Open MakakWasTaken opened 3 months ago
phax
commented
3 months ago @MakakWasTaken please be aware, that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library. Please see the respective entry in the discussion area. Also please bare in mind, that BDEW wants Elliptic Curve (EC) based certificates instead of RSA ones. So this will be more than just adding some PModes....
MakakWasTaken
commented
3 months ago I am guessing that you're referring to #105. I am however a bit unsure on where to start with the implementation. I am guessing that I need some sort of PMode aware crypto factory to customize the handling of the encrypt/sign based on the PMode resolver.
So if the PMode ID starts with BDEW it would handle it with the EC based certificates. And likewise if it starts with ENTSOG I would just continue to handle it in the same way as before.
that BDEW does NOT work out of the box, because the key exchange stuff is not available in the underlying WSS4J library.
I read the discussion that you referred to, I however understood https://github.com/phax/phase4/discussions/105#discussioncomment-8619686 as if the problem had been resolved and it was now implemented (from 2.7.5 and onwards). Is there anything else that I need to implement in order to start receiving with the BDEW profile.
Another thing is that when I started implementing the new BDEW profile, it caused the existing sending of ENTSOG to start failing. The following code is what is used for sending the message that seems to cause an error.
Phase4ENTSOGSender.ENTSOGPayloadParams entsogParams = new Phase4ENTSOGSender.ENTSOGPayloadParams();
eResult = Phase4ENTSOGSender.builder()
// Certificate
.cryptoFactory(CryptoHelper.cryptoFactory)
.receiverCertificate(certificate)
// Setup
.endpointURL(endpointURL)
.action("http://docs.oasis-open.org/ebxml-msg/as4/200902/action")
.service(serviceType, service)
.agreementRef(agreement)
.httpRetrySettings(new HttpRetrySettings().setMaxRetries(0))
// From Partner
.fromRole(senderRole)
.fromPartyID(senderId)
.fromPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
// To Partner
.toRole(receiverRole)
.toPartyID(receiverId)
.toPartyIDType("http://www.entsoe.eu/eic-codes/eic-party-codes-x")
.pmodeID(as4Type)
// Payload
.payload(aPayloadElement, entsogParams)
.signalMsgConsumer(signalConsumer)
.setSigningKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
.encryptionKeyIdentifierType(ECryptoKeyIdentifierType.BST_DIRECT_REFERENCE)
// Send the message
.sendMessageAndCheckForReceipt(responseMessage::set);Running this code gives me the InvalidKeyException. Which I thought was only needed when handling the BDEW profile. Is there some extra that I need to do in my CryptoFactory to account for this. If there are questions to any of the variables please feel free to ask 😄
Thanks in advance :D
MakakWasTaken
commented
3 months ago I figured part of the problem out. I noticated that a default profile was being selected (bdew). Which caused the validation to fail. I temporarily fixed the problem by using the MetaAS4Manager.getProfileMgr().setDefaultProfileID method to set the profile id to the selected profile type right before sending. I was however wondering if there was a better solution to this? I tried using the incomingProfileSelector on Phase4ENTSOGSender, but without success.
An example of how to properly do this would be much appreciated.
EDIT: I just found this https://github.com/phax/phase4/issues/244#issue-2359337219 😄
Is it possible to change the receiving profile dynamically or is this done automatically?
phax
commented
3 months ago As handling multiple AS4 profiles becomes more and more of an issue, I started assembling a Wiki page that should deal with that topic: https://github.com/phax/phase4/wiki/Multi-Profile-Handling - that page is not yet finalized but it should provide a good starting point
One of the points mentioned there is also the AS4 profile ID for sending. This has indeed been resolved by #244 and will be part of the upcoming 2.8.2 release.
An indeed the implementation of https://issues.apache.org/jira/browse/SANTUARIO-511 in the 3.x branch of Apache Santuario opened up for an easier key exchange, but you need to implement it yourself. It's not "hidden" in the phase4 code atm.
hth
MakakWasTaken
commented
1 week ago I have finally had the time to sit down and have a look at this again. I have since last posting converted to version 3.0.0. I have also generated some certificates using openssl to get the EC certificates that I needed in order to prevent this error.
# Create Key openssl ecparam -name brainpoolP256r1 -genkey -out ecdsa_private_key.pem -param_enc named_curve # Create Certificate from key openssl req -new -x509 -key ecdsa_private_key.pem -out ecdsa_public_key.cer -days 99999 # Create .p12 keystore using the private key and public key. openssl pkcs12 -export -out keystore.p12 -inkey ecdsa_private_key.pem -in ecdsa_public_key.cer
I am attempting to send a BDEW message but have now ended up with the message:
java.security.SignatureException: Curve not supported: org.bouncycastle.jce.spec.ECNamedCurveSpec
I have tried looking around, both in phase4 but also just in general. And as I understand it there is a problem with the brainpoolP256r1 curve not being properly supported.
When I was looking up ECNamedCurveSpec I found the BrainpoolFuncTest and SecP256R1FuncTest test cases within the phase4-bdew-client. These seem to be running fine in my implementation with the certificates generated with the above commands. I have also tried listing the supported curves using ECNamedCurveTable.getNames() and it seems that brainpoolP256r1 is indeed included in the list.
This has now left me without any idea of how to continue. The way that I set up the BouncyCastleProvider is using the following script to do the initialization:
import org.apache.xml.security.Init;
import org.apache.xml.security.algorithms.JCEMapper;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import java.security.Security;
public class GeneralConfig {
static {
// Initialize the XML Security library
Init.init();
// Register Bouncy Castle as a security provider
Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());
// Set Bouncy Castle as the provider for specific algorithms
JCEMapper.setProviderId(BouncyCastleProvider.PROVIDER_NAME);
}
}The keystore I use is using PKCS12 and I start it using m_aKeyStore = EKeyStoreType.PKCS12.getKeyStore("BC"); in my crypto factory.
I have also tried looking in the #105 discussion, but it seems that the discussion has moved to a Slack channel which I am not apart of. In case there is some relevant information in the Slack, could you invite me? (makakwastaken@gmail.com)
I apologize if I have missed something obvious. Neither Java or Cryptography are my strong suite, but I am trying to learn as I go along :) If more information is needed do not hesitate to ask. If there are some good resources for learning more about the AS4 in general I would also happily accept any suggestions.
I have recently started receiving the following error:
java.security.InvalidKeyException: Not an EC key: RSAI am not really sure what causes the error, but suspect some sort of CryptoFactory problem.The error started appearing after I added a second profile. I wanted my AS4 server to be able to both receive/send ENTSOG aswell as BDEW. This started with providing some problems with the PMode, which was handled by setting a custom PModeResolver:
The error then shifted to the sending end of the application. It won't let me set outbound files now because of the beforementioned error.
If there are any guides on how to set up multiple profiles in the same servlet it would be much appreciated. I am also aware that I could create two different endpoints for the different types of profiles, but I would prefer having them as a single endpoint instead as the handling is mostly the same for the received files.
Some configuration and the full stacktrace:
pom.xml
```xmlFull stacktrace