View Issue Details

ID: 0005972
Project: Taler
Category: libeufin-nexus
View Status: public
Last Update: 2023-04-13 21:31
Reporter: Marcello Stanisci
Assigned To: Marcello Stanisci
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: acknowledged
Resolution: open
Target Version: 0.9.3
Summary: 0005972: Avoid sending signed data before key exchange
Description: The Nexus should check if their keys were accepted by the bank (via INI / HIA) before performing any operation using those.

This is useful because some banks may simply respond "signature invalid" without telling what the real cause is.
Tags: No tags attached.


Marcello Stanisci

2020-05-15 19:19

viewer   ~0015917

This happens here (1) for example, where the 'makeEbicsHpbRequest()' function just
makes the message without checking the state of the key used to sign the message.

But possibly, this is not a real problem. If errors are nicely reported, then the user
will be correctly warned about the impossibility of the attempted operation.



2023-04-11 11:14

manager   ~0020067

Last edited: 2023-04-11 11:22

This can be closed after testing how Postfinance reacts to such a scenario,
but using keys that were never shared with the bank should be avoided.
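
The check this issue asks for, sketched as an added example; it is not part of the tracker thread and not libeufin's own code. Every name in it (`KeyState`, `Order`, `Subscriber`, `requireKeysAccepted`) is hypothetical, and it assumes the caller records for each subscriber whether the keys submitted via INI and HIA were sent and whether the bank accepted them.

```kotlin
// Added illustration: all names below are hypothetical, not libeufin's API.

enum class KeyState { NOT_SENT, SENT, ACCEPTED }

// INI and HIA are what deliver the keys to the bank, so they cannot depend on
// prior acceptance. HPB and later orders are signed with those keys.
enum class Order(val usesSubscriberKeys: Boolean) {
    INI(false), HIA(false), HPB(true), OTHER_SIGNED(true)
}

// Assumption: the caller persists one state per key-submission order.
data class Subscriber(val ini: KeyState, val hia: KeyState)

class KeysNotAcceptedException(message: String) : IllegalStateException(message)

// Returns normally when the order may be built. Otherwise throws with the
// concrete local cause, instead of letting the bank answer "signature invalid".
fun requireKeysAccepted(sub: Subscriber, order: Order) {
    if (!order.usesSubscriberKeys) return
    val pending = listOf("INI" to sub.ini, "HIA" to sub.hia)
        .filter { it.second != KeyState.ACCEPTED }
    if (pending.isEmpty()) return
    val detail = pending.joinToString { (name, state) ->
        when (state) {
            KeyState.NOT_SENT -> "keys for $name were never sent to the bank"
            KeyState.SENT -> "keys for $name were sent but not yet accepted"
            KeyState.ACCEPTED -> error("unreachable: filtered out above")
        }
    }
    throw KeysNotAcceptedException("refusing to build signed $order request: $detail")
}

fun main() {
    // Constructed sample states, not taken from a real subscriber.
    val cases = listOf(
        Subscriber(KeyState.NOT_SENT, KeyState.NOT_SENT),
        Subscriber(KeyState.ACCEPTED, KeyState.SENT),
        Subscriber(KeyState.ACCEPTED, KeyState.ACCEPTED),
    )
    for (sub in cases) for (order in listOf(Order.INI, Order.HPB)) {
        val verdict = try {
            requireKeysAccepted(sub, order); "allowed"
        } catch (e: KeysNotAcceptedException) { e.message }
        println("$sub $order -> $verdict")
    }
}
```

A guard of this shape would run at the top of whatever builds a signed message, so the failure is reported locally with its cause before anything is sent.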

Issue History

Date Modified Username Field Change
2019-11-18 19:28 Marcello Stanisci New Issue
2020-05-15 19:19 Marcello Stanisci Note Added: 0015917
2020-05-15 19:19 Marcello Stanisci Assigned To => Marcello Stanisci
2020-05-15 19:19 Marcello Stanisci Status new => feedback
2020-11-10 12:07 MS Target Version => 0.9.2
2020-11-10 16:26 MS Target Version 0.9.2 => 0.9.3
2023-04-11 11:14 MS Note Added: 0020067
2023-04-11 11:22 MS Note Edited: 0020067
2023-04-11 11:24 MS Status feedback => assigned
2023-04-11 11:25 MS Status assigned => acknowledged
2023-04-13 20:26 Florian Dold Project libeufin => Taler
2023-04-13 20:26 Florian Dold Category nexus => General
2023-04-13 21:31 Florian Dold Category General => libeufin-nexus