search

phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0
148 stars 48 forks source link

java.security.InvalidKeyException: Not an EC key: RSA #259

Open MakakWasTaken opened 1 month ago

MakakWasTaken commented 1 month ago

I have recently started receiving the following error: java.security.InvalidKeyException: Not an EC key: RSA I am not really sure what causes the error, but suspect some sort of CryptoFactory problem.

The error started appearing after I added a second profile. I wanted my AS4 server to be able to both receive/send ENTSOG aswell as BDEW. This started with providing some problems with the PMode, which was handled by setting a custom PModeResolver:

AS4XServletHandler handler = new AS4XServletHandler();

handler.setPModeResolver((sPModeID, sService, sAction, sInitiatorID, sResponderID, sAgreementRef, sAddress) -> {
    if (sPModeID != null) {
        if (sPModeID.equals("ENTSOG")) {
            return ENTSOGPMode.createENTSOGPMode(sInitiatorID, sResponderID, sAddress,
                    (i, j) -> sPModeID, false);
        } else if (sPModeID.equals("BDEW")) {
            return BDEWPMode.createBDEWPMode(sInitiatorID,
                    BDEWPMode.BDEW_PARTY_ID_TYPE_BDEW, sResponderID,
                    BDEWPMode.BDEW_PARTY_ID_TYPE_BDEW, sAddress,
                    (i, j) -> sPModeID,
                    false);
        }
    }
    if (sAgreementRef.contains("entsog.eu")) {
        return ENTSOGPMode.createENTSOGPMode(sInitiatorID, sResponderID, sAddress,
                (i, j) -> "ENTSOG-" + i.getID() + "-" + j.getID(), false);
    } else if (sAgreementRef.contains("bdew.de")) {

        return BDEWPMode.createBDEWPMode(sInitiatorID, BDEWPMode.BDEW_PARTY_ID_TYPE_BDEW, sResponderID,
                BDEWPMode.BDEW_PARTY_ID_TYPE_BDEW, sAddress,
                (i, j) -> "BDEW-" + i.getID() + "-" + j.getID(), false);
    }

    LOGGER.warn("Unable to determine pMode type: " + sPModeID + ", " + sService + ", " + sAction + ", "
            + sInitiatorID + ", " + sResponderID + ", " + sAgreementRef + ", " + sAddress);

    return null;
});

The error then shifted to the sending end of the application. It won't let me set outbound files now because of the beforementioned error.

If there are any guides on how to set up multiple profiles in the same servlet it would be much appreciated. I am also aware that I could create two different endpoints for the different types of profiles, but I would prefer having them as a single endpoint instead as the handling is mostly the same for the received files.

Some configuration and the full stacktrace:

pom.xml ```xml com.helger.phase4 phase4-parent-pom 2.8.1 pom import [...] org.bouncycastle bcjmail-jdk15to18 1.78 com.helger.phase4 phase4-lib com.helger.phase4 phase4-profile-entsog com.helger.phase4 phase4-profile-bdew ```
Full stacktrace 

2024-08-15T00:14:03.578160262Z 2024-08-15T00:14:03.578Z  INFO 39 --- [p-nio-80-exec-6] c.n.c.communication.AS4Helper            : ENTSOG send result: TRANSPORT_ERROR
2024-08-15T00:14:03.585792849Z com.helger.phase4.util.Phase4Exception: Wrapped Phase4Exception
2024-08-15T00:14:03.587141664Z  at com.nomnom.communicationserver.entsog.Phase4ENTSOGSender$AbstractENTSOGUserMessageBuilder.mainSendMessage(Phase4ENTSOGSender.java:219)
2024-08-15T00:14:03.587159864Z  at com.helger.phase4.sender.AbstractAS4MessageBuilder.sendMessage(AbstractAS4MessageBuilder.java:856)
2024-08-15T00:14:03.587164864Z  at com.helger.phase4.sender.AbstractAS4UserMessageBuilder.sendMessageAndCheckForReceipt(AbstractAS4UserMessageBuilder.java:816)
2024-08-15T00:14:03.587168964Z  at com.nomnom.communicationserver.communication.AS4Helper.sendMessage(AS4Helper.java:155)
2024-08-15T00:14:03.587173264Z  at com.nomnom.communicationserver.servlet.SenderServlet.doPost(SenderServlet.java:204)
2024-08-15T00:14:03.587176864Z  at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:590)
2024-08-15T00:14:03.587180464Z  at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
2024-08-15T00:14:03.587184364Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205)
2024-08-15T00:14:03.587188265Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587191765Z  at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
2024-08-15T00:14:03.587205665Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
2024-08-15T00:14:03.587209465Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587213065Z  at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
2024-08-15T00:14:03.587216865Z  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
2024-08-15T00:14:03.587220665Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
2024-08-15T00:14:03.587224065Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587227965Z  at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
2024-08-15T00:14:03.587232665Z  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
2024-08-15T00:14:03.587236265Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
2024-08-15T00:14:03.587240265Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587244965Z  at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109)
2024-08-15T00:14:03.587248565Z  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
2024-08-15T00:14:03.587253465Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
2024-08-15T00:14:03.587257365Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587261065Z  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
2024-08-15T00:14:03.587264565Z  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
2024-08-15T00:14:03.587268565Z  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174)
2024-08-15T00:14:03.587272265Z  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149)
2024-08-15T00:14:03.587276466Z  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:166)
2024-08-15T00:14:03.587280066Z  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
2024-08-15T00:14:03.587283366Z  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
2024-08-15T00:14:03.587286766Z  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
2024-08-15T00:14:03.587290466Z  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
2024-08-15T00:14:03.587294566Z  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
2024-08-15T00:14:03.587302766Z  at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:738)
2024-08-15T00:14:03.587306866Z  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
2024-08-15T00:14:03.587310766Z  at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391)
2024-08-15T00:14:03.587314466Z  at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
2024-08-15T00:14:03.587318266Z  at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:894)
2024-08-15T00:14:03.587322266Z  at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1740)
2024-08-15T00:14:03.587326466Z  at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
2024-08-15T00:14:03.587330266Z  at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
2024-08-15T00:14:03.587334966Z  at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
2024-08-15T00:14:03.587338966Z  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
2024-08-15T00:14:03.587342766Z  at java.base/java.lang.Thread.run(Thread.java:840)
2024-08-15T00:14:03.587346566Z Caused by: org.apache.wss4j.common.ext.WSSecurityException: java.security.InvalidKeyException: Not an EC key: RSA
2024-08-15T00:14:03.587350466Z Original Exception was javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: Not an EC key: RSA
2024-08-15T00:14:03.587354366Z  at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:637)
2024-08-15T00:14:03.587358066Z  at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:554)
2024-08-15T00:14:03.587361666Z  at org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:414)
2024-08-15T00:14:03.587365267Z  at com.helger.phase4.messaging.crypto.AS4Signer._createSignedMessage(AS4Signer.java:152)
2024-08-15T00:14:03.587369367Z  at com.helger.phase4.messaging.crypto.AS4Signer.createSignedMessage(AS4Signer.java:216)
2024-08-15T00:14:03.587373267Z  at com.helger.phase4.client.AS4ClientUserMessage.buildMessage(AS4ClientUserMessage.java:746)
2024-08-15T00:14:03.587377167Z  at com.helger.phase4.client.AbstractAS4Client.sendMessageWithRetries(AbstractAS4Client.java:561)
2024-08-15T00:14:03.587380967Z  at com.helger.phase4.sender.AS4BidirectionalClientHelper.sendAS4UserMessageAndReceiveAS4SignalMessage(AS4BidirectionalClientHelper.java:138)
2024-08-15T00:14:03.587384567Z  at com.nomnom.communicationserver.entsog.Phase4ENTSOGSender$AbstractENTSOGUserMessageBuilder.mainSendMessage(Phase4ENTSOGSender.java:199)
2024-08-15T00:14:03.587387967Z  ... 44 more
2024-08-15T00:14:03.587391667Z Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: Not an EC key: RSA
2024-08-15T00:14:03.587399567Z  at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:420)
2024-08-15T00:14:03.587403867Z  at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:630)
2024-08-15T00:14:03.587407367Z  ... 52 more
2024-08-15T00:14:03.587411267Z Caused by: java.security.InvalidKeyException: Not an EC key: RSA
2024-08-15T00:14:03.587414967Z  at jdk.crypto.ec/sun.security.ec.ECKeyFactory.engineTranslateKey(ECKeyFactory.java:139)
2024-08-15T00:14:03.587418867Z  at java.base/java.security.KeyFactory.translateKey(KeyFactory.java:469)
2024-08-15T00:14:03.587422767Z  at jdk.crypto.ec/sun.security.ec.ECKeyFactory.toECKey(ECKeyFactory.java:99)
2024-08-15T00:14:03.587426767Z  at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineInitSign(ECDSASignature.java:372)
2024-08-15T00:14:03.587430267Z  at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineInitSign(ECDSASignature.java:365)
2024-08-15T00:14:03.587434567Z  at java.base/java.security.Signature$Delegate.tryOperation(Signature.java:1327)
2024-08-15T00:14:03.587438067Z  at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1276)
2024-08-15T00:14:03.587441667Z  at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1373)
2024-08-15T00:14:03.587445167Z  at java.base/java.security.Signature.initSign(Signature.java:635)
2024-08-15T00:14:03.587448967Z  at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:339)
2024-08-15T00:14:03.587452868Z  at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:417)
2024-08-15T00:14:03.587456568Z  ... 53 more
2024-08-15T00:14:03.587472168Z 2024-08-15T00:14:03.586Z ERROR 39 --- [p-nio-80-exec-6] c.n.c.servlet.SenderServlet              : Wrapped Phase4Exception

phax commented 4 weeks ago

@MakakWasTaken please be aware, that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library. Please see the respective entry in the discussion area. Also please bare in mind, that BDEW wants Elliptic Curve (EC) based certificates instead of RSA ones. So this will be more than just adding some PModes....

MakakWasTaken commented 4 weeks ago

I am guessing that you're referring to #105. I am however a bit unsure on where to start with the implementation. I am guessing that I need some sort of PMode aware crypto factory to customize the handling of the encrypt/sign based on the PMode resolver.

So if the PMode ID starts with BDEW it would handle it with the EC based certificates. And likewise if it starts with ENTSOG I would just continue to handle it in the same way as before.

that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library.

I read the discussion that you referred to, I however understood https://github.com/phax/phase4/discussions/105#discussioncomment-8619686 as if the problem had been resolved and it was now implemented (from 2.7.5 and onwards). Is there anything else that I need to implement in order to start receiving with the BDEW profile.

Another thing is that when I started implementing the new BDEW profile, it caused the existing sending of ENTSOG to start failing. The following code is what is used for sending the message that seems to cause an error.

Phase4ENTSOGSender.ENTSOGPayloadParams entsogParams = new Phase4ENTSOGSender.ENTSOGPayloadParams();
eResult = Phase4ENTSOGSender.builder()
        // Certificate
        .cryptoFactory(CryptoHelper.cryptoFactory)
        .receiverCertificate(certificate)

        // Setup
        .endpointURL(endpointURL)
        .action("http://docs.oasis-open.org/ebxml-msg/as4/200902/action")
        .service(serviceType, service)
        .agreementRef(agreement)
        .httpRetrySettings(new HttpRetrySettings().setMaxRetries(0))

        // From Partner
        .fromRole(senderRole)
        .fromPartyID(senderId)
        .fromPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")

        // To Partner
        .toRole(receiverRole)
        .toPartyID(receiverId)
        .toPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")

        .pmodeID(as4Type)

        // Payload
        .payload(aPayloadElement, entsogParams)
        .signalMsgConsumer(signalConsumer)

        .setSigningKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
        .encryptionKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)

        // Send the message
        .sendMessageAndCheckForReceipt(responseMessage::set);

Running this code gives me the InvalidKeyException. Which I thought was only needed when handling the BDEW profile. Is there some extra that I need to do in my CryptoFactory to account for this. If there are questions to any of the variables please feel free to ask 😄

Thanks in advance :D

MakakWasTaken commented 4 weeks ago

I figured part of the problem out. I noticated that a default profile was being selected (bdew). Which caused the validation to fail. I temporarily fixed the problem by using the MetaAS4Manager.getProfileMgr().setDefaultProfileID method to set the profile id to the selected profile type right before sending. I was however wondering if there was a better solution to this? I tried using the incomingProfileSelector on Phase4ENTSOGSender, but without success.

An example of how to properly do this would be much appreciated.

EDIT: I just found this https://github.com/phax/phase4/issues/244#issue-2359337219 😄

Is it possible to change the receiving profile dynamically or is this done automatically?

phax commented 3 weeks ago

As handling multiple AS4 profiles becomes more and more of an issue, I started assembling a Wiki page that should deal with that topic: https://github.com/phax/phase4/wiki/Multi-Profile-Handling - that page is not yet finalized but it should provide a good starting point

One of the points mentioned there is also the AS4 profile ID for sending. This has indeed been resolved by #244 and will be part of the upcoming 2.8.2 release.

An indeed the implementation of https://issues.apache.org/jira/browse/SANTUARIO-511 in the 3.x branch of Apache Santuario opened up for an easier key exchange, but you need to implement it yourself. It's not "hidden" in the phase4 code atm.

hth