Closed Gentle-Chen closed 4 years ago
Well, my assumption is that the receiving side does not honor the names of the signing/encryption algorithms and instead just uses SHA-256 and AES256 independent of the sender?
Please try to contact the receiver and figure out their configuration settings and their requirements.... Basically they are not adhering to the AS2 specification by not honoring the requested algorithms. If they don't support an algorithm, they should instead return a negative MDN with the respective description.
So do you mean that the sign algorithm SHA256 and the encryption algorithm aes256 are not matched between our side and the partner's side?
Yes, that would be my suggestion, without knowing the details of your system or the other one.
Hi Philip,
It seems that at the partner's side they can receive the message and successfully verify it, and there is no error at their side.
Do you know why, from your experience?
Hi @Gentle-Chen, okay, I tried to read the screenshot in more detail. According to my understanding:
Possible parameters and reasons for this:
To log the effective certificate that is used to verify the signature, AS2ClientSettings has a method setVerificationCertificateConsumer to provide a consumer that receives exactly this certificate, and then you can log it. This method is available since v4.4.5.
Hi @phax
Please see my answer below.
ECryptoAlgorithmCrypt, also I changed some code for my business in the as2-lib. So do you mean it is due to a wrong certificate on my side?
And for setVerificationCertificateConsumer, where should I use it, when I receive the MDN?
By the way, I will try to upgrade the as2-lib from v4.1.0 to the latest version.
Hi @phax
I upgraded the as2-lib to the latest version and then retried; here is the error log.
Could you help to advise?
BTW
as2_mdn_options: signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, SHA256
sign_algorithm: sha256
encrypt_algorithm: aes256-cbc
Hi @Gentle-Chen
Okay, you have a "partnership" between you and your customer.
That partnership also contains the certificate of your partner.
It seems like this certificate differs from the certificate they are using when signing the MDN (based on "BCCryptoHelper - Verifying signature using the provided certificate (partnership)").
Does that sound reasonable to you?
Hi @phax
Yes, I have the partner's certificate on my side; I get their certificate from my own keystore (the keystore has already archived their certificate) and then verify.
So do you mean it is due to a different certificate between my side and theirs?
BTW, I also saw this log:
"The message you sent on "[0x1f][0x1f][0xc2][0x8c], 21 [0x0][0x8] 2020 09:32:55 +0800" from "CARGOSMART" to[\r][\n]"
2020-01-21 09:32:56 [ DefaultMessageListenerContainer-1] [DEBUG] Wire - http-outgoing-0 << ""KNTEST" with subject "CARGOSMART TEST 01" has been received on 21 Jan 2020[\r][\n]"
2020-01-21 09:32:56 [ DefaultMessageListenerContainer-1] [DEBUG] Wire - http-outgoing-0 << "01:32:56 GMT, but cannot be processed because the following error occured:[\r][\n]"
2020-01-21 09:32:56 [ DefaultMessageListenerContainer-1] [DEBUG] Wire - http-outgoing-0 << "[\r][\n]"
2020-01-21 09:32:56 [ DefaultMessageListenerContainer-1] [DEBUG] Wire - http-outgoing-0 << " No matching decryption key found[\r][\n]"
2020-01-21 09:32:56 [ DefaultMessageListenerContainer-1] [DEBUG] Wire - http-outgoing-0 << "[\r][\n]"
It shows no decryption key found; what does that mean?
Symmetric encryption works so that you are encrypting with the public key of the other side, and the other side decrypts with its private key. In that case the other side sent you an encrypted MDN, and it seems like the other side used a wrong certificate to encrypt the message? Does the other side possibly use an old certificate from you?
Does the workflow go like this? I use my key to encrypt -> send the message to the partner -> the partner uses my cert to decrypt -> the partner uses their key to encrypt -> send the MDN to me -> I use the partner's cert to decrypt.
Close - you use your partner's public key to encrypt, send it over, and the partner decrypts with his private key. The partner encrypts the MDN with your public key, sends it over, and you decrypt with your private key.
And with signing: you sign with your private key, send it, and the partner verifies with your public key. The partner creates the MDN, signs it with his private key, sends it over, and you verify with the partner's public key.
Hth
So according to your words above, do you mean that during signing, the partner used my old cert to verify?
Yes, there seems to be an inconsistency between the certificate they use for signing and the one you are using to verify....
And does it go like this?
I used the partner's public key to encrypt and my private key to sign, and then sent it; the partner used my public key to verify and then used his private key to decrypt, and then created the MDN, signed it with his private key and sent it to me; finally I verify with his public key?
Yes, that's how it should be.
OK, thanks for your help, @phax. I will check the cert between the partner's side and my side. I will close this issue.
Thanks a lot~
Close it when the issue is resolved. No need to hurry....
BTW, how should I use this method? Could you advise?
"AS2ClientSettings have a method setVerificationCertificateConsumer"
You need to update to v4.5.0; then it is part of the AS2 Client Builder. Just add a small consumer that logs the provided certificate to sysout or so. It should be the certificate used for signature verification.
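As an added illustration of the check phax describes (not code from this thread or from as2-lib itself): a consumer installed via AS2ClientSettings.setVerificationCertificateConsumer that logs the certificate actually used to verify the MDN signature and compares its SHA-256 fingerprint with the partner certificate held in your own keystore. The keystore path, password, alias, the import path of AS2ClientSettings and the surrounding client setup are assumptions for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import com.helger.as2lib.client.AS2ClientSettings; // assumed import path

public final class MdnSignerCheck {
  // Hex SHA-256 fingerprint of the DER encoding of a certificate.
  static String fingerprint(final X509Certificate aCert) throws Exception {
    final byte[] aDigest = MessageDigest.getInstance("SHA-256").digest(aCert.getEncoded());
    final StringBuilder aSB = new StringBuilder();
    for (final byte b : aDigest)
      aSB.append(String.format("%02x", b));
    return aSB.toString();
  }

  // Load the partner certificate the partnership is expected to use.
  // Keystore path, password and alias are assumed values for this example.
  static X509Certificate loadPartnerCert(final String sPath, final char[] aPw, final String sAlias)
      throws Exception {
    final KeyStore aKS = KeyStore.getInstance("PKCS12");
    try (FileInputStream aIS = new FileInputStream(sPath)) {
      aKS.load(aIS, aPw);
    }
    return (X509Certificate) aKS.getCertificate(sAlias);
  }

  // Install a consumer that logs the certificate really used for MDN signature
  // verification and reports whether it matches the partnership certificate.
  static void installCheck(final AS2ClientSettings aSettings, final X509Certificate aExpected)
      throws Exception {
    final String sExpected = fingerprint(aExpected);
    aSettings.setVerificationCertificateConsumer(aCert -> {
      try {
        final String sActual = fingerprint(aCert);
        System.out.println("MDN verified with subject=" + aCert.getSubjectX500Principal()
                           + " serial=" + aCert.getSerialNumber().toString(16)
                           + " notAfter=" + aCert.getNotAfter() + " sha256=" + sActual);
        if (!sActual.equals(sExpected))
          System.out.println("MISMATCH: partnership certificate sha256=" + sExpected
                             + " - the partner signs the MDN with a different certificate");
      } catch (final Exception ex) {
        System.out.println("Could not fingerprint verification certificate: " + ex.getMessage());
      }
    });
  }
}
```

Call installCheck(settings, loadPartnerCert("partner.p12", "changeit".toCharArray(), "partner")) before sending; a MISMATCH line then tells you which certificate the partner really signs with, so you can replace the stale one in the partnership.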
Closing this because of inactivity. If this is still an issue, please reopen.
Hi Philip,
When I synchronously retrieve the MDN from the partner, it shows a verification failed exception while I use the sign algorithm SHA256 and the encryption algorithm aes256.
Could you advise what the reason may be?
Thanks for your help.