RSSBUS partner test #12
Comments
|
You are talking about sending or receiving an AS2 message? |
|
Wow fast response 👍 I sent the message from RSSBUS and the exception is thrown when receiving it (verifying the signature on the message). The test file is not private. It is created by RSSBUS, and I have uploaded it here with extension PNG as that is required by GitHub apparently:
And the AS2 message that is created by RSSBUS for this content is:
|
|
I could be more clear here I think. When sending a signed message from RSSBUS to openas2 server, the problem occurs when verifying signature. For this one I attached the test file. When sending an unsigned message from RSSBUS to openas2 server and requesting a signed MDN, the problem occurs when RSSBUS verifies the signature on the response MDN. So I was describing two different scenarios in my previous post. |
|
So this is the test request - just for improved clarity: |
|
Yes and please note that the test request (content) uses LF to end a line. The problem was reproducible with a simple 1 line test file that had one LF in it (instead of CRLF) when sent as as2 message with signature from RSSBUS.
|
|
I think the problem is something else, but I'm just investigating. Give me 2 more minutes :) |
|
My thought was, that if the signature contains a certificate, that this certificate is potentially the wrong one and therefore the verification fails. But that was not the case. |
|
No matter whether the certificate from the MIME body part or the certificate from the partnership is used, I get an error. If you
|
|
And for sending your may include |
|
I get the same exception with both the attributes enabled. |
|
Now it gets difficult. Do you know what kind of certificate RSSBUS is using to send signed messages? Is an encrypted test message contained? Does the decryption work? |
|
I have configured RSSBUS as partner OpenAS2B and uploaded certs.p12 as private key and uploaded OpenAS_B.cer as public certificate. Encryption and decryption works for all test messages. I am not so sure the headers are the issue. Uploading the same test file but with carriage returns added, results in a matching MIC for that particular test file. However taking one of the test files that processes correctly and changing the CRLFs in LFs result in the same MIC mismatch exception. (all content changes done before RSSBUS creates as2 message and calculating digest of course). I will be going home soonish, so I will be happy to read any new comments tomorrow. |
|
This is my spare time too :) Don't expect too much ;-) |
|
So do I understand you correctly: RSSBUS seems to create the signature and MIC with "CRLF" (\r\n) characters, but the transmission happens wit "LF" (\n) characters only and that's why the mismatch occurs? Is that what you are trying to say? |
|
It seems that RSSBUS calculates a different hash than as2lib when the content has LF (\n) opposed to CRLF (\r\n). From: Philip Helger [mailto:notifications@github.com] So do I understand you correctly: RSSBUS seems to create the signature and MIC with "CRLF" (\r\n) characters, but the transmission happens wit "LF" (\n) characters only and that's why the mismatch occurs? Is that what you are trying to say? — |
|
I stumbled upon this issue which I think relates to the same problem: |
|
|
|
Take all the time you need ☺ I am very glad you are so invested in your product! I created a few junit tests concerning the problematic test messages in attached zip. Perhaps they can be of use. Kind regards, |
|
Okay so here's my update: the MIC calculation should now honor the line ending canonicalization (if the content transfer encoding is not binary). @mhofland: ZIP? what ZIP? |
|
Please check the example mentioned in the previous commit. I managed to get the verification done by handling the line endings correctly - see the overlong string. Requires both components to be 2.2.3-SNAPSHOT |
|
I tried your test, but it fails for me on identifying the sender. For some reason it does not get the first header across (AS2-To), so it responds with processed/Error:authentication-failed If I duplicate that first header it continues, but ends up with the verification error again: processed/Error:integrity-check-failed Did I do something wrong and did you get it verified? |
|
Yep sorry - my mistake. I forgot the HTTP status line. Current version has it, and validation still fails. |
|
I configured RSSBUS as partner OpenAS2B and uploaded certs.p12 as private certificate. From: Philip Helger [mailto:notifications@github.com] Yep sorry - my mistake. I forgot the HTTP status line. Current version has it, and validation still fails. — |
|
I tried several variants in the example, but can't get it working :( It's strange because the decryption works. So potentially there is some othe kind of canonicalization going on??? |
|
Hi. I haven't followed every part of discussion. Anyway I have before struggled against one implementation which didn't write content encoding for actual message. In bouncy castle (smime) this kind of message is not understood as binary by default, but in as2 specification it is defined that if encoding is missing default encoding should be assumed as binary. In BCCryptoHelper I had to make following change to get signature verification to work: So if this doesn't make sense in this case just omit it. Just wanted to share if it helps. |
|
You are my hero! Thanks for pointing out that difference!!! It solved the problem! |
|
The junit tests are now successful, so it succeeds in verifying the message. So many thanks to both of you! 👍 FAILURE: The Message Integrity Check returned by the server is incorrect. Expected: at/9v/j0Bth6KTBNxkUmv1xHhOo=; Received : nNEzTj34B9XDL07aBLQV9lHHZmQ= Is it possible that the fix is not applied to calculating MIC for MDN creation or is there still a difference in message digest calculation? |
|
Just to confirm that this is not a RSSBUS issue, I configured RSSBUS to send the same message to another Drummond certified product my company has access to, called XFB Gateway. And it calculates the same MIC as RSSBUS: (Received-content-MIC: at/9v/j0Bth6KTBNxkUmv1xHhOo=, sha1) So I am assuming that that is the correct MIC. |
|
I got it to match MIC by disabling the code that creates a CRLFOutputStream in BCCryptoHelper.
I am not sure of the implications, but the default test files from RSSBUS are processing correctly now. (calculate the same MIC) |
|
Thanks for testing. This was one thing I added yesterday because I though the stuff for the MIC must also be canonicalized, but it must not. So basically your suggested fixed is exactly what I did. Can we therefore close the issue? |
|
Thank you for all the hard work! kind regards, |
|
Thanks for confirming that it works. Seems like I can create a release 2.2.3 now :) |
|
I see this issue fixed some time back. But I still get this error when running against RSSBus |
|
Hi. Please try the latest 4.4.0 version. I finally found the issue that caused the MIC mismatch when using Base64 encoding. |
|
Thanks.. I will test it with 4.4.0 and will let you know.. |
|
this is what I was doing to read the http payload I see this method 'isHTTPHelper.readHttpPayload()' no longer exists in the new version. May I know what is the alternative for getting the DataSource. I tried this: But that gives java.io.IOException: Invalid HTTP Request (0� *�H� |
|
Unfortunately upgrading to 4.4.0 didn't work.. |
|
Okay. Thanks for checking. Than I need the following information:
|
|
Thanks for looking into it. Please let me know if there is any more info I can provide you on this.
|
|
Are these |
|
Thanks Philip. In AS2ReceiverHandler#handleIncomingMessage(), aMsg gets some value populated, but the above aMsg.partnership algorithm values are not set. So bIncludeHeadersInMIC = false. If I explicitly set this value to true, its working fine.. I can see AS2ReceiverHandler.verify() method setting Is this something that can be fixed in the library itself? |
|
Congratulations on finding it. I will see, if I find a way to determine the used algorithms. This is hidden somewhere in BouncyCastle atm. |
|
I understand that if message is signed, headers must be included in MIC calculation. However, the verification on if the message is signed or not is happening down in the code AS2ReceiverHandler#handleIncomingMessage().verify(). and aMsg attr() is updated with would it be safe to extend bIncludeHeadersInMIC to the following (one last check on isSigned) before calling calculateMIC() final boolean bIncludeHeadersInMIC = aMsg.partnership ().getSigningAlgorithm () != null || |
|
Thanks Philip for all the help. Really appreciate your prompt replies. |
|
Glad it worked. Nevertheless I recommend you to switch to v4.4.0 because it fixes an issue with MIC calculation if Base64 CTE is used. |
Hello Philip,
first of, great work on this project!
I hope you can help me with a problem I encountered.
I have been testing your library against another AS2 product called RSSBUS. This product comes default with 4 test files of which 1 causes a "org.bouncycastle.cms.CMSSignerDigestMismatchException: message-digest attribute value does not match calculated value" authentication error every time. The other 3 default test files are processed fine.
I reproduced the issue in your latest standalone server version (2.2.3-SNAPSHOT) and used the default (certs.p12) certificates for the test. It seems that any uploaded test file that has linefeeds without carriage returns causes this exception.
I am running as2-server in an IDE on Windows.
Any help would be appreciated.
Kind regards,
Martijn
The text was updated successfully, but these errors were encountered: