[eid-applet] Missing exception handling during verification of identity integrity


bgillis

Feb 16, 2012, 10:17:35 AM
to eID Applet
Hi Frank,

To continue our discussion on the eID validation workflow (https://groups.google.com/group/eid-applet/browse_thread/thread/7e76efc291fd9683/545406549ce6c2df#545406549ce6c2df), I think I've found another issue with exception handling.

In the method be.fedict.eid.applet.service.impl.handler.IdentityDataMessageHandler.handleMessage(), exception handling for the call identityIntegrityService.checkNationalRegistrationCertificate(rrnCertificateChain) is missing, isn't it?

As far as I understand, without any specific exception handling, a SecurityException thrown from identityIntegrityService will not be caught by IdentityDataMessageHandler because these exceptions are RuntimeExceptions. So we will not be notified in the applet about an invalid revocation status or an invalid validity interval of the NR certificate.

This line of code should be replaced by:

// Requires: import java.lang.reflect.Method;
try {
    identityIntegrityService.checkNationalRegistrationCertificate(rrnCertificateChain);
} catch (ExpiredCertificateSecurityException e) {
    return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED);
} catch (RevokedCertificateSecurityException e) {
    return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED);
} catch (TrustCertificateSecurityException e) {
    return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED);
} catch (CertificateSecurityException e) {
    return new FinishedMessage(ErrorCode.CERTIFICATE);
} catch (Exception e) {
    // When the service is an EJB, the container wraps the SecurityException in a
    // javax.ejb.EJBException. Unwrap it by reflection so that the handler does not
    // need a compile-time dependency on javax.ejb.
    if ("javax.ejb.EJBException".equals(e.getClass().getName())) {
        Exception exception;
        try {
            Method getCausedByExceptionMethod =
                e.getClass().getMethod("getCausedByException", new Class[0]);
            exception = (Exception) getCausedByExceptionMethod.invoke(e, new Object[0]);
        } catch (Exception e2) {
            // e2 is the reflection failure, not the wrapped business exception
            LOG.debug("error: " + e2.getMessage(), e2);
            throw new SecurityException("error retrieving the root cause: " + e2.getMessage());
        }
        if (exception instanceof ExpiredCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_EXPIRED);
        }
        if (exception instanceof RevokedCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_REVOKED);
        }
        if (exception instanceof TrustCertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE_NOT_TRUSTED);
        }
        if (exception instanceof CertificateSecurityException) {
            return new FinishedMessage(ErrorCode.CERTIFICATE);
        }
    }
    // Anything else is a technical failure, not a certificate verdict.
    throw new SecurityException("identity service error: " + e.getMessage());
}

Moreover I don't understand why there isn't any FinishedMessage sent back to the applet from the method be.fedict.eid.applet.performEidIdentificationOperation() (as in the other available methods).

So what's the purpose of validating the NR certificate if any exception (SecurityException) is not sent back to the applet?

Thanks for your answer,

Bertrand

Frank Cornelis

Feb 16, 2012, 10:41:52 AM
to eid-a...@googlegroups.com
Hi Bertrand,


Interesting topic you're touching here.

The eID Applet will always be notified in case of a server-side exception being thrown (because the protocol run simply explodes via a servlet container error page). Of course, without sending an explicit FinishedMessage for the specific exception, the eID Applet will simply show a "Generic Error". The reason why I leave the exception handling of the national registration certificate validation at the default instead of also sending specific FinishedMessages (like it is the case for the end-entity certificates) is that these events never occur in practice. I only explicitly capture exceptions to customize error messages in case these events can actually happen in the field.

Notifying an end-user that the national registration certificate of his eID card is invalid wouldn't mean anything to the average citizen anyway. Even I would gaze at the screen like wtf?


Kind Regards,
Frank.

bgillis

Feb 17, 2012, 3:20:19 AM
to eID Applet
Thanks Frank for your quick reply ;-)

However I'm a little confused now about the eID validation workflow...
... please let me explain my use case.

Our end users want to "validate the customer's eID" when our retail banking application is grabbing all data from the customer's eID. In the end users' understanding, it's a one-step operation only: "just check that the eID certificate is valid (validity interval + revocation status)". They don't really understand that the eID chipset hosts several certificates for different purposes instead of a unique certificate. Moreover they don't want the customer to authenticate himself through eID (eID reading + PIN code validation). In their opinion, authenticating the customer through visual recognition is sufficient!
Well... I don't really agree with all this but I can't force them to do so.
However maybe you can provide me with some good arguments to convince them to do so ;-)

So instead of just configuring the eID Applet with implementations of AuthenticationService and IdentityIntegrityService, I guessed I would configure only an implementation of IdentityIntegrityService. But with your latest reply, I'm now a bit lost because I can't obtain any status message about the NR certificate validation through the eID applet... only a generic exception.

Any suggestion or recommendation about this use case is very welcome!

Thanks for your assistance,

Bertrand

Frank Cornelis

Feb 17, 2012, 7:07:53 AM
to eid-a...@googlegroups.com
Hi Bertrand,


There's nothing wrong with a face-to-face 'authentication'. It's even
easier for the customers as they don't have to guess their eID PIN code.

Indeed you just need to implement the IdentityIntegrityService.

In the eID Applet identification flow, every exception will result in a
'Generic Error' being displayed within the eID Applet.

If you're not happy with that, we could add a more specific error
message in case there is something wrong with the national registration
certificate. But as I said before, whether you display 'Generic Error'
or 'Security Error', the end result will still be the same. Being a call
to you to check out what the hell happened.


Kind Regards,
Frank.

bgillis

Feb 17, 2012, 10:18:16 AM
to eID Applet
Frank,

One last question for my own understanding...

When an eID card is renewed, is the NR certificate also renewed, or only the authentication and non-repudiation certificates? If only the authentication and non-repudiation certificates are renewed, I now understand why you said that revocation of the NR certificate never occurs in practice. So why do we need to validate the integrity of the identity data through a validation of the NR certificate if it is always valid in practice?

What will cause a revocation of an NR certificate?

Thanks,

Bertrand

bgillis

Feb 17, 2012, 9:56:56 AM
to eID Applet
Thanks Frank for the clarification... I'm more confident now ;-)

As a matter of fact, having a specific error like in AuthenticationService would be better IMHO (through FinishedMessage). Our retail banking application needs to automatically execute a specific flow in case of an invalid NR certificate (through the eID Applet messageCallbackEx()). As we currently have a generic exception, we can't differentiate an invalid revocation status or validity interval from a technical exception (e.g. SecurityException)... and can't start this specific flow automatically when necessary.

Do you think you might add this feature in your next eID applet release?
Do you already have an estimated release date (next month, next quarter, next year)?

Thank you,

Bertrand

Frank Cornelis

Feb 19, 2012, 6:24:54 AM
to eid-a...@googlegroups.com
Hi Bertrand,


I've scheduled this feature for the next eID Applet release. Normally beginning of this week I'll push out a version 1.0.5.Beta2 which will include this.

FYI the issue description:
Security Error on IdentityIntegrityService.checkNationalRegistrationCertificate

When IdentityIntegrityService.checkNationalRegistrationCertificate throws a SecurityException, the eID Applet should display "Security Error" instead of "Generic Error".

See also: http://groups.google.com/group/eid-applet/browse_thread/thread/ccb10fe3c7984c8b


Kind Regards,
Frank.

Frank Cornelis

Feb 19, 2012, 6:32:49 AM
to eid-a...@googlegroups.com
Hi Bertrand,


The NRN certificate renews every year. Under normal circumstances an NRN certificate should never need to be revoked. If it has been revoked, this means that they are in big trouble at the national registration authority.

You want to validate the integrity of the identity data to make sure that the eID card has not been tampered with. The eID Applet Service implementation itself checks this integrity. The only thing that the eID Applet Service cannot do on its own is to check the validity of the NRN certificate. That's why it delegates this task to the IdentityIntegrityService SPI implementation.


Kind Regards,
Frank.
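An illustrative IdentityIntegrityService implementation for the set-up discussed above (an identification flow configured with only this SPI), added here and not code from the eID Applet project: it hands the validity-interval and revocation checks of the NRN chain to the JDK PKIX validator and maps the failure reasons onto the SPI exception types that the handler's catch clauses turn into specific FinishedMessages. It assumes the SPI and its exception classes live in be.fedict.eid.applet.service.spi, that the method takes a List<X509Certificate>, that those exception classes have no-argument constructors, and Java 7 or later for CertPathValidatorException.getReason().

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.*;
import be.fedict.eid.applet.service.spi.*;
// Illustrative PKIX-based check of the NRN certificate chain; not the project's own code.
public class PkixIdentityIntegrityService implements IdentityIntegrityService {
    private final TrustAnchor belgiumRoot;

    public PkixIdentityIntegrityService(X509Certificate belgiumRootCa) {
        this.belgiumRoot = new TrustAnchor(belgiumRootCa, null);
        // Let the JDK PKIX validator fetch revocation data itself (OCSP first, then CRL DP).
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
    }

    @Override
    public void checkNationalRegistrationCertificate(List<X509Certificate> certificateChain) {
        try {
            // Chain as read from the card: NRN certificate first, then its CA(s).
            // The PKIX validator wants the path without the trust anchor itself.
            List<X509Certificate> path = new ArrayList<X509Certificate>();
            for (X509Certificate cert : certificateChain) {
                if (!cert.equals(belgiumRoot.getTrustedCert())) {
                    path.add(cert);
                }
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(Collections.singleton(belgiumRoot));
            params.setRevocationEnabled(true); // validity interval is checked regardless
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (CertPathValidatorException e) {
            // Map the PKIX failure reason onto the SPI exception hierarchy, so the
            // handler's catch clauses can turn it into a specific FinishedMessage.
            // Undetermined revocation status deliberately fails closed as "not trusted".
            CertPathValidatorException.Reason reason = e.getReason();
            if (reason == BasicReason.EXPIRED || reason == BasicReason.NOT_YET_VALID) {
                throw new ExpiredCertificateSecurityException();
            }
            if (reason == BasicReason.REVOKED) {
                throw new RevokedCertificateSecurityException();
            }
            throw new TrustCertificateSecurityException();
        } catch (GeneralSecurityException e) {
            // Parsing or provider problem: not a verdict on the certificate itself.
            throw new CertificateSecurityException();
        }
    }
}
```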

bgillis

Feb 20, 2012, 3:07:52 AM
to eID Applet
Thanks Frank !

On Feb 19, 12:24 pm, Frank Cornelis <frank.corne...@gmail.com> wrote:
> Hi Bertrand,
>
> I've scheduled this feature for the next eID Applet release. Normally
> beginning of this week I'll push out a version 1.0.5.Beta2 which will
> include this.
>
> FYI the issue description:
>
>     Security Error on
>     IdentityIntegrityService.checkNationalRegistrationCertificate
>
>     When IdentityIntegrityService.checkNationalRegistrationCertificate
>     throws a SecurityException, the eID Applet should display "Security
>     Error" instead of "Generic Error".
>
>     See also:
>    http://groups.google.com/group/eid-applet/browse_thread/thread/ccb10f...

bgillis

Feb 20, 2012, 3:20:17 AM
to eID Applet
Thanks Frank for taking the time to explain all this to me...
... I've got the whole picture now ;-)

Could you also add a specific exception to the validation of the integrity of the identity data? As a matter of fact, if anything goes wrong during IdentityDataMessageHandler.verifySignature(), only a generic ServletException is thrown? We lose the context of the exception on the applet side. It would be great, as for the IdentityService implementation, to know what goes wrong: a business exception (invalid signature, certificate revoked, certificate expired, certificate not trusted) or an unrecoverable technical exception (Security exception). Depending on the FinishedMessage you will then add to Controller.performEidIdentificationOperation(), a specific callback in JavaScript could then execute a specific workflow accordingly.

Kind regards,

Bertrand

bgillis

Feb 27, 2012, 10:11:45 AM
to eID Applet
Hi Frank,

We've just tested today your latest release of the eID Applet (1.0.5.Beta2).
Everything is working as expected now... excellent work! ;-)

Would it also be possible to add my last suggestion in the next beta release?

In particular, I'm talking about the method IdentityDataMessageHandler.verifySignature().
This method currently throws only a generic ServletException.
It would be very useful to have another specific code in be.fedict.eid.applet.shared.ErrorCode for this use case.
What about SIGNATURE_NOT_VALID?

As explained previously, on the user side, it is quite interesting to be able to distinguish a business error (invalid signature, certificate revoked, certificate expired, certificate not trusted) from an unrecoverable technical exception (Security exception, ServletException).

Kind regards,

Bertrand