From 48c179d4fa3d0844bed476f82b818434d4e91086 Mon Sep 17 00:00:00 2001
From: aaron-kumar
Date: Mon, 4 Mar 2024 21:29:39 +0530
Subject: [PATCH] Bump Oxalis to version 6.5.0 and added certification validation
---
 pom.xml | 7 +++-
 .../oxalis/as4/inbound/As4FaultInHandler.java | 25 ++++++++++++++
 .../oxalis/as4/inbound/As4InboundHandler.java | 33 ++++++++++++++-----
 3 files changed, 55 insertions(+), 10 deletions(-)
diff --git a/pom.xml b/pom.xml
index c1e86e3..6563c56 100755
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,7 @@ network.oxalis oxalis - 6.4.0 + 6.5.0 oxalis-as4
@@ -142,6 +142,11 @@ peppol-mode provided + + network.oxalis.vefa + peppol-security + provided + network.oxalis.peppol
diff --git a/src/main/java/network/oxalis/as4/inbound/As4FaultInHandler.java b/src/main/java/network/oxalis/as4/inbound/As4FaultInHandler.java
index d2d1a18..d659b5f 100644
--- a/src/main/java/network/oxalis/as4/inbound/As4FaultInHandler.java
+++ b/src/main/java/network/oxalis/as4/inbound/As4FaultInHandler.java
@@ -34,6 +34,10 @@ public class As4FaultInHandler implements SOAPHandler {
 private final As4MessageFactory as4MessageFactory;
 private final PersisterHandler persisterHandler;
+ private static final String CERTIFICATE_ERROR_MSG = "Cannot find key for certificate";
+ private static final String ERROR_CODE_FAILED_CHECK = "FAILED_CHECK";
+ private static final String FAULT_CODE_FAILED_CHECK = "FailedCheck";
+
 @Inject
 public As4FaultInHandler(As4MessageFactory as4MessageFactory, PersisterHandler persisterHandler) {
 this.as4MessageFactory = as4MessageFactory;
@@ -111,6 +115,27 @@ public static AS4Error toAS4Error(Throwable t) {
 if (t instanceof WSSecurityException && inMessage.isPresent()) {
+ boolean IsSecurityException = false;
+ String detailSecurityExceptionMessage = "";
+
+ if(null != t.getMessage()) {
+ detailSecurityExceptionMessage = t.getMessage();
+ }
+
+ if(null != ((WSSecurityException) t).getErrorCode()) {
+ String errorCode = ((WSSecurityException) t).getErrorCode().name();
+ IsSecurityException = errorCode.equalsIgnoreCase(ERROR_CODE_FAILED_CHECK);
+ }
+
+ if(null != ((WSSecurityException) t).getFaultCode()) {
+ String faultCode = (null == ((WSSecurityException) t).getFaultCode().getLocalPart() ? "" : ((WSSecurityException) t).getFaultCode().getLocalPart());
+ IsSecurityException = faultCode.equalsIgnoreCase(FAULT_CODE_FAILED_CHECK);
+ }
+
+ if(IsSecurityException || detailSecurityExceptionMessage.equalsIgnoreCase(CERTIFICATE_ERROR_MSG)) {
+ return new OxalisAs4Exception("PEPPOL:NOT_SERVICED", AS4ErrorCode.EBMS_0004, AS4ErrorCode.Severity.FAILURE);
+ }
+
 boolean isCompressionError = (boolean) inMessage.get().getOrDefault("oxalis.as4.compressionErrorDetected", false);
 if (isCompressionError) {
diff --git a/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java b/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
index efd956c..2afe13b 100644
--- a/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
+++ b/src/main/java/network/oxalis/as4/inbound/As4InboundHandler.java
@@ -4,9 +4,6 @@
 import com.google.inject.Inject;
 import com.google.inject.Singleton;
 import lombok.extern.slf4j.Slf4j;
-import network.oxalis.as4.lang.OxalisAs4Exception;
-import network.oxalis.as4.lang.OxalisAs4TransmissionException;
-import network.oxalis.as4.util.*;
 import network.oxalis.api.header.HeaderParser;
 import network.oxalis.api.inbound.InboundService;
 import network.oxalis.api.lang.TimestampException;
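Review bot: The fault-code branch unconditionally reassigns `IsSecurityException`, so a positive result from the error-code check just above it is discarded whenever `getFaultCode()` is non-null but its local part is not `FailedCheck`; in WSS4J the two normally agree, but the intent is plainly a disjunction, so the line should read `IsSecurityException |= faultCode.equalsIgnoreCase(FAULT_CODE_FAILED_CHECK);`. The local should be `isSecurityException` per Java naming, and the five `((WSSecurityException) t)` casts read better as one `WSSecurityException wse = (WSSecurityException) t;` at the top of the block. Matching the exception text against `CERTIFICATE_ERROR_MSG` is brittle across WSS4J versions and locales; if the error code alone cannot identify that case, a comment naming which WSS4J failure produces that message would help the next maintainer. toAS4Error starts before this hunk and continues after it.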
@@ -19,12 +16,18 @@
 import network.oxalis.api.transmission.TransmissionVerifier;
 import network.oxalis.as4.common.As4MessageProperties;
 import network.oxalis.as4.common.As4MessageProperty;
+import network.oxalis.as4.lang.OxalisAs4Exception;
+import network.oxalis.as4.lang.OxalisAs4TransmissionException;
+import network.oxalis.as4.util.*;
 import network.oxalis.commons.header.SbdhHeaderParser;
 import network.oxalis.commons.io.UnclosableInputStream;
+import network.oxalis.commons.mode.OxalisCertificateValidator;
 import network.oxalis.vefa.peppol.common.code.DigestMethod;
+import network.oxalis.vefa.peppol.common.code.Service;
 import network.oxalis.vefa.peppol.common.model.*;
 import network.oxalis.vefa.peppol.sbdh.SbdReader;
 import network.oxalis.vefa.peppol.sbdh.lang.SbdhException;
+import network.oxalis.vefa.peppol.security.lang.PeppolSecurityException;
 import org.apache.cxf.attachment.AttachmentUtil;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Attachment;
@@ -63,9 +66,12 @@ public class As4InboundHandler {
 private final As4MessageFactory as4MessageFactory;
 private final PolicyService policyService;
 private final InboundService inboundService;
+ private final OxalisCertificateValidator certificateValidator;
 @Inject
- public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHandler persisterHandler, TimestampProvider timestampProvider, HeaderParser headerParser, As4MessageFactory as4MessageFactory, PolicyService policyService, InboundService inboundService) {
+ public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHandler persisterHandler,
+ TimestampProvider timestampProvider, HeaderParser headerParser, As4MessageFactory as4MessageFactory,
+ PolicyService policyService, InboundService inboundService, OxalisCertificateValidator certificateValidator) {
 this.transmissionVerifier = transmissionVerifier;
 this.persisterHandler = persisterHandler;
 this.timestampProvider = timestampProvider;
@@ -73,10 +79,14 @@ public As4InboundHandler(TransmissionVerifier transmissionVerifier, PersisterHan
 this.as4MessageFactory = as4MessageFactory;
 this.policyService = policyService;
 this.inboundService = inboundService;
+ this.certificateValidator = certificateValidator;
 }
 public SOAPMessage handle(SOAPMessage request, MessageContext messageContext) throws OxalisAs4Exception {
 SOAPHeader soapHeader = getSoapHeader(request);
+
+ X509Certificate senderCertificate = getSenderCertificate(soapHeader);
+
 Timestamp timestamp = getTimestamp(soapHeader);
 Iterator attachments = CastUtils.cast(request.getAttachments());
@@ -89,6 +99,13 @@ public SOAPMessage handle(SOAPMessage request, MessageContext messageContext) th
 TransmissionIdentifier messageId = TransmissionIdentifier.of(envelopeHeader.getMessageId());
 validateMessageId(messageId.getIdentifier()); // Validate UserMessage
+
+ try {
+ certificateValidator.validate(Service.AP, senderCertificate);
+ } catch (PeppolSecurityException peppolSecurityException) {
+ throw new OxalisAs4Exception("PEPPOL:NOT_SERVICED", AS4ErrorCode.EBMS_0004, AS4ErrorCode.Severity.FAILURE);
+ }
+
 validatePayloads(userMessage.getPayloadInfo()); // Validate Payloads
 List referenceList = SOAPHeaderParser.getReferenceListFromSignedInfo(soapHeader);
@@ -123,8 +140,6 @@ public SOAPMessage handle(SOAPMessage request, MessageContext messageContext) th
 String firstAttachmentId = envelopeHeader.getPayloadCIDs().get(0);
 Digest firstAttachmentDigest = Digest.of(DigestMethod.SHA256, SOAPHeaderParser.getAttachmentDigest(firstAttachmentId, soapHeader));
- X509Certificate senderCertificate = getSenderCertificate(soapHeader);
-
 As4InboundMetadata as4InboundMetadata = new As4InboundMetadata(
 messageId,
 userMessage.getCollaborationInfo().getConversationId(),
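Review bot: The `catch (PeppolSecurityException peppolSecurityException)` block in the `@@ -89,6` hunk throws a fixed PEPPOL:NOT_SERVICED and drops the reason the certificate was rejected, which is neither logged nor attached as cause, so a rejected partner cannot be diagnosed from the receiver's side; before the `throw`, add `log.warn("Sender certificate {} rejected: {}", senderCertificate.getSubjectX500Principal(), peppolSecurityException.getMessage());` (the file imports Lombok's `@Slf4j`, assuming the class is annotated with it) and chain the exception as cause if `OxalisAs4Exception` has an overload that accepts one. Whether `SOAPHeaderParser.getSenderCertificate` returns the certificate WSS4J verified the signature against, or merely the one carried in the header, is not visible here; the validation binds the sender to the message only in the former case, so a comment above the `try` stating that assumption is worth adding. The identical three-argument `OxalisAs4Exception` is now built here, in `getSenderCertificate` and in As4FaultInHandler; a small factory method would keep the three consistent. `handle` starts before these hunks and continues after them.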
@@ -166,11 +181,11 @@ public SOAPMessage handle(SOAPMessage request, MessageContext messageContext) th
 return response;
 }
- private X509Certificate getSenderCertificate(SOAPHeader soapHeader) {
+ private X509Certificate getSenderCertificate(SOAPHeader soapHeader) throws OxalisAs4Exception {
 try {
 return SOAPHeaderParser.getSenderCertificate(soapHeader);
 } catch (OxalisAs4Exception e) {
- return null;
+ throw new OxalisAs4Exception("PEPPOL:NOT_SERVICED", AS4ErrorCode.EBMS_0004, AS4ErrorCode.Severity.FAILURE);
 }
 }
@@ -186,7 +201,7 @@ private boolean isPingMessage(UserMessage userMessage) {
 }
 return Optional.ofNullable(collaborationInfo.getService())
- .map(Service::getValue)
+ .map(org.oasis_open.docs.ebxml_msg.ebms.v3_0.ns.core._200704.Service::getValue)
 .map(service -> Optional.ofNullable(collaborationInfo.getAction()) .map(action -> Constants.TEST_SERVICE.equals(service) && Constants.TEST_ACTION.equals(action)
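Review bot: Rethrowing in `getSenderCertificate` discards the original `OxalisAs4Exception e` — its message, code and cause are lost and the replacement carries only the fixed PEPPOL:NOT_SERVICED text, so a missing or malformed WS-Security header becomes indistinguishable from a certificate that failed validation. Log the original before throwing, `log.warn("Could not read sender certificate from WS-Security header", e);` (assuming the class carries the imported `@Slf4j`), or chain it as cause if `OxalisAs4Exception` offers a constructor that takes one. A Javadoc on the method recording the changed contract, `@throws OxalisAs4Exception if the header carries no usable sender certificate`, would tell callers it no longer returns null.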