Search in sources :

Example 21 with IAS4CryptoFactory

use of com.helger.phase4.crypto.IAS4CryptoFactory in project phase4 by phax.

the class AS4DumpReader method decryptAS4In.

/**
 * Utility method to decrypt dumped .as4in message late.<br>
 * Note: this method was mainly created for internal use and does not win the
 * prize for the most sexy piece of software in the world ;-)
 *
 * @param aAS4InData
 *        The byte array with the dumped data.
 * @param aCF
 *        The Crypto factory to be used. This crypto factory must use use the
 *        private key that can be used to decrypt this particular message. May
 *        not be <code>null</code>.
 * @param aHttpHeaderConsumer
 *        An optional HTTP Header map consumer. May be <code>null</code>.
 * @param aDecryptedConsumer
 *        The consumer for the decrypted payload - whatever that is :). May
 *        not be <code>null</code>.
 * @throws WSSecurityException
 *         In case of error
 * @throws Phase4Exception
 *         In case of error
 * @throws IOException
 *         In case of error
 * @throws MessagingException
 *         In case of error
 */
public static void decryptAS4In(@Nonnull final byte[] aAS4InData, final IAS4CryptoFactory aCF, @Nullable final Consumer<HttpHeaderMap> aHttpHeaderConsumer, @Nonnull final Consumer<byte[]> aDecryptedConsumer) throws WSSecurityException, Phase4Exception, IOException, MessagingException {
    final HttpHeaderMap hm = new HttpHeaderMap();
    int nHttpStart = 0;
    int nHttpEnd = -1;
    boolean bLastWasCR = false;
    for (int i = 0; i < aAS4InData.length; ++i) {
        final byte b = aAS4InData[i];
        if (b == '\n') {
            if (bLastWasCR) {
                nHttpEnd = i;
                break;
            }
            bLastWasCR = true;
            final String sLine = new String(aAS4InData, nHttpStart, i - nHttpStart, StandardCharsets.ISO_8859_1);
            final String[] aParts = StringHelper.getExplodedArray(':', sLine, 2);
            hm.addHeader(aParts[0].trim(), aParts[1].trim());
            nHttpStart = i + 1;
        } else {
            if (b != '\r')
                bLastWasCR = false;
        }
    }
    if (aHttpHeaderConsumer != null)
        aHttpHeaderConsumer.accept(hm);
    LOGGER.info("Now at byte " + nHttpEnd + " having " + hm.getCount() + " HTTP headers");
    WebScopeManager.onGlobalBegin(MockServletContext.create());
    try (final WebScoped w = new WebScoped();
        final AS4RequestHandler rh = new AS4RequestHandler(aCF, DefaultPModeResolver.DEFAULT_PMODE_RESOLVER, IAS4IncomingAttachmentFactory.DEFAULT_INSTANCE, new AS4IncomingMessageMetadata(EAS4MessageMode.REQUEST))) {
        final IAS4ServletMessageProcessorSPI aSPI = new IAS4ServletMessageProcessorSPI() {

            public AS4MessageProcessorResult processAS4UserMessage(final IAS4IncomingMessageMetadata aMessageMetadata, final HttpHeaderMap aHttpHeaders, final Ebms3UserMessage aUserMessage, final IPMode aPMode, final Node aPayload, final ICommonsList<WSS4JAttachment> aIncomingAttachments, final IAS4MessageState aState, final ICommonsList<Ebms3Error> aProcessingErrorMessages) {
                try {
                    final byte[] aDecryptedBytes = StreamHelper.getAllBytes(aIncomingAttachments.getFirst().getInputStreamProvider());
                    aDecryptedConsumer.accept(aDecryptedBytes);
                    LOGGER.info("Handled decrypted payload with " + aDecryptedBytes.length + " bytes");
                    return AS4MessageProcessorResult.createSuccess();
                } catch (final Exception ex) {
                    throw new IllegalStateException(ex);
                }
            }

            public AS4SignalMessageProcessorResult processAS4SignalMessage(final IAS4IncomingMessageMetadata aMessageMetadata, final HttpHeaderMap aHttpHeaders, final Ebms3SignalMessage aSignalMessage, final IPMode aPMode, final IAS4MessageState aState, final ICommonsList<Ebms3Error> aProcessingErrorMessages) {
                LOGGER.error("Unexpected signal msg");
                return AS4SignalMessageProcessorResult.createSuccess();
            }
        };
        rh.setProcessorSupplier(() -> new CommonsArrayList<>(aSPI));
        rh.handleRequest(new NonBlockingByteArrayInputStream(aAS4InData, nHttpEnd, aAS4InData.length - nHttpEnd), hm, new IAS4ResponseAbstraction() {

            public void setStatus(final int nStatusCode) {
            }

            public void setMimeType(final IMimeType aMimeType) {
            }

            public void setContent(final HttpHeaderMap aHeaderMap, final IHasInputStream aHasIS) {
            }

            public void setContent(final byte[] aResultBytes, final Charset aCharset) {
            }
        });
    } finally {
        WebScopeManager.onGlobalEnd();
    }
}
Also used : Ebms3SignalMessage(com.helger.phase4.ebms3header.Ebms3SignalMessage) ICommonsList(com.helger.commons.collection.impl.ICommonsList) Node(org.w3c.dom.Node) IHasInputStream(com.helger.commons.io.IHasInputStream) IAS4ServletMessageProcessorSPI(com.helger.phase4.servlet.spi.IAS4ServletMessageProcessorSPI) IAS4MessageState(com.helger.phase4.servlet.IAS4MessageState) IAS4IncomingMessageMetadata(com.helger.phase4.messaging.IAS4IncomingMessageMetadata) NonBlockingByteArrayInputStream(com.helger.commons.io.stream.NonBlockingByteArrayInputStream) HttpHeaderMap(com.helger.commons.http.HttpHeaderMap) IAS4ResponseAbstraction(com.helger.phase4.servlet.IAS4ResponseAbstraction) IMimeType(com.helger.commons.mime.IMimeType) WebScoped(com.helger.web.scope.mgr.WebScoped) IAS4IncomingMessageMetadata(com.helger.phase4.messaging.IAS4IncomingMessageMetadata) AS4IncomingMessageMetadata(com.helger.phase4.servlet.AS4IncomingMessageMetadata) Charset(java.nio.charset.Charset) MessagingException(javax.mail.MessagingException) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) Phase4Exception(com.helger.phase4.util.Phase4Exception) IOException(java.io.IOException) AS4RequestHandler(com.helger.phase4.servlet.AS4RequestHandler) IPMode(com.helger.phase4.model.pmode.IPMode) Ebms3UserMessage(com.helger.phase4.ebms3header.Ebms3UserMessage)

Example 22 with IAS4CryptoFactory

use of com.helger.phase4.crypto.IAS4CryptoFactory in project phase4 by phax.

the class EncryptionTest method testEncryptionDecryptionAES128GCM.

/**
 * Test that encrypt and decrypt a WS-Security envelope. This test uses the
 * RSA_15 algorithm to transport (wrap) the symmetric key.
 * <p/>
 *
 * @throws Exception
 *         Thrown when there is any problem in signing or verification
 */
@Test
public void testEncryptionDecryptionAES128GCM() throws Exception {
    final IAS4CryptoFactory aCryptoFactory = AS4CryptoFactoryProperties.getDefaultInstance();
    final Document doc = _getSoapEnvelope11();
    final WSSecHeader secHeader = new WSSecHeader(doc);
    secHeader.insertSecurityHeader();
    final WSSecEncrypt aBuilder = new WSSecEncrypt(secHeader);
    aBuilder.setKeyIdentifierType(ECryptoKeyIdentifierType.ISSUER_SERIAL.getTypeID());
    aBuilder.setSymmetricEncAlgorithm(ECryptoAlgorithmCrypt.AES_128_GCM.getAlgorithmURI());
    aBuilder.setUserInfo(aCryptoFactory.getKeyAlias(), aCryptoFactory.getKeyPassword());
    // final WSEncryptionPart encP = new WSEncryptionPart ("Messaging",
    // "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/",
    // "Element");
    final WSEncryptionPart encP = new WSEncryptionPart("Body", ESoapVersion.SOAP_11.getNamespaceURI(), "Element");
    aBuilder.getParts().add(encP);
    // Generate a session key
    final KeyGenerator aKeyGen = KeyUtils.getKeyGenerator(WSS4JConstants.AES_128);
    final SecretKey aSymmetricKey = aKeyGen.generateKey();
    LOGGER.info("Before Encryption AES 128/RSA-15....");
    final Document encryptedDoc = aBuilder.build(aCryptoFactory.getCrypto(), aSymmetricKey);
    LOGGER.info("After Encryption AES 128/RSA-15....");
    final String outputString = XMLUtils.prettyDocumentToString(encryptedDoc);
    assertFalse(outputString.contains("counter_port_type"));
}
Also used : IAS4CryptoFactory(com.helger.phase4.crypto.IAS4CryptoFactory) WSEncryptionPart(org.apache.wss4j.common.WSEncryptionPart) SecretKey(javax.crypto.SecretKey) WSSecHeader(org.apache.wss4j.dom.message.WSSecHeader) WSSecEncrypt(org.apache.wss4j.dom.message.WSSecEncrypt) Document(org.w3c.dom.Document) KeyGenerator(javax.crypto.KeyGenerator) Test(org.junit.Test)

Example 23 with IAS4CryptoFactory

use of com.helger.phase4.crypto.IAS4CryptoFactory in project phase4 by phax.

the class MainVerifySignature method _verifyAndDecrypt.

@Nonnull
private static ESuccess _verifyAndDecrypt(@Nonnull final IAS4CryptoFactory aCryptoFactory, @Nonnull final Document aSOAPDoc, @Nonnull final Locale aLocale, @Nonnull final AS4ResourceHelper aResHelper, @Nonnull final ICommonsList<WSS4JAttachment> aAttachments, @Nonnull final ErrorList aErrorList, @Nonnull final Supplier<WSSConfig> aWSSConfigSupplier) {
    // Signing verification and Decryption
    try {
        // Convert to WSS4J attachments
        final Phase4KeyStoreCallbackHandler aKeyStoreCallback = new Phase4KeyStoreCallbackHandler(aCryptoFactory);
        final WSS4JAttachmentCallbackHandler aAttachmentCallbackHandler = new WSS4JAttachmentCallbackHandler(aAttachments, aResHelper);
        // Resolve the WSS config here to ensure the context matches
        final WSSConfig aWSSConfig = aWSSConfigSupplier.get();
        // Configure RequestData needed for the check / decrypt process!
        final RequestData aRequestData = new RequestData();
        aRequestData.setCallbackHandler(aKeyStoreCallback);
        if (aAttachments.isNotEmpty())
            aRequestData.setAttachmentCallbackHandler(aAttachmentCallbackHandler);
        aRequestData.setSigVerCrypto(aCryptoFactory.getCrypto());
        aRequestData.setDecCrypto(aCryptoFactory.getCrypto());
        aRequestData.setWssConfig(aWSSConfig);
        // Upon success, the SOAP document contains the decrypted content
        // afterwards!
        final WSSecurityEngine aSecurityEngine = new WSSecurityEngine();
        aSecurityEngine.setWssConfig(aWSSConfig);
        final WSHandlerResult aHdlRes = aSecurityEngine.processSecurityHeader(aSOAPDoc, aRequestData);
        final List<WSSecurityEngineResult> aResults = aHdlRes.getResults();
        // Collect all unique used certificates
        final ICommonsSet<X509Certificate> aCertSet = new CommonsHashSet<>();
        // Preferred certificate from BinarySecurityToken
        X509Certificate aPreferredCert = null;
        int nWSS4JSecurityActions = 0;
        for (final WSSecurityEngineResult aResult : aResults) {
            if (LOGGER.isDebugEnabled())
                LOGGER.debug("WSSecurityEngineResult: " + aResult);
            final Integer aAction = (Integer) aResult.get(WSSecurityEngineResult.TAG_ACTION);
            final int nAction = aAction != null ? aAction.intValue() : 0;
            nWSS4JSecurityActions |= nAction;
            final X509Certificate aCert = (X509Certificate) aResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            if (aCert != null) {
                aCertSet.add(aCert);
                if (nAction == WSConstants.BST && aPreferredCert == null)
                    aPreferredCert = aCert;
            }
        }
        // this determines if a signature check or a decryption happened
        final X509Certificate aUsedCert;
        if (aCertSet.size() > 1) {
            if (aPreferredCert == null) {
                LOGGER.warn("Found " + aCertSet.size() + " different certificates in message. Using the first one.");
                if (LOGGER.isDebugEnabled())
                    LOGGER.debug("All gathered certificates: " + aCertSet);
                aUsedCert = aCertSet.getAtIndex(0);
            } else
                aUsedCert = aPreferredCert;
        } else if (aCertSet.size() == 1)
            aUsedCert = aCertSet.getAtIndex(0);
        else
            aUsedCert = null;
        // Remember in State
        // Decrypting the Attachments
        final ICommonsList<WSS4JAttachment> aResponseAttachments = aAttachmentCallbackHandler.getAllResponseAttachments();
        for (final WSS4JAttachment aResponseAttachment : aResponseAttachments) {
            // Always copy to a temporary file, so that decrypted content can be
            // read more than once. By default the stream can only be read once
            // Not nice, but working :)
            final File aTempFile = aResHelper.createTempFile();
            StreamHelper.copyInputStreamToOutputStreamAndCloseOS(aResponseAttachment.getSourceStream(), FileHelper.getBufferedOutputStream(aTempFile));
            aResponseAttachment.setSourceStreamProvider(HasInputStream.multiple(() -> FileHelper.getBufferedInputStream(aTempFile)));
        }
        // Remember in State
        return ESuccess.SUCCESS;
    } catch (final IndexOutOfBoundsException | IllegalStateException | WSSecurityException ex) {
        // Decryption or Signature check failed
        LOGGER.error("Error processing the WSSSecurity Header", ex);
        // TODO we need a way to distinct
        // signature and decrypt WSSecurityException provides no such thing
        aErrorList.add(EEbmsError.EBMS_FAILED_DECRYPTION.getAsError(aLocale));
        return ESuccess.FAILURE;
    } catch (final IOException ex) {
        // Decryption or Signature check failed
        LOGGER.error("IO error processing the WSSSecurity Header", ex);
        aErrorList.add(EEbmsError.EBMS_OTHER.getAsError(aLocale));
        return ESuccess.FAILURE;
    }
}
Also used : WSS4JAttachmentCallbackHandler(com.helger.phase4.attachment.WSS4JAttachmentCallbackHandler) WSSecurityException(org.apache.wss4j.common.ext.WSSecurityException) IOException(java.io.IOException) WSHandlerResult(org.apache.wss4j.dom.handler.WSHandlerResult) WSSecurityEngineResult(org.apache.wss4j.dom.engine.WSSecurityEngineResult) X509Certificate(java.security.cert.X509Certificate) WSSConfig(org.apache.wss4j.dom.engine.WSSConfig) RequestData(org.apache.wss4j.dom.handler.RequestData) WSSecurityEngine(org.apache.wss4j.dom.engine.WSSecurityEngine) Phase4KeyStoreCallbackHandler(com.helger.phase4.servlet.soap.Phase4KeyStoreCallbackHandler) CommonsHashSet(com.helger.commons.collection.impl.CommonsHashSet) File(java.io.File) WSS4JAttachment(com.helger.phase4.attachment.WSS4JAttachment) Nonnull(javax.annotation.Nonnull)

Example 24 with IAS4CryptoFactory

use of com.helger.phase4.crypto.IAS4CryptoFactory in project phase4 by phax.

the class DropFolderUserMessage method _send.

private static void _send(@Nonnull final IAS4CryptoFactory aCF, final Path aSendFile, final Path aIncomingDir) {
    final StopWatch aSW = StopWatch.createdStarted();
    boolean bSuccess = false;
    LOGGER.info("Trying to send " + aSendFile.toString());
    try (final AS4ResourceHelper aResHelper = new AS4ResourceHelper()) {
        // Read generic SBD
        final StandardBusinessDocument aSBD = SBDHReader.standardBusinessDocument().read(Files.newInputStream(aSendFile));
        if (aSBD == null) {
            LOGGER.error("Failed to read " + aSendFile.toString() + " as SBDH document!");
        } else {
            // Extract Peppol specific data
            final PeppolSBDHDocument aSBDH = new PeppolSBDHDocumentReader(IF).extractData(aSBD);
            final ISMPServiceMetadataProvider aSMPClient = new SMPClient(UP, aSBDH.getReceiverAsIdentifier(), ESML.DIGIT_TEST);
            final EndpointType aEndpoint = aSMPClient.getEndpoint(aSBDH.getReceiverAsIdentifier(), aSBDH.getDocumentTypeAsIdentifier(), aSBDH.getProcessAsIdentifier(), ESMPTransportProfile.TRANSPORT_PROFILE_BDXR_AS4);
            if (aEndpoint == null) {
                LOGGER.error("Found no endpoint for:\n  Receiver ID: " + aSBDH.getReceiverAsIdentifier().getURIEncoded() + "\n  Document type ID: " + aSBDH.getDocumentTypeAsIdentifier().getURIEncoded() + "\n  Process ID: " + aSBDH.getProcessAsIdentifier().getURIEncoded());
            } else {
                final KeyStore.PrivateKeyEntry aOurCert = aCF.getPrivateKeyEntry();
                final X509Certificate aTheirCert = CertificateHelper.convertStringToCertficate(aEndpoint.getCertificate());
                final AS4ClientUserMessage aClient = new AS4ClientUserMessage(aResHelper);
                aClient.setSoapVersion(ESoapVersion.SOAP_12);
                // Keystore data
                aClient.setAS4CryptoFactory(aCF);
                aClient.signingParams().setAlgorithmSign(ECryptoAlgorithmSign.RSA_SHA_512);
                aClient.signingParams().setAlgorithmSignDigest(ECryptoAlgorithmSignDigest.DIGEST_SHA_512);
                // FIXME Action, Service etc. are missing
                aClient.setAction("xxx");
                aClient.setServiceType("xxx");
                aClient.setServiceValue("xxx");
                aClient.setConversationID(MessageHelperMethods.createRandomConversationID());
                aClient.setAgreementRefValue("xxx");
                aClient.setFromRole(CAS4.DEFAULT_ROLE);
                aClient.setFromPartyID(PeppolCertificateHelper.getSubjectCN((X509Certificate) aOurCert.getCertificate()));
                aClient.setToRole(CAS4.DEFAULT_ROLE);
                aClient.setToPartyID(PeppolCertificateHelper.getSubjectCN(aTheirCert));
                aClient.ebms3Properties().setAll(MessageHelperMethods.createEbms3Property(CAS4.ORIGINAL_SENDER, aSBDH.getSenderScheme(), aSBDH.getSenderValue()), MessageHelperMethods.createEbms3Property(CAS4.FINAL_RECIPIENT, aSBDH.getReceiverScheme(), aSBDH.getReceiverValue()));
                aClient.setPayload(SBDHWriter.standardBusinessDocument().getAsDocument(aSBD));
                final IAS4ClientBuildMessageCallback aCallback = null;
                final IAS4OutgoingDumper aOutgoingDumper = null;
                final IAS4RetryCallback aRetryCallback = null;
                final AS4ClientSentMessage<byte[]> aResponseEntity = aClient.sendMessageWithRetries(W3CEndpointReferenceHelper.getAddress(aEndpoint.getEndpointReference()), new ResponseHandlerByteArray(), aCallback, aOutgoingDumper, aRetryCallback);
                LOGGER.info("Successfully transmitted document with message ID '" + aResponseEntity.getMessageID() + "' for '" + aSBDH.getReceiverAsIdentifier().getURIEncoded() + "' to '" + W3CEndpointReferenceHelper.getAddress(aEndpoint.getEndpointReference()) + "' in " + aSW.stopAndGetMillis() + " ms");
                if (aResponseEntity.hasResponse()) {
                    final String sMessageID = aResponseEntity.getMessageID();
                    final String sFilename = FilenameHelper.getAsSecureValidASCIIFilename(sMessageID) + "-response.xml";
                    final File aResponseFile = aIncomingDir.resolve(sFilename).toFile();
                    if (SimpleFileIO.writeFile(aResponseFile, aResponseEntity.getResponse()).isSuccess())
                        LOGGER.info("Response file was written to '" + aResponseFile.getAbsolutePath() + "'");
                    else
                        LOGGER.error("Error writing response file to '" + aResponseFile.getAbsolutePath() + "'");
                }
                bSuccess = true;
            }
        }
    } catch (final Exception ex) {
        LOGGER.error("Error sending " + aSendFile.toString(), ex);
    }
    // After the exception handler!
    {
        // Move to done or error directory?
        final Path aDest = aSendFile.resolveSibling(bSuccess ? PATH_DONE : PATH_ERROR).resolve(aSendFile.getFileName());
        try {
            Files.move(aSendFile, aDest);
        } catch (final IOException ex) {
            LOGGER.error("Error moving from '" + aSendFile.toString() + "' to '" + aDest + "'", ex);
        }
    }
}
Also used : Path(java.nio.file.Path) IAS4ClientBuildMessageCallback(com.helger.phase4.client.IAS4ClientBuildMessageCallback) IAS4OutgoingDumper(com.helger.phase4.dump.IAS4OutgoingDumper) PeppolSBDHDocument(com.helger.peppol.sbdh.PeppolSBDHDocument) ISMPServiceMetadataProvider(com.helger.smpclient.peppol.ISMPServiceMetadataProvider) StandardBusinessDocument(org.unece.cefact.namespaces.sbdh.StandardBusinessDocument) ResponseHandlerByteArray(com.helger.httpclient.response.ResponseHandlerByteArray) IAS4RetryCallback(com.helger.phase4.client.IAS4RetryCallback) PeppolSBDHDocumentReader(com.helger.peppol.sbdh.read.PeppolSBDHDocumentReader) UncheckedIOException(java.io.UncheckedIOException) IOException(java.io.IOException) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) UncheckedIOException(java.io.UncheckedIOException) IOException(java.io.IOException) StopWatch(com.helger.commons.timing.StopWatch) SMPClient(com.helger.smpclient.peppol.SMPClient) EndpointType(com.helger.xsds.peppol.smp1.EndpointType) AS4ClientUserMessage(com.helger.phase4.client.AS4ClientUserMessage) AS4ResourceHelper(com.helger.phase4.util.AS4ResourceHelper) File(java.io.File)

Aggregations

IAS4CryptoFactory (com.helger.phase4.crypto.IAS4CryptoFactory)17 IAS4ClientBuildMessageCallback (com.helger.phase4.client.IAS4ClientBuildMessageCallback)8 File (java.io.File)8 IOException (java.io.IOException)8 Nonnull (javax.annotation.Nonnull)8 Document (org.w3c.dom.Document)7 WSS4JAttachment (com.helger.phase4.attachment.WSS4JAttachment)6 Element (org.w3c.dom.Element)6 IParticipantIdentifier (com.helger.peppolid.IParticipantIdentifier)5 Ebms3SignalMessage (com.helger.phase4.ebms3header.Ebms3SignalMessage)5 Ebms3UserMessage (com.helger.phase4.ebms3header.Ebms3UserMessage)5 ESimpleUserMessageSendResult (com.helger.phase4.sender.AbstractAS4UserMessageBuilder.ESimpleUserMessageSendResult)5 Nullable (javax.annotation.Nullable)5 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5 HttpXMLEntity (com.helger.phase4.http.HttpXMLEntity)4 IAS4IncomingMessageMetadata (com.helger.phase4.messaging.IAS4IncomingMessageMetadata)4 AS4UserMessage (com.helger.phase4.messaging.domain.AS4UserMessage)4 Phase4Exception (com.helger.phase4.util.Phase4Exception)4 MessagingException (javax.mail.MessagingException)4 Wrapper (com.helger.commons.wrapper.Wrapper)3