HegeErdal
commented
1 year ago We experience the same issue, and is currently a blocker for updating to oxalis 5.5.0
Closed post-svejk closed 3 weeks ago
HegeErdal
commented
1 year ago We experience the same issue, and is currently a blocker for updating to oxalis 5.5.0
aaron-kumar
commented
1 year ago Peppol AS4 specification is based on CEF eDelivery AS4 profile - 1.14. Section 3.2.6 in this specification recommend that Signature Algorithm MUST be set to http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 (which we set in OxalisAlgorithmSuiteLoader).
SMP Specification at page#24, line 486/487 says that Signature Method MUST be http://www.w3.org/2000/09/xmldsig#rsa-sha1. Every SMP service provider MUST adhere to these specification until OpenPeppol make required changes in specification to allow both SHA1 and SHA256. Peppol AP software like Oxalis also use these specifications for lookup. Java 17 disabled SHA1 algorithm by default : https://bugs.openjdk.java.net/browse/JDK-8261246 which made it difficult to support OpenPeppol specification with latest java runtime e.g. Java 17. Because of above mentioned constraints we are Not moving ahead with Oxalis Java 17 upgrade until OpenPeppol make required adjustment in specification. Though there is Oxalis plan to support Java 11 LTS in near future.
Now after said that in order to clearly understand your problem, can you please clarify whether Oxalis 5.4.0 was working fine with Java 17 and Oxalis 5.5.0 stopped working? @post-svejk , @HegeErdal? At least, from the description of the problem, it look like Oxalis 5.4.0 was working fine with Java 17. Though as of now, we don't have tests & plan to test Oxalis releases with Java 17.
P.S: It is found that Oxalis 5.5.0 is working fine with Java 8 (supported Java version). Please report if this is Not the case for you.
post-svejk
commented
1 year ago ...
Now after said that in order to clearly understand your problem, can you please clarify whether Oxalis 5.4.0 was working fine with Java 17 and Oxalis 5.5.0 stopped working? @post-svejk , @HegeErdal? At least, from the description of the problem, it look like Oxalis 5.4.0 was working fine with Java 17. Though as of now, we don't have tests & plan to test every new Oxalis releases with Java 17.
P.S: It is found that Oxalis 5.5.0 is working fine with Java 8 (supported Java version). Please report if this is Not the case for you.
Yes, Oxalis 5.4.0 works fine on Java 17 for us. But it has vulnerabilities in CXF and WSS4J. It seems there is something in the newer versions of CXF or WSS4J that triggered the algorithm signature error.
aaron-kumar
commented
1 year ago It's WSS4J (xmlsec).
Oxalis 5.4.0 use WSS4J version 2.2.7 which in turn use xmlsec version 2.1.7. Oxalis 5.5.0 use WSS4J version 2.4.1 which in turn use xmlsec version 2.3.0.
If you can check xmlsec release note, Apache XML Security for Java 2.3.0 mention [SANTUARIO-574] - Enable secure validation by default - commit : https://github.com/apache/santuario-xml-security-java/commit/bf85dbe923b156d605033abdf7807c3752e913f4
Can you try if excluding & downgrading xmlsec version work for you?
HegeErdal
commented
1 year ago Only downgrading xmlsec don't work (get an error with wss4j). If I also downgrade wss4j, I get this error:
Caused by: java.lang.NoSuchMethodError: 'void org.apache.wss4j.policy.model.AlgorithmSuite$AlgorithmSuiteType.setAsymmetricSignature(java.lang.String)' fiks-peppol-aksesspunkt-peppol-service-1 | at network.oxalis.as4.util.OxalisAlgorithmSuiteLoader$OxalisAlgorithmSuite.parseCustomAssertion(OxalisAlgorithmSuiteLoader.java:140)
So this doesn't work unfortunately
post-svejk
commented
1 year ago Only downgrading xmlsec don't work (get an error with wss4j). If I also downgrade wss4j, I get this error:
Caused by: java.lang.NoSuchMethodError: 'void org.apache.wss4j.policy.model.AlgorithmSuite$AlgorithmSuiteType.setAsymmetricSignature(java.lang.String)' fiks-peppol-aksesspunkt-peppol-service-1 | at network.oxalis.as4.util.OxalisAlgorithmSuiteLoader$OxalisAlgorithmSuite.parseCustomAssertion(OxalisAlgorithmSuiteLoader.java:140)
So this doesn't work unfortunately
I get similar results.
dladlk
commented
1 year ago Please take a look at
maybe it helps.
HegeErdal
commented
7 months ago @aaron-kumar Hi! I just looked at the newest SMP-specification (from june 2023), and I see here that the required signature method has been changed to SHA-256. I guess this means that the signature method in Oxalis should be changed accordingly so we don't have this problem anymore?
Edit: I also see from the (implementation guideline that this has to be implemented by June 1st, and that the receiving AP should have implemented this from December 1st.
dladlk
commented
7 months ago Algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 is blocked not by Oxalis, but by Java since something like v.17.
Until 01.06.2024, in order to run on new Java versions starting from 17, you should manually modify java.security on your AP which makes SMP lookup to be able to trust SHA1 signed SMP responses, by deleting lines:
disallowAlg http://www.w3.org/2000/09/xmldsig#sha1,\
disallowAlg http://www.w3.org/2000/09/xmldsig#rsa-sha1,\on jdk.xml.dsig.secureValidationPolicy property.
Since 01.06.2024 you should return them back.
HegeErdal
commented
7 months ago Sure, I understand that I have to include these algorithms again in order to make Oxalis run with java17+ and WSS4J version 2.2.7. It was my understanding that the signature method SHA-1 is used/implemented in Oxalis due to Peppol-specifications, and that this couldn't be changed untill Peppol decided otherwise. However, the links I provided over says that Peppol now wants to change away from SHA1 and start using SHA256, with final date June 1st, but the migration policy says that we can already start implementing it now. Thus, my question is more related to the timelife of implementing this in Oxalis. Is there a plan to change to SHA-256 so that we don't have to change our local code to allow/start using SHA-1? I'm guessing this is not happening automatically, but is a code-change required in Oxalis itself?
dladlk
commented
7 months ago Oxalis does not limit SHA1 or SHA256 - it is Java core limitation. And there is no possible switch from SHA1 to SHA256, because it is SMP response whose digest is calculated by SHA1... So there is no need in any code change for Oxalis, as it is Access Point. There is a need in code change of SMP instances to fully switch to SHA256 since June 2024.
HegeErdal
commented
7 months ago Ah, ok, then I understand! So I should ask our SMP-provider if they plan to do the change before June 1st, and not Oxalis. Thank you for the quick reply!
When sending with
oxalis-outboundon Java 17 most (if not all) attempts run into:As far as I understand, this is caused by the receiving access point having the problematic algorithm configured in the metadata. There may be a workaround in using JDKs older than 17, as the change to forbid the algorithm seems to have arisen there: https://bugs.openjdk.org/browse/JDK-8261246
Is it possible to allow the old algorithm to coexist with the updated one in
OxalisAlgorithmSuiteLoader, at least in an interim period? So that oxalis-outbound can work with both older and newer Oxalis endpoints (assuming that the algorithm change propagates the SML metadata)?