You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@camel.apache.org by "Claus Ibsen (Jira)" <ji...@apache.org> on 2022/09/03 12:26:00 UTC

[jira] [Updated] (CAMEL-18017) camel-as2 - Signed content in MDN gets corrupted and is not possible to validate

     [ https://issues.apache.org/jira/browse/CAMEL-18017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated CAMEL-18017:
--------------------------------
    Priority: Minor  (was: Major)

> camel-as2 - Signed content in MDN gets corrupted and is not possible to validate
> --------------------------------------------------------------------------------
>
>                 Key: CAMEL-18017
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18017
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-as2
>    Affects Versions: 3.16.0
>            Reporter: Ted Lundqvist
>            Priority: Minor
>             Fix For: 3.x
>
>
> When the http response with an MDN is received it is parsed to a MultipartSignedEntity-object. 
> When the object is serialized back to an outputstream using the method AS2MessageDispositionNotificationEntity#writeTo the string is not guaranteed to be identical to the the string received in the original http-response.
> This makes it impossible to calculate an correct message-digest and the method MultipartSignedEntity#isValid returns false because the following exception is thrown:
> "org.bouncycastle.cms.CMSSignerDigestMismatchException: message-digest attribute value does not match calculated value"
> when calling: 
> signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)
> I tried to use the AS2-client to send messeages to both IBM Datapower and ArcESB and it was not possible to validate the MDN from neither of them.
> A few examples of differences between the actual received string and the reconstructed string are (see the full examples further down):
>  # The order of the fields in the disposition-notification was in the wrong order:
> In the original string they where ordered as follows:
> Reporting-UA
> Original-Recipient
> Final-Recipient
> Original-Message-ID
> Disposition
> Received-content-MIC
> But in the reconstructed string the field Original-Recipient had been moved down and was placed before Received-content-MIC.
>  # Received-content-MIC returned from both Datapower and ArcESB had a space between the comma-sign and the algorithmId.
> In the reconstructed string the space-character was removed.
> According to the example in RFC4130 ([https://datatracker.ietf.org/doc/html/rfc4130)] is seems as if it should be ok to have a space-character.
>  # In the MDN from ArcESB the field Received-content-MIC the word content was written with a capital 'C' i.e. Received-Content-MIC.
> I'm not sure if that is valid according to the standard or not.
> The actual string received in the http-response:
> {code:java}
> Content-Type: multipart/report; report-type=disposition-notification; boundary=8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> --8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> Content-Type: text/plain; charset=us-asciiThis MDN response message is for:Original-Message-ID: <52...@camel.apache.org>
> From: AMFAutoTest_AS2--8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> Content-Type: message/disposition-notificationReporting-UA: DataPower
> Original-Recipient: rfc822; "TEST"
> Final-Recipient: rfc822; "TEST"
> Original-Message-ID: <52...@camel.apache.org>
> Disposition: automatic-action/MDN-sent-automatically; processed
> Received-content-MIC: vUE91/gKwRCPdosfVE3H/VQNy1xHgZ+YWoVgcM5mVBya/ggZb7KxjozNUk7ewsrHOxoI9BDY2uURCcxpKU9dYA==, sha-512
> --8e7e662d-3449-4777-96dc-7a6ba5ddbfb3-- {code}
> The String reconstructed from the MultipartSignedEntity:
> {code:java}
> Content-Type: multipart/report; report-type=disposition-notification; boundary=8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> --8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> Content-Type: text/plain; charset=us-asciiThis MDN response message is for:Original-Message-ID: <52...@camel.apache.org>
> From: AMFAutoTest_AS2--8e7e662d-3449-4777-96dc-7a6ba5ddbfb3
> Content-Type: message/disposition-notificationReporting-UA: DataPower
> Final-Recipient: rfc822;"TEST"
> Original-Message-ID: <52...@camel.apache.org>
> Disposition: automatic-action/MDN-sent-automatically;processed
> Original-Recipient: rfc822; "TEST"
> Received-content-MIC: vUE91/gKwRCPdosfVE3H/VQNy1xHgZ+YWoVgcM5mVBya/ggZb7KxjozNUk7ewsrHOxoI9BDY2uURCcxpKU9dYA==,sha-512
> --8e7e662d-3449-4777-96dc-7a6ba5ddbfb3-- {code}
> In order to always being able to calculate a correct digest the original string that was signed should be preserved as is.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)