Open MakakWasTaken opened 1 month ago
@MakakWasTaken please be aware that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library. Please see the respective entry in the discussion area. Also please bear in mind that BDEW wants Elliptic Curve (EC) based certificates instead of RSA ones. So this will be more than just adding some PModes....
I am guessing that you're referring to #105. I am however a bit unsure on where to start with the implementation. I am guessing that I need some sort of PMode aware crypto factory to customize the handling of the encrypt/sign based on the PMode resolver.
So if the PMode ID starts with BDEW it would handle it with the EC based certificates. And likewise if it starts with ENTSOG I would just continue to handle it in the same way as before.
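A small sketch of the PMode-prefix dispatch outlined above, added here as an example; it is not code from the original thread or from phase4. It uses only the JDK, the class name `ProfileKeySelector` and the prefix-to-algorithm mapping are assumptions, and the keys are generated on the fly purely so the example runs offline. The point it adds is the fail-fast check: a key whose algorithm does not match the selected profile is rejected with a clear message before it reaches any signing or key-agreement code.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Locale;
import java.util.Map;

/**
 * Hypothetical PMode-aware key selector (example code, not part of phase4).
 * It dispatches on the PMode ID prefix as described in the post above and
 * refuses to hand out a key whose algorithm does not match the profile.
 */
public final class ProfileKeySelector {
  /** Key algorithm each profile family expects, keyed by PMode ID prefix (assumed mapping). */
  private static final Map<String, String> EXPECTED_ALGORITHM = Map.of(
      "BDEW", "EC",     // BDEW: Elliptic Curve certificates
      "ENTSOG", "RSA"); // ENTSOG: RSA certificates

  private final Map<String, PrivateKey> keysByPrefix;

  public ProfileKeySelector(PrivateKey bdewKey, PrivateKey entsogKey) {
    keysByPrefix = Map.of("BDEW", bdewKey, "ENTSOG", entsogKey);
  }

  /** Returns the profile prefix ("BDEW" or "ENTSOG") for a PMode ID, or throws for unknown ones. */
  public static String profilePrefixOf(String pmodeId) {
    String upper = pmodeId.toUpperCase(Locale.ROOT);
    for (String prefix : EXPECTED_ALGORITHM.keySet())
      if (upper.startsWith(prefix))
        return prefix;
    throw new IllegalArgumentException("No profile mapping for PMode ID: " + pmodeId);
  }

  /** Selects the private key for the PMode and fails fast on an algorithm mismatch. */
  public PrivateKey keyFor(String pmodeId) {
    String prefix = profilePrefixOf(pmodeId);
    PrivateKey key = keysByPrefix.get(prefix);
    String expected = EXPECTED_ALGORITHM.get(prefix);
    if (!expected.equals(key.getAlgorithm()))
      throw new IllegalStateException("PMode " + pmodeId + " requires an " + expected
          + " key, but the configured key is " + key.getAlgorithm());
    return key;
  }

  public static void main(String[] args) throws Exception {
    // Constructed throw-away keys so the example runs offline; a real deployment loads
    // them from the keystores behind the respective crypto factories.
    KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
    ecGen.initialize(new ECGenParameterSpec("secp256r1")); // curve chosen for the example only
    KeyPair ec = ecGen.generateKeyPair();
    KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
    rsaGen.initialize(2048);
    KeyPair rsa = rsaGen.generateKeyPair();

    // Correct wiring: each profile gets the key type it expects.
    ProfileKeySelector ok = new ProfileKeySelector(ec.getPrivate(), rsa.getPrivate());
    System.out.println("BDEW   -> " + ok.keyFor("BDEW_PMODE_1").getAlgorithm());
    System.out.println("ENTSOG -> " + ok.keyFor("ENTSOG_PMODE_1").getAlgorithm());

    // Misconfiguration: the RSA key is registered for BDEW. The selector reports the
    // mismatch up front instead of letting it surface deep inside the signing code.
    ProfileKeySelector wrong = new ProfileKeySelector(rsa.getPrivate(), rsa.getPrivate());
    try {
      wrong.keyFor("BDEW_PMODE_1");
    } catch (IllegalStateException ex) {
      System.out.println("Rejected: " + ex.getMessage());
    }
  }
}
```

In a real integration the two keys would come from the two crypto factories, and the same prefix check can gate which factory is passed to the sender builder for a given PMode ID.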
> that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library.
I read the discussion that you referred to; I however understood https://github.com/phax/phase4/discussions/105#discussioncomment-8619686 as if the problem had been resolved and it was now implemented (from 2.7.5 onwards). Is there anything else that I need to implement in order to start receiving with the BDEW profile?
Another thing is that when I started implementing the new BDEW profile, it caused the existing sending of ENTSOG to start failing. The following code is what is used for sending the message that seems to cause an error.
```java
// Imports as assumed for phase4 2.x (adjust the package paths to your version)
import com.helger.phase4.crypto.ECryptoKeyIdentifierType;
import com.helger.phase4.entsog.Phase4ENTSOGSender;
import com.helger.phase4.http.HttpRetrySettings;

// Profile-specific payload parameters for ENTSOG (defaults used here)
Phase4ENTSOGSender.ENTSOGPayloadParams entsogParams = new Phase4ENTSOGSender.ENTSOGPayloadParams();

// eResult (ESimpleUserMessageSendResult) is declared earlier in the surrounding code
eResult = Phase4ENTSOGSender.builder()
    // Certificate
    .cryptoFactory(CryptoHelper.cryptoFactory)
    .receiverCertificate(certificate)
    // Setup
    .endpointURL(endpointURL)
    .action("http://docs.oasis-open.org/ebxml-msg/as4/200902/action")
    .service(serviceType, service)
    .agreementRef(agreement)
    .httpRetrySettings(new HttpRetrySettings().setMaxRetries(0))
    // From Partner
    .fromRole(senderRole)
    .fromPartyID(senderId)
    .fromPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
    // To Partner
    .toRole(receiverRole)
    .toPartyID(receiverId)
    .toPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
    .pmodeID(as4Type)
    // Payload
    .payload(aPayloadElement, entsogParams)
    .signalMsgConsumer(signalConsumer)
    // Key identifier types for signing and encryption
    // (originally written as setSigningKeyIdentifierType, which is not a builder method)
    .signingKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
    .encryptionKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
    // Send the message
    .sendMessageAndCheckForReceipt(responseMessage::set);
```
Running this code gives me the InvalidKeyException, which I thought was only needed when handling the BDEW profile. Is there something extra that I need to do in my CryptoFactory to account for this? If there are questions about any of the variables, please feel free to ask 😄
Thanks in advance :D
I figured part of the problem out. I noticed that a default profile was being selected (bdew), which caused the validation to fail. I temporarily fixed the problem by using the MetaAS4Manager.getProfileMgr().setDefaultProfileID
method to set the profile ID to the selected profile type right before sending. I was however wondering if there was a better solution to this. I tried using the incomingProfileSelector on Phase4ENTSOGSender, but without success.
An example of how to properly do this would be much appreciated.
EDIT: I just found this https://github.com/phax/phase4/issues/244#issue-2359337219 😄
Is it possible to change the receiving profile dynamically or is this done automatically?
As handling multiple AS4 profiles becomes more and more of an issue, I started assembling a Wiki page that should deal with that topic: https://github.com/phax/phase4/wiki/Multi-Profile-Handling - that page is not yet finalized, but it should provide a good starting point.
One of the points mentioned there is also the AS4 profile ID for sending. This has indeed been resolved by #244 and will be part of the upcoming 2.8.2 release.
And indeed, the implementation of https://issues.apache.org/jira/browse/SANTUARIO-511 in the 3.x branch of Apache Santuario opened up an easier key exchange, but you need to implement it yourself. It's not "hidden" in the phase4 code atm.
hth
I have recently started receiving the following error:
java.security.InvalidKeyException: Not an EC key: RSA
I am not really sure what causes the error, but I suspect some sort of CryptoFactory problem. The error started appearing after I added a second profile. I wanted my AS4 server to be able to both receive/send ENTSOG as well as BDEW. This started with some problems with the PMode, which were handled by setting a custom PModeResolver:
The error then shifted to the sending end of the application. It won't let me send outbound files now because of the aforementioned error.
If there are any guides on how to set up multiple profiles in the same servlet, it would be much appreciated. I am also aware that I could create two different endpoints for the different types of profiles, but I would prefer having them as a single endpoint instead, as the handling is mostly the same for the received files.
Some configuration and the full stacktrace:
pom.xml
Full stacktrace