French bank and certificates
The bank gave me the userId and partnerId and other settings, along with 3 certificates for A005, E002 and X002 and 2 others for the bank. They are marked like CERTIFICATE. They sent them in 2 PDF files, very useful, I love French banks… anyway…😊, I will ask for .pem or .crt files
Their doc is not clear. One PDF file says "the client must send public key to ebics server"; I think they sent these in the PDF file, and another PDF says EBICS T, certificate auto-generated (by the bank, I presume)
How can I use these certificates with your library, please? Do I have to use setBankSignature or setUserSignature on $keyring? But doing so, I need private keys that I don't have.
Thanks
This seems weird. As far as I have (small) experience, you should get only two fingerprints (of E002 and X002) from the bank, but not three and not certificates. They just want to make you sure that later you really communicate with them. Then you should generate (or maybe buy somewhere) your own three certificates (A005, E002 and X002) and send them the public keys of these certificates. (With some letter meaning "these three certificates are really mine.")
(Don't those three certificates you got from them have private keys? Can't that be some certificates generated especially for you?)
First extract private key + certificate.
Then use it like here https://github.com/ebics-api/ebics-client-php/blob/2.x/tests/EbicsClientV30Test.php#L76
problem solved, the bank gave me the wrong userId for the partnerId. You can close it
Thanks
> First extract private key + certificate.
> Then use it like here https://github.com/ebics-api/ebics-client-php/blob/2.x/tests/EbicsClientV30Test.php#L76

I got exactly the same issue, I only have some CERTIFICATE but setting up manually like you suggest doesn't work. What's the best way to include those CERTIFICATES?
Best regards!
You have to generate them on your side as asked in the documentation (in France banks use client auto-generated certificates). Then the INI and HIA commands send them to the bank. If OK, edit and send the bank letter too. The bank has to validate the certificates (I called the contact at the bank and he validated them live). At the end, send HPB to get the bank certificates and the whole init phase is done. If your EBICS flow is already used by another app, you have to get the initiated keyring file with the same certificates. I did something like this in an init function:
```php
// Bank information
$hostId = $_SERVER['EBICS_HOST_ID'] ?? null;
$hostURL = $_SERVER['EBICS_HOST_URL'] ?? null;
$partnerId = $_SERVER['EBICS_PARTNER_ID'] ?? null;
$userId = $_SERVER['EBICS_USER_ID'] ?? null;
$ebicsVersion = Keyring::VERSION_25;
$rootPath = dirname(__DIR__, 2);

// Password protecting your keyring
$keyringPassword = "";

$user = new User($partnerId, $userId);
$bank = new Bank($hostId, $hostURL);
$bank->setCountryCode('FR');

// Initialise the keyring manager
$this->keyringPath = $rootPath . '/security/ebics/keyring.json';
$this->keyringManager = new FileKeyringManager();
if (file_exists($this->keyringPath)) {
    $this->keyring = $this->keyringManager->loadKeyring($this->keyringPath, $keyringPassword, $ebicsVersion);
} else {
    $this->keyring = $this->keyringManager->createKeyring($ebicsVersion);
    $this->keyring->setPassword($keyringPassword);
}

$certificateGenerator = (new BankX509Generator());
$certificateGenerator->setCertificateOptionsByBank($bank);
$this->keyring->setCertificateGenerator($certificateGenerator);

$this->client = new EbicsClient($bank, $user, $this->keyring);
if (!is_file($this->keyringPath)) {
    $this->client->createUserSignatures(SignatureInterface::A_VERSION5);
    $this->keyringManager->saveKeyring($this->client->getKeyring(), $this->keyringPath);
}
```
Then call client->INI etc... My bank uses EBICS T 2.5, hope this helps :)
OK, thank you for the code provided, I got exactly the same but still have issues.
INI request failed. EBICS Error code : 091216 Message : [EBICS_OK] OK Meaning : The basic constraints are not valid when determining certificate verification.
I don't understand your point here:

> You have to generate them on your side as asked in the documentation

The lib actually already generates some private keys, public keys and certificates, at the line `$this->client->createUserSignatures(SignatureInterface::A_VERSION5);` so, should I use the bank certificate here directly? If I have to generate some myself, what algo should I use?
Thanks!
For your information, I implemented it as a service like this:
```php
/**
 * Create a new EbicsService instance.
 */
public function __construct(
    string $hostUrl,
    string $hostId,
    string $partnerId,
    string $userId,
    string $keysPath
) {
    $this->keysPath = $keysPath;
    $this->keyringManager = new FileKeyringManager();
    $user = new User($partnerId, $userId);
    $bank = new Bank($hostId, $hostUrl);

    // Load keyring if exists
    if (is_file($this->keysPath)) {
        $this->keyring = $this->keyringManager->loadKeyring($this->keysPath, "XXXXXX", config('ebics.version'));
    } else {
        $this->keyring = $this->keyringManager->createKeyring(config('ebics.version'));
        $this->keyring->setPassword('XXXXXX');
    }

    $certificateGenerator = (new BankX509Generator());
    $certificateGenerator->setCertificateOptionsByBank($bank);
    $this->keyring->setCertificateGenerator($certificateGenerator);

    $this->client = new EbicsClient($bank, $user, $this->keyring);
    if (!is_file($this->keysPath)) {
        $this->client->createUserSignatures(SignatureInterface::A_VERSION5);
        $this->keyringManager->saveKeyring($this->client->getKeyring(), $this->keysPath);
    }
}
```
Then
```php
public function initialize()
{
    try {
        $this->client->INI();
        $this->keyringManager->saveKeyring($this->keyring, $this->keysPath);
    } catch (EbicsResponseExceptionInterface $exception) {
        echo sprintf(
            "INI request failed. EBICS Error code : %s\nMeaning : %s",
            $exception->getResponseCode(),
            $exception->getMeaning()
        );
    }
}
```
You don't need the bank's certificates; the bank sends them to you via the HPB command after the client certificates have been validated on their side. Here you are stuck on initialising your certificates and above all on sending them to the bank. Delete the generated keyring file, set the EBICS version to 2.5; I didn't put a password on the keyring either. Make sure the partnerId and userId go together. Once INI has been run correctly, I don't know whether it can be sent again. Once INI and HIA are OK, it is up to the bank to validate the certificates.
Hi,
Thanks for your reply. I have to admit it's still not working, and it seems to be related to `509InvalidBasicConstraintsException`. However, I don't quite understand why: despite my tests and modifications to the library, it's still not working, and I keep getting error 091216.
My bank only supports version 2.4 or 3.0, not 2.5.
I feel like I have tested every solution...
Thank you!
Are they really using A005? There is also A006, I believe.
Yes, I called them to get information about the versions (they didn't really know), but I get a version error when I set A006 or 2.5, so I imagine that part at least is done right.
Solved for my case on https://github.com/ebics-api/ebics-client-php/issues/215
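
Two questions recur in this thread: error 091216 about basic constraints, and certificates received without private keys. The following inspects a PEM certificate for both with the OpenSSL command line. It is an added example, not code from any participant or from ebics-client-php; the file names and the sample certificate are constructed, and which basicConstraints value a given bank accepts, or what its printed fingerprint is computed over, is not stated in this thread.

```shell
#!/bin/sh
# Added example. File names and the sample certificate are constructed.

# make_sample_cert DIR CONSTRAINTS: self-signed cert + key written to DIR
make_sample_cert() {
cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = sample-a005.example
[ext]
basicConstraints = $2
keyUsage = critical, digitalSignature, nonRepudiation
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
        -keyout "$1/user.key" -out "$1/user.crt" 2>/dev/null
}

# basic_constraints CERT: prints e.g. "CA:FALSE", or "(absent)"
basic_constraints() {
    bc=$(openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | tail -n 1 | sed 's/^ *//')
    echo "${bc:-(absent)}"
}

# fingerprint CERT: SHA-256 over the DER-encoded certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# key_matches CERT KEY: true only if KEY is the private key behind CERT
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# Demo on a constructed certificate
dir=$(mktemp -d)
make_sample_cert "$dir" "critical, CA:FALSE"
echo "basicConstraints: $(basic_constraints "$dir/user.crt")"
echo "sha256:           $(fingerprint "$dir/user.crt")"
key_matches "$dir/user.crt" "$dir/user.key" && echo "private key matches"
rm -rf "$dir"
```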