phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

AS4RequestHandler does not use correct BDEW profile crypto and signing params #166

Closed problemzebra2 closed 1 year ago

problemzebra2 commented 1 year ago

AS4RequestHandler for handling incoming AS4 messages seems to construct new instances of AS4SigningParams and AS4CryptParams. The required parameters according to the official BDEW profile are only set in Phase4BDEWSender.AbstractBDEWUserMessageBuilder:

// Other crypt parameters are located in the PMode security part
cryptParams ().setKeyIdentifierType (DEFAULT_KEY_IDENTIFIER_TYPE);
cryptParams ().setKeyEncAlgorithm (ECryptoKeyEncryptionAlgorithm.ECDH_ES_KEYWRAP_AES_128);
cryptParams ().setEncryptSymmetricSessionKey (false);

/**
 * Assumption: the BST "ValueType" attribute is set to
 * "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
 * by WSS4J automatically (see WSSecSignature#addBST)
 */

// See BDEW specs 2.2.6.2
// Other signing parameters are located in the PMode security part
signingParams ().setKeyIdentifierType (DEFAULT_KEY_IDENTIFIER_TYPE);
signingParams ().setAlgorithmC14N (ECryptoAlgorithmC14N.C14N_EXCL_OMIT_COMMENTS);
// Use the BST value type "#X509PKIPathv1"
signingParams ().setUseSingleCertificate (false);

Is this a bug, or is there a way to specify the required crypto and signing params for the AS4RequestHandler used for incoming AS4 messages?

phax commented 1 year ago

That seems to be very related to #165, isn't it?

problemzebra2 commented 1 year ago

Yes, this seems to be a more general issue. #165 refers to a specific signing setting.

phax commented 1 year ago

I am trying to get a hold of this - I totally see the issue here.

problemzebra2 commented 1 year ago

By the way, cryptParams ().setKeyIdentifierType (DEFAULT_KEY_IDENTIFIER_TYPE); seems to be wrong. According to the BDEW profile, SKI_KEY_IDENTIFIER should be used. I will make a separate issue for this.

problemzebra2 commented 1 year ago

-> #167

phax commented 1 year ago

The resolution is implemented in https://github.com/phax/phase4/commit/a02ebf6867b50f757e965596f0d29abcb83547ab. It changes IAS4IncomingSecurityConfiguration to include the full AS4SigningParams and AS4CryptParams objects.

phax commented 1 year ago

This should be resolved with the 2.3.0 release.
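The point of this thread is that the incoming side must verify and decrypt with the same BDEW profile settings the sending builder uses, instead of freshly constructed defaults. The following is an added example (not code from the phase4 project or this thread) that builds the BDEW signing and crypt params once, using the values quoted above, and hands the same objects to the incoming security configuration. The class name AS4IncomingSecurityConfiguration and its setSigningParams/setCryptParams setters are assumed to be the post-2.3.0 shape; SKI_KEY_IDENTIFIER is used for the crypt side as #167 states.

```java
import com.helger.phase4.crypto.AS4CryptParams;
import com.helger.phase4.crypto.AS4SigningParams;
import com.helger.phase4.crypto.ECryptoAlgorithmC14N;
import com.helger.phase4.crypto.ECryptoKeyEncryptionAlgorithm;
import com.helger.phase4.crypto.ECryptoKeyIdentifierType;
// Assumption: incoming security configuration class and setters as of phase4 2.3.0
import com.helger.phase4.servlet.AS4IncomingSecurityConfiguration;

public final class BdewSecurityParams {
  // Signing parameters per BDEW specs 2.2.6.2 (values taken from the builder quoted in the issue)
  public static AS4SigningParams signing () {
    final AS4SigningParams p = new AS4SigningParams ();
    p.setKeyIdentifierType (ECryptoKeyIdentifierType.SKI_KEY_IDENTIFIER);
    p.setAlgorithmC14N (ECryptoAlgorithmC14N.C14N_EXCL_OMIT_COMMENTS);
    // BST value type "#X509PKIPathv1": send the full path, not a single certificate
    p.setUseSingleCertificate (false);
    return p;
  }

  // Encryption parameters; other values stay in the PMode security part
  public static AS4CryptParams crypt () {
    final AS4CryptParams p = new AS4CryptParams ();
    p.setKeyIdentifierType (ECryptoKeyIdentifierType.SKI_KEY_IDENTIFIER);
    p.setKeyEncAlgorithm (ECryptoKeyEncryptionAlgorithm.ECDH_ES_KEYWRAP_AES_128);
    p.setEncryptSymmetricSessionKey (false);
    return p;
  }

  // Incoming side: reuse the same objects so AS4RequestHandler verifies/decrypts
  // with the profile settings instead of default-constructed params
  public static AS4IncomingSecurityConfiguration incomingConfig () {
    final AS4IncomingSecurityConfiguration cfg = new AS4IncomingSecurityConfiguration ();
    cfg.setSigningParams (signing ()); // assumed setter name
    cfg.setCryptParams (crypt ());     // assumed setter name
    return cfg;
  }
}
```

The outgoing builder would call the same signing () and crypt () helpers, so a later change to one profile value cannot leave the two directions out of sync.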