Security Problem


JuliusIT

Aug 27, 2007, 5:56:12 AM
to Hermes 2.0 Discussion List
Hi, I'm still having problems with the encryption and signing part of
Hermes 2.0.
This is the exception when I try to sign the outgoing message:

hk.hku.cecid.piazza.commons.security.SMimeException: Unable to sign body part
by java.lang.NullPointerException
    at hk.hku.cecid.piazza.commons.security.SMimeMessage.sign(SMimeMessage.java:258)
    at hk.hku.cecid.edi.as2.module.OutgoingPayloadTask.execute(OutgoingPayloadTask.java:117)
    at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
    at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.NullPointerException
    at hk.hku.cecid.piazza.commons.security.SMimeMessage.sign(SMimeMessage.java:224)
    ... 3 more

Line 224 in the code of SMimeMessage is:

attributes.add(new SMIMEEncryptionKeyPreferenceAttribute(
        new IssuerAndSerialNumber(new X509Name(cert.getIssuerDN().getName()),
                                  cert.getSerialNumber())));

so only cert could be null. So the problem is in the 'cert' value that is
set via the constructor of the class. I wasn't able to understand how
this value was set.
Trying to decrypt the body of a message gives this exception (I can
encrypt the message with no problems):

hk.hku.cecid.piazza.commons.security.SMimeException: Unable to decrypt body part
by java.lang.NullPointerException
    at hk.hku.cecid.piazza.commons.security.SMimeMessage.decrypt(SMimeMessage.java:426)
    at hk.hku.cecid.piazza.commons.security.SMimeMessage.decrypt(SMimeMessage.java:391)
Caused by: java.lang.NullPointerException
    at hk.hku.cecid.piazza.commons.security.SMimeMessage.decrypt(SMimeMessage.java:412)
    ... 23 more

Again, line 412 of SMimeMessage is:

recId.setSerialNumber(cert.getSerialNumber());

and again only cert could be null, as recId is instantiated in the same
method.

I used the as2.p12 keystore for the test (the certificate inside is out of
date, as it expired in 2006). I substituted the out-of-date certificate
with this command:

keytool -selfcert -alias corvusas2 -validity 3650 -storetype pkcs12 -keystore as2.p12 -storepass password -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider

then I extracted the certificate with:

keytool -export -alias corvusas2 -file as2.cer -keystore as2.p12 -storepass password -storetype "pkcs12" -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider

As I can encrypt the outgoing message but I'm not able to sign it,
I think that the problem is in how the Hermes server gets the
certificate from the PKCS12 keystore.

The same problem occurs if I build the certificate, private key and
keystore from scratch.

Please help me, as I can't understand if I'm doing something wrong or
if it is a Hermes problem. I can't find an example of how to set up
Hermes to sign and encrypt, so I don't even know if Hermes works with
the encrypting and signing features on. The loopback test demonstrates
only that Hermes can send and receive plain-text messages.

Best regards

Giulio

Ronnie Kwok

Aug 27, 2007, 6:38:08 AM
to Hermes 2.0 Discussion List
Giulio,

I am now stuck on something but will get back to you on this issue
ASAP.

BTW, I suppose you placed the keystore in the same location as the
as2.p12 and all the aliases and passwords remain the same? Besides, the
partnerships for both incoming and outgoing are configured accordingly
(i.e. with signing and encryption enabled) and have the certificate
loaded into the partnership, too.

Regards,
ronnie

JuliusIT

Aug 27, 2007, 7:29:22 AM
to Hermes 2.0 Discussion List
Ronnie,

Thanks for your help. Sorry for asking twice, but we must put the
server online before the first week of September, and all goes well except
for this problem: we can encrypt the message to our partner with Hermes
and he can decrypt the message (but they don't use Hermes),
but we can't decrypt their messages.

> BTW, I suppose you placed the keystore in the same location as the
> as2.p12 and all the alias and password remains the same?

I put two files in {home}/hermes2/plugins/hk.hku.cecid.edi.as2/security

as2.cer: this is the certificate I exported from the as2.p12 keystore that
comes with the distribution, modified for the expiry problem I described
before. This is the certificate I give to the partner to encrypt the
messages they send to us.

as2.p12: this is the keystore that comes with the distribution, which
I've modified as I stated above.
The alias is corvusas2 and the password is 'password'; I left these values
in {home}/hermes2/plugins/hk.hku.cecid.edi.as2/conf/hk/hku/cecid/edi/as2/conf/as2.module.core.xml

<component id="keystore-manager" name="AS2 Key Store Manager">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="amgas2.p12"/>
    <parameter name="keystore-password" value="R0b3r70"/>
    <parameter name="key-alias" value="horst"/>
    <parameter name="key-password" value="R0b3r70"/>
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>

JuliusIT

Aug 27, 2007, 7:38:25 AM
to Hermes 2.0 Discussion List

Sorry, I pressed enter by mistake; I continue from here. The previous
configuration was from another test with our key; this is the actual
configuration:

<component id="keystore-manager" name="AS2 Key Store Manager">
    <class>hk.hku.cecid.piazza.commons.security.KeyStoreManager</class>
    <parameter name="keystore-location" value="as2.p12"/>
    <parameter name="keystore-password" value="password"/>
    <parameter name="key-alias" value="corvus"/>
    <parameter name="key-password" value=""/>
    <parameter name="keystore-type" value="PKCS12"/>
    <parameter name="keystore-provider" value="org.bouncycastle.jce.provider.BouncyCastleProvider"/>
</component>

I've tried to change the values of some properties, and Hermes correctly
states that the private key could not be found or that the keystore
was in an incorrect format, so I suppose that Hermes loads the
keystore and the private key correctly.

> Besides, the partnership for both incoming and outgoing are configured accordingly
> (i.e. with signing and encryption enabled) and having the certificate
> loaded into the partnership, too.

I think yes, our sending partnership has the following properties:
Message Signing Required? true
Message Encryption Required? true
Certificate For Encryption: the partner public certificate for the
encryption

Our receiving configuration has the following properties:
Message Signature Enforced? true
Message Encryption Enforced? true
Certificate For Verification: the partner public certificate for the
encryption

Thank you very much for your help.

Best regards

Giulio

p.s.: sorry for my English level.

Ronnie Kwok

Aug 28, 2007, 4:12:10 AM
to Hermes 2.0 Discussion List
Hello,

The way we generate the keystore and certificate differs from what you
have specified. I am wondering if the format of the keystore and cert
is the reason for the failure.

Below please find our way of generating the keystore and certificate.

The keystore used is limited to the PKCS12 format, and the
certificate inside should be signed with the SHA1 algorithm. You will need
to prepare a private key and a signed certificate and combine them into
a PKCS12 keystore.

Firstly, we will need to generate the private key,

openssl genrsa -out server.key 1024

Secondly, we will generate a CSR,

openssl req -new -key server.key -out server.csr

Finally, we will generate a self-signed certificate as follows,

openssl x509 -req -days 60 -in server.csr -signkey server.key -sha1 -out server.crt

This statement will generate a self-signed certificate, using SHA1 as
the signing algorithm and having an alias called "hello".

To combine the certificate and the key into a PKCS12 keystore, we
issue the following command,

openssl pkcs12 -name haha -export -in server.crt -inkey server.key -out server.p12

This will generate the keystore in the PKCS12 format, with a
key alias named "haha".

The command below will export the certificate from the keystore
provided.

openssl pkcs12 -in server.p12 -out /tmp/default_pub.crt -clcerts -nokeys

Let me know if this helps.

Regards,
ronnie
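The script below is an added example, not Hermes/H2O code and not something posted in this thread. It runs the openssl steps Ronnie lists above (key, CSR, self-signed SHA1 certificate, PKCS12 bundle with a named alias, exported public certificate) and then checks the resulting keystore for the properties that the keystore-manager entry in as2.module.core.xml posted earlier in the thread depends on: the key-alias parameter matches the alias stored in the bundle, the private key belongs to the certificate, the certificate is signed with SHA1 as Ronnie says Hermes requires, and it has not expired (the shipped as2.p12 in the first post had expired in 2006). The second check_keystore call deliberately uses a config alias that is not in the bundle, which is the situation behind Hermes' "private key could not be found" message (note that the earlier posts used corvusas2 on the keytool command line but corvus in the XML). Assumptions: openssl is on PATH; the subject name, the 2048-bit key size (the thread uses 1024) and the password "password" are constructed values.

```shell
#!/bin/sh
# Added example (not Hermes project code): build a PKCS12 keystore the way the
# thread describes, then check what an AS2 keystore-manager entry needs from it.
set -eu

# make_keystore DIR ALIAS PASSWORD DAYS DIGEST
# Writes server.key, server.csr, server.crt, server.p12 and public.crt into DIR.
make_keystore() {
  dir=$1 kalias=$2 pass=$3 days=$4 digest=$5
  mkdir -p "$dir"
  # 1. private key (constructed choice: 2048 bits; the thread uses 1024)
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # 2. certificate request; -subj skips the interactive questions (constructed subject)
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=as2-test/O=Example" 2>/dev/null
  # 3. self-signed certificate; DIGEST is sha1 when following the thread
  openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
    "-$digest" -out "$dir/server.crt" 2>/dev/null
  # 4. PKCS12 bundle; -name becomes the alias that key-alias in the XML must match
  openssl pkcs12 -export -name "$kalias" -in "$dir/server.crt" -inkey "$dir/server.key" \
    -passout "pass:$pass" -out "$dir/server.p12" 2>/dev/null
  # 5. public certificate to hand to the trading partner
  openssl pkcs12 -in "$dir/server.p12" -passin "pass:$pass" -clcerts -nokeys \
    -out "$dir/public.crt" 2>/dev/null
}

# p12_cert P12 PASSWORD : the client certificate (PEM) held in the keystore
p12_cert() { openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null; }
# p12_key P12 PASSWORD : the private key (PEM, unencrypted, written to stdout only)
p12_key() { openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null; }

# keystore_alias P12 PASSWORD : the friendlyName stored with the certificate entry
keystore_alias() {
  p12_cert "$1" "$2" | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# cert_sigalg P12 PASSWORD : signature algorithm name, e.g. sha1WithRSAEncryption
cert_sigalg() {
  p12_cert "$1" "$2" | openssl x509 -noout -text \
    | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# key_matches_cert P12 PASSWORD : succeeds only when the key belongs to the certificate
key_matches_cert() {
  k=$(p12_key "$1" "$2" | openssl rsa -noout -modulus 2>/dev/null)
  c=$(p12_cert "$1" "$2" | openssl x509 -noout -modulus 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_keystore P12 ALIAS PASSWORD : the checks the Hermes configuration relies on;
# prints one line per finding and returns 0 only when all of them pass.
check_keystore() {
  p12=$1 kalias=$2 pass=$3 ok=0
  stored=$(keystore_alias "$p12" "$pass")
  if [ "$stored" = "$kalias" ]; then echo "alias ok: $kalias"
  else echo "alias mismatch: keystore holds '$stored', config says '$kalias'"; ok=1; fi
  if key_matches_cert "$p12" "$pass"; then echo "private key matches certificate"
  else echo "private key does not match certificate (or wrong password)"; ok=1; fi
  alg=$(cert_sigalg "$p12" "$pass")
  if [ "$alg" = "sha1WithRSAEncryption" ]; then echo "signature algorithm ok: $alg"
  else echo "signature algorithm is '$alg'; the thread says Hermes expects SHA1"; ok=1; fi
  if p12_cert "$p12" "$pass" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate not expired"
  else echo "certificate expired (the shipped as2.p12 ran out in 2006)"; ok=1; fi
  return $ok
}

main() {
  work=$(mktemp -d)
  # alias "haha" and 60 days follow the thread; "password" is a constructed value
  make_keystore "$work" haha password 60 sha1
  check_keystore "$work/server.p12" haha password
  # the failure mode from the thread: key-alias in the XML differs from the bundle
  check_keystore "$work/server.p12" corvus password || echo "(mismatch reported above)"
  rm -rf "$work"
}
main
```

Run it as `sh keystore_check.sh`. To check an existing keystore against the XML values, call `check_keystore as2.p12 corvus password` with the keystore-location, key-alias and keystore-password from as2.module.core.xml. One caveat when reproducing this with a current OpenSSL 3.x: `pkcs12 -export` now defaults to AES and PBKDF2 inside the bundle, and a 2007-era Java/BouncyCastle reader may not understand it; OpenSSL 3 provides the `-legacy` option on `pkcs12 -export` for the older encoding.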

JuliusIT

Aug 28, 2007, 4:53:52 AM
to Hermes 2.0 Discussion List
Thank you Ronnie,

your solution works just fine; now we are able to communicate with our
partner with signed and encrypted messages.
I really thank you for your help.

best regards

Giulio

Ronnie Kwok

Aug 28, 2007, 5:27:12 AM
to Hermes 2.0 Discussion List
Giulio,

I am so glad that it works!

Btw, I am curious to learn more on how H2O is being used in your
project. I understand you will need to focus on the project roll out
at this moment but I would be very glad if you can kindly share more
about the project when you have settled.

All the best on your project!

ronnie

JuliusIT

Aug 28, 2007, 7:34:39 AM
to Hermes 2.0 Discussion List
Ronnie,

we are an EDI clearing center and we are setting up a server for
supporting AS2 communication.
We chose Hermes 2 because it was an open source project, well
documented.
If you want to know more about the project I'll be glad to go into
deeper detail, but not on a forum.

best regards.

Giulio

andy98

Sep 23, 2007, 4:18:21 PM
to Hermes 2.0 Discussion List
Ronnie,

I get the following error:

2007-09-23 22:11:42 [-Processor24] <ERROR> <Unable to decrypt AS2 Message [20070923-2...@127.0.0.1, From: Sender, To: Receiver]>
hk.hku.cecid.piazza.commons.security.SMimeException: Private key not found

Any ideas, please??

Andy

andy98

Sep 24, 2007, 5:42:34 AM
to Hermes 2.0 Discussion List
it works..... :-))

On 23 Sep., 22:18, andy98 <ai_muel...@freenet.de> wrote:
> Ronnie,
>
> I get the following error:
>
> 2007-09-23 22:11:42 [-Processor24] <ERROR> <Unable to decrypt AS2
> Message [20070923-221142-03...@127.0.0.1, From: Sender, To: Receiver]>

Ronnie Kwok

Sep 24, 2007, 6:10:49 AM
to Hermes 2.0 Discussion List
Hello,

Sorry for replying late.

Good to know that it works now! I am curious to know how you got
it to work?

Regards,
ronnie
