roelderickx / connective-plugin-linux Goto Github PK

Implement the commands

• SELECT_MAESTRO
• GET_PROCESSING_OPTIONS
• READ_RECORD
• COMPUTE_SIGN_CHALLENGE

Thank you for this! It's unbelievable that citizens running Linux are excluded from now essential services such as itsme...

I was able to use this tool but had some issues with the python executable being used; on ubuntu and derivatives python2 and python3 still coexist, and python points to python2 by default. Since I had installed the dependencies for python3, I had to change the shebang to python3 in https://github.com/roelderickx/connective-plugin-linux/blob/main/connective-backend.py. Is there another way to tell Firefox which python to use?

The error codes returned by the Connective plugin are not very helpful, and they were copied to connective-plugin-linux for compatibility reasons. To help users detect what is going wrong and to improve the quality of the bug reports a troubleshoot guide must be added.

Connective signing extension 1.0.6 is the only one I can install from the Chrome web store https://chromewebstore.google.com/detail/connective-signing-extens/kclpjmhngbacampgcdojmiedamjbgjjm?utm_source=chrome-app-launcher-info-dialog Did not manage to install the xpi file, even with Foxified. With 1.0.6 it reports some errors though: "An error occured while handling your request." with no issues but no answer either when testing. Thank you for the help.

The new belgian identity cards (belpic v1.8) only support the ECDSA signing algorithm, while previous versions only support the RSA signing algorithm. It is not clear how the Connective application deals with this. To be investigated and implemented.

I was able to use the tool to connect to a web banking page using connective, but got an error when trying to create an itsme account. During account creation, the information could be read from my eID card successfully at first, and entering the PIN through the tkinter numpad worked fine, but later in the process it failed when trying to sign a document. In the firefox web console I saw this message:

stderr output from native app com.connective.signer: 
OUT {"error": {"code": 99, "id": 99, "message": "Error handling JSON message [{\"cmd\":\"PIN_PAD_AVAILABLE\",\"reader\":\"ACS ACR38U-CCID 00 00\",\"activationToken\":\"blah\",\"isRequest\":true}]. Unknown command [PIN_PAD_AVAILABLE]"}}

Older versions of identity cards (v1.1) require an extra delay after a 0x6C response. The card version should be detected at the beginning and the delay must be added.

Hello,
I tried using this workaround to be able to use connective signing on ubuntu. I think I have managed to install correctly the extension since the protocoltest in browser returns no errors on the different demands. Except on the Maestro ones which returns these messages (but it's reading an id card so I brushed it off as normal since it's not a Maestro card) :

Request sent: {"cmd":"SELECT_MAESTRO","reader":"VASCO DP905v1.1 00 00","activationToken":"","isRequest":true} Response received: {"error":{"code":99,"id":99,"message":"error calling SCardConnect (0x80100069) (0x0)"},"resp":"SELECT_MAESTRO"}
Request sent: {"cmd":"GET_PROCESSING_OPTIONS","reader":"VASCO DP905v1.1 00 00","activationToken":"","data":"8300","isRequest":true} Response received: {"error":{"code":99,"id":99,"message":"error calling SCardConnect (0x80100069) (0x0)"},"resp":"GET_PROCESSING_OPTIONS"}
Request sent: {"cmd":"READ_RECORD","reader":"VASCO DP905v1.1 00 00","activationToken":"","record":"01","sfi":"02","isRequest":true} Response received: {"error":{"code":99,"id":99,"message":"error calling SCardConnect (0x80100069) (0x0)"},"resp":"READ_RECORD"}

However, when trying to connect to the card on Itsme, these messages appear on the browser page and afterwards displays "an error occured while handling your request"
"Connect a card reader and insert a valid ID
Reading personal information
Reading address information (doesn't always appear)"

Does someone have any idea what could be the issue ?
Regards,

I've been trying to log in to AG insurance with the help of your great effort at making things work even though Connective doesn't support Linux. I got the browser extension easily set up, but it seems things aren't working correctly anymore.

Specifically, I'm seeing a 409 Conflict on a version check GET request, followed by "could not fetch latest signid version info. Defaulting to no version restrictions... The SignIdPlugin setting is not enabled. Check configuration for tenant 2.". I fear this might mean they changed something that broke this code.

The application should show an on-screen numpad and verify the given pincode with an MVP:VERIFY command. The user interface should preferably be developed using tkinter, since this is supported with most python versions.

Hello,

On both Firefox and Chrome,
communication with the cardreader works (html protocol tester), PIN Tkinter window functionality VERIFY_PIN OK,
but when reading the info with "READ_FILE", itsme account activation always fails with {"error": {"code": 5, "id": 5, "message": "Error reading file (Comm 0x6a87) (0xa4080c)"}}

As far as I could see in the firefox log (see below at end message) 5 files are read in sequence
fileId":"3F00DF014031" to "fileId":"3F00DF014035
failure occurs sometimes at fileId":"3F00DF014032, once at 4034, but always at 3F00DF014035 (foto?)
[so I never get the Tkinter window to enter PIN]

This is reproduced in the html protocol tester with
{"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","activationToken":"","fileId":"3F00DF014035","isRequest":true}
which clearly takes much longer than the 4031-4034 fileIds, and when executing the next request before the previous has -completely (there is still card reader activity after the response/output appears in the protocol tester) - finished generates the identical error as above

Request sent: {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","activationToken":"","fileId":"3F00DF014035","isRequest":true}
Response received: {"error":{"code":5,"id":5,"message":"Error reading file (Comm 0x6a87) (0xa4080c)"},"resp":"READ_FILE"}

[Simply clicking too fast generates Response received: {"error":{"code":99,"id":99,"message":"No request received after 10 seconds"},"resp":"READ_FILE"}]
For FileId 3F00DF014032 the "5/5 Error reading file" error is much harder to generate this way.

On chrome the 409 conflict / signid version info appears, in the 3th line "unspecified error" here below the same {code: 5, id: 5, message: 'Error reading file (Comm 0x6a87) error.) as in firefox is listed ...

GET https://bmid-id.connective.eu/configuration/plugin/latestversion/8637d59cdc9447dda9ee8d260137b439 409 (Conflict)

could not fetch latest signid version info. Defaulting to no version restrictions... The SignIdPlugin setting is not enabled. Check configuration for tenant 4.

t {code: 99, message: 'An unspecified error occured', stack: 'Error\n at new t (https://bmid-id.connective.eu/…d.connective.eu/resources/bundle-legacy.js:2:4911', e: {…}}code: 99e: {code: 5, id: 5, message: 'Error reading file (Comm 0x6a87) (0xa4080c)'}message: "An unspecified error occured"stack: "Error\n at new t (https://bmid-id.connective.eu/resources/bundle-legacy.js:9:143)\n at _.getErrorForResponse (https://bmid-id.connective.eu/resources/bundle-legacy.js:20:1963)\n at https://bmid-id.connective.eu/resources/bundle-legacy.js:22:1225\n at https://bmid-id.connective.eu/resources/bundle-legacy.js:2:4911"[[Prototype]]: Error

### Firefox console LOG:
stderr output from native app com.connective.signer: IN {"cmd":"GET_INFO","isRequest":true}
stderr output from native app com.connective.signer: OUT {"version": "2.0.2", "binVersion": "2.0.9"}
stderr output from native app com.connective.signer: IN {"cmd":"GET_INFO","isRequest":true}
stderr output from native app com.connective.signer: OUT {"version": "2.0.2", "binVersion": "2.0.9"}
stderr output from native app com.connective.signer: IN {"cmd":"GET_READERS","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"readerList": [{"index": 0, "library": "cardcomm", "name": "ACS ACR 38U-CCID 00 00", "atr": "3B9813400AA503010101AD1311", "cardPresent": true, "cardType": 1}]}
stderr output from native app com.connective.signer: IN {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","fileId":"3F00DF014031","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"data": "redacted"}
stderr output from native app com.connective.signer: IN {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","fileId":"3F00DF014032","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"data": "redacted"}
stderr output from native app com.connective.signer: IN {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","fileId":"3F00DF014033","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"data": "redacted"}
stderr output from native app com.connective.signer: IN {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","fileId":"3F00DF014034","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"data": "redacted"}
stderr output from native app com.connective.signer: IN {"cmd":"READ_FILE","reader":"ACS ACR 38U-CCID 00 00","fileId":"3F00DF014035","activationToken":"KffI8Yw+tmG7zrwgAQvVIIWCH2QP421ZhEoLCoYZZ6oBKGRi2+OhaUZM3+ON0GeXU34fHMTdu69ErhXOtAbBcT4hQskBrLrfqhB4hp7PUzDMSufGlBpMIuxwSY8A1h6qeFm2z3sNNIOtO7Riwpx6LMx0sX7/wvYbKFJoyLG1sefannULQmlmJfXR3Gn72FJPhjzG1py+yjt5J8WyS9poihK+F4TlzhgVkwOZ8lOZHIpQWcXOn3qO8Hr8r1vBb/HP7Xd3nQUJ/Sw43tWsb1dRpfhxhgavdBH7GmPugqILbucM1H7e+0VWqAAmC+Nu6BLAaSqcVuKZdCs7kISYqjtQuA==","isRequest":true}
stderr output from native app com.connective.signer: Card applet version: 17
stderr output from native app com.connective.signer: Card 0x6C delay required: 0 ms
stderr output from native app com.connective.signer: OUT {"error": {"code": 5, "id": 5, "message": "Error reading file (Comm 0x6a87) (0xa4080c)"}}

On ubuntu 24.04, with no snap firefox, the connective plugin is not working.

How to debug? test page gives nothing.
in terminal i can get reader.

In google-chrome it works.

@ghpille [...] you may be able to reduce the GUI code a lot. Let me give you an example:

import tkinter as tk
from tkinter import ttk

def bHit(what):
  print(what)

root = tk.Tk()
root.geometry('200x600')
root.resizable(False, True)
root.title('Button Demo')

buttons = []
for i in range(10):
  buttons.append(ttk.Button(root,text=i,command=lambda i=i: bHit(i)));

for b in buttons:
  b.pack()

exit_button = ttk.Button(    root,    text='Exit',    command=lambda: root.quit())
exit_button.pack(    ipadx=5,    ipady=5,    expand=True)

root.mainloop()

Hi there!

Thanks for going through all this effort (to support some proprietary solution that doesn't support linux but is sometimes the only solution provided 😞 ).

Although I have an understanding of basic security principles, I feel like I don't fully grasp what the possible implications of following paragraph in the readme might be when I use this tool with a party that I otherwise trust.

There is also one security feature which is not implemented, because the algorithm is unknown. Whether this security through obscurity feature is really improving the security or not is debatable, but you should be aware that your personal data may be sent to anyone on the internet when using this application.

For the non-implemented feature, could you add some reference (to the relevant part in the implementation maybe) as to provide some context on where this is situated?
As to the "sent to anyone on the internet": what does this mean exactly? I understand that if you use this tool on a domain you don't trust, or if some payload sent contains sensitive info and is unencrypted that one could say "to anyone on the internet". Otherwise not so much 🤔 Could you please clarify?

Thanks again!

Michaël

The very informative "An unspecified error occured" (can't even get their error messages correct) when trying to register. The older version I had (both report binversion 2.0.9) still gets further, but fails when trying to sign (this is the first time I try to sign).

Object { code: 99, message: "An unspecified error occured", stack: "t@https://bmid-id.connective.eu/resources/bundle-legacy.js:9:143\n_.prototype.getErrorForResponse@https://bmid-id.connective.eu/resources/bundle-legacy.js:20:1963\nn.prototype.readFile/</<@https://bmid-id.connective.eu/resources/bundle-legacy.js:22:1225\nn.prototype.processMessage/<@https://bmid-id.connective.eu/resources/bundle-legacy.js:2:4912\n", e: {�~@�} }
bundle.js:6:287253

Installed the browser plugin.xpi in firefox
Verified that native-hosts installed correctly according to this link

Test fails when running
../connective-backend.py < get_readers.txt

Traceback (most recent call last): File "/home/roeland/Downloads/connective-plugin-linux-main/test/../connective-backend.py", line 14, in <module> import smartcard ModuleNotFoundError: No module named 'smartcard'

Getting following error when running
pip install pyscard

`Defaulting to user installation because normal site-packages is not writeable
Collecting pyscard
Using cached pyscard-2.0.7.tar.gz (152 kB)
Preparing metadata (setup.py) ... done
Building wheels for collected packages: pyscard
Building wheel for pyscard (setup.py) ... error
error: subprocess-exited-with-error

× python setup.py bdist_wheel did not run successfully.
│ exit code: 1
╰─> [12 lines of output]
Package libpcsclite was not found in the pkg-config search path.
Perhaps you should add the directory containing `libpcsclite.pc'
to the PKG_CONFIG_PATH environment variable
Package 'libpcsclite', required by 'virtual:world', not found
running bdist_wheel
running build
running build_py
running build_ext
building 'smartcard.scard._scard' extension
swigging smartcard/scard/scard.i to smartcard/scard/scard_wrap.c
swig -python -outdir smartcard/scard -DPCSCLITE -o smartcard/scard/scard_wrap.c smartcard/scard/scard.i
error: command 'swig' failed: No such file or directory
[end of output]

note: This error originates from a subprocess, and is likely not a problem with pip.
ERROR: Failed building wheel for pyscard
Running setup.py clean for pyscard
Failed to build pyscard
ERROR: Could not build wheels for pyscard, which is required to install pyproject.toml-based projects`

Hello @roelderickx ,
I downloaded your package, ran get_connective_plugin.py which created a connective-downloads directory with connective-plugin-installer-local-2.0.9.msi and connective_signing_extension-1.0.4.xpi.
I installed successfully .xpi extension into firefox (96.0.3 under Ubuntu 20.04). From Addons page, I see the plugin "Connective signing extension".
When I connect to the istme website, after having entered my phone number, itsme still requires me to install the Connective plugin.
Is it supposed to work or should I do additional installs?
Is it possible to debug what is happening?
BTW, the client server solution is not an alternative for me, because I have Ubuntu only.

I failed to install connective_signing_extension-1.0.4.xpi in Seamonkey, which failed (xpi corrupt), so I tried Firefox ESR from debian, which apparantly succeeded. But trying to register on itsme.be, the page https://bmid-id.connective.eu/readout.html still wants to install its package, which it doesn't have for my operating system. End of story.

When I asked Itsme support when the package for Linux would be available, I got an explanation how to use Virtualbox.

Kind regards,
Gerard

I'm using a ACS ACR38U 00 00 cardreader and was getting the following error when trying to run commands that require pin authentication: stderr output from native app com.connective.signer: Failed to control Feature not supported.

I tracked the issue down to this function call features = self._connection.control(smartcard.scard.SCARD_CTL_CODE(3400), []) which is part of the smartcard library if I understand correctly.

I commented out self.__get_reader_features() and L511-530 and the commands worked just fine.

Since it started working I didn't really dig any deeper and I'm not sure if there's anything to fix for you, but I figured this might help some people.