
How to use 3skey token?

Open abdelmajidhafidi opened this issue 2 years ago • 13 comments

Hello,

To use EBICS TS with a French bank, they send a USB token for SWIFT 3skey's certificate.

Can anyone please help me to understand how I can use this certificate with the code?

Thanks.

abdelmajidhafidi avatar Sep 20 '23 15:09 abdelmajidhafidi

Hi, I think you need to add this key in certificate generation. But I am not sure that the library supports that. Or you may already have a certificate in your 3SKey storage that needs to be used instead of generating a new one.

andrew-svirin avatar Sep 20 '23 18:09 andrew-svirin

Hello @andrew-svirin, I'm sorry for my late reply. I exported the certificate that is on 3SKey storage and tried to use it as the signing certificate for the INI request, but I get an error when I call it: Error Code: 091214 - EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY

I found this recommended measure for this error:

If OrderType = INI, PUB or HCS and X509v3 supported:
Rejection of the Request is mandatory, if signature class <> “T”
If OrderType = FUL and X509v3 supported:
Rejection of the Request is mandatory, if OrderAttributes = “OZHNN”

I used an INI request to get this error, so it means the signature class is not T, but I don't understand what that means.

abdelmajidhafidi avatar Oct 24 '23 11:10 abdelmajidhafidi

Hello @abdelmajidhafidi. Interesting error EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY, never seen it. You can check what is in the authority when you use it with the INI request.

andrew-svirin avatar Oct 24 '23 15:10 andrew-svirin

Hello @andrew-svirin, I found out that I got the error "EBICS_X509_UNKNOWN_CERTIFICATE_AUTHORITY" because the certificate I exported from the USB token was not yet activated on the "3skey" website. Now, after activating it and exporting it again, I executed the INI command and the HIA command without getting any errors, and now I'm waiting to see if the bank will validate the certificates or not, because there is some problem with the contract we signed with them. I will inform you if there is any news.

abdelmajidhafidi avatar Nov 02 '23 08:11 abdelmajidhafidi

Hello @andrew-svirin, the keys have been validated by the bank, but unfortunately we cannot use the "BTU" command because we need the private key of the signature certificate and we don't have it, since we can't export it from the USB token, and now we are stuck.

abdelmajidhafidi avatar Nov 16 '23 14:11 abdelmajidhafidi

Hello @abdelmajidhafidi Do you have all values in keyring like this? https://github.com/andrew-svirin/ebics-client-php/blob/2.x/tests/_data/workspace/keyring_1.json

andrew-svirin avatar Nov 16 '23 14:11 andrew-svirin

> Hello @abdelmajidhafidi Do you have all values in keyring like this? https://github.com/andrew-svirin/ebics-client-php/blob/2.x/tests/_data/workspace/keyring_1.json

No, for the signature (USER->A) we have the certificate because we can export it from the USB token, and we can also extract the public key from the certificate, but we don't have the private key and we can't export it.

abdelmajidhafidi avatar Nov 16 '23 17:11 abdelmajidhafidi

@abdelmajidhafidi If there is a PK in 3SKey, then there should be some interface to use it to encrypt data.

andrew-svirin avatar Nov 16 '23 19:11 andrew-svirin

@andrew-svirin The private key is stored in the USB token, but we can't export it (as 3Skey Support told us) to put it in the JSON file.

abdelmajidhafidi avatar Nov 20 '23 11:11 abdelmajidhafidi

Does 3Skey support encrypting with the private key?

andrew-svirin avatar Nov 20 '23 11:11 andrew-svirin

> Does 3Skey support encrypting with the private key?

Sorry, I don't understand what you mean.

abdelmajidhafidi avatar Nov 23 '23 14:11 abdelmajidhafidi

https://github.com/andrew-svirin/ebics-client-php/blob/7e86066d41236bc8ddad3ed22a6eb634df4b4419/src/Services/CryptService.php#L123 Here it uses the private key for encryption. So if it is possible to have that with 3Skey, then it is possible to adopt it for the library.

andrew-svirin avatar Nov 23 '23 15:11 andrew-svirin

I don't know, because I haven't yet found a way to encrypt or sign directly with the USB token using PHP. By the way, the USB token is a "Token 5110" model.

abdelmajidhafidi avatar Nov 27 '23 09:11 abdelmajidhafidi