is no real validation of data. What about a third
mode Auth+Identification in which a MD5 on the data is added to the
challenge? It would improve reliability on the data and we would be
able to avoid "man in the middle" attacks. 

What is the expected output? What do you see instead?

In my usage, I need the auth and the identification, meaning I need to make
two requests for having the whole data and I'm not even sure the data in
identification is safe. 

An extra mode with a signature on the data would improve my process and
would guarantee the integrity of the data, or at least make it less
sensible to man in the middle attacks.

I'm getting an error on loading the applet, no card inserted.

In the error output there is a reference to: 
be.fedict.eid.applet.serivce.AppletServiceServlet
Notice the 'serivce' instead of 'service', could this be causing my problems?

I used the files in the latest RC1-sdk download.


Error output:

The server encountered an internal error () that prevented it from fulfilling 
this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class 
be.fedict.eid.applet.serivce.AppletServiceServlet or a class it depends on
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    java.lang.Thread.run(Unknown Source)


root cause

java.lang.ClassNotFoundException: 
be.fedict.eid.applet.serivce.AppletServiceServlet
    org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
    org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
    org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    java.lang.Thread.run(Unknown Source)

What steps will reproduce the problem?
1. Use my mom's or father's eid card ;) 

What is the expected output? What do you see instead?

If I try identification with address and photo on these cards, I receive
the error:
task exception detected: APDU response error: 27392
exception type: java.io.IOException

The auth is workign fine, but identification is failing on both cards.

I have tried using the eid viewer application with the SDK 3.5 with same
reader on the same machine and both cards are fine... 

What version of the product are you using? On what operating system?

I'm using Beta 4

What steps will reproduce the problem?
1.In the implementation of the AuthenticationService throw security 
execption.

----x------
public void validateCertificateChain(
            final List<X509Certificate> certificates) throws 
SecurityException {

        Log.debug(this, "validate certificate chain [" + certificates
            + "]");


        throw new SecurityException();

    }

-----X------

What is the expected output? What do you see instead?
I think expected result should be security error. But i saw the generic 
error with the trace, which mention protocol version header error.
Is it correct one?
When there is security exception is it always the case this kind of 
generic error?

What version of the product are you using? On what operating system?
We are using version 1.0.0 rc-2.

Please provide any additional information below.

A test feature.

hi,

Steps to reproduce the problem :

1. go to https://www.e-contract.be/eid-applet-test/identify.jsp
2. Click "yes" into the Privacy alert
3. i get an "General Error"

At this moment, it happens only on a particular computer(configuration),
under Firefox and Google Chrome but not with IE8.
Windows WP Pro.
eidApplet versions : 1.0.0.GA & 1.0.1-SNAPSHOT

Enabling logging on the server side, i get this log details:

DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: null
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: INIT
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.handler.HelloMessageHandler - hello
message received
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: INIT
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: IDENTIFY
DEBUG 2010-04-09 13:03:46,515
be.fedict.eid.applet.service.impl.CleanSessionProtocolStateListener -
cleaning up the identity session attributes...
DEBUG 2010-04-09 13:03:51,140
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:03:51,156
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: null
09-avr.-2010 13:03:51 org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet AppletServiceServlet a généré
une exception
java.lang.RuntimeException: expected a protocol start message
    at
be.fedict.eid.applet.shared.protocol.ProtocolStateMachine.checkRequestMessage(Pr
otocolStateMachine.java:107)
    at
be.fedict.eid.applet.service.AppletServiceServlet.doPost(AppletServiceServlet.ja
va:221)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)


But when it works well, I get :


DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: null
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: INIT
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.handler.HelloMessageHandler - hello
message received
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: INIT
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: IDENTIFY
DEBUG 2010-04-09 13:04:28,639
be.fedict.eid.applet.service.impl.CleanSessionProtocolStateListener -
cleaning up the identity session attributes...
DEBUG 2010-04-09 13:04:33,467
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:04:33,483
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: IDENTIFY


Looking at the source code, I suspected the http session to be cleaned or
lost so i added some debug to collect information about session :

DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: null, session:AEFB833F1D07C865E716CA56FCD76B33,
creationTime:1270811666171, lastAccessTime:1270811666171
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: INIT, session:AEFB833F1D07C865E716CA56FCD76B33,
creationTime:1270811666171, lastAccessTime:1270811666171
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.handler.HelloMessageHandler - hello
message received
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: INIT, session:AEFB833F1D07C865E716CA56FCD76B33,
creationTime:1270811666171, lastAccessTime:1270811666171
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - protocol
state transition: IDENTIFY, session:AEFB833F1D07C865E716CA56FCD76B33,
creationTime:1270811666171, lastAccessTime:1270811666171
DEBUG 2010-04-09 13:14:26,171
be.fedict.eid.applet.service.impl.CleanSessionProtocolStateListener -
cleaning up the identity session attributes...
DEBUG 2010-04-09 13:14:36,420
be.fedict.eid.applet.service.AppletServiceServlet - doPost
DEBUG 2010-04-09 13:14:36,436
be.fedict.eid.applet.service.impl.HttpServletProtocolContext - current
protocol state: null, session:EBE58099FF8D7FEF50D214AD07F7E6FD,
creationTime:1270811676436, lastAccessTime:1270811676436
09-avr.-2010 13:14:36 org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: "Servlet.service()" pour la servlet AppletServiceServlet a généré
une exception
java.lang.RuntimeException: expected a protocol start message
    at
be.fedict.eid.applet.shared.protocol.ProtocolStateMachine.checkRequestMessage(Pr
otocolStateMachine.java:107)

As you can see, a new session has been created after the IDENTIFY message.
Why the applet starts a new session????

thanks a lot,

Sébastien

What steps will reproduce the problem?
1. Read out identity eid-applet deployed on non-utf8 default encodig environment
2. Identity containing special characters like é,ë, ...

What version of the product are you using? On what operating system?
1.0.0.GA

Please provide any additional information below.

The TlvParser class will construct a java string from the byte[] in the 
identity file but does not 
specify a CharSet, leaving the encoding depending on the environment the applet 
is run in, so 
sometimes ISO-56.. encoded strings are returned

If the TlvParser could so something like : 

fieldValue = new String(tlvValue, Charset.forName("UTF8"));

would solve the issue imo.

Best regards,
Wim.

eID Applet - Copyright (C) 2008-2009 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
eID browser applet version: 0.0.11
Java version: 1.6.0_14
Java vendor: Sun Microsystems Inc.
OS: Linux
OS version: 2.6.29.5-191.fc11.i686.PAE
OS arch: i386
Web application URL:
https://www.e-contract.be/eid-applet-beta/authentication.seam
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
TLS session Id channel binding: false
server certificate channel binding: false
Detecting eID card...
PKCS#11 path: /usr/local/lib/libbeidpkcs11.so
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: SCM SPR 532 (601023D9) 00 00
Belgium eID card in slot: 0
Authenticating...
getting protection parameter
key alias: Root
key alias: CA
key alias: Authentication
key alias: Signature
logoff from reader: "SCM SPR 532 (601023D9) 00 00"
logoff: card reader not found: SCM SPR 532 (601023D9) 00 00
reader list: []
error: card reader not found: SCM SPR 532 (601023D9) 00 00
error type: java.lang.RuntimeException
at be.fedict.eid.applet.PcscEid.logoff:681
at be.fedict.eid.applet.Controller.performEidAuthnOperation:830
at be.fedict.eid.applet.Controller.run:296
at be.fedict.eid.applet.Applet$AppletThread$1.run:444
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:440
at java.lang.Thread.run:619
Generic Error.

What steps will reproduce the problem?
1. Launch any website using the eid-applet
2. Request for authentication OR identification
3.

What is the expected output? What do you see instead?
The browser crashes and restarts.

What version of the product are you using? On what operating system?
Mac OS X 10.5.8, Java 1.5.0_22, Firefox 3.6. Absolutely no issue on windows.

Please provide any additional information below.
A log of the crash is also reported on
https://www.e-contract.be/eid-applet-beta/results.seam with status "UNFINISHED"

Could it be due to the Java version which is lower than 1.6 ?
I have all latest updates for my mac 10.5.8 (leopard).
However, I could upgrade to MAC Snow leopard, which will upgrade Java to
1.6.0_17.
If this Java version upgrade solves he issue, it means that only latest Mac
OS can run the eid applet. Am I right ?

this is the applet log:
eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.1-SNAPSHOT
Java version: 1.5.0_22
Java vendor: Apple Inc.
OS: Mac OS X
OS version: 10.5.8
OS arch: i386
Web application URL:
https://www.e-contract.be/eid-applet-beta/identification.seam
Current time: Wed Mar 10 14:41:46 CET 2010
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: CheckClientMessage
current protocol state: INIT
protocol state transition: ENV_CHECK
Need to check the client secure environment...
PKCS11 getInstance Java 1.5 fallback
sending message: ClientEnvironmentMessage
current protocol state: ENV_CHECK
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: IdentificationRequestMessage
current protocol state: ENV_CHECK
protocol state transition: IDENTIFY
include address: true
include photo: true
include integrity data: true
include certificates: false
remove card: false
identity data usage: null
Detecting eID card...
error: null
error type: java.lang.NullPointerException
at be.fedict.eid.applet.Controller.waitForEIdCard:1434
at be.fedict.eid.applet.Controller.performEidIdentificationOperation:1246
at be.fedict.eid.applet.Controller.run:359
at be.fedict.eid.applet.Applet$AppletThread$1.run:525
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:520
at java.lang.Thread.run:613
Generic Error.


Thanks.

suggestion from one of the attendees of the ODF plugfest: have a command 
line version for signing ODF 

Refactoring:

be.fedict.applet.service.JSON/Kml/PDF/VcardServlet -> 
be.fedict.applet.export...

be.fedict.applet.service.impl.JSON/Kml/PDF/VcardGenerator -> 
be.fedict.applet.export.impl...

be.fedict.applet.service.util -> be.fedict.applet.export.util

What steps will reproduce the problem?
1. configure the eid applet for authentication
2. do NOT set "IncludeIdentity" or "IncludeCertificates" to true

What is the expected output? What do you see instead?

If include identity or include certificates is set to false, the applet will 
try 
pkcs11 first. This fails right now on Max OS X 10.6. If set to true the applet 
will ignore pkcs11 and use pcsc directly which works perfectly

What version of the product are you using? On what operating system?

1.0.0.GA, Mac OS X 10.6

What steps will reproduce the problem?

Use Id + Auth and ask for card removal.
The applet does not detect the card removal.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?

Latest version. 

Please provide any additional information below.

It is working fine on several dev machines, but on one machine with XP and
the middleware it does not work. If the user is removing the card, the
applet does not detect it BUT if we disconnect the reader the applet detect
it as a card removal... 

I can't ask the user to unplug his reader every time ;)

Do you have any idea what might cause this? There is no relevant info in
the log, just the message to ask to remove the card then nothing.

If no solution is found, would it be interesting to have an option for
timeout for this? Ask nicely for the user to remove his card, but after 5
or 10s (would be a parameter in HTTP) the applet would eventually continue
even if the card is still in. 
Or better, make it work 100% of times of course ;)

Regards,

What steps will reproduce the problem?

Use identification.

What is the expected output? What do you see instead?

Why aren't yellowcane / whitecane included in the identification?

What steps will reproduce the problem?
1.Win
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

Currently, the applet doesn't accept a FinishedMessage from the service
after a ClientEnvironmentMessage (see also 4.1.2 of the dev-guide)

Suggested enhancement: accept FinishedMessage after
ClientEnvironmentMessage (could be useful when one only wants to perform a
quick configuration check)

Hello,

We are using fedict jar files for the authentication, identification of 
eid card. We also you jtrust for OCSP and CRL validation for 
authentication purpose.

We implement the AuthenticationService interface where we do certificate 
chain validation using jtrust.

example.,

....

 try {
            trustValidator.isTrusted(certificates);
        } catch (final CertPathValidatorException exc) {
            throw new SecurityException("Certificate does not valid");
        }
.....

Now i have problem when i got exception from jtrust the "untrusted 
certificate" i transformed it into the security exception and throw it.
I expected that i will recive the security error message on web page but i 
got generic error message with the following error trace.

......
sending message: AuthenticationDataMessage
current protocol state: AUTHENTICATE
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
error: no protocol version header
error type: java.lang.RuntimeException
at be.fedict.eid.applet.shared.protocol.Unmarshaller.receive:222
at be.fedict.eid.applet.Controller.sendMessage:201
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1014
at be.fedict.eid.applet.Controller.run:342
at be.fedict.eid.applet.Applet$AppletThread$1.run:525
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:520
at java.lang.Thread.run:-1
Generic Error.
.....

From initial invesitgation we found that during unmarshalling of object 
there is no protocolVersionHeaderName.

This is really blocing issue for us.
What is the possible situation to overcome this issue?

Thanks in advance,

Kr,
U

What steps will reproduce the problem?
1.Set the windows regional language to French.
2.Pass the 'en' in Language for the eID applet parameter
3.

What is the expected output? What do you see instead?
The result is to display the label in English but its display as French.

What version of the product are you using? On what operating system?
Latest 1.0.0.GA

Please provide any additional information below.

More like a reminder or something to add to the FAQ, Chrome isn't officially 
supported by the Sun Java runtime (so nothing to do with the applet itself), 
so it might or might not work with the lastest JRE 6

http://www.java.com/en/download/faq/chrome.xml

The detail info will show a lot of duplicate messages
(especially the "scanning card terminal...")

It might be better to just check if the previous message is the same as the 
current message. If it is, then don't add the message (but perhaps add a 
"repeated" notice like this:

MessageFoo
MessageBar
Scanning Card terminal (repeated)
MessageBaz

This reduces the number of messages (and screen updates) considerably

Feedback from DII workshop.

Perhaps a virtual appliance based upon JeOS /Ubuntu server/Fedora could be 
interesting (basically an image that runs inside VirtualBox to demo/use the 
eID service for signing documents inside a company network)

What steps will reproduce the problem?
1. Launch any website using the eid-applet
2. Request for authentication OR identification
3.

What is the expected output? What do you see instead?
The browser crashes and restarts.

What version of the product are you using? On what operating system?
Mac OS X 10.5.8, Java 1.5.0_22, Firefox 3.6. Absolutely no issue on windows.

Please provide any additional information below.
A log of the crash is also reported on
https://www.e-contract.be/eid-applet-beta/results.seam with status "UNFINISHED"

Could it be due to the Java version which is lower than 1.6 ?
I have all latest updates for my mac 10.5.8 (leopard).
However, I could upgrade to MAC Snow leopard, which will upgrade Java to
1.6.0_17.
If this Java version upgrade solves he issue, it means that only latest Mac
OS can run the eid applet. Am I right ?

this is the applet log:
eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.1-SNAPSHOT
Java version: 1.5.0_22
Java vendor: Apple Inc.
OS: Mac OS X
OS version: 10.5.8
OS arch: i386
Web application URL:
https://www.e-contract.be/eid-applet-beta/identification.seam
Current time: Wed Mar 10 14:41:46 CET 2010
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: CheckClientMessage
current protocol state: INIT
protocol state transition: ENV_CHECK
Need to check the client secure environment...
PKCS11 getInstance Java 1.5 fallback
sending message: ClientEnvironmentMessage
current protocol state: ENV_CHECK
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: IdentificationRequestMessage
current protocol state: ENV_CHECK
protocol state transition: IDENTIFY
include address: true
include photo: true
include integrity data: true
include certificates: false
remove card: false
identity data usage: null
Detecting eID card...
error: null
error type: java.lang.NullPointerException
at be.fedict.eid.applet.Controller.waitForEIdCard:1434
at be.fedict.eid.applet.Controller.performEidIdentificationOperation:1246
at be.fedict.eid.applet.Controller.run:359
at be.fedict.eid.applet.Applet$AppletThread$1.run:525
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:520
at java.lang.Thread.run:613
Generic Error.

Hello,

I've implemented the aspx source code found in the svn.
When using the AppletService, the data is being read but I am facing a 
Sessionstate problem. After the redirect to the TargetPage, the Session is 
empty (and has another session id).
It seems to work when I setup my web.config sessionState like this: 

<sessionState mode="InProc" cookieless="UseUri" />

But this generates 'ugly' url's...

A similar problem exists in the authentication applet service, this time it 
occurs even in between requests to the same handler...
The error occurs specifically at the lines:

byte[] challenge = (byte[]) httpContext.Session["Challenge"];
memoryStream.Write(challenge, 0, challenge.Length);

of the file "AuthnAppletService.cs".


Has anyone successfully implemented this?


best regards,

Kevin Van Haecke

What steps will reproduce the problem?
1. I added the applet

 <script  src="https://www.java.com/js/deployJava.js  <view-
source:https://www.java.com/js/deployJava.js>"></script> 
 <script> 
          var attributes = {
          code :'be.fedict.eid.applet.Applet.class',
                 archive :'eid-applet.jar', 
                 width :600, 
                 height :300 
          }; 
          var parameters = { 
                 TargetPage :'Login.aspx',
                 AppletService: 'applet-service-authn',
                 BackgroundColor :'#e6e6fa', 
                 Language : 'en' 
          }; 
          var version = '1.6'; 
          deployJava.runApplet(attributes, parameters, version); 
 </script> 

2. I adjusted the web.config
<add path="/applet-authn-service" verb="*" 
type="Be.FedICT.EID.Applet.Service.AuthnAppletService, AppletService" 
validate="true" />

3. added the dll

What is the expected output? What do you see instead?

I expect a popup to enter my pincode, but this error appears:

eID Applet - Copyright (C) 2008-2009 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.0-SNAPSHOT
Java version: 1.6.0_20
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://localhost/LoginMetEId.aspx
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
HTTP response code: HTTP NOT FOUND! eID Applet Service not running?
error: error sending message to service. HTTP status code: HTTP NOT FOUND! 
eID Applet Service not running?
error type: java.io.IOException
at be.fedict.eid.applet.Controller.sendMessage:184
at be.fedict.eid.applet.Controller.run:221
at be.fedict.eid.applet.Applet$AppletThread$1.run:483
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:478
at java.lang.Thread.run:-1
Algemene fout.


What version of the product are you using? On what operating system?
I use the version 1.6 on windows 7

I imported the cert in IIS, and already checked all posts about the eid 
applet in asp.net.

Please provide any additional information below.

Hello Frank,

I have a request for the picture feature in both identification and id+auth
method.

I do need the picture for my application, but reading the picture from the
card and uploading the 4K might be slow for some users. Thus, I started to
think of a method to ask the picture only on certain conditions (like the
card is already known in the system).

The ugly solution would be to keep the applet as is and make two
operations, but no, this would not be a good idea.

Would it be possible to have a small improvement of the protocol? 

Instead of only having the "FinishedMessage" at the end of the transaction,
it would require to handle a new type of message like "NeedMoreData" with
options (or not) to have now the picture. 

What do you think? It would save my users bandwidth and some precious
milliseconds, and milliseconds are important :D

What steps will reproduce the problem?
1. run the sign-files.jsp example
2. click continue
3. generic error is produced

What is the expected output? 
I should be able to select a file for signing.

What do you see instead?
I get a 'generic error' message


What version of the product are you using? On what operating system?
1.0.0-rc-1 on windows xp SP3

Please provide any additional information below.

This is the stacktrace. There seems to be a problem with JFileChooser

eID Applet - Copyright (C) 2008-2009 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.0-rc-1
Java version: 1.6.0_17
Java vendor: Sun Microsystems Inc.
OS: Windows XP
OS version: 5.1
OS arch: x86
Web application URL: https://racer:8443/eid-applet-test/sign-files-applet.jsp
Current time: Mon Dec 14 23:20:12 CET 2009
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: FilesDigestRequestMessage
current protocol state: INIT
protocol state transition: DIGEST
files digest algorithm: SHA-1
Select files...
error: null
error type: java.lang.NullPointerException
at javax.swing.ImageIcon.<init>:-1
at javax.swing.ImageIcon.<init>:-1
at sun.swing.WindowsPlacesBar.<init>:-1
at com.sun.java.swing.plaf.windows.WindowsFileChooserUI.updateUseShellFolder:-1
at com.sun.java.swing.plaf.windows.WindowsFileChooserUI.installComponents:-1
at javax.swing.plaf.basic.BasicFileChooserUI.installUI:-1
at com.sun.java.swing.plaf.windows.WindowsFileChooserUI.installUI:-1
at javax.swing.JComponent.setUI:-1
at javax.swing.JFileChooser.updateUI:-1
at javax.swing.JFileChooser.setup:-1
at javax.swing.JFileChooser.<init>:-1
at javax.swing.JFileChooser.<init>:-1
at be.fedict.eid.applet.Controller.performFilesDigestOperation:560
at be.fedict.eid.applet.Controller.run:328
at be.fedict.eid.applet.Applet$AppletThread$1.run:483
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:478
at java.lang.Thread.run:-1
Generic Error.

It might be nice to add some links:

- where to download the eID middleware
- belpic spec

What steps will reproduce the problem?

In the identity data, why do you encode the birth date in plain
text? Why not the same date encoding for all dates?

What is the expected output? What do you see instead?

Would be nice to have the same encoding for validity date and birth date.
But if there is a change, say it loud and clear as it will break compatibility.

The data we get from the BeID applet is messy and unparsable.  For gender and 
birthDate this has 
been addressed by the applet, but for things like nationality this is not 
handled.

Result?  We're stuck testing whether the nationality is Belg, Belgier or Belge 
to see if the user is 
Belgian.  Worse, with the introduction of the Alien eID card, we're completely 
lost for a decent 
solution.

This is absolutely nuts and begs to question the competence of those that 
designed the way data 
was to be stored on the eID card.  The purpose of making the card Electronic is 
so that it is 
*machine parsable*.  If we wanted to rely on humans to tell us where the user's 
from, why put it 
on a chip in the first place?  To make the eID card what it SHOULD have been, 
Gender must 
become a standard and well-documented enumeration (eg. a digit or a character 
which is 
LOCALE INDEPENDANT), the date string must become an ISO standardized date which 
is LOCALE 
INDEPENDANT), and the nationality must become an ISO standardized country code 
which is 
LOCALE INDEPENDANT.

Of course, we're dealing with the government here, so I don't have any hopes 
that a DECENT 
solution will come out of this before my hair turns gray, so in the mean while, 
we should have a 
FEDICT applet which normalizes all this mess into sane parsable data as the 
BeID was supposed to 
provide.

What is the expected output? What do you see instead?

-

What version of the product are you using? On what operating system?

-

Please provide any additional information below.

For identification and authentification, I have received a request for an
amelioration of our interface. Could it be possible to have a new parameter
with the "X-AppletProtocol-Type: FinishedMessage" to ask the applet not to
go to the TargetPage until the user has removed his ID?

And even better, if the applet could fire a javascript event at this step
so that we can inform the user he has to remove his card, it would really
improve the ergonomy of our platform.

I understand this look like very specific, but I am sure some other
applications could benefit of this.

Thanks!