Unsupported signature algorithm.

[juhojo]

There are some insecure packages (according to npm v7 audit) and the signatures do not appear to work: Unsupported signature algorithm: RSAES-PKCS1-v1_5.

Has the development of this repository been halted permanently?

I am liking this project and that is why I ask 👍 .

[ahuggins-nhs]

Development has halted, but not permanently. I'm hoping my employer's priorities allow me to continue development on this for our business use-case some time this summer, but I'm not sure exactly when I can get back to it.

That signature algorithm should be supported by PKI.js, so I'm not sure what you're encountering and why. If you can provide test file(s) and a code sample, I can try to reproduce your issue in the next 3 to 10 days (I'm very busy lately, we'll see when I can fit it in).

If I can reproduce the issue and it's not user-error or an error in PKI.js, I can try to fix and roll-up that change with any dependency updates.

Regardless of the outcome, I'll get to updating dependencies in the next 2 or 3 weeks.

[ahuggins-nhs]

@juhojo And thanks for the feedback, glad you're liking this so far.

[juhojo]

Nice to hear that! 😄

The error is thrown really early:

const fs = require("fs");
const path = require("path");
const { AS2Composer, AS2Crypto, AS2Constants, AS2Parser } = require("libas2");

const message = {
  filename: "message.edi",
  content: fs.readFileSync(
    path.join(process.cwd(), "blobs", "sample.edi"),
    "utf-8"
  ),
};

const options = {
  message,
  agreement: {
    host: {
      name: "host",
      id: "host_1",
      url: "http://example.com",
      certificate: fs.readFileSync(
        path.join(process.cwd(), "blobs", "cert.cer"),
        "utf-8"
      ),
      privateKey: fs.readFileSync(
        path.join(process.cwd(), "blobs", "key.key"),
        "utf-8"
      ),
      // ! Setting the sign attribute throws:
      // ! -- Unsupported signature algorithm: RSAES-PKCS1-v1_5
      // ! Also, if fixed, do not use `sha-1`:
      // ! -- "MD5 and SHA-1 are no longer acceptable where collision resistance is required such as digital signatures."
      // ! See: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
      // sign: AS2Constants.SIGNING.SHA256, // Require partner to verify messages sent from the host.
      mdn: {
        signing: AS2Constants.SIGNING.SHA256,
      },
      encrypt: AS2Constants.ENCRYPTION.AES128_GCM, // Messages are encrypted.
    },
    partner: {
      name: "partner",
      id: "partner_1",
      url: "http://example.com",
      certificate: fs.readFileSync(
        path.join(process.cwd(), "blobs", "cert.cer"),
        "utf-8"
      ),
      encrypt: AS2Constants.ENCRYPTION.AES128_GCM,
      decrypt: true,
    },
  },
};

const composer = new AS2Composer(options);

If the sign attribute of AS2ComposerOptions.host is set it fails with the error mentioned in the previous message.

[ahuggins-nhs]

@juhojo Thanks for the code sample. May I also have a sample of a throw-away private key/public cert that you know gets you the same error? Or do you have an openssl command I can use to produce my own so I know I'm using the same options?

Additionally, you should know that MD5 and SHA-1 are required by a LOT of businesses out there for legacy reasons. I even had to go out of my way to support DES3 😮 so we could interoperate with a popular e-commerce marketplace. Should PKI.js ever drop support for MD5/SHA-1, I'll probably have to fix that, too, given that legacy systems often don't (or refuse) to support more modern and secure algorithms.

How I feel about this legacy stuff...

[juhojo]

The cert and key are the as2community cert and key. The MD and SHA-1 comments are for my own self 😄.
I feel you with the legacy stuff 👍.

[juhojo]

The node version I am using is 14.15.4 and npm is 7.6. OS Windows 10 Pro (which could possibly have an effect).

Edit: I did create (with OpenSSL) my own key and cert but that had no effect. Additionally, @peculiar/webcrypto (https://github.com/PeculiarVentures/webcrypto) shows no support for signing RSAES-PKCS1-v1_5 but instead for RSASSA-PKCS1-v1_5. Could this have been changed and be the cause of the error I am having? It appears as a strong candidate in my eyes.

[juhojo]

Hi,

I found out that the reason was the specific version of the @peculiar/webcrypto (and PKI.js?). I solved these on my own project, which uses the npm-package of this repo, with yarn resolutions. This is a hacky way to solve anything 😅, and thus, it would be awesome if you could update the package.json to use the current versions of these packages without the caret (^) versioning.

I did track the issues origin and it seems to be from AS2SignedData, line 143. There is no error handling right now and there is a good chance I am wrong.

[ctooley21]

@aaronhuggins @ahuggins-nhs any chance of this project continuing?

[juhojo]

For those wondering what was the hack in all its lameness, here is a short snippet of the resolutions I used.

package.json

  "resolutions": {
    "**/@peculiar/webcrypto": "1.1.3",
    "**/asn1js": "2.0.26",
    "**/nodemailer": "6.4.11",
    "**/pkijs": "2.1.90"
  }

These were identical to the node-libas2 dependencies when I created this issue.

[zhouyj001]

I want to ask how this problem is solved.

[nbutkowski-chub]

#29

I didn't have success getting the signing working when bumping versions. Instead, the linked PR seems OK. I don't know if it's correct or safe.