For the e-webshops site I run I started implementing iDEAL because we have a lot customers in the Netherlands. iDEAL is a standard used in the Netherlands to do online payments.
We needed to open a bank account for that in the Netherlands, so we did that with ING in October. It first took them a month to reject us, stating we needed to register our company in Belgium. Of course we're already registered, we couldn't be in business in the first place if we weren't. After pointing them to the government website it seems to have sorted itself out a few days later.
So once we were approved I could actually start to test the software for iDEAL. It uses XML sig which I think is a horrible standard. Once I started testing it I directly ran into a problem. They give me an error back saying that the signature wasn't valid. So I contacted them about 2 weeks ago and have yet to get answer back that's useful.So far it went like this:
- I gave them a full explanation on how they could manually check this using openssl. I showed them the canonical versions of all the XML parts, and how to check that it's valid. I showed the fingerprint of my certificate and how that was the same as on the website.
- They replied saying that I either didn't upload a certificate or that it was expired, or that I did something else weird I didn't even understand.
- I found that the ideal standard says there is a limit of 5 years for certificates while their documentation says to generate one for 10 years. So I uploaded a new certificate but that didn't help, and said so.
- They replied back that my self-signed signature should have been one using sha256 and not sha1. This makes little sense for a self-signed certificate. The iDEAL standard does say that the signature needs to use at least sha256 in case you don't use a self-signed certificate though.
- So I mailed them back saying I created a new certificate with a sha256WithRSAEncryption signature algorithm, but that I still have the same problem.
- They mail me back saying I have an invalid certificate and that I should read the manual and they can't help me. They give no indication on exactly was is invalid about the certificate, just that it's invalid.
- So I say that I follow all requirements of the standard and used the commands they provided.
- They reply back that they checked the logs and that we're using the old version and that we should switch to the new version of iDEAL. Of course I'm using the new version and am sending this to the correct URL.
- They provide software (no license mentioned) in php, java and .NET. But that's of course is not integrated in anything, it's just the library to do the calls. So I tried the php version and send a request using the same certificate and actually do get a reply back now. Both my version and the php generated version properly verify.
So I'm now back to step 1.