I have configured an AS2 server to receive AS2 messages like this:

        from(as2("server/listen?requestUriPattern=/")
                .serverPortNumber("8887")
                .ediMessageTransferEncoding("8bit")
                .decryptingPrivateKey(privateKey)
                .as2MessageStructure(AS2MessageStructure.SIGNED_ENCRYPTED)
                .signingAlgorithm(String.valueOf(AS2SignatureAlgorithm.SHA512WITHRSA))
                .signingCertificateChain(getValidSenderCertificates())
                .signedReceiptMicAlgorithms(new String[]{"sha2", "md5"})
                .ediMessageType("application/edifact;charset=UTF-8")
                .as2From("878051556")
                .from("m...@example.org")
                .as2To("MaxedaDIYPRD01")
                .dispositionNotificationTo("m...@example.org")
                .subject("Product offers")
       )

I send a message to the AS2 server with a signature created with
another (invalid) private key, so the signature should not match what I
configured with the signingCertificateChain in the receiver.

Configuration of sender:

        from("direct:start")
                .convertBodyTo(String.class)
                .setHeader("CamelAS2.ediMessageContentType", simple("application/edifact;charset=UTF-8", ContentType.class))
                .setHeader("CamelAS2.ediMessageTransferEncoding", constant("8bit"))
                .setHeader("CamelAS2.requestUri", constant("/"))
                .setHeader("CamelAS2.as2From", constant("878051556"))
                .setHeader("CamelAS2.from", constant("m...@example.org"))
                .setHeader("CamelAS2.as2To", constant("MaxedaDIYPRD01"))
                .setHeader("CamelAS2.dispositionNotificationTo", constant("m...@example.org"))
                .setHeader("CamelAS2.subject", simple("Product offers"))
                .setHeader("CamelAS2.as2MessageStructure", constant(AS2MessageStructure.SIGNED_ENCRYPTED))
                .setHeader("CamelAS2.signingAlgorithm", constant(AS2SignatureAlgorithm.SHA512WITHRSA))
                .setHeader("CamelAS2.signingCertificateChain", constant(hackerCertificates))
                .setHeader("CamelAS2.signingPrivateKey", constant(hackerPrivateKey))
                .setHeader("CamelAS2.signedReceiptMicAlgorithms", constant(new String[]{"sha2", "md5"}))
                .setHeader("CamelAS2.encryptingAlgorithm", constant(AS2EncryptionAlgorithm.AES128_CBC))
                .setHeader("CamelAS2.encryptingCertificateChain", constant(receiverCertificates))
                .to(as2("client/send?inBody=ediMessage")
                        .targetHostname("localhost")
                        .targetPortNumber("8887")
                        .requestUri("/")
                );

See the configured hackerKey and hackerCertificates in the configuration above.

It looks like the receiving AS2 server does not check the signature. It
just responds with an OK and the AS2 message is processed. Am I missing
something? My understanding of AS2 is that the receiving AS2 server should
check the signature with the certificate/public key that is exchanged with
the sending party. Is my assumption wrong or did I configure something
wrong?

Joris Wijlens
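
The check the post expects from the receiver, as an added example that is not part of the original message and is not Camel's AS2 component code: a signature is accepted only if it verifies against the partner key exchanged out of band, not against whatever key arrives with the message. Plain JDK RSA signatures stand in for the S/MIME signature AS2 uses; the class, record, method names and the sample payload are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class PinnedSignatureCheck {

    // A signed message as it arrives: payload, signature and the signer's own
    // public key (in AS2 that key travels as a certificate inside the signed part).
    record SignedMessage(byte[] payload, byte[] signature, PublicKey embeddedKey) {}

    static SignedMessage sign(String payload, KeyPair signer) throws GeneralSecurityException {
        byte[] data = payload.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initSign(signer.getPrivate());
        s.update(data);
        return new SignedMessage(data, s.sign(), signer.getPublic());
    }

    static boolean verify(SignedMessage m, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initVerify(key);
        s.update(m.payload());
        return s.verify(m.signature());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair(); // key pair of the real trading partner
        KeyPair other = gen.generateKeyPair();   // plays the role of hackerPrivateKey in the post
        PublicKey pinned = partner.getPublic();  // what the receiver was configured to trust

        String edi = "UNH+1+PRICAT:D:96A:UN'";   // constructed sample payload
        SignedMessage genuine = sign(edi, partner);
        SignedMessage forged = sign(edi, other);

        // Verifying against the key shipped with the message only shows the message
        // is self-consistent; any sender can pass this check.
        System.out.println("forged, embedded key: " + verify(forged, forged.embeddedKey()));
        // Verifying against the pinned partner key is what establishes origin.
        System.out.println("forged, pinned key:   " + verify(forged, pinned));
        System.out.println("genuine, pinned key:  " + verify(genuine, pinned));
    }
}
```

Only the second check distinguishes the two senders, which is why a receiver that returns a positive MDN for the forged message is worth treating as a defect or misconfiguration rather than expected AS2 behaviour.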
