Unable to verify AS2 Message

michel...@gmail.com

Jun 16, 2009, 4:18:14 PM
to Hermes 2.0 Discussion List
When receiving an encrypted, signed message we are receiving the following error.

2009-06-16 22:05:31,603 2977222 ERROR [hk.hku.cecid.edi.as2] (Thread-365:) Unable to verify AS2 Message [xxxxxx@yyyyyyy, From: xxxxxxxxxxxxxxxx, To: yyyyyyyyyyyyyyyyyyyy]
hk.hku.cecid.piazza.commons.security.SMimeException: Unable to verify body part
by hk.hku.cecid.piazza.commons.security.SMimeException: Verification failed
at hk.hku.cecid.piazza.commons.security.SMimeMessage.verify(SMimeMessage.java:336)
at hk.hku.cecid.edi.as2.module.IncomingMessage.processSMime(IncomingMessage.java:135)
at hk.hku.cecid.edi.as2.module.IncomingMessageProcessor.processReceivedMessage(IncomingMessageProcessor.java:179)
at hk.hku.cecid.edi.as2.module.IncomingMessageTask.execute(IncomingMessageTask.java:71)
at hk.hku.cecid.piazza.commons.module.ActiveThread.run(ActiveThread.java:90)
at java.lang.Thread.run(Thread.java:619)
Caused by: hk.hku.cecid.piazza.commons.security.SMimeException: Verification failed
at hk.hku.cecid.piazza.commons.security.SMimeMessage.verify(SMimeMessage.java:320)
... 5 more

It seems the message is properly decrypted but we are unable to verify the signature.

Any hint of a good method to identify the root cause of the problem?

Extra information:

- If we receive an encrypted but not signed message, it works.
- The certificate for verification is set to the public key dedicated to signing delivered by the partner.
- The public key is certified by two levels of CA (both have been included in the keystore).
- The partner application is Gentran IS.

Steve Chan

Jun 16, 2009, 10:19:12 PM
to Hermes 2.0 Discussion List
michel colin,

I suppose you are using your own keystore for signing. May I know where you located your keystore file?
Actually, if you are using your own keystore, you possibly need to modify the "ebms.module.xml" file
inside <HERMES_HOME>/plugins/hk.hku.cecid.ebms/conf/hk/hku/cecid/ebms/spa/conf:
change the keystore location and its username/password.
Hope this helps.

Regards,
Steve

Steve Chan

Jun 17, 2009, 3:36:38 AM
to Hermes 2.0 Discussion List
Oops, I made a mistake.
You are talking about AS2,
so the file and the path should be:

as2.module.core.xml
&
<HERMES_HOME>/plugins/hk/hku.cecid.edi.as2/conf/hk/hku/cecid/edi/as2/conf


michel...@gmail.com

Jun 17, 2009, 11:47:03 AM
to Hermes 2.0 Discussion List
No problem ;)
The issue we are encountering is not at all coming from the encryption but from the signature.
The following scenarios were tested:
1. We receive an encrypted message from that partner and we can decrypt it.
2. We receive a signed / encrypted message from the same partner and we can decrypt it but not verify the signature.
3. We receive an MDN (signed) from the same partner and we can verify the signature.
The signature used by the partner to sign message & MDN is exactly the same and the one we have in the certificate for verification.

At this stage of investigation we are more in favor of a misinterpretation of the encoding of the body part containing the SHA-1 signature.

math

Jun 17, 2009, 3:22:26 PM
to Hermes 2.0 Discussion List
Hi,

We have investigated this issue further... The decryption is fine but the verification of the signature fails. However, in the class hk.hku.cecid.piazza.commons.security.SMimeMessage, if I change line 312 from:
-> SMIMESigned signed = new SMIMESigned((MimeMultipart) bodyPart.getContent());
to
-> SMIMESigned signed = new SMIMESigned((MimeMultipart) bodyPart.getContent(), "binary");

the signature is found valid.

If we look in the structure of the S/MIME message we can see that it is composed of:
((MimeMultipart) bodyPart.getContent()).getBodyPart(0).getContent().toString(); -> java.lang.String
((MimeMultipart) bodyPart.getContent()).getBodyPart(1).getContent().toString(); -> java.io.ByteArrayInputStream

My partner is using an AS2 software from Sterling.

Do you know this situation? Is there a way to force the encrypted content encoding? Is it valid to have a simple string as BodyPart(0)? Is there a setting my partner can do?

Thanks for your help,
Mathieu
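
Added example, not part of the thread and not Hermes or BouncyCastle code: BouncyCastle rewrites line endings to CRLF before digesting a signed part unless the part's transfer encoding is binary, and the second SMIMESigned constructor argument is the encoding assumed when the part carries no Content-Transfer-Encoding header (the default is 7bit). This JDK-only program applies both readings to a constructed body part and reports which one reproduces the signer's SHA-1 digest; the class name, method names and sample bytes are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SignedPartDigestCheck {

    // Canonical form used for a part read as 7bit: every bare CR or bare LF
    // becomes CRLF, an existing CRLF is left as one line break.
    static byte[] canonicalizeCrlf(byte[] in) {
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length + 16);
        for (int i = 0; i < in.length; i++) {
            if (in[i] == '\r' || in[i] == '\n') {
                out.write('\r');
                out.write('\n');
                if (in[i] == '\r' && i + 1 < in.length && in[i + 1] == '\n') {
                    i++; // CRLF already present: consume the LF
                }
            } else {
                out.write(in[i]);
            }
        }
        return out.toByteArray();
    }

    static byte[] sha1(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    // Which reading of the raw part reproduces the digest the signer computed?
    static String matchingEncoding(byte[] rawPart, byte[] signerDigest) throws Exception {
        boolean asBinary = MessageDigest.isEqual(sha1(rawPart), signerDigest);
        boolean as7bit = MessageDigest.isEqual(sha1(canonicalizeCrlf(rawPart)), signerDigest);
        if (asBinary && as7bit) return "both";
        if (asBinary) return "binary";
        return as7bit ? "7bit" : "neither";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: CRLF headers, no Content-Transfer-Encoding,
        // EDI payload with bare LF line ends as a binary sender might emit.
        byte[] part = ("Content-Type: application/EDIFACT\r\n\r\n"
                + "UNB+UNOA:2'\nUNH+1'\nUNZ+1'\n").getBytes(StandardCharsets.US_ASCII);
        // Stand-in for the messageDigest signed attribute: the sender hashed
        // the bytes exactly as transmitted.
        byte[] signerDigest = sha1(part);
        System.out.println("part verifies when read as: " + matchingEncoding(part, signerDigest));
    }
}
```

A part whose line breaks are already all CRLF yields "both", so a CRLF-only text part can verify under either setting while a payload with bare LF verifies only as binary.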

math

Jun 24, 2009, 2:29:09 AM
to Hermes 2.0 Discussion List
Any update on this?

Kamil Czyżnielewski

Sep 9, 2014, 9:46:35 AM
to cecid-...@googlegroups.com
I am facing the same problem with certificates:
hk.hku.cecid.piazza.commons.security.SMimeException: Unable to verify body part
by hk.hku.cecid.piazza.commons.security.SMimeException: No certificate for verification
at hk.hku.cecid.piazza.commons.security.SMimeMessage.verify(SMimeMessage.java:336)
at hk.hku.cecid.edi.as2.module.IncomingMessage.processSMime(IncomingMessage.java:135)
at hk.hku.cecid.edi.as2.module.IncomingMessageProcessor.processReceivedMessage(IncomingMessageProcessor.java:179)
at hk.hku.cecid.edi.as2.module.IncomingMessageProcessor.processMessage(IncomingMessageProcessor.java:152)
at hk.hku.cecid.edi.as2.listener.AS2InboundListener.processRequest(AS2InboundListener.java:36)
at hk.hku.cecid.edi.as2.listener.AS2RequestAdaptor.processRequest(AS2RequestAdaptor.java:61)
at hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.processRequest(HttpDispatcher.java:126)
at hk.hku.cecid.piazza.commons.servlet.http.HttpDispatcher.doPost(HttpDispatcher.java:277)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:409)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1044)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1721)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1679)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Caused by: hk.hku.cecid.piazza.commons.security.SMimeException: No certificate for verification
at hk.hku.cecid.piazza.commons.security.SMimeMessage.verify(SMimeMessage.java:307)
... 25 more
Does anyone know why this exception is thrown?

Thanks for help,
Kamil

Methnani Web Develop

Sep 10, 2014, 6:04:03 AM
to cecid-...@googlegroups.com
Can you post your partnership configurations?

Kind Regards.
Mohamed Methnani
Computer engineer
(+216) 27 567 985




Kamil Czyżnielewski

Sep 11, 2014, 2:05:30 AM
to cecid-...@googlegroups.com
I set up a second partner as a MendelsonAS2 instance. Please see the attached file partnership.csv. Those <binary data> are certificates. I am wondering why in the web app of hermes2 there is an empty place after I upload a certificate -> http://scr.hu/0fxu/09yn0

If you are going to have questions please ask! 

Thanks for help! :)
partnership.csv

Methnani Web Develop

Sep 11, 2014, 3:36:37 AM
to cecid-...@googlegroups.com
Hello Kamil,
Can you post your partnership.XML file?
Also, in your database in the table partnership, are the columns encrypt_cert and encrypt_cert empty?

> I am wondering why in web app of hermes2 there is empty place after I upload certificate
Yes, AS2 always shows an empty string there even if you have a certificate attached. (Depending on the AS2 version, it's a bug in previous releases.)

Kind Regards.
Mohamed Methnani
Computer engineer
(+216) 27 567 985



Kamil Czyżnielewski

Sep 11, 2014, 6:24:46 AM
to cecid-...@googlegroups.com
Hi Mohamed,

Could you tell me where I can find partnership.xml? I only have as2-partnership.xml in the sample folder.
No, in the database those columns are filled with binary data and I checked that those binary data are correct X.509 certificates.

Best Regards,
Kamil Czyżnielewski

Methnani Web Develop

Sep 11, 2014, 7:20:07 AM
to cecid-...@googlegroups.com
Send me your skype ID. I'm free for 30 minutes please be quick!

Kamil Czyżnielewski

Sep 11, 2014, 7:20:54 AM
to cecid-...@googlegroups.com
My skype id is kamil.czyznielewski.

Kamil Czyżnielewski

Sep 11, 2014, 7:57:10 AM
to cecid-...@googlegroups.com
Hi Mohamed,

I am sending you as2.log file. Please see attachment.

Looking forward to hearing from you.

Best Regards,
Kamil Czyżnielewski
as2.log

Methnani Web Develop

Sep 11, 2014, 11:11:07 AM
to cecid-...@googlegroups.com
Did you get a solution?


Kind Regards.
Mohamed Methnani
Computer engineer
(+216) 27 567 985



Kamil Czyżnielewski

Sep 11, 2014, 11:23:56 AM
to cecid-...@googlegroups.com
Unfortunately no. I will try tomorrow but to be honest I am out of clues.

Methnani Web Develop

Sep 11, 2014, 11:25:14 AM
to cecid-...@googlegroups.com
If you want me to take a look with you now we can have some time.


Kind Regards.
Mohamed Methnani
Computer engineer
(+216) 27 567 985



Kamil Czyżnielewski

Sep 11, 2014, 11:27:03 AM
to cecid-...@googlegroups.com
I am out of work today and I did not take my company computer with me. Maybe tomorrow?

Methnani Web Develop

Sep 11, 2014, 11:27:48 AM
to cecid-...@googlegroups.com
Maybe, ...
Ok good night.