phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

Encryption for BDEW profile does not work #144

Closed IamM4nu3l closed 1 year ago

IamM4nu3l commented 1 year ago

Hi all, first of all: thanks for this great library. I just tried to use the BDEW Client example for creating an encrypted message. The default client defines the encryption, but does not perform it due to a missing certificate (or alias). After I got the original version working (by adding an in-memory crypto factory) I also tried to encrypt the message by defining the receiver certificate:

```java
eResult = Phase4BDEWSender.builder ()
    .receiverCertificate (certificate)
    .encryptionKeyIdentifierType (ECryptoKeyIdentifierType.X509_KEY_IDENTIFIER)
    .signingKeyIdentifierType (ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
```

The certificate itself has the following parameters:

For reading this certificate I had to add the BouncyCastle provider:

```java
import java.io.FileInputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Register BouncyCastle so that an X.509 CertificateFactory from the "BC" provider is available
Security.addProvider(new BouncyCastleProvider());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");

// Read the receiver certificate from a DER/PEM file; the resulting public key is a BCECPublicKey
X509Certificate certificate = null;
try (FileInputStream fis = new FileInputStream("C:\\path/to/my/cert.cer")) {
    certificate = (X509Certificate) certificateFactory.generateCertificate(fis);
}
```

But I get this error:

```
[main] INFO com.helger.phase4.messaging.crypto.AS4Encryptor - Now encrypting AS4 MIME message. KeyIdentifierType=X509_KEY_IDENTIFIER; EncAlgo=http://www.w3.org/2009/xmlenc11#aes128-gcm; KeyEncAlgo=ECDH_ES_KEYWRAP_AES_128; MgfAlgo=http://www.w3.org/2009/xmlenc11#mgf1sha256; DigestAlgo=http://www.w3.org/2001/04/xmlenc#sha256; CertificateSubjectCN=C=DE,O=eDelivery,CN=client_red
[main] ERROR com.helger.phase4.sender.AbstractAS4UserMessageBuilder - Exception sending AS4 user message
com.helger.phase4.util.Phase4Exception: Wrapped Phase4Exception
	at com.helger.phase4.bdew.Phase4BDEWSender$AbstractBDEWUserMessageBuilder.mainSendMessage(Phase4BDEWSender.java:264)
	at com.helger.phase4.sender.AbstractAS4MessageBuilder.sendMessage(AbstractAS4MessageBuilder.java:630)
	at com.helger.phase4.sender.AbstractAS4UserMessageBuilder.sendMessageAndCheckForReceipt(AbstractAS4UserMessageBuilder.java:727)
	at com.helger.phase4.sender.AbstractAS4UserMessageBuilder.sendMessageAndCheckForReceipt(AbstractAS4UserMessageBuilder.java:696)
	at my.app.BDEWSender.main(BDEWSender.java:110)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: No installed provider supports this key: org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey Original Exception was java.security.InvalidKeyException: No installed provider supports this key: org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey
	at org.apache.wss4j.dom.message.WSSecEncryptedKey.encryptSymmetricKey(WSSecEncryptedKey.java:544)
	at org.apache.wss4j.dom.message.WSSecEncryptedKey.prepare(WSSecEncryptedKey.java:213)
	at org.apache.wss4j.dom.message.WSSecEncrypt.prepare(WSSecEncrypt.java:110)
	at org.apache.wss4j.dom.message.WSSecEncrypt.build(WSSecEncrypt.java:132)
	at com.helger.phase4.messaging.crypto.AS4Encryptor._encryptMimeMessage(AS4Encryptor.java:239)
	at com.helger.phase4.messaging.crypto.AS4Encryptor.encryptMimeMessage(AS4Encryptor.java:296)
	at com.helger.phase4.client.AS4ClientUserMessage.buildMessage(AS4ClientUserMessage.java:691)
	at com.helger.phase4.client.AbstractAS4Client.sendMessageWithRetries(AbstractAS4Client.java:457)
	at com.helger.phase4.sender.AS4BidirectionalClientHelper.sendAS4UserMessageAndReceiveAS4SignalMessage(AS4BidirectionalClientHelper.java:131)
	at com.helger.phase4.bdew.Phase4BDEWSender$AbstractBDEWUserMessageBuilder.mainSendMessage(Phase4BDEWSender.java:242)
	... 4 more
Caused by: java.security.InvalidKeyException: No installed provider supports this key: org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey
	at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:959)
	at java.base/javax.crypto.Cipher.init(Cipher.java:1300)
	at java.base/javax.crypto.Cipher.init(Cipher.java:1237)
	at org.apache.wss4j.dom.message.WSSecEncryptedKey.encryptSymmetricKey(WSSecEncryptedKey.java:539)
	... 13 more
[main] INFO my.app.BDEWSender - BDEW send result: TRANSPORT_ERROR
```

Can someone help me to fix the error?

phax commented 1 year ago

The error is reproducible.

To me it seems to be a problem in WSS4J, that the BouncyCastle provider cannot be provided in the following method.

Class WSSecEncryptedKey method encryptSymmetricKey.

I would suggest filing a bug at the WSS4J project.

IamM4nu3l commented 1 year ago

Hi phax, thanks for your fast reply. In the meantime I found the following discussion: https://github.com/phax/phase4/discussions/105 Could it be related?

At least for me the exception is thrown at another point.

And I forgot to note that I am using Java version corretto-18.0.2 (tested with other JDKs as well).

phax commented 1 year ago

Yes indeed, the discussion #105 is the "source" for the BDEW profile - and a lot of input is based on the BDEW requirements. In this particular case, it requires changes in the underlying Apache WSS4J library.

phax commented 1 year ago

Okay, we did some kind of a deep dive today on exactly that topic, and the problem - as stated in #105 as well - is that the explicit KeyAgreement structure is currently not supported. Additionally, it seems that the encryption of the symmetric key with an asymmetric key based on Elliptic Curves is not supported (let alone from a different provider). So the interpretation we found was that this is an issue in WSS4J and nothing that can be done in phase4 atm.
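The following illustration is added here for readers of the thread; it is not code from phase4, WSS4J or any participant. It shows the mechanism behind the `InvalidKeyException` in the trace above: the JCE `Cipher` API that WSS4J's `WSSecEncryptedKey` uses for key transport only accepts keys for which a provider offers a matching cipher, so an EC public key is rejected by `Cipher.init` regardless of whether BouncyCastle is registered, while the same EC key is usable through `KeyAgreement` (the ECDH primitive that an ECDH-ES key wrap would have to be built on). The class name `EcKeyTransportCheck` and all key pairs are constructed for the example; only standard JDK providers are used, so it runs without BouncyCastle on the classpath.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;

/**
 * Added illustration (hypothetical class, not part of phase4 or WSS4J):
 * contrasts key transport via Cipher (works for RSA, fails for EC) with
 * key agreement via KeyAgreement (the only JCE path for EC keys).
 */
public class EcKeyTransportCheck {

    /** Returns true if a Cipher for the transformation accepts the key in WRAP_MODE. */
    static boolean cipherAcceptsKey(String transformation, PublicKey key) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(transformation);
        try {
            cipher.init(Cipher.WRAP_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            // Same condition the JDK reports as "No installed provider supports this key: ..."
            System.out.println("Cipher.init rejected " + key.getAlgorithm() + " key: " + e.getMessage());
            return false;
        }
    }

    /** Derives the raw ECDH shared secret; ECDH-ES derives its wrapping key from this value. */
    static byte[] ecdhSharedSecret(PrivateKey own, PublicKey peer) throws GeneralSecurityException {
        KeyAgreement agreement = KeyAgreement.getInstance("ECDH");
        agreement.init(own);
        agreement.doPhase(peer, true);
        return agreement.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: an EC pair standing in for the receiver certificate's key,
        // and an RSA pair for comparison.
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(256);
        KeyPair receiverEc = ecGen.generateKeyPair();

        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair receiverRsa = rsaGen.generateKeyPair();

        // Key transport through Cipher: RSA-OAEP accepts the RSA key, rejects the EC key.
        String rsaOaep = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
        System.out.println("RSA key usable via Cipher: " + cipherAcceptsKey(rsaOaep, receiverRsa.getPublic()));
        System.out.println("EC key usable via Cipher:  " + cipherAcceptsKey(rsaOaep, receiverEc.getPublic()));

        // Key agreement through KeyAgreement: sender uses an ephemeral EC key against the
        // receiver's static public key; both sides arrive at the same secret.
        KeyPair ephemeral = ecGen.generateKeyPair();
        byte[] senderSecret = ecdhSharedSecret(ephemeral.getPrivate(), receiverEc.getPublic());
        byte[] receiverSecret = ecdhSharedSecret(receiverEc.getPrivate(), ephemeral.getPublic());
        System.out.println("ECDH shared secret matches: " + Arrays.equals(senderSecret, receiverSecret));
    }
}
```

Running the class prints `true` for the RSA key, `false` (with the provider message) for the EC key, and `true` for the ECDH comparison. The practical consequence for a receiver whose certificate carries an EC key is that the `EncryptedKey` element cannot be produced by a `Cipher`-based key-transport path at all; a `KeyAgreement`-based ECDH-ES construction has to be used instead, which is the gap in WSS4J discussed in this thread.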

sopgreg commented 1 year ago

Yes, it is because of a lack of support in WSS4J. The EncryptedKey part must currently be manually created outside of WSS4J.

phax commented 1 year ago

@IamM4nu3l I am closing this issue. Yes, it is an issue, but it's created based on false assumptions. So in the end, there is nothing I can do here, that effectively helps you - sorry.