I am trying to integrate with an ARIBA/SAP in which we are both using CA-verified certificates (at their request). When they send me an inbound message, it looks like the message is decrypting just fine (so, as expected, no issue with my server working with my cert), but the signature verification is failing. Below is a TRACE log, and it looks like it is trying to work its way up the cert chain (it's verified by DigiCert), but is failing on the first step up. I feel like years back I had to deal with this, and it had to do with loading the non-leaf certs in the chain onto the server in a certain way, but I can't find anything written up on it. Any ideas?
TIA,
Mike
The TRACE log:
2023-02-01 12:48:01.255 FINEST HTTPUtil: HTTP received request: POST /
Headers: ;;Accept==/;;Connection==close;;AS2-From==ZZARIBATESTUS;;Disposition-Notification-To==info@ariba.com;;AS2-Version==1.2;;Message-Id==AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com;;From==info@ariba.com;;Content-Transfer-Encoding==binary;;Content-Description==S/MIME Encrypted Message;;Date==Wed, 01 Feb 2023 18:48:00 GMT;;MIME-Version==1.0;;Subject==EDI Message;;Content-Disposition==attachment;;AS2-To==360DATACA;;Content-Type==application/pkcs7-mime; name=smime.p7m; smime-type=enveloped-data;;SAP-PASSPORT==2A54482A0300E600004350495F65313430303100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004D657373616765526563657074696F6E00000000000000000000000000000000000000000000000000004350495F6531343030310000000000000000000000000000000000000000000063356337393837376239643634653663383163323938386566643838646233630000000016C5C79877B9D64E6C81C2988EFD88DB3C1E2F5800C7A24E48869C58F25383D37000000001000000002A54482A;;content-length==5410;;host==as2.360data.com:10443;;user-agent==AHC/2.1
2023-02-01 12:48:01.256 FINE AS2ReceiverHandler: received 5410 bytes in 0.147 seconds at 35.963 KBps 130.214.184.68 38241 [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.256 FINEST AS2ReceiverHandler: Received msg built from HTTP input stream: Message From:{}To:{}
Headers:{Accept=/, Connection=close, AS2-From=ZZARIBATESTUS, Disposition-Notification-To=info@ariba.com, AS2-Version=1.2, Message-Id=AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com, From=info@ariba.com, Content-Transfer-Encoding=binary, Content-Description=S/MIME Encrypted Message, Date=Wed, 01 Feb 2023 18:48:00 GMT, MIME-Version=1.0, Subject=EDI Message, Content-Disposition=attachment, AS2-To=360DATACA, Content-Type=application/pkcs7-mime; name=smime.p7m; smime-type=enveloped-data, SAP-PASSPORT=2A54482A0300E600004350495F65313430303100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004D657373616765526563657074696F6E00000000000000000000000000000000000000000000000000004350495F6531343030310000000000000000000000000000000000000000000063356337393837376239643634653663383163323938386566643838646233630000000016C5C79877B9D64E6C81C2988EFD88DB3C1E2F5800C7A24E48869C58F25383D37000000001000000002A54482A, content-length=5410, host=as2.360data.com:10443, user-agent=AHC/2.1}
Attributes:{HTTP_REQUEST_TYPE=POST, destination_ip=/10.200.22.23, destination_port=10443, HTTP_REQUEST_URL=/, source_port=38241, source_ip=/130.214.184.68} [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.268 FINEST AS2ReceiverHandler: Received MimeBodyPart for inbound message: [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
========BEGIN MIMEBODYPART=========
...
========END MIMEBODYPART=========
2023-02-01 12:48:01.272 FINER DefaultProcessor: Processor searching for module handler for action: track_msg
2023-02-01 12:48:01.272 FINER AS2ReceiverHandler: decrypting ::: [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.292 FINER BCCryptoHelper: Extracted X500 info:: PRINCIPAL : CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US :: NAME : CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
2023-02-01 12:48:01.313 FINEST AS2ReceiverHandler: Received MimeBodyPart for inbound message after decryption: [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
========BEGIN MIMEBODYPART=========
Date: Wed, 1 Feb 2023 18:48:00 +0000 (UTC)
Content-Type: multipart/signed;
boundary="----=_Part_3244_129752334.1675277280982";
protocol="application/pkcs7-signature"; micalg=sha256
------=_Part_3244_129752334.1675277280982
Content-Type: Application/edi-x12
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename="ZZARIBATESTUS_File"
Content-Id: payload-3c64bd0b-fa26-44de-a52b-e43e311ca3d1@sap.com
Content-Description: MainDocument
ISA00 00 ZZARIBAUS ZZAN01007864296-T2302011848U004010000496850T^~GSPOAN01532261692-TAN01007864296-T20230201184800000049685X004010~ST8500001~BEG00NETC_87693875520230201~CURBYUSD~REFPOTC_876938755~REFZZCompanyCode3000~REFZZAriba.invoicingAllowedYes~REFZZAriba.availableAmount24000~REFZZpartyAdditionalID0000001000~DTM0042023020118480002~N9ZZCompanyCode~MSG3000~N9ZZAriba.invoicingAllowed~MSGYes~N9ZZAriba.availableAmount~MSG24000~N9ZZpartyAdditionalID~MSG0000001000~N1STNew City923000~N3691 Brandway~N4New CityNY16001US~PERREdefaultTE1-66652245254525FX1-1219287345734525~N1BTIDAS1 US INC923000~N31230 Lincoln Avenger~N4NEW CityNY16019US~PERAPdefaultTE1-2153450983FX1-2183455693~N1SUC.E.B. BARLIN920000001000~N3Molping Str. 111134~N4BARLIN12001DESP11~PERCNdefaultEMgoogle@google.comTE49-06894/555010...FX49-06894/555011002000~PO10001024000EA*1VPNon ItemBPBuyerC300801~CURBYUSD~CTPWS1EACSD1~PIDF*Test MaterialEN~PIDSMACAS00801NotAvailable~REFFL*item~REFZZAccountCategoryK~REFZZReceivingType4~SACN*B8402400000*-0000404000-0000004120-100.00LISAEN~CURBYUSD~DTM00220140510000000~SCH1000EA00220140510*0000000001~N9ZZAccountCategory~MSGK~N9ZZReceivingType~MSG4~CTT124000~AMTTT24000~SE480001~GE1000049685~IEA1*000049685~
------=_Part_3244_129752334.1675277280982
Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=smime.p7s
Content-Description: S/MIME Cryptographic Signature
...
------=_Part_3244_129752334.1675277280982--
========END MIMEBODYPART=========
2023-02-01 12:48:01.313 FINEST BCCryptoHelper: Compression check. MIME Base Content-Type:multipart/signed
2023-02-01 12:48:01.313 FINEST BCCryptoHelper: Compression check. SMIME-TYPE:null
2023-02-01 12:48:01.313 FINEST BCCryptoHelper: Compressed MIME msg AFTER COMPRESSION Content-Disposition:null
2023-02-01 12:48:01.313 FINER BCCryptoHelper: Check for compressed data failed on BASE content type: multipart/signed
2023-02-01 12:48:01.313 FINER AS2ReceiverHandler: verifying signature [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.334 FINEST BCCryptoHelper: Headers on MimeBodyPart passed in to signature verifier:
Date == Wed, 1 Feb 2023 18:48:00 +0000 (UTC)
Content-Type == multipart/signed;
boundary="----=_Part_3244_129752334.1675277280982";
protocol="application/pkcs7-signature"; micalg=sha256
2023-02-01 12:48:01.334 FINEST BCCryptoHelper: Checking signature on SIGNED MIME part extracted from multipart contains headers:
Content-Type == Application/edi-x12
Content-Transfer-Encoding == binary
Content-Disposition == attachment; filename="ZZARIBATESTUS_File"
Content-Id == payload-3c64bd0b-fa26-44de-a52b-e43e311ca3d1@sap.com
Content-Description == MainDocument
2023-02-01 12:48:01.340 FINEST BCCryptoHelper: Signer Attributes:
1.2.840.113549.1.9.4:=#16c8720f0705bced1795f95e2e4e764163075b9a84b89efee10effafb63592a8;
1.2.840.113549.1.9.3:=1.2.840.113549.1.7.1;
1.2.840.113549.1.9.15:=[[2.16.840.1.101.3.4.1.42], [2.16.840.1.101.3.4.1.2], [1.2.840.113549.3.7], [1.2.840.113549.3.2, 128], [1.2.840.113549.3.2, 64], [1.3.14.3.2.7], [1.2.840.113549.3.2, 40]];
1.2.840.113549.1.9.5:=230201184800Z;
1.2.840.113549.1.9.16.2.47:=[[[#31eab16d6fa591ea016a791510101fa65ac235cdaabb1e40b42392a01f1a8d42, [[[CONTEXT 4][[[2.5.4.6, US]], [[2.5.4.10, DigiCert Inc]], [[2.5.4.3, DigiCert TLS RSA SHA256 2020 CA1]]]], 17817980749478206810159990989867083391]]]];
2023-02-01 12:48:01.341 FINEST BCCryptoHelper: * Signed Attribute Message-Digest := 16c8720f0705bced1795f95e2e4e764163075b9a84b89efee10effafb63592a8
2023-02-01 12:48:01.341 FINEST BCCryptoHelper: * Signed Content-Digest := 16c8720f0705bced1795f95e2e4e764163075b9a84b89efee10effafb63592a8
2023-02-01 12:48:01.359 FINER BCCryptoHelper: Failed to verify signature for signer info:
Digest Alg OID: 2.16.840.1.101.3.4.2.1
Encrypt Alg OID: 1.2.840.113549.1.1.1
Signer Version: 1
Content Digest: [22, -56, 114, 15, 7, 5, -68, -19, 23, -107, -7, 94, 46, 78, 118, 65, 99, 7, 91, -102, -124, -72, -98, -2, -31, 14, -1, -81, -74, 53, -110, -88]
Content Type: 1.2.840.113549.1.7.1
SID: C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1
Signature: [75, -114, -16, -101, -78, 120, -63, -100, 26, 94, 35, -12, 35, -62, 40, -21, -75, 1, 33, -26, -6, -20, 112, -10, 0, 114, -42, 27, 42, -39, 93, -103, -40, 32, -114, 67, 38, -58, 100, 122, -62, -60, -37, -47, 83, -15, 73, -97, -5, 75, -60, 21, -120, 3, 15, 119, 28, -74, -27, 87, 13, 86, 82, 13, -127, 40, 57, -21, 100, -62, 87, 121, 8, 88, 99, 17, -10, -42, 57, 72, 52, 54, -117, -4, 70, -66, 40, -41, -35, -36, -115, 8, -22, -45, 93, 99, 55, 55, -91, 15, 33, -6, 43, 81, -108, -58, -49, 109, 58, 81, -1, 20, 25, 77, 18, -64, 50, 60, -91, 52, 122, -7, -106, -52, -116, -8, -61, 75, -48, -49, -17, 58, 72, 95, 4, -41, -40, -88, -38, 8, 10, -95, -8, -43, -41, -56, -48, -36, 48, 71, 84, -34, 39, -88, -60, -93, -68, -74, -2, -82, 10, -52, -73, -94, 31, 97, 44, 36, -20, 8, -112, 12, -76, -124, -40, -21, 40, -14, 93, -106, -97, 63, -117, -71, 121, -125, -103, -119, 119, -36, -24, -94, -123, -6, -85, 79, -110, -71, -54, 81, 45, -89, -11, -74, -75, -59, -74, 95, 8, 74, 16, 124, 24, -37, 22, 126, -121, 82, -21, -69, -29, 111, 48, -75, 41, -31, 84, 22, -79, -71, -19, -24, 51, -92, -87, 112, 106, -99, 91, -5, 43, 78, -88, -90, -62, -34, 66, 77, 109, -25, 99, 112, 78, -27, -97, -67]
Unsigned attribs: null
Content-transfer-encoding: null
Certificate: [0] Version: 3
SerialNumber: 12276118078186337965860819263844804589
IssuerDN: C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1
Start Date: Wed Apr 13 19:00:00 CDT 2022
Final Date: Fri Apr 14 18:59:59 CDT 2023
SubjectDN: C=US,ST=Pennsylvania,L=Newtown Square,O=SAP America Inc.,CN=aribacloudintegration-test.ariba.com
Public Key: RSA Public Key [4d:46:9d:fd:3d:ee:06:b4:e5:a2:31:e8:de:31:01:94:3f:e6:7b:b2],[56:66:d1:a4]
modulus: ec53fd8772e798785917485ffe7ab40a636c224654d9ca766c617be9311e21f26ee54f1216fba0bdbcb85fecd4b5faf070c806ba45f4ecadb3de437dd3dca4a5a2b54ad77ce1f5c5d7fa0bcc25479c19e13bb96cf8bec0ba8fd2a48b378364ba2591f81f680b75e2e911a2d66c9c8b90cee170473048820e371fb0baa32d7fcb55194ee3e5beb17cf0b7fbf08c3ccf2d29ec556740ecedb3f3d432df174d8a5486773ad07a326777d11ca4831e2c47b96e7b5de06df6202ad3dc2b4f6bdf4548f020bcbb00e277d51c6b12d897498a558643e8d695ecab775762f1951235f5bdb961fde613abde944ec8f7a3c8560428e87f5e04d559db5321438e0cc55a2161
public exponent: 10001
Signature Algorithm: SHA256WITHRSA
Signature: aa1bb21f647ed6041ef9716596d2bb6cef12ecbd
7cc3789bda3a82b68e2bec13b61b54025283ff30
2ecc73c2eb09e6bf49bc089c80fe97c0a1ef6819
2dcca00ebb94ea657a25787d259ddc3a168dd2b9
3b29fbb5f837402314a5c26a236e7d7b1b29bfe1
dc3c0f7003381ed9b2c9d85c126a7a08aeac9362
4f17022468cad82f75e8cef3542950797705d31d
4d4602d4f1782e4167d4409ae44d21b20f55cf2e
0745d72c6bfddfec45bd195981a1bcc0f5a52231
306aff293e47afe5bcec5498d75a0be27b023bcc
42d4b3a813b47b4a45115faf9f3ccb390624ccba
3b25590557de67072aac8584efcdd18688896c73
1e5211caa133a480470c1132193f8f95
Extensions:
critical(false) 2.5.29.35 value = Sequence
Tagged [CONTEXT 0] IMPLICIT
DER Octet String[20]
critical(false) 2.5.29.14 value = DER Octet String[20]
critical(false) 2.5.29.17 value = Sequence
Tagged [CONTEXT 2] IMPLICIT
DER Octet String[36]
critical(true) KeyUsage: 0xa0
critical(false) 2.5.29.37 value = Sequence
ObjectIdentifier(1.3.6.1.5.5.7.3.1)
ObjectIdentifier(1.3.6.1.5.5.7.3.2)
critical(false) 2.5.29.31 value = Sequence
Sequence
Tagged [CONTEXT 0]
Tagged [CONTEXT 0]
Tagged [CONTEXT 6] IMPLICIT
DER Octet String[58]
Sequence
Tagged [CONTEXT 0]
Tagged [CONTEXT 0]
Tagged [CONTEXT 6] IMPLICIT
DER Octet String[58]
critical(false) 2.5.29.32 value = Sequence
Sequence
ObjectIdentifier(2.23.140.1.2.2)
Sequence
Sequence
ObjectIdentifier(1.3.6.1.5.5.7.2.1)
IA5String(http://www.digicert.com/CPS)
critical(false) 1.3.6.1.5.5.7.1.1 value = Sequence
Sequence
ObjectIdentifier(1.3.6.1.5.5.7.48.1)
Tagged [CONTEXT 6] IMPLICIT
DER Octet String[24]
Sequence
ObjectIdentifier(1.3.6.1.5.5.7.48.2)
Tagged [CONTEXT 6] IMPLICIT
DER Octet String[61]
critical(false) BasicConstraints: isCa(false)
critical(false) 1.3.6.1.4.1.11129.2.4.2 value = DER Octet String[363]
2023-02-01 12:48:01.359 ERROR AS2ReceiverHandler: Error decrypting received message: Signature Verification failed [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
java.security.SignatureException: Signature Verification failed
at org.openas2.lib.helper.BCCryptoHelper.verifySignature(BCCryptoHelper.java:417)
at org.openas2.processor.receiver.AS2ReceiverHandler.decryptAndVerify(AS2ReceiverHandler.java:390)
at org.openas2.processor.receiver.AS2ReceiverHandler.handle(AS2ReceiverHandler.java:208)
at org.openas2.processor.receiver.NetModule$ConnectionHandler.run(NetModule.java:176)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2023-02-01 12:48:01.397 FINER DefaultProcessor: Processor searching for module handler for action: sendmdn
2023-02-01 12:48:01.398 FINER MDNSenderModule: ASYNC MDN send started...
2023-02-01 12:48:01.400 FINER DefaultProcessor: Processor searching for module handler for action: track_msg
2023-02-01 12:48:01.401 FINEST MDNSenderModule: MDN HEADERS SENT: =Date;Wed, 01 Feb 2023 12:48:01 -0600=From;360DATA GoDaddy CA email=Message-Id;OPENAS2-01022023124801-0600-88e6b66c-a4ea-49f0-8935-301f53bac4a6@ZZARIBATESTUS_360DATACA=Subject;From ZZARIBATESTUS to 360DATACA=MIME-Version;1.0=Content-Type;multipart/report; report-type=disposition-notification; boundary="----=_Part_0_182960550.1675277281396"=AS2-To;ZZARIBATESTUS=AS2-From;360DATACA=AS2-Version;1.1=Connection;close, TE=User-Agent;OpenAS2 Server v3.4.0=Server;OpenAS2 Server v3.4.0 [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.401 FINER DefaultProcessor: Processor searching for module handler for action: storemdn
2023-02-01 12:48:01.407 FINER IOUtil: Moved file atomically from /u01/home/prod/commprod/openas2/bin/../config/../data/../inbox/mdn/temp/OPENAS2-20230201124801-0600-c96f23b5-bb65-4f76-8768-e2a2b937ee06.cd47a405-8717-4f48-bdf3-b1c8f8e64048 to /u01/home/prod/commprod/openas2/bin/../config/../data/../inbox/mdn/ZZARIBATESTUS/OPENAS2-20230201124801-0600-c96f23b5-bb65-4f76-8768-e2a2b937ee06
2023-02-01 12:48:01.407 FINE MDNSenderModule: sent MDN [automatic-action/mdn-sent-automatically; processed/error:integrity-check-failed] [AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com]
2023-02-01 12:48:01.408 ERROR OpenAS2Exception: Error occurred:: Signature Verification failed
Sources: {message=Message From:{as2_id=ZZARIBATESTUS, name=ZZARIBATESTUS, email=Pepsi Test email, x509_alias=ZZARIBATESTUS}To:{as2_id=360DATACA, name=360DATACA, email=360DATA GoDaddy CA email, x509_alias=360DATACA}
Headers:{Content-Type=multipart/signed;
boundary="----=_Part_3244_129752334.1675277280982";
protocol="application/pkcs7-signature"; micalg=sha256, Accept=/, Connection=close, AS2-From=ZZARIBATESTUS, Disposition-Notification-To=info@ariba.com, AS2-Version=1.2, Message-Id=AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com, From=info@ariba.com, Content-Transfer-Encoding=binary, Content-Description=S/MIME Encrypted Message, Date=Wed, 01 Feb 2023 18:48:00 GMT, MIME-Version=1.0, Subject=EDI Message, Content-Disposition=null, AS2-To=360DATACA, SAP-PASSPORT=2A54482A0300E600004350495F65313430303100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004D657373616765526563657074696F6E00000000000000000000000000000000000000000000000000004350495F6531343030310000000000000000000000000000000000000000000063356337393837376239643634653663383163323938386566643838646233630000000016C5C79877B9D64E6C81C2988EFD88DB3C1E2F5800C7A24E48869C58F25383D37000000001000000002A54482A, content-length=5410, host=as2.360data.com:10443, user-agent=AHC/2.1}
Attributes:{HTTP_REQUEST_TYPE=POST, destination_ip=/10.200.22.23, destination_port=10443, HTTP_REQUEST_URL=/, source_port=38241, source_ip=/130.214.184.68}
MDN:MDN From:{as2_id=360DATACA, name=360DATACA, email=360DATA GoDaddy CA email, x509_alias=360DATACA}To:{as2_id=ZZARIBATESTUS, name=ZZARIBATESTUS, email=Pepsi Test email, x509_alias=ZZARIBATESTUS}
Headers:{Date=Wed, 01 Feb 2023 12:48:01 -0600, From=360DATA GoDaddy CA email, Message-Id=OPENAS2-01022023124801-0600-88e6b66c-a4ea-49f0-8935-301f53bac4a6@ZZARIBATESTUS_360DATACA, Subject=From ZZARIBATESTUS to 360DATACA, MIME-Version=1.0, Content-Type=multipart/report; report-type=disposition-notification; boundary="----=_Part_0_182960550.1675277281396", AS2-To=ZZARIBATESTUS, AS2-From=360DATACA, AS2-Version=1.1, Connection=close, TE, User-Agent=OpenAS2 Server v3.4.0, Server=OpenAS2 Server v3.4.0}
Attributes:{FINAL_RECIPIENT=rfc822; 360DATACA, MIC=null, REPORTING_UA=OpenAS2 Server v3.4.0@/10.200.22.23:10443, ORIGINAL_MESSAGE_ID=AGPas-Cp9JlYWPOFoi6qpII7RFwA@ariba.com, ORIGINAL_RECIPIENT=rfc822; 360DATACA, DISPOSITION=automatic-action/MDN-sent-automatically; processed/Error:integrity-check-failed}
Text:
The message sent to Recipient 360DATACA on Wed, 01 Feb 2023 18:48:00 GMT with Subject EDI Message has been received, the EDI Interchange was successfully decrypted and it's integrity was verified. Authentication of the originator of the message failed.
}
org.openas2.DispositionException: automatic-action/MDN-sent-automatically; processed/Error:integrity-check-failed
at org.openas2.processor.receiver.AS2ReceiverHandler.decryptAndVerify(AS2ReceiverHandler.java:413)
at org.openas2.processor.receiver.AS2ReceiverHandler.handle(AS2ReceiverHandler.java:208)
at org.openas2.processor.receiver.NetModule$ConnectionHandler.run(NetModule.java:176)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.SignatureException: Signature Verification failed
at org.openas2.lib.helper.BCCryptoHelper.verifySignature(BCCryptoHelper.java:417)
at org.openas2.processor.receiver.AS2ReceiverHandler.decryptAndVerify(AS2ReceiverHandler.java:390)
... 5 more
2023-02-01 12:48:01.409 ERROR OpenAS2Exception: Error occurred:: Stored invalid message to /u01/home/prod/commprod/openas2/bin/../config/../data/../inbox/error/20230201124801.2fd93d9b-56b8-447a-9ad4-8ab2d027116e
Sources: {}
org.openas2.message.InvalidMessageException: Stored invalid message to /u01/home/prod/commprod/openas2/bin/../config/../data/../inbox/error/20230201124801.2fd93d9b-56b8-447a-9ad4-8ab2d027116e
at org.openas2.processor.receiver.NetModule.handleError(NetModule.java:142)
at org.openas2.processor.receiver.AS2ReceiverHandler.handle(AS2ReceiverHandler.java:279)
at org.openas2.processor.receiver.NetModule$ConnectionHandler.run(NetModule.java:176)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
For some reason SourceForge forces long discussion posts to be approved but sends no message to anyone saying there are messages waiting to be approved so this has sat there for a while without being seen.
Whether you use 3rd party certificates or not, for encryption and signing the third party chain certificates are irrelevant.
Certificate chains are only followed for SSL transport connection encryption.
The MDN response from your partner indicates they could not verify the sent message and your processing of the MDN cannot verify it either. Look at how certificates are utilised in the OpenAS2HowTo.pdf section 8.2 "Certificate Usage Overview".
Somehow the certificates you are using are not matched with the other end and vice versa.
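A concrete way to confirm the mismatch the reply describes, added here as an example and not code from the OpenAS2 project or from either poster: the signature's SignerInfo names the signing certificate by issuer and serial, and the ESS signing-certificate-v2 attribute (1.2.840.113549.1.9.16.2.47 in the log above, which carries serial 17817980749478206810159990989867083391 while the certificate block printed under it shows serial 12276118078186337965860819263844804589) additionally pins a SHA-256 hash of that certificate; the check below compares both against the certificate stored under the partner alias and then runs the same single-certificate verification BouncyCastle does for OpenAS2, with no chain building. The file paths, keystore password and the file holding the canonical signed MIME part are assumptions; the alias ZZARIBATESTUS is the one from the log.

```java
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.ess.ESSCertIDv2;
import org.bouncycastle.asn1.ess.SigningCertificateV2;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;

/**
 * Compares the signer named inside an AS2 detached S/MIME signature (smime.p7s)
 * with the certificate stored under the partner alias in a PKCS#12 keystore.
 * Hypothetical example: input files and keystore password are placeholders.
 */
public class As2SignerCheck {

    static X509Certificate loadPartnerCert(String keystorePath, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate stored under alias " + alias);
        }
        return cert;
    }

    static void checkSigner(byte[] signedContent, byte[] p7sDer, X509Certificate partnerCert) throws Exception {
        // multipart/signed carries a detached signature, so content and signature are supplied separately
        CMSSignedData signedData = new CMSSignedData(new CMSProcessableByteArray(signedContent), p7sDer);
        JcaX509CertificateHolder partner = new JcaX509CertificateHolder(partnerCert);

        for (SignerInformation signer : signedData.getSignerInfos().getSigners()) {
            // 1. issuer + serial from the SignerInfo versus the keystore certificate
            SignerId sid = signer.getSID();
            System.out.println("signature SID : " + sid.getIssuer() + " serial=" + sid.getSerialNumber());
            System.out.println("keystore cert : " + partner.getIssuer() + " serial=" + partner.getSerialNumber());
            boolean sidMatches = sid.getIssuer().equals(partner.getIssuer())
                    && sid.getSerialNumber().equals(partner.getSerialNumber());
            System.out.println("issuer/serial match: " + sidMatches);

            // 2. ESS signing-certificate-v2 attribute: hash of the certificate the sender actually signed with
            Attribute ess = signer.getSignedAttributes() == null ? null
                    : signer.getSignedAttributes().get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
            if (ess != null) {
                ESSCertIDv2 id = SigningCertificateV2.getInstance(ess.getAttrValues().getObjectAt(0)).getCerts()[0];
                // ESSCertIDv2 defaults to SHA-256; other digests are reported but not compared here
                if (NISTObjectIdentifiers.id_sha256.equals(id.getHashAlgorithm().getAlgorithm())) {
                    byte[] expected = id.getCertHash();
                    byte[] actual = MessageDigest.getInstance("SHA-256").digest(partnerCert.getEncoded());
                    System.out.println("ESS cert hash : " + Hex.toHexString(expected));
                    System.out.println("keystore hash : " + Hex.toHexString(actual));
                    System.out.println("cert hash match: " + Arrays.equals(expected, actual));
                } else {
                    System.out.println("ESS cert hash uses " + id.getHashAlgorithm().getAlgorithm() + ", not compared");
                }
            }

            // 3. the verification OpenAS2 performs: only the partner certificate's public key, no chain walk
            boolean verified = signer.verify(
                    new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(partnerCert));
            System.out.println("signature verifies with keystore cert: " + verified);
        }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // placeholder paths and password; the signed part must be the exact bytes OpenAS2 logged as the signed MIME part
        byte[] content = Files.readAllBytes(Paths.get("path/to/signed-mime-part.bin"));
        byte[] p7s = Files.readAllBytes(Paths.get("path/to/smime.p7s"));
        X509Certificate partnerCert = loadPartnerCert("path/to/as2_certs.p12", "changeit".toCharArray(), "ZZARIBATESTUS");
        checkSigner(content, p7s, partnerCert);
    }
}
```

If the issuer/serial or hash lines differ, the partner is signing with a certificate other than the one under the alias (typically a renewed one), and replacing that single entry, not importing the DigiCert chain, is the fix.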