
mid's Issues

Imprecise documentation about certificates

While implementing MID signing in Python, I encountered an issue: a signature I was getting from the signature endpoint could not be verified using the certificate returned by the authentication endpoint.

Please make the docs clearer about the fact that to verify the signature you need the certificate endpoint.

3.1. Certificate request
This method is necessary for *AdES-styled digital signatures which require knowledge of the certificate before creating the signature. For other types of digital signatures knowledge of the certificate is not needed.

This is misleading because you do need this certificate to verify the signature. I suggest replacing this phrase with:

This method is necessary for successful verification of the signature obtained by the signature endpoint, and for embedding the certificate into *AdES-styled digital signatures which require knowledge of the certificate before creating the signature.

3.3.5. Response structure
| cert | Authentication certificate used. DER + Base64 encoded. Signing process doesn't return this value (need to pull separately). ...

I suggest formulating this clause as follows:

Certificate used to create the authentication signature. DER + Base64 encoded. Signing process doesn't return a certificate; to obtain the certificate used to create the signature, make a separate request as per 3.1. The authentication certificate cannot be used to verify the signature returned by the signing process.

Signature value for EC signatures is not DER encoded

While it is possible to use an RSA signature directly as a signature value in a CMS SignedData structure, the value of an EC signature is a raw 64-byte string which needs to be processed and embedded into a valid structure.

From RFC5753, item 2.1.1:

  • signature MUST contain the DER encoding (as an octet string) of a
    value of the ASN.1 type ECDSA-Sig-Value (see Section 7.2).
  ECDSA-Sig-Value ::= SEQUENCE {
    r INTEGER,
    s INTEGER }

This should be documented or fixed. It is also required to rebuild such a structure to be able to validate this kind of signature with common tools.
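The conversion the RFC text above calls for, as an added Python example (not code from the MID project): it wraps a raw r||s value as a DER ECDSA-Sig-Value so it can be placed in a CMS SignedData, and strictly parses such a value back so the result can be cross-checked. The component width of 32 bytes (P-256) in the comments is an assumption; the functions take any width.

```python
# Added example (not MID project code): raw r||s ECDSA value <-> DER ECDSA-Sig-Value.
def _der_length(n: int) -> bytes:
    if n < 0x80:                      # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(value: int) -> bytes:
    # minimal length; 0x00 pad when the top bit is set so r and s stay positive
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def raw_to_der(raw: bytes) -> bytes:
    # raw is r || s, each at curve-order width (32 bytes each for P-256)
    if not raw or len(raw) % 2: raise ValueError("raw signature must be r||s of equal width")
    half = len(raw) // 2
    r, s = int.from_bytes(raw[:half], "big"), int.from_bytes(raw[half:], "big")
    content = _der_integer(r) + _der_integer(s)
    return b"\x30" + _der_length(len(content)) + content

def _read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    # one DER TLV with the expected tag at pos -> (content, offset after it)
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                 # long form; 1-2 octets cover any ECDSA size
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 2 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def der_to_raw(der: bytes, width: int) -> bytes:
    # strict inverse: rejects trailing data and negative or non-minimal INTEGERs
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after ECDSA-Sig-Value")
    r_bytes, pos = _read_tlv(seq, 0, 0x02)
    s_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected content in SEQUENCE")
    out = b""
    for part in (r_bytes, s_bytes):
        # reject empty, negative (top bit set) and non-minimal (superfluous 0x00) INTEGERs
        if not part or part[0] & 0x80 or (len(part) > 1 and part[0] == 0 and part[1] < 0x80):
            raise ValueError("negative or non-minimal INTEGER")
        out += int.from_bytes(part, "big").to_bytes(width, "big")  # OverflowError if too wide
    return out
```

Note that a raw value whose r has its top bit set gets one byte longer in DER, so the encoded length varies between signatures from the same key.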

MID Authentication - Personal Data

Is (or will be) there a way for the Relying Party to retrieve the End User personal details using the new REST API such as Name, Surname, Date of birth, gender... and so on?

Receive response instantly from authentication session status request

From API documentation on 'timeoutMs':

For very low values the service silently reverts to configuration specific minimum value (can change, value around 1000ms)

So each authentication session status check request waits a minimum of 1 second before returning a response.

We are currently implementing Mobile-ID authentication in a service where it is not practical to keep threads open with a long-polling style solution.
We are querying the authentication session status multiple times (with a ~5 second delay in between) in a synchronous manner and expect the response to be returned immediately.
That minimum of 1 second adds up in keeping the threads busy and might become a burden as load increases.

Could that limit be removed or lowered?
Is the only reason for that minimum to prevent incorrectly implemented clients from spamming the service?
