It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled

[tonytram]

Hi @phax, This is my primary github account in case you find out that one guy asked similar questions to Phase4 in different github accounts :D. Finally, I can have Phase up and running on test environment, thank a lot for your support and the great project. I got a new issue while trying to send out AS4 message which is: It is forbidden to use algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1 when secure validation is enabled. As the error clearly state that something wrong with configuration, but I don't know which one is it, and do we have any other Algorithm rather than rsa-sha1 implemented in Phase4, and if yes, how to can switch to that one.

Thank you so much again.

PS: for more information about which receiver I sent AS4 message to: https://peppol.helger.com/public/locale-en_US/menuitem-tools-participant?scheme=iso6523-actorid-upis&value=9922%3ANGTBCNTRLP1001&sml=autodetect&querybc=true&__querybc=true&__showtime=true&xsdvalidation=true&__xsdvalidation=true&verifysignatures=true&__verifysignatures=true&action=perform

[phax]

This is an issue when using Java 17+ with the existing Peppol SMP specification which enforces the usage of SHA-1 for XMLDsig signature. By calling smpClient.setSecureValidation (false) you disable the "deprecation" check inside the XMLDsig library, but of course the signature validation is still performed.

[tonytram]

Sorry to select wrong type of this topic. Thank you so much. It's working now.

[phax]

No worries - all good. Happy that you created an issue and happy that it was easy to resolve :)

[tonytram]

Hi @phax ,

After I added this smpClient.setSecureValidation (false) then the smpclient can find the AS4 server endpoint of receipient and sending out the message correctly, but at the same time once receiving the ACK/receipt, there is an error inside the SignalMessage which is [Ebms3Description@0x72dea375: lang=en; value=Invoked AS4 message processor SPI com.helger.phase4.peppol.servlet.Phase4PeppolServletMessageProcessorSPI@d8606a4 on '1ec457b5-ca7b-4b5b-ba46-28ade55948dd' returned a failure: TBErrorResponse{errorCode='-4109', errorDescription='Was able to correlate request related to AuditTestSuiteId=366 and TestCaseId=232 but the Test Case is NOT in status RUNNING. Start your test case before sending your request.', trace='c4970526-9336-45f8-8716-661eab814db4'}]

result in the error _AS4_ERROR_MESSAGE_RECEIVED_ at the end. I try to send out with another ReceipientId who doesn't require this check smpClient.setSecureValidation (false) to be false, then everything works perfectly. So I guess disable this check doesn't stop the receipient from verifying the signature, isn't it? If it is the case, then do we have anyway to choose what alrogithm we need to encrypt the message then we don't need to disable the secure validation check?

[phax]

What you get back is a message from the Peppol-Testbed, that it is not running - it has nothing to do with the SMPClient setting.

The smpClient.setSecureValidation (false) only disables the check for "deprecated algorithms" (such as SHA-1) but does NOT disable the validation of the signatures. This "setSecureValidation" is purely a workaround for that particular error that only occurs when using Java 17.

Once the Peppol SMP 1.3.0 specification is implemented in the whole network, SHA-1 is no longer used and this specific setting is no longer required.

The algorithm for encryption is fixed to AES-128 - no way to customize this for Peppol. This however has nothing to do with the SMP, as the SMP only signs.