phax / as2-lib

A generic Java AS2 library, servlet and server

Verification failed when retrieving MDN synchronously #102

Closed Gentle-Chen closed 4 years ago

Gentle-Chen commented 4 years ago

Hi Philip,

When I synchronously retrieve the MDN from the partner, it shows the verification failed exception while I use the sign algorithm SHA256 and the encryption algorithm aes256. (screenshot: as2-error)

Could you advise the reason it may be?

Thanks for your help.

phax commented 4 years ago

Well, my assumption is that the receiving side does not honor the names of the signing/encryption algorithms and instead just uses SHA-256 and AES256 independent of the sender?

Please try to contact the receiver and figure out their configuration settings and their requirements. Basically they are not adhering to the AS2 specification by not honoring the requested algorithms. If they don't support an algorithm, they should instead return a negative MDN with the respective description.

Gentle-Chen commented 4 years ago

So do you mean that the sign algorithm SHA256 and the encryption algorithm aes256 are not matched between our side and the partner's side?

phax commented 4 years ago

Yes, that would be my suggestion without knowing the details of your system or the other one.

Gentle-Chen commented 4 years ago

Hi Philip,

It seems that on the partner side they can receive the message and successfully verify it, and there is no error on their side.

Do you know why, according to your experience?

phax commented 4 years ago

Hi @Gentle-Chen, okay, I tried to read the screenshot in more detail. According to my understanding:

  1. you are not using the latest version of as2-lib (v4.5.0) - correct?
  2. you are sending an AS2 message - correct?
  3. In that AS2 message you are requesting a sync MDN - correct?
  4. You are requesting a signed MDN - correct?
  5. That signature verification fails - correct?

Possible parameters and reasons for this:

To log the effective certificate that is used to verify the signature, the AS2ClientSettings class has a method setVerificationCertificateConsumer to provide a consumer that receives exactly this certificate, and then you can log it. This method is available since v4.4.5.

Gentle-Chen commented 4 years ago

Hi @phax

Plz see my answer below.

  1. you are not using the latest version of as2-lib (v4.5.0) - correct? Gentle: yes, I am using as2-lib v4.1.0, and because v4.1.0 does not support AES256, I manually added the AES256 algorithm to the class ECryptoAlgorithmCrypt; I also changed some code for my business in as2-lib.
  2. you are sending an AS2 message - correct? Gentle: yes
  3. In that AS2 message your are requesting a sync MDN - correct? Gentle: yes
  4. You are requesting a signed MDN - correct? Gentle: yes
  5. That signature verification fails - correct? Gentle: yes

So do you mean it is due to a wrong certificate on my side? And as for setVerificationCertificateConsumer, where should I use it, when I receive the MDN?

By the way, I will try to upgrade the as2-lib from v4.1.0 to the latest version.

Gentle-Chen commented 4 years ago

Hi @phax

I upgraded the as2-lib to the latest version and then retry, here is the error log.

Could you help to advise?

as2-log.txt

BTW, my settings:

as2_mdn_options: signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, SHA256
sign_algorithm: sha256
encrypt_algorithm: aes256-cbc

phax commented 4 years ago

Hi @Gentle-Chen

Okay, you have a "partnership" between you and your customer. That partnership also contains the certificate of your partner. It seems like this certificate differs from the certificate they are using when signing the MDN (based on the log line "BCCryptoHelper - Verifying signature using the provided certificate (partnership)").

Does that sound reasonable to you?

Gentle-Chen commented 4 years ago

hi @phax

Yes, I have the partner's certificate on my side. I get their certificate from my own keystore (the keystore already contains their certificate) and then verify.

So do you mean it is due to a different certificate between my side and theirs?

Gentle-Chen commented 4 years ago

BTW, I also saw this log:

"The message you sent on "[0x1f][0x1f][0xc2][0x8c], 21 [0x0][0x8] 2020 09:32:55 +0800" from "CARGOSMART" to[\r][\n]"
2020-01-21 09:32:56  [               DefaultMessageListenerContainer-1]  [DEBUG]                      Wire  -  http-outgoing-0 << ""KNTEST" with subject "CARGOSMART TEST 01" has been received on 21 Jan 2020[\r][\n]"
2020-01-21 09:32:56  [               DefaultMessageListenerContainer-1]  [DEBUG]                      Wire  -  http-outgoing-0 << "01:32:56 GMT, but cannot be processed because the following error occured:[\r][\n]"
2020-01-21 09:32:56  [               DefaultMessageListenerContainer-1]  [DEBUG]                      Wire  -  http-outgoing-0 << "[\r][\n]"
2020-01-21 09:32:56  [               DefaultMessageListenerContainer-1]  [DEBUG]                      Wire  -  http-outgoing-0 << " No matching decryption key found[\r][\n]"
2020-01-21 09:32:56  [               DefaultMessageListenerContainer-1]  [DEBUG]                      Wire  -  http-outgoing-0 << "[\r][\n]"

It shows "no decryption key found"; what does that mean?

phax commented 4 years ago

Symmetric encryption works so that you encrypt with the public key of the other side, and the other side decrypts with its private key. In that case the other side sent you an encrypted MDN, and it seems like the other side used a wrong certificate to encrypt the message. Does the other side eventually use an old certificate from you?

Gentle-Chen commented 4 years ago

Does the workflow go like this? I use my key to encrypt -> send msg to partner -> partner uses my cert to decrypt -> partner uses their key to encrypt -> sends MDN to me -> I use partner's cert to decrypt.

phax commented 4 years ago

Close - you use your partner's public key to encrypt, send it over, and the partner decrypts with his private key. The partner encrypts the MDN with your public key, sends it over, and you decrypt with your private key.

And with signing: you sign with your private key, send it, and the partner verifies with your public key. The partner creates the MDN, signs it with his private key, sends it over, and you verify with the public key of the partner.

Hth

Gentle-Chen commented 4 years ago

So according to your words above, do you mean that during signing, the partner used my old cert to verify?

phax commented 4 years ago

Yes there seems to be an inconsistency between the certificate they use for signing and the one you are using to verify....

Gentle-Chen commented 4 years ago

And does it go like this?

I used the partner's public key to encrypt and my private key to sign, and then sent it; the partner used my public key to verify and then his private key to decrypt. Then he created the MDN, signed it with his private key and sent it to me; finally I verify with his public key?

phax commented 4 years ago

Yes, that's how it should be.
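The key flow phax describes above (encrypt to the partner's public key, sign with your own private key; the partner signs the MDN with his private key and you verify with his public key), worked through as an added example that is not part of the original thread and not as2-lib code. It uses only java.security/javax.crypto: fresh RSA key pairs stand in for the keystore entries (real AS2 uses X.509 certificates and CMS SignedData/EnvelopedData with an AES session key, here simplified to direct RSA-OAEP), the key names (me, partner, partnerStale, meOld) and the logVerificationKey consumer are assumptions, and the sample message text is constructed. It reproduces the two symptoms from the thread: MDN signature verification fails when the stale partner key in your keystore differs from the key the partner actually signed with, and decryption fails when the partner encrypted to an old key of yours.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.function.Consumer;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

public class As2KeyFlowDemo {

    // Fresh RSA-2048 key pairs stand in for keystore entries (assumption: no X.509 handling here).
    static KeyPair newKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Sender side: sign with the sender's PRIVATE key (SHA-256, matching sign_algorithm: sha256).
    static byte[] sign(byte[] data, PrivateKey signer) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(signer);
        sig.update(data);
        return sig.sign();
    }

    // Receiver side: verify with the sender's PUBLIC key; a mismatched key yields false.
    static boolean verify(byte[] data, byte[] signature, PublicKey verifier) throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(verifier);
        sig.update(data);
        try {
            return sig.verify(signature);
        } catch (SignatureException e) {
            return false;
        }
    }

    // Sender side: encrypt to the RECIPIENT's public key (simplification of CMS EnvelopedData).
    static byte[] encrypt(byte[] data, PublicKey recipient) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, recipient);
        return c.doFinal(data);
    }

    // Receiver side: decrypt with own private key; null models "No matching decryption key found".
    static byte[] decrypt(byte[] data, PrivateKey owner) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, owner);
        try {
            return c.doFinal(data);
        } catch (BadPaddingException e) {
            return null;
        }
    }

    // SHA-256 over the encoded public key, so both parties can compare what they actually hold.
    static String fingerprint(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPair me = newKeyPair();
        KeyPair partner = newKeyPair();      // what the partner really signs with today
        KeyPair partnerStale = newKeyPair(); // stale partner key still stored in my keystore
        KeyPair meOld = newKeyPair();        // an old key of mine the partner may still hold

        // Stand-in for a verification-certificate consumer: log the key used for verification.
        Consumer<PublicKey> logVerificationKey = k -> {
            try { System.out.println("verifying with key " + fingerprint(k)); }
            catch (Exception e) { throw new RuntimeException(e); }
        };

        // Outbound AS2 message (constructed sample): sign with my private key, encrypt to partner.
        byte[] message = "CARGOSMART TEST 01".getBytes(StandardCharsets.UTF_8);
        byte[] messageSig = sign(message, me.getPrivate());
        byte[] messageEnc = encrypt(message, partner.getPublic());

        // Partner: decrypt with his private key, verify with my public key.
        byte[] messageDec = decrypt(messageEnc, partner.getPrivate());
        System.out.println("partner verifies message: " + verify(messageDec, messageSig, me.getPublic()));

        // Signed MDN back: partner signs with HIS private key.
        byte[] mdn = "Received CARGOSMART TEST 01".getBytes(StandardCharsets.UTF_8);
        byte[] mdnSig = sign(mdn, partner.getPrivate());

        logVerificationKey.accept(partnerStale.getPublic());
        System.out.println("verify MDN with stale partner key: " + verify(mdn, mdnSig, partnerStale.getPublic()));
        logVerificationKey.accept(partner.getPublic());
        System.out.println("verify MDN with current partner key: " + verify(mdn, mdnSig, partner.getPublic()));

        // Encrypted MDN: if the partner encrypts to my OLD public key, my current private key cannot open it.
        byte[] mdnEncWrong = encrypt(mdn, meOld.getPublic());
        System.out.println("decrypt MDN encrypted to my old key: "
            + (decrypt(mdnEncWrong, me.getPrivate()) == null ? "no matching decryption key" : "ok"));
    }
}
```

Comparing the logged fingerprint of the key you verify with against the fingerprint of the certificate the partner says he signs with is the quickest way to settle which side holds a stale entry.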

Gentle-Chen commented 4 years ago

OK, thanks for your help, @phax. I will check the certs between the partner side and my side. I will close this issue.

Thanks a lot~

phax commented 4 years ago

Close it when the issue is resolved. No need to hurry....

Gentle-Chen commented 4 years ago

BTW, how should I use this method? Could you advise?

AS2ClientSettings has a method setVerificationCertificateConsumer

phax commented 4 years ago

You need to update to v4.5.0; then it is part of the AS2 Client Builder. Just add a small consumer that logs the provided certificate to sysout or so. It should be the certificate used for signature verification.

phax commented 4 years ago

Closing this because of inactivity. If this is still an issue, please reopen