Unable to construct the xenc:EncryptedKey element despite using KeyTransport and its child elements

[ilicalex]

Following ENTSOG AS4 profile, I must encrypt the payload (XML attachment). Based on P-Mode documentation (http://holodeck-b2b.org/documentation/p-mode-schema/): “Element tns:EncryptionConfiguration / tns:KeyTransport This OPTIONAL element contains the settings to add the key transport information to the WS-Security header, i.e. to construct the xenc:EncryptedKey element. NOTE: If this element is included in the P-Mode it SHOULD contain at least one child element.” Instead of full XML structure I end up without the second half of the XML structure (xenc:EncryptedKey and xenc:EncryptedData):

Used P-Mode part: `

PartnerA

<Role>ZSO</Role>                
<SecurityConfiguration>
     <Signing>
        <KeystoreAlias password="12345678">testCertPrivate</KeystoreAlias>
        <KeyReferenceMethod>KeyIdentifier</KeyReferenceMethod>
    </Signing>          
    <Encryption>                
        <KeystoreAlias>testCertPublic</KeystoreAlias>               
        <Algorithm>http://www.w3.org/2009/xmlenc11#aes128-gcm</Algorithm>
        <KeyTransport>                    
            <Algorithm>http://www.w3.org/2009/xmlenc11#rsa-oaep</Algorithm>
            <MGFAlgorithm>http://www.w3.org/2009/xmlenc11#mgf1sha256</MGFAlgorithm>
            <DigestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</DigestAlgorithm>
            <KeyReferenceMethod>KeyIdentifier</KeyReferenceMethod>
         </KeyTransport>                
    </Encryption>           
</SecurityConfiguration>            

`

[sfieten]

Dear @ilicalex, can you please be more specific of the issue you're experiencing as it is not clear to me? The included XML extract does not seem from a AS4 message generated by Holodeck B2B...

[ilicalex]

Dear Mr. Sander Fieten,

Steps to reproduce the problem:

1. Set P-Mode on both sides to send/receive attachment, which is gzipped and encrypted.

Sender: ex-pm-push-init.xml, receiver: plinovodi.xml

2. Digitally sign the whole message

I used the same certificate, but I used public key part to encrypt attachment and private key part to sign the message on sender side. On receiver side, I used public key to check signature and private key to decrypt the content.

3. Renamed the file in msg_out folder (simple wrapper) for simple xml payload to .mmd. I used WireShark to capture SOAP request on the receiver side. The message was delivered and I was able to see the TEST XML content as payload on the receiver side. However, captured SOAP was unexpected. Check the soap part in attached wireshark text. I was hoping to get XML (SOAP request) which has xenc:EncryptedKey part in wsse:security SOAP structure as stated in the documentation.

The actual cause of the problem was my intention to set P-Mode correctly on receiver side. I captured partner’s SOAP request with wireshark (plinovodi-SOAP.txt contains security part only) and used my infrastructure (holodeckb2b on both sides) to simulate partner’s request. However I am unable to produce partner’s xenc:EncryptedKey part in wsse:security SOAP structure.

Best regards!

POST /msh HTTP/1.1 Content-Type: multipart/related; boundary="MIMEBoundary_01a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4"; type="application/soap+xml"; start="0.31a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4@apache.org" User-Agent: HolodeckB2B/2.1 Host: geniljas401:9090 Content-Length: 5195

--MIMEBoundary_01a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4 Content-Type: application/soap+xml; charset=UTF-8 Content-Transfer-Encoding: binary Content-ID: 0.31a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4@apache.org

<?xml version='1.0' encoding='UTF-8'?></ds:CanonicalizationMethod></ds:Transform></ds:Transforms>VwpgCysiwee49MYUVD1446a+PPJ4ldGsuLtSM3gDcKM=</ds:DigestValue></ds:Reference></ds:Transform></ds:Transforms>TCJJRn649nvziZyz6pw/KKOMiRn2+N+rr78i9JlolBg=</ds:DigestValue></ds:Reference></ds:Transforms>KyZnidR8OkDdCLavLK1VR9c2oyZy9kIjvPfFyuz6ND4=</ds:DigestValue></ds:Reference></ds:SignedInfo>LWYnLVvdCR/oY8WuZZM5iDCBYaWX+hQ05hn+nBKFOzqmX3iOHUdOm7w4pT/P7IO5+0xukQo/drmQqCfAcm/DSKRxm22z4xGRAk3EPskJ+V/m0zfgbgDNDe2EBEJggoEcCJEzAjtrl7RKej0vBn/aMuD6/vFeDEagGL3rsSQ8x5XXfqdhkRlGAUkMa9xg5VQKZUb+BnGcvBhYEGOI5dH5awK47xU9W4sb2IluiK24O2PvX1PEvdYwxgVrPtb5nXl8OSAwFNoDHjUusNWJ39PhL6FlWmQ/wOc9jcNX66Q+ugcRhn50l+eGRLR1qgRh83jlxGDQzQbzKYR4cqlskHPnoA==</ds:SignatureValue>Tb0qJJsYffM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security>eb3:UserMessage><eb3:MessageInfo><eb3:Timestamp>2017-06-14T08:24:19.102Z</eb3:Timestamp><eb3:MessageId>75d8cc63-43fb-488a-b6ff-e1d5ebd61248@GENISIDT526.CORP.IGES.SI</eb3:MessageId</eb3:MessageInfo>21X-SI-A-A0A0A-8</eb3:PartyId>ZSO</eb3:Role></eb3:From>11XIGET--------D</eb3:PartyId>ZSH</eb3:Role></eb3:To></eb3:PartyInfo>http://entsog.eu/communication/agreements/21X-SI-A-A0A0A-8/11XIGET--------D/1</eb3:AgreementRef>Examples</eb3:Service>A06</eb3:Action>org:holodeckb2b:test:conversation</eb3:ConversationId></eb3:CollaborationInfo>application/gzip</eb3:Property>text/xml</eb3:Property></eb3:PartProperties></eb3:PartInfo></eb3:PayloadInfo></eb3:UserMessage></eb3:Messaging></soapenv:Header></soapenv:Envelope> --MIMEBoundary_01a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4 Content-Type: application/gzip Content-Transfer-Encoding: binary Content-ID: 75d8cc63-43fb-488a-b6ff-e1d5ebd6124-45007252@GENISIDT526.CORP.IGES.SI

...........I.I..I-......../..... --MIMEBoundary_01a7ae05ba6da9f4b06102888a8109f8fee1ea4a324462e4-- HTTP/1.1 200 OK Server: HolodeckB2B/2.1 Date: Wed, 14 Jun 2017 08:24:26 GMT Transfer-Encoding: chunked Content-Type: application/soap+xml; charset=UTF-8; action="urn:ReceiveResponse"

9d6 <?xml version='1.0' encoding='UTF-8'?>eb3:SignalMessage><eb3:MessageInfo><eb3:Timestamp>2017-06-14T08:24:26.629Z</eb3:Timestamp><eb3:MessageId>59869e20-0783-45e0-b7c5-7d9ebaf302f5@GENILJAS401.CORP.IGES.SI</eb3:MessageIdeb3:RefToMessageId>75d8cc63-43fb-488a-b6ff-e1d5ebd61248@GENISIDT526.CORP.IGES.SI</eb3:RefToMessageId</eb3:MessageInfo></ds:Transform></ds:Transforms>VwpgCysiwee49MYUVD1446a+PPJ4ldGsuLtSM3gDcKM=</ds:DigestValue></ds:Reference></ebbp:MessagePartNRInformation></ds:Transform></ds:Transforms>TCJJRn649nvziZyz6pw/KKOMiRn2+N+rr78i9JlolBg=</ds:DigestValue></ds:Reference></ebbp:MessagePartNRInformation></ds:Transforms>KyZnidR8OkDdCLavLK1VR9c2oyZy9kIjvPfFyuz6ND4=</ds:DigestValue></ds:Reference></ebbp:MessagePartNRInformation></ebbp:NonRepudiationInformation></eb3:Receipt></eb3:SignalMessage></eb3:Messaging></soapenv:Header></soapenv:Envelope> 0

pV1wnmiJ/7/EY4wZLHQGsAislJ60xVrYetZgmFlTY5I= I58roIF8KVTbhmVUn9KvF/OrxwK+2+zqUxUlLzr7E58= DVFBEqDzeRhIqoVWSHMcl0IO0Mbr7Wujt0Jg8eY23dh3ZrViDM0wcwRAXN9+Sv82BujM+a1mdEfP o/MaAcx0etzLkkn7ce7GAgju55dr5d7g0c3AZ9FhlJ/vrtoRRC9jvx4wsVc2Em0BbwDiG1URuCqQ yO8bV0CmUC8CewV/w4Y3NhbcN5dOI/yiVXGzYfewbAwXaGo8jPx71BJSBkI0Zl7JTIpNKyNv1NOH v0iOAGRT6T+XSDqZDK5l4psGu6aQaD3CWuUE+tInd65wsIT7zUkGfplo62Td2/01XsYmkRv08Wc/ x5Ur41zQpH2zxsQjdPktByzvWX9YCccaZ9ACQQ== C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K 1356075869 y05urqRDJYFDfdBCvT+6qivB4gNWoNs1yNhslAyafat9BAlFUdBWP7S4Fpbik+V+Obu6+h4a612T OW5xZW4wbgHzkDC4cFBjDK30L7Aln4uxmI5W8M69I2BmhIMdT1mDZyMJdWPO22/tlOUbOl3udP3y IJkoaiDGLInCoiNZ9CNYJRZbsjakY/DIWHrywjymjRz76/zg1O0lZnN6rBr+BBjp6NhqlBwqbDUp 6xi0gmkBIYNBUoiabCU0LJ6JD/o79SGU7hoFENOk20TliKaYJ4yVF8HrdX+FrbPPpmkOrgJw9Qc0 O3lF+qd0ijLLQKclotFcCT5YakeoWGIBpL5Umsr4qKCfjQBrzpz1JYV1/yoUsBLOGeac160Bh5c+ NIsDqD6YLZqU3a65aY3SUi23I70K4QjgEVKZZGNhJqemrKuO0rbV9C6QI5zyy2Jw/zclXai4i1q6 mR4zihXm5AOOcyq4aXCST5jm+l0GCr4u9/D8E/4TbUzj1jd4vm4lGCej C=SI, O=Republika Slovenija, OID.2.5.4.97=VATSI-17659957, CN=SI-TRUST Root 12615859262339629763169997031

[sfieten]

HI @ilicalex, I guess the sender's P-Mode does not specify encryption, so I advice to check the P-Mode again. As this seems more a support question then a technical problem in the software I like to point you to http://holodeck-b2b.org/support for more information on getting support.

[ilicalex]

Hi @sfieten, Part of sender's P-Mode is visible in original post (Used P-Mode part). I used encryption as specified in the documentation. Is there any newer version of P-Mode documentation other than one on the holodeckb2b site. If not, this is a technical problem.

[sfieten]

Hi @ilicalex, the P-Mode documentation regarding the security configuration has not changed. I just looked at the P-Mode extract in the description and notice the encryption configuration is in the wrong place. As described in the P-Mode documentation you need to configure the encryption as a descendant of the Initiator/Responder element corresponding to the partner to which the message are sent. In your case this is the Responder.

[ilicalex]

Thank you @sfieten. Based on your hint I was able to get encrypted attachment in signed message. Sender (initiator) and responder security part on the sender side was: `

OurId

    <Role>ZSO</Role>                        
    <SecurityConfiguration>
         <Signing>
            <KeystoreAlias password="12345678">privateCert</KeystoreAlias>
            <KeyReferenceMethod>KeyIdentifier</KeyReferenceMethod>
        </Signing>
    </SecurityConfiguration>
</Initiator>

PartyId ZSH publicCert http://www.w3.org/2009/xmlenc11#aes128-gcm http://www.w3.org/2009/xmlenc11#rsa-oaep http://www.w3.org/2009/xmlenc11#mgf1sha256 http://www.w3.org/2001/04/xmlenc#sha256 KeyIdentifier ` On the receiver side: ` PartyId ZSO publicCert KeyIdentifier OurId ZSH geniprivate http://www.w3.org/2009/xmlenc11#aes128-gcm http://www.w3.org/2009/xmlenc11#rsa-oaep http://www.w3.org/2009/xmlenc11#mgf1sha256 http://www.w3.org/2001/04/xmlenc#sha256 KeyIdentifier `