Support non standard sha designations (#351)

* Use RFC5751 algorithm identifiers * Unit rtest for converting to FRC5751 identiifiers * Update to latest libraries and OpenAS2 version * Updated documentation around algorithm identifiers * Standalone method for reuse to adjust algorithm to standard format * Test different forms of the signing algorithm * Release notes
OpenAS2 · Dec 20, 2023 · 71fcd22 · 71fcd22
1 parent 443c681
commit 71fcd22
Show file tree

Hide file tree

Showing 13 changed files with 103 additions and 42 deletions.
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,19 +1,19 @@
 #              OpenAS2 Server
-#              Version 3.8.0
+#              Version 3.9.0
 #              RELEASE NOTES
 -----
-The OpenAS2 project is pleased to announce the release of OpenAS2 3.8.0
+The OpenAS2 project is pleased to announce the release of OpenAS2 3.9.0
 
-The release download file is: OpenAS2Server-3.8.0.zip
+The release download file is: OpenAS2Server-3.9.0.zip
 
 The zip file contains a PDF document (OpenAS2HowTo.pdf) providing information on installing and using the application.
 ## NOTE: Testing covers Java 8 to 17. The application should work for older versions down to Java 7 but they are not tested as part of the CI/CD pipeline.
 
-Version 3.8.0 - 2023-11-07
+Version 3.9.0 - 2023-12-20
 This is an enhancement release:
        **IMPORTANT NOTE**: Please review upgrade notes below if you are upgrading
 
-  1. Support for configurable dynamic Content-Type based on the file extension. See documentation section 7.5 "Setting Content Type"
+ 1. Support for non-standard algorithm strings for partners that do not conform to the RFC standard. See documentation section 7.2.1 "Signing"
 
 ##Upgrade Notes
  See the openAS2HowTo appendix for the general process on upgrading OpenAS2.

diff --git a/Remote/pom.xml b/Remote/pom.xml
@@ -4,7 +4,7 @@
     <parent>
         <groupId>net.sf.openas2</groupId>
         <artifactId>OpenAS2</artifactId>
-        <version>3.8.0</version>
+        <version>3.9.0</version>
     </parent>
 
     <modelVersion>4.0.0</modelVersion>

diff --git a/Server/pom.xml b/Server/pom.xml
@@ -7,7 +7,7 @@
         <!-- DO NOT CHANGE THIS "groupId" WITHOUT CHANGING XMLSession.getManifestAttributes.MANIFEST_VENDOR_ID_ATTRIB -->
         <groupId>net.sf.openas2</groupId>
         <artifactId>OpenAS2</artifactId>
-        <version>3.8.0</version>
+        <version>3.9.0</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

diff --git a/Server/src/config/partnerships.xml b/Server/src/config/partnerships.xml
@@ -38,7 +38,7 @@
          -->
 
         <attribute name="encrypt" value="3DES"/>
-        <attribute name="sign" value="SHA256"/>
+        <attribute name="sign" value="SHA-256"/>
         <attribute name="resend_max_retries" value="3"/>
         <attribute name="prevent_canonicalization_for_mic" value="false"/>
         <attribute name="rename_digest_to_old_name" value="false"/>
@@ -92,7 +92,7 @@
             <attribute name="as2_receipt_option" value="$properties.as2_async_mdn_url$"/> 
          -->
         <attribute name="encrypt" value="3DES"/>
-        <attribute name="sign" value="SHA1"/>
+        <attribute name="sign" value="SHA-1"/>
         <attribute name="resend_max_retries" value="3"/>
         <attribute name="prevent_canonicalization_for_mic" value="false"/>
         <attribute name="rename_digest_to_old_name" value="false"/>

diff --git a/Server/src/main/java/org/openas2/lib/helper/BCCryptoHelper.java b/Server/src/main/java/org/openas2/lib/helper/BCCryptoHelper.java
@@ -81,6 +81,8 @@
 import java.util.Collection;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 public class BCCryptoHelper implements ICryptoHelper {
     private Log logger = LogFactory.getLog(BCCryptoHelper.class.getSimpleName());
@@ -289,7 +291,6 @@ public MimeBodyPart sign(MimeBodyPart part, Certificate cert, Key key, String di
         PrivateKey privKey = castKey(key);
         String encryptAlg = cert.getPublicKey().getAlgorithm();
 
-        // Fix copied from https://github.com/phax/as2-lib/commit/ed08dd00b6d721ec3e3e7255f642045c9cbee9c3
         SMIMESignedGenerator sGen = new SMIMESignedGenerator(adjustDigestToOldName ? SMIMESignedGenerator.RFC3851_MICALGS : SMIMESignedGenerator.RFC5751_MICALGS);
         sGen.setContentTransferEncoding(getEncoding(contentTxfrEncoding));
         SignerInfoGenerator sig;
@@ -298,10 +299,8 @@ public MimeBodyPart sign(MimeBodyPart part, Certificate cert, Key key, String di
                 logger.debug("Params for creating SMIME signed generator:: SIGN DIGEST: " + digest + " PUB ENCRYPT ALG: " + encryptAlg + " X509 CERT: " + x509Cert);
                 logger.debug("Signing on MIME part containing the following headers: " + AS2Util.printHeaders(part.getAllHeaders()));
             }
-            // Remove the dash for SHA based digest for signing call
-            if (digest.toUpperCase().startsWith("SHA-")) {
-                digest = digest.replaceAll("-", "");
-            }
+            // Standardise identifier and remove the dash for SHA based digest for signing call
+            digest = standardiseAlgorithmIdentifier(digest, false);
             JcaSimpleSignerInfoGeneratorBuilder jSig = new JcaSimpleSignerInfoGeneratorBuilder().setProvider("BC");
             sig = jSig.build(digest + "with" + encryptAlg, privKey, x509Cert);
             // Some AS2 systems cannot handle certain OID's ...
@@ -481,14 +480,31 @@ protected PrivateKey castKey(Key key) throws GeneralSecurityException {
         return (PrivateKey) key;
     }
 
-    protected String convertAlgorithm(String algorithm, boolean toBC) throws NoSuchAlgorithmException {
+    /**
+     * Standard for Algorithm identifiers is RFC5751. Cater for non-standard algorithm identifiers by converting the identifier
+     * as needed.
+     * @param algorithm - the string identifier of the algorithm to be used
+     * @param useHyphenSeparator - use the hyphen between SHA and the key size designator or not
+     * @return
+     */
+    public String standardiseAlgorithmIdentifier(String algorithm, boolean useHyphenSeparator) {
+        String matchStr = "(sha)[0-9]+[-_]+(.*)$" + (useHyphenSeparator?"|(sha)([0-9]+)$":"|(sha)-([0-9]+)$");
+        Pattern pttrn = Pattern.compile(matchStr, Pattern.CASE_INSENSITIVE);
+        Matcher matcher = pttrn.matcher(algorithm);
+        if (matcher.matches()) {
+            int baseMatchGroup = matcher.group(2) == null?3:1;
+            algorithm = matcher.group(baseMatchGroup) + (useHyphenSeparator?"-":"") + matcher.group(baseMatchGroup+1);
+        }
+        return algorithm;
+
+    }
+
+    public String convertAlgorithm(String algorithm, boolean toBC) throws NoSuchAlgorithmException {
         if (algorithm == null) {
             throw new NoSuchAlgorithmException("Algorithm is null");
         }
+        algorithm = standardiseAlgorithmIdentifier(algorithm, true);
         if (toBC) {
-            if (algorithm.toUpperCase().startsWith("SHA-")) {
-                algorithm = algorithm.replaceAll("-", "");
-            }
             if (algorithm.equalsIgnoreCase(DIGEST_MD5)) {
                 return SMIMESignedGenerator.DIGEST_MD5;
             } else if (algorithm.equalsIgnoreCase(DIGEST_SHA1)) {

diff --git a/Server/src/main/java/org/openas2/lib/helper/ICryptoHelper.java b/Server/src/main/java/org/openas2/lib/helper/ICryptoHelper.java
@@ -18,11 +18,11 @@ public interface ICryptoHelper {
 
     String DIGEST_MD2 = "md2";
     String DIGEST_MD5 = "md5";
-    String DIGEST_SHA1 = "sha1";
-    String DIGEST_SHA224 = "sha224";
-    String DIGEST_SHA256 = "sha256";
-    String DIGEST_SHA384 = "sha384";
-    String DIGEST_SHA512 = "sha512";
+    String DIGEST_SHA1 = "sha-1";
+    String DIGEST_SHA224 = "sha-224";
+    String DIGEST_SHA256 = "sha-256";
+    String DIGEST_SHA384 = "sha-384";
+    String DIGEST_SHA512 = "sha-512";
     String CRYPT_CAST5 = "cast5";
     String CRYPT_3DES = "3des";
     String CRYPT_IDEA = "idea";

diff --git a/Server/src/test/java/org/openas2/lib/HelperMethods.java b/Server/src/test/java/org/openas2/lib/HelperMethods.java
@@ -0,0 +1,39 @@
+package org.openas2.lib;
+
+import org.bouncycastle.mail.smime.SMIMEEnvelopedGenerator;
+import org.bouncycastle.mail.smime.SMIMESignedGenerator;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.openas2.lib.helper.BCCryptoHelper;
+import org.openas2.lib.helper.ICryptoHelper;
+
+import static org.hamcrest.Matchers.equalTo;
+
+import java.security.NoSuchAlgorithmException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+
+@ExtendWith(MockitoExtension.class)
+
+public class HelperMethods {
+
+    @Test
+    public void convertAlgorithmString() throws NoSuchAlgorithmException {
+        Map<String, String> algorithmChecks = new HashMap<String, String>();
+        algorithmChecks.put(ICryptoHelper.AES128_CBC, SMIMEEnvelopedGenerator.AES128_CBC);
+        algorithmChecks.put(ICryptoHelper.DIGEST_SHA1.replaceAll("-", ""), SMIMESignedGenerator.DIGEST_SHA1);
+        algorithmChecks.put(ICryptoHelper.DIGEST_SHA256.replaceAll("-", ""), SMIMESignedGenerator.DIGEST_SHA256);
+        algorithmChecks.put(ICryptoHelper.DIGEST_SHA256.replaceAll("-", "2_"), SMIMESignedGenerator.DIGEST_SHA256);
+        algorithmChecks.put(ICryptoHelper.DIGEST_SHA256.replaceAll("-", "2-"), SMIMESignedGenerator.DIGEST_SHA256);
+        algorithmChecks.put(ICryptoHelper.DIGEST_SHA384.replaceAll("-", "2-"), SMIMESignedGenerator.DIGEST_SHA384);
+
+        BCCryptoHelper bch = new BCCryptoHelper();
+        for (Map.Entry<String, String> entry : algorithmChecks.entrySet()) {
+            String convertedAlgo = bch.convertAlgorithm(entry.getKey(), true);
+            assertThat("Algorithm matches expected", convertedAlgo, equalTo(entry.getValue()));
+        }
+    }
+}
diff --git a/Server/src/test/resources/OpenAS2ServerTest/OpenAS2A/config/partnerships.xml b/Server/src/test/resources/OpenAS2ServerTest/OpenAS2A/config/partnerships.xml
@@ -25,7 +25,7 @@
                    value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, $attribute.sign$"/>
         -->
         <attribute name="encrypt" value="3DES"/>
-        <attribute name="sign" value="SHA1"/>
+        <attribute name="sign" value="SHA2_256"/>
         <attribute name="resend_max_retries" value="3"/>
         <attribute name="prevent_canonicalization_for_mic" value="false"/>
         <attribute name="rename_digest_to_old_name" value="true"/>
@@ -46,7 +46,7 @@
         <attribute name="as2_mdn_options"
                    value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, SHA256"/>
         <attribute name="encrypt" value="3DES"/>
-        <attribute name="sign" value="SHA256"/>
+        <attribute name="sign" value="SHA-256"/>
         <attribute name="prevent_canonicalization_for_mic" value="false"/>
         <attribute name="rename_digest_to_old_name" value="false"/>
         <attribute name="remove_cms_algorithm_protection_attrib" value="false"/>

diff --git a/Server/src/test/resources/SingleServerTest/MyCompany/config/partnerships.xml b/Server/src/test/resources/SingleServerTest/MyCompany/config/partnerships.xml
@@ -27,7 +27,7 @@
         <attribute name="as2_mdn_options"
                    value="signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, $attribute.sign$"/>
         <attribute name="encrypt" value="3DES"/>
-        <attribute name="sign" value="SHA256"/>
+        <attribute name="sign" value="SHA-256"/>
         <attribute name="resend_max_retries" value="3"/>
         <attribute name="prevent_canonicalization_for_mic" value="false"/>
         <attribute name="rename_digest_to_old_name" value="false"/>

diff --git a/changes.txt b/changes.txt
@@ -1,3 +1,9 @@
+Version 3.9.0 - 2023-12-20
+This is an enhancement release:
+       **IMPORTANT NOTE**: Please review upgrade notes in the RELEASE-NOTES.md if you are upgrading
+
+ 1. Support for non-standard algorithm strings for partners that do not conform to the RFC standard. See documentation section 7.2.1 "Signing"
+
 Version 3.8.0 - 2023-11-07
 This is an enhancement and minor bugfix release:
        **IMPORTANT NOTE**: Please review upgrade notes in the RELEASE-NOTES.md if you are upgrading

diff --git a/docs/OpenAS2HowTo.odt b/docs/OpenAS2HowTo.odt
diff --git a/docs/OpenAS2HowTo.pdf b/docs/OpenAS2HowTo.pdf
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>net.sf.openas2</groupId>
     <artifactId>OpenAS2</artifactId>
-    <version>3.8.0</version>
+    <version>3.9.0</version>
     <name>OpenAS2</name>
     <packaging>pom</packaging>
 
@@ -52,32 +52,32 @@
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcmail-jdk18on</artifactId>
-                <version>1.76</version>
+                <version>1.77</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcpkix-jdk18on</artifactId>
-                <version>1.76</version>
+                <version>1.77</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcprov-jdk18on</artifactId>
-                <version>1.76</version>
+                <version>1.77</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcprov-ext-jdk18on</artifactId>
-                <version>1.76</version>
+                <version>1.77</version>
             </dependency>
             <dependency>
                 <groupId>org.bouncycastle</groupId>
                 <artifactId>bcpg-jdk18on</artifactId>
-                <version>1.76</version>
+                <version>1.77</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.13.0</version>
+                <version>3.14.0</version>
             </dependency>
             <dependency>
                 <groupId>commons-cli</groupId>
@@ -87,7 +87,7 @@
             <dependency>
                 <groupId>commons-logging</groupId>
                 <artifactId>commons-logging</artifactId>
-                <version>1.2</version>
+                <version>1.3.0</version>
             </dependency>
             <dependency>
                 <groupId>com.sun.mail</groupId>
@@ -120,7 +120,7 @@
             <dependency>
                 <groupId>org.junit.jupiter</groupId>
 		        <artifactId>junit-jupiter</artifactId>
-		        <version>5.10.0</version>
+		        <version>5.10.1</version>
                 <scope>test</scope>
             </dependency>
             <!-- https://mvnrepository.com/artifact/org.mockito/mockito-core -->
@@ -148,7 +148,7 @@
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
-                <version>2.15.0</version>
+                <version>2.15.1</version>
             </dependency>
 			<!-- https://mvnrepository.com/artifact/javax.ws.rs/javax.ws.rs-api -->
 			<dependency>
@@ -165,30 +165,30 @@
            <dependency>
                <groupId>org.glassfish.jersey.containers</groupId>
                <artifactId>jersey-container-grizzly2-http</artifactId>
-               <version>3.1.3</version>
+               <version>3.1.5</version>
                <type>jar</type>
            </dependency>
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-databind</artifactId>
-               <version>2.15.3</version>
+               <version>2.16.0</version>
                <type>jar</type>
            </dependency>
 		   <dependency>
 		        <groupId>com.fasterxml.jackson.module</groupId>
 		        <artifactId>jackson-module-jaxb-annotations</artifactId>
-		        <version>2.15.3</version>
+		        <version>2.16.0</version>
 		   </dependency>
            <dependency>
                <groupId>org.glassfish.jersey.media</groupId>
                <artifactId>jersey-media-json-jackson</artifactId>
-               <version>3.1.3</version>
+               <version>3.1.5</version>
                <type>jar</type>
            </dependency>
    		   <dependency>
    		    <groupId>org.glassfish.jersey.inject</groupId>
    		    <artifactId>jersey-hk2</artifactId>
-   		    <version>3.1.3</version>
+   		    <version>3.1.5</version>
            </dependency>
            <!-- Removed JavaEE APIs removed from Java 9+ -->
            <dependency>
@@ -209,7 +209,7 @@
             <dependency>
                 <groupId>io.sentry</groupId>
                 <artifactId>sentry</artifactId>
-                <version>6.33.0</version>
+                <version>7.1.0</version>
             </dependency>
         </dependencies>
     </dependencyManagement>