OxalisCommunity/oxalis

[standalone] Peppol certificate validation not working

karelkryda opened this issue · 4 comments

Hi,
I would like to report an issue with the Oxalis standalone component.

When sending a message to the Peppol network, the sender - in this case the Oxalis standalone component - should check the validity of the certificate and reject the message if the certificate is not valid.
This behavior is tested in Peppol Testbed using the TC2A.4: Invalid certificate handling test. This test generates three test XML files, the second of which is signed with a revoked certificate. Oxalis should therefore refuse to send this file. Unfortunately, this expected behavior does not happen and Oxalis still performs delivery of this message. The Peppol test in this case ends in an error because sending this message is undesirable and against Peppol security practices.

I am attaching here a log dump from the Oxalis standalone component. These are the logs from sending the message signed with a revoked certificate:

2024-05-22 08:31:42,169 INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/home/karel/oxalis-standalone-as4'.
2024-05-22 08:31:42,172 INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /home/karel/oxalis-standalone-as4
2024-05-22 08:31:42,172 INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /home/karel/oxalis-standalone-as4
2024-05-22 08:31:42,172 INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /home/karel/oxalis-standalone-as4/oxalis.conf
2024-05-22 08:31:42,175 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF:
2024-05-22 08:31:42,176 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /var/peppol/IN
2024-05-22 08:31:42,176 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: <null>
2024-05-22 08:31:42,347 INFO [network.oxalis.as4.util.OxalisAlgorithmSuiteLoader] Registering OxalisAlgorithmSuite on bus cxf711310213
2024-05-22 08:31:42,783 INFO [network.oxalis.commons.filesystem.detector.EnvironmentHomeDetector] Using Oxalis folder specified as environment variable 'OXALIS_HOME' with value '/home/karel/oxalis-standalone-as4'.
2024-05-22 08:31:42,783 INFO [network.oxalis.commons.filesystem.FileSystemModule] Home folder: /home/karel/oxalis-standalone-as4
2024-05-22 08:31:42,784 INFO [network.oxalis.commons.filesystem.FileSystemModule] Configuration folder: /home/karel/oxalis-standalone-as4
2024-05-22 08:31:42,784 INFO [network.oxalis.commons.config.ConfigModule] Configuration file: /home/karel/oxalis-standalone-as4/oxalis.conf
2024-05-22 08:31:42,785 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TOTAL: 20
2024-05-22 08:31:42,785 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_MAX_ROUTE: 2
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_VALIDATE_AFTER_INACTIVITY: 1000
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => POOL_TIME_TO_LIVE: 30
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_CONNECT: 0
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_READ: 0
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] HTTP => TIMEOUT_SOCKET: 0
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] Error => TRACKER: quiet
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] AS2 => NOTIFICATION: not.in.use@difi.no
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => CONF:
2024-05-22 08:31:42,786 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => INBOUND: /var/peppol/IN
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] File system => PLUGIN: <null>
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => HOSTNAME:
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Identifiers => MSGID_GENERATOR: default
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PATH: peppol-cert.p12
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => PASSWORD: ************
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_ALIAS: cert
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Key store => KEY_PASSWORD: ************
2024-05-22 08:31:42,787 INFO [network.oxalis.commons.settings.SettingsBuilder] Header => PARSER: sbdh
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Persister => PAYLOAD: default
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Persister => RECEIPT: plugin
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Persister => EXCEPTION: default
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Persister => HANDLER: default
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Tracing => REPORTER: noop
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Tracing => HTTP: <null>
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Tracing => TRACER: noop
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Executor => DEFAULT: 50
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Executor => STATISTICS: 50
2024-05-22 08:31:42,788 INFO [network.oxalis.commons.settings.SettingsBuilder] Tag => GENERATOR: noop
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Timestamp => SERVICE: system
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Evidence => SERVICE: rem
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Transformer => DETECTOR: noop
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Transformer => WRAPPER: xml
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Statistics => SERVICE: noop
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] Transmission => VERIFIER: default
2024-05-22 08:31:42,789 INFO [network.oxalis.commons.settings.SettingsBuilder] AS4 => HOSTNAME:
2024-05-22 08:31:42,790 INFO [network.oxalis.commons.settings.SettingsBuilder] AS4 => MSGID_GENERATOR: default
2024-05-22 08:31:42,790 INFO [network.oxalis.commons.settings.SettingsBuilder] AS4 => TYPE: peppol
2024-05-22 08:31:42,790 INFO [network.oxalis.commons.settings.SettingsBuilder] Logging => CONFIG: <null>
2024-05-22 08:31:42,790 INFO [network.oxalis.commons.settings.SettingsBuilder] Logging => SERVICE: logback
2024-05-22 08:31:42,830 INFO [network.oxalis.commons.security.CertificateModule] Certificate subject: CN=OUR_ID, OU=PEPPOL TEST AP, O=OUR_ORG, C=CZ
2024-05-21 14:09:42,434 INFO [network.oxalis.commons.security.CertificateModule] Certificate issuer: CN=PEPPOL ACCESS POINT TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE
2024-05-21 14:09:42,521 INFO [network.oxalis.vefa.peppol.security.ModeDetector] Detection error (FRTEST): Validation of subject principal(CN) failed.
2024-05-21 14:09:43,102 INFO [network.oxalis.vefa.peppol.security.ModeDetector] Detected mode: TEST
2024-05-21 14:09:43,104 INFO [network.oxalis.outbound.transmission.MessageSenderFactory] Prioritized list of transport profiles:
2024-05-21 14:09:43,105 INFO [network.oxalis.outbound.transmission.MessageSenderFactory] => peppol-transport-as4-v2_0
2024-05-21 14:09:43,105 INFO [network.oxalis.outbound.transmission.MessageSenderFactory] => busdox-transport-as2-ver1p0r1
2024-05-21 14:09:43,105 INFO [network.oxalis.outbound.transmission.MessageSenderFactory] => busdox-transport-as2-ver2p0
2024-05-21 14:09:43,105 INFO [network.oxalis.outbound.transmission.MessageSenderFactory] => busdox-transport-as2-ver1p0


May 21, 2024 2:09:44 PM org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
INFO: Creating Service {oxalis.network/}outbound-service from class org.apache.cxf.jaxws.support.DummyImpl
2024-05-21 14:09:45,521 WARN [org.apache.wss4j.common.crypto.CryptoBase] No Subject DN Certificate Constraints were defined. This could be a security issue
transmission took 1399 ms
Average transmission time was 1399.0ms
Total time spent: 2s
Attempted to send 1 files
Failed transmissions: 0
Transmission speed 0 documents per second

Thank you in advance for checking the situation.

Additional information:

Oxalis version: 6.5.0
AS4 plugin version: 6.5.0
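To show what the revocation check described in this report amounts to, here is an added example (not Oxalis code) that validates the access point certificate from the configured PKCS#12 keystore against its issuing CA using the JDK's PKIX path validator with OCSP/CRL revocation checking enabled; the keystore path, alias and password follow the configuration in this thread, and the CA file name `peppol-test-ca.pem` is an assumption. A revoked certificate yields `BasicReason.REVOKED`, which is the outcome a sender is expected to treat as "do not send".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;

public class RevocationCheck {

    // Returns null when the certificate is valid and not revoked, otherwise the PKIX failure reason.
    static String checkRevocation(String p12Path, String password, String alias, String caPemPath)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password.toCharArray());
        }
        X509Certificate apCert = (X509Certificate) ks.getCertificate(alias);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate caCert;
        try (FileInputStream in = new FileInputStream(caPemPath)) {
            caCert = (X509Certificate) cf.generateCertificate(in);
        }

        // Trust anchor is the issuing CA, so the path to validate is the AP certificate alone.
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(caCert, null)));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) validator.getRevocationChecker();
        // No options: OCSP first with CRL fallback, and no SOFT_FAIL, so an unreachable
        // responder is a hard failure rather than a silent pass.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(checker);

        try {
            validator.validate(cf.generateCertPath(List.of(apCert)), params);
            return null;
        } catch (CertPathValidatorException e) {
            // For TC2A.4's revoked certificate this is "REVOKED"; expired gives "EXPIRED".
            return e.getReason() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names; the CA PEM is the issuer exported from the Peppol test PKI.
        String result = checkRevocation("peppol-cert.p12", "PASSWORD", "cert", "peppol-test-ca.pem");
        System.out.println(result == null ? "valid, sending allowed" : "refusing to send: " + result);
    }
}
```

Running this against the revoked certificate from the test set, with network access to the OCSP responder or CRL distribution point, is a quick way to confirm the certificate really is revoked before attributing the behaviour to Oxalis.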

@karelkryda: Here is a screenshot which mentions that Oxalis successfully passed all tests under the eDELIVERY TEST SUITE, including "TC2A.4: Invalid certificate handling", using Oxalis/Oxalis-AS4 version 6.5.0 with Audit ID: 1467:262

https://github.com/OxalisCommunity/oxalis/wiki/OpenPeppol-Testbed-and-Accreditation

Oxalis checks for "revoked" and "expired" certificates while sending and fails delivery with a proper error message, e.g. "Certificate is revoked". Please check whether you are bypassing certificate validation.

Also, please attach the complete logs which you promised but have not shared.

Hi @aaron-kumar,
I edited the original post and added the complete log. We didn't modify any configuration on our side; we just added the mandatory keystore section.

oxalis.keystore {
    # Relative to OXALIS_HOME
    path = peppol-cert.p12
    password = PASSWORD
    key.alias = cert
    key.password = PASSWORD
}

# The relative name of the directory holding plugin
#oxalis.path.plugin = oxalis-plugin

# Signals to Oxalis that we should look for plugin
oxalis.persister.receipt = plugin

# Where to store inbound files
oxalis.path.inbound = /var/peppol/IN

Hi @karelkryda
Did you finally pass the Testbed? If so, what did you change in your configuration?