phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

BDEW profile: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7) #236

Closed michaldaniel closed 4 months ago

michaldaniel commented 5 months ago

Hi, using the library 2.7.5, which comes with the updated WSS4J 3.0.3 and xmlsec, I'm getting an exception when attempting to send a message:

Caused by: org.apache.wss4j.common.ext.WSSecurityException: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:637)
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:554)
    at org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:414)
    at com.helger.phase4.messaging.crypto.AS4Signer._createSignedMessage(AS4Signer.java:152)
    at com.helger.phase4.messaging.crypto.AS4Signer.createSignedMessage(AS4Signer.java:216)
    at com.helger.phase4.client.AS4ClientUserMessage.buildMessage(AS4ClientUserMessage.java:713)
    at com.helger.phase4.client.AbstractAS4Client.sendMessageWithRetries(AbstractAS4Client.java:561)
    at com.helger.phase4.sender.AS4BidirectionalClientHelper.sendAS4UserMessageAndReceiveAS4SignalMessage(AS4BidirectionalClientHelper.java:137)
    at com.helger.phase4.sender.AbstractAS4UserMessageBuilderMIMEPayload.mainSendMessage(AbstractAS4UserMessageBuilderMIMEPayload.java:211)
    ... 165 common frames omitted
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
    at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:348)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:417)
    at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:630)
    ... 173 common frames omitted
Caused by: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
    at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineSign(ECDSASignature.java:485)
    at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
    at java.base/java.security.Signature.sign(Signature.java:712)
    at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:346)
    ... 175 common frames omitted

Was the support for brainpoolP256r1 not merged yet upstream or am I possibly missing some configuration steps that would allow for using brainpoolP256r1 certificates?

phax commented 5 months ago

Currently you need to use the implementation of BouncyCastle - it's not yet published in a release of xmlsec 3.x to the best of my knowledge. Link: https://github.com/apache/santuario-xml-security-java/pull/293

michaldaniel commented 5 months ago

@phax Do I understand you correctly that there is a way to circumvent this using the BC implementation? I would really appreciate it if you found time to elaborate.

The other way to understand your answer is that we would either have to wait for a Santuario release or build it from source and force dependency usage.

phax commented 5 months ago

Well, I never did it myself - I only saw it in implementations using phase4. You need to be familiar with the concepts of "Security Providers" in Java. By using Bouncy Castle (BC) as your Security Provider you are capable of using the Brainpool Curves with Java 11 and onwards. The Security Provider can be provided on many levels - for certificate factory as well as for JSSE setups etc. Please refer to the regular Java documentation and the BC documentation on the details.
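Added example, not from the thread and not phase4 or WSS4J code: a minimal Java program showing the Security Provider approach described above, with Bouncy Castle placed ahead of SunEC so that a `Signature.getInstance` call that names no provider resolves to BC for a brainpoolP256r1 key. It assumes the Bouncy Castle provider jar is on the classpath; the class name, key pair and payload are constructed for illustration, and whether the WSS4J/xmlsec signing path picks BC up this way is an assumption the thread does not confirm.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical class name; illustration only.
public class BrainpoolWithBouncyCastle {

    public static void main(String[] args) throws Exception {
        // Register BC at position 1. JCA picks the first provider that accepts
        // the key, and the stack trace shows SunEC accepting the key at init
        // and only failing at sign(), so BC must come before SunEC.
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); // no-op if absent
        Security.insertProviderAt(new BouncyCastleProvider(), 1);

        // Constructed test key on the curve named in the exception.
        KeyPairGenerator kpg =
            KeyPairGenerator.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME);
        kpg.initialize(new ECGenParameterSpec("brainpoolP256r1"));
        KeyPair keyPair = kpg.generateKeyPair();

        byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        // No provider is named here, mirroring library code that relies on
        // the JVM-wide provider order.
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(keyPair.getPrivate());
        signer.update(data);
        byte[] signature = signer.sign();
        System.out.println("Signing provider: " + signer.getProvider().getName());

        // Round-trip check so a silent provider mismatch is caught.
        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(keyPair.getPublic());
        verifier.update(data);
        if (!verifier.verify(signature)) {
            throw new IllegalStateException("brainpoolP256r1 signature did not verify");
        }
        System.out.println("Signature verified, " + signature.length + " bytes");
    }
}
```

Provider order is JVM-wide, so inserting BC at position 1 changes which implementation every other JCA lookup in the process receives; do the registration once at startup and test TLS and keystore handling afterwards.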

phax commented 4 months ago

@michaldaniel Did that solve your issue?