as2 0.2.4 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7cb3eb0153dae7ea4c9ddba6a2843c86982fb6a035bddf9f0638655d0e3c3cda
-  data.tar.gz: b4a7d09a451eb131ca1febc572e243144014029c9ac82a35ea43da12db5d3519
+  metadata.gz: '094edd2c08516e42061e5623b49e4b2f355a3ca3a19a6ed17bc2764ea1073f9c'
+  data.tar.gz: c7678c44a070eda090eec89d3e3bacfdc2a1400b880bb39d52f2ba3e08ffe300
 SHA512:
-  metadata.gz: ea8bb601045953e40aca4a13193f8377b2fdeacae2d0b143adfda5e434025d7ed38b7db3aca8e11612f38cb431fab80d590d13923c29a52c51ea118c2b2c2ce1
-  data.tar.gz: aa7b396aa6de6271ae86bc8094ed72f7dce59ed996198f1f31f21c3438de585cee5083a466720e593f80c85474f24fb276f31faa0be8b70813248efc8129db8d
+  metadata.gz: c4ecd6838eb1e62174c584638141ba0f2af696bfd906765a0f3ffd4928e03ed3d203e9160c2ce5731439e282283fbf2b511b891719c98eeff262834b9bb1ec11
+  data.tar.gz: 852b03c4eebc90ea86447a4074afa417556b89f8613851eb59364dc6f8b4f9f1904452da3c4160929992c2263085774ff6c8cdf46345a92e75411daf945b8123

data/.github/workflows/test.yml

@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: test suite
+
+on:
+  push:
+    branches: '**'
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['2.5', '2.6', '2.7', '3.0', '3.1']
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+    # change this to (see https://github.com/ruby/setup-ruby#versioning):
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake test

data/.gitignore

@@ -1,2 +1,4 @@
 certs
 .DS_Store
+Gemfile.lock
+pkg

data/CHANGELOG.md

@@ -0,0 +1,24 @@
+## 0.4.0, March 3, 2022
+
+  * client: correct MIC & signature verification when processing MDN response [#7](https://github.com/andjosh/as2/pull/7)
+    * also improves detection of successful & unsuccessful transmissions.
+  * client can transmit content which is not in a local file [#5](https://github.com/andjosh/as2/pull/5)
+    * also enables `As2::Client` and `As2::Server` can be used without reference to
+      the `As2::Config` global configuration.
+    * This allows certificate selection to be determined at runtime, making certificate
+      expiration & changeover much easier to orchestrate.
+
+## 0.3.0, Dec 22, 2021
+
+  * fix MIC calculation. [#1](https://github.com/andjosh/as2/pull/1)
+  * allow loading of private key and certificates without local files. [#2](https://github.com/andjosh/as2/pull/2)
+  * fix signature verification. [#3](https://github.com/andjosh/as2/pull/3)
+
+### breaking changes
+
+  * removed `As2::Message#original_message`
+  * removed `As2::Server::HEADER_MAP`
+
+## prior to 0.3.0
+
+Initial work by [@andjosh](https://github.com/andjosh) and [@datanoise](https://github.com/datanoise).

data/Gemfile

@@ -2,3 +2,12 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in as2.gemspec
 gemspec
+
+# from https://github.com/rails/rails/pull/42308/files
+if RUBY_VERSION >= "3.1"
+  # net-smtp, net-imap and net-pop were removed from default gems in Ruby 3.1, but is used by the `mail` gem.
+  # So we need to add them as dependencies until `mail` is fixed: https://github.com/mikel/mail/pull/1439
+  gem "net-smtp", require: false
+  gem "net-imap", require: false
+  gem "net-pop", require: false
+end

data/README.md

@@ -4,6 +4,40 @@ This is a proof of concept implementation of AS2 protocol: http://www.ietf.org/r
 
 Tested with the mendelson AS2 implementation from http://as2.mendelson-e-c.com
 
+## Build Status
+
+[![Test Suite](https://github.com/andjosh/as2/actions/workflows/test.yml/badge.svg)](https://github.com/andjosh/as2/actions/workflows/test.yml)
+
+## Known Limitations
+
+These limitations may be removed over time as demand (and pull requests!) come
+along.
+
+  1. RFC defines a number of optional features that partners can pick and choose
+     amongst. We currently have hard-coded options for many of these. Our current
+     choices are likely the most common ones in use, but we do not offer all the
+     configuration options needed for a fully-compliant implementation. https://datatracker.ietf.org/doc/html/rfc4130#section-2.4.2
+     1. Encrypted or Unencrypted Data: We assume all messages are encrypted. An
+       error will result if partner sends us an unencrypted message.
+     2. Signed or Unsigned Data: We error if partner sends an unsigned message.
+       Partners can request unsigned MDNs, but we always send signed MDNs.
+     3. Optional Use of Receipt: We always send a receipt.
+     4. Use of Synchronous or Asynchronous Receipts: We do not support asynchronous
+       delivery of MDNs.
+     5. Security Formatting: We should be reasonably compliant here.
+     6. Hash Function, Message Digest Choices: We currently always use sha1. If a
+       partner asks for a different algorithm, we'll always use sha1 and partner
+       will see a MIC verification failure. AS2 RFC specifically prefers sha1 and
+       mentions md5. Mendelson AS2 server supports a number of other algorithms.
+       (sha256, sha512, etc)
+  2. Payload bodies (typically EDI files) can be binary or base64 encoded. We
+     error if the body is not base64-encoded.
+  3. Payload bodies can have a few different mime types. We expect only
+     `application/EDI-Consent`. We're unable to receive content that has any other
+     mime type. https://datatracker.ietf.org/doc/html/rfc1767#section-1
+  4. AS2 partners may agree to use separate certificates for data encryption and data signing.
+     We do not support separate certificates for these purposes.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/as2.gemspec

@@ -6,8 +6,8 @@ require 'as2/version'
 Gem::Specification.new do |spec|
   spec.name          = "as2"
   spec.version       = As2::VERSION
-  spec.authors       = ["OfficeLuv"]
-  spec.email         = ["development@officeluv.com"]
+  spec.authors       = ["OfficeLuv", "Alex Dean"]
+  spec.email         = ["development@officeluv.com", "github@mostlyalex.com"]
 
   spec.summary       = %q{Simple AS2 server and client implementation}
   spec.description   = %q{Simple AS2 server and client implementation. Follows the AS2 implementation from http://as2.mendelson-e-c.com}
@@ -30,8 +30,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mail"
   spec.add_dependency "rack"
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", ">= 1.10"
+  spec.add_development_dependency "rake", ">= 10.0"
   spec.add_development_dependency "thin"
   spec.add_development_dependency "minitest"
+  spec.add_development_dependency "minitest-focus"
+  spec.add_development_dependency "webmock"
+  spec.add_development_dependency "pry"
 end

data/lib/as2/client/result.rb

@@ -0,0 +1,40 @@
+module As2
+  class Client
+    class Result
+      attr_reader :response, :mic_matched, :mid_matched, :body, :disposition, :signature_verification_error, :exception, :outbound_message_id
+
+      def initialize(response:, mic_matched:, mid_matched:, body:, disposition:, signature_verification_error:, exception:, outbound_message_id:)
+        @response = response
+        @mic_matched = mic_matched
+        @mid_matched = mid_matched
+        @body = body
+        @disposition = disposition
+        @signature_verification_error = signature_verification_error
+        @exception = exception
+        @outbound_message_id = outbound_message_id
+      end
+
+      def signature_verified
+        self.signature_verification_error.nil?
+      end
+
+      # legacy name. accessor for backwards-compatibility.
+      def disp_code
+        self.disposition
+      end
+
+      def success
+        # 'processed' is good (though may include warnings.)
+        # 'processed/error' is not.
+        downcased_disposition = self.disposition.to_s.downcase
+
+        # TODO: we'll never have success if MDN is unsigned.
+        self.signature_verified &&
+        self.mic_matched &&
+        self.mid_matched &&
+        downcased_disposition.include?('processed') &&
+        !downcased_disposition.include?('processed/error')
+      end
+    end
+  end
+end

data/lib/as2/client.rb

@@ -2,96 +2,135 @@ require 'net/http'
 
 module As2
   class Client
-    def initialize(partner_name)
-      @partner = Config.partners[partner_name]
-      unless @partner
-        raise "Partner #{partner_name} is not registered"
+    attr_reader :partner, :server_info
+
+    # @param [As2::Config::Partner,String] partner The partner to send a message to.
+    #   If a string is given, it should be a partner name which has been registered
+    #   via a call to #add_partner.
+    # @param [As2::Config::ServerInfo,nil] server_info The server info used to identify
+    #   this client to the partner. If omitted, the main As2::Config.server_info will be used.
+    def initialize(partner, server_info: nil)
+      if partner.is_a?(As2::Config::Partner)
+        @partner = partner
+      else
+        @partner = Config.partners[partner]
+        unless @partner
+          raise "Partner #{partner} is not registered"
+        end
       end
-      @info = Config.server_info
+
+      @server_info = server_info || Config.server_info
     end
 
-    Result = Struct.new :success, :response, :mic_matched, :mid_matched, :body, :disp_code
-
-    def send_file(file_name)
-      http = Net::HTTP.new(@partner.url.host, @partner.url.port)
-      http.use_ssl = @partner.url.scheme == 'https'
-      # http.set_debug_output $stderr
-      http.start do
-        req = Net::HTTP::Post.new @partner.url.path
-        req['AS2-Version'] = '1.2'
-        req['AS2-From'] = @info.name
-        req['AS2-To'] = @partner.name
-        req['Subject'] = 'AS2 EDI Transaction'
-        req['Content-Type'] = 'application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m'
-        req['Disposition-Notification-To'] = @info.url.to_s
-        req['Disposition-Notification-Options'] = 'signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1'
-        req['Content-Disposition'] = 'attachment; filename="smime.p7m"'
-        req['Recipient-Address'] = @info.url.to_s
-        req['Content-Transfer-Encoding'] = 'base64'
-        req['Message-ID'] = "<#{@info.name}-#{Time.now.strftime('%Y%m%d%H%M%S')}@#{@info.url.host}>"
-
-        body = StringIO.new
-        body.puts "Content-Type: application/EDI-Consent"
-        body.puts "Content-Transfer-Encoding: base64"
-        body.puts "Content-Disposition: attachment; filename=#{file_name}"
-        body.puts
-        body.puts [File.read(file_name)].pack("m*")
-
-        mic = OpenSSL::Digest::SHA1.base64digest(body.string.gsub(/\n/, "\r\n"))
-
-        pkcs7 = OpenSSL::PKCS7.sign @info.certificate, @info.pkey, body.string
-        pkcs7.detached = true
-        smime_signed = OpenSSL::PKCS7.write_smime pkcs7, body.string
-        pkcs7 = OpenSSL::PKCS7.encrypt [@partner.certificate], smime_signed
-        smime_encrypted = OpenSSL::PKCS7.write_smime pkcs7
-
-        req.body = smime_encrypted.sub(/^.+?\n\n/m, '')
-
-        resp = http.request(req)
-
-        success = resp.code == '200'
-        mic_matched = false
-        mid_matched = false
-        disp_code = nil
-        body = nil
-        if success
-          body = resp.body
-
-          smime = OpenSSL::PKCS7.read_smime "Content-Type: #{resp['Content-Type']}\r\n#{body}"
-          smime.verify [@partner.certificate], Config.store
+    # Send a file to a partner
+    #
+    #   * If the content parameter is omitted, then `file_name` must be a path
+    #     to a local file, whose contents will be sent to the partner.
+    #   * If content parameter is specified, file_name is only used to tell the
+    #     partner the original name of the file.
+    #
+    # @param [String] file_name
+    # @param [String] content
+    # @return [As2::Client::Result]
+    def send_file(file_name, content: nil)
+      outbound_message_id = As2.generate_message_id(@server_info)
+
+      req = Net::HTTP::Post.new @partner.url.path
+      req['AS2-Version'] = '1.2'
+      req['AS2-From'] = @server_info.name
+      req['AS2-To'] = @partner.name
+      req['Subject'] = 'AS2 EDI Transaction'
+      req['Content-Type'] = 'application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m'
+      req['Disposition-Notification-To'] = @server_info.url.to_s
+      req['Disposition-Notification-Options'] = 'signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1'
+      req['Content-Disposition'] = 'attachment; filename="smime.p7m"'
+      req['Recipient-Address'] = @server_info.url.to_s
+      req['Content-Transfer-Encoding'] = 'base64'
+      req['Message-ID'] = outbound_message_id
+
+      document_content = content || File.read(file_name)
+
+      document_payload =  "Content-Type: application/EDI-Consent\r\n"
+      document_payload << "Content-Transfer-Encoding: base64\r\n"
+      document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
+      document_payload << "\r\n"
+      document_payload << Base64.strict_encode64(document_content)
+
+      signature = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, document_payload
+      signature.detached = true
+      container = OpenSSL::PKCS7.write_smime signature, document_payload
+      encrypted = OpenSSL::PKCS7.encrypt [@partner.certificate], container
+      smime_encrypted = OpenSSL::PKCS7.write_smime encrypted
+
+      req.body = smime_encrypted.sub(/^.+?\n\n/m, '')
+
+      resp = nil
+      signature_verification_error = :not_checked
+      exception = nil
+      mic_matched = nil
+      mid_matched = nil
+      disposition = nil
+      plain_text_body = nil
+
+      begin
+        http = Net::HTTP.new(@partner.url.host, @partner.url.port)
+        http.use_ssl = @partner.url.scheme == 'https'
+        # http.set_debug_output $stderr
+        http.start do
+          resp = http.request(req)
+        end
+
+        if resp.code == '200'
+          response_content = "Content-Type: #{resp['Content-Type']}\r\n#{resp.body}"
+          smime = OpenSSL::PKCS7.read_smime response_content
+          # based on As2::Message version
+          # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
+          smime.verify [@partner.certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
+          signature_verification_error = smime.error_string
 
           mail = Mail.new smime.data
           mail.parts.each do |part|
             case part.content_type
             when 'text/plain'
-              body = part.body
+              plain_text_body = part.body
             when 'message/disposition-notification'
+              # "The rules for constructing the AS2-disposition-notification content..."
+              # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.3
+
               options = {}
+              # TODO: can we use Mail built-ins for this?
               part.body.to_s.lines.each do |line|
                 if line =~ /^([^:]+): (.+)$/
                   options[$1] = $2
                 end
               end
 
-              if req['Message-ID'] == options['Original-Message-ID']
-                mid_matched = true
-              else
-                success = false
-              end
-
-              if options['Received-Content-MIC'].start_with?(mic)
-                mic_matched = true
-              else
-                success = false
-              end
+              disposition = options['Disposition']
+              mid_matched = req['Message-ID'] == options['Original-Message-ID']
 
-              disp_code = options['Disposition']
-              success = disp_code.end_with?('processed')
+              # do mic calc using the algorithm specified by server.
+              # (even if we specify sha1, server may send back MIC using a different algo.)
+              received_mic, micalg = options['Received-Content-MIC'].split(',').map(&:strip)
+              micalg ||= 'sha1'
+              mic = As2::DigestSelector.for_code(micalg).base64digest(document_payload)
+              mic_matched = received_mic == mic
             end
           end
         end
-        Result.new success, resp, mic_matched, mid_matched, body, disp_code
+      rescue => e
+        exception = e
       end
+
+      Result.new(
+        response: resp,
+        mic_matched: mic_matched,
+        mid_matched: mid_matched,
+        body: plain_text_body,
+        disposition: disposition,
+        signature_verification_error: signature_verification_error,
+        exception: exception,
+        outbound_message_id: outbound_message_id
+      )
     end
   end
 end

data/lib/as2/config.rb

@@ -1,6 +1,17 @@
 require 'uri'
 module As2
   module Config
+    def self.build_certificate(input)
+      if input.kind_of? OpenSSL::X509::Certificate
+        input
+      elsif input.kind_of? String
+        OpenSSL::X509::Certificate.new File.read(input)
+      else
+        raise ArgumentError, "Invalid certificate. Provide a string (file path)" \
+          " or an OpenSSL::X509::Certificate instance. Got a #{input.class} instead."
+      end
+    end
+
     class Partner < Struct.new :name, :url, :certificate
       def url=(url)
         if url.kind_of? String
@@ -11,7 +22,7 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
     end
 
@@ -25,11 +36,20 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
 
-      def pkey=(pkey)
-        self['pkey'] = OpenSSL::PKey.read File.read(pkey)
+      def pkey=(input)
+        # looks like even though you OpenSSL::PKey.new, you still end up with
+        # an instance which is an OpenSSL::PKey::PKey.
+        if input.kind_of? OpenSSL::PKey::PKey
+          self['pkey'] = input
+        elsif input.kind_of? String
+          self['pkey'] = OpenSSL::PKey.read File.read(input)
+        else
+          raise ArgumentError, "Invalid private key. Provide a string (file path)" \
+            " or an OpenSSL::PKey instance. Got a #{input.class} instead."
+        end
       end
 
       def add_partner
@@ -77,6 +97,11 @@ module As2
       def store
         @store ||= OpenSSL::X509::Store.new
       end
+
+      def reset!
+        @partners = {}
+        @store = OpenSSL::X509::Store.new
+      end
     end
   end
 end

data/lib/as2/digest_selector.rb

@@ -0,0 +1,23 @@
+require 'openssl'
+
+module As2
+  class DigestSelector
+    @map = {
+      'sha1' => OpenSSL::Digest::SHA1,
+      'sha256' => OpenSSL::Digest::SHA256,
+      'sha384' => OpenSSL::Digest::SHA384,
+      'sha512' => OpenSSL::Digest::SHA512,
+      'md5' => OpenSSL::Digest::MD5
+    }
+
+    def self.valid_codes
+      @map.keys
+    end
+
+    def self.for_code(code)
+      normalized = code.strip.downcase.gsub(/[^a-z0-9]/, '')
+
+      @map[normalized] || OpenSSL::Digest::SHA1
+    end
+  end
+end

data/lib/as2/message.rb

@@ -1,49 +1,102 @@
-require 'as2/base64_helper'
-
 module As2
   class Message
-    attr_reader :original_message
+    attr_reader :verification_error
 
     def initialize(message, private_key, public_certificate)
-      @original_message = message
+      # TODO: might need to use OpenSSL::PKCS7.read_smime rather than .new sometimes
+      @pkcs7 = OpenSSL::PKCS7.new(message)
       @private_key = private_key
       @public_certificate = public_certificate
+      @verification_error = nil
     end
 
     def decrypted_message
-      @decrypted_message ||= decrypt_smime(original_message)
+      @decrypted_message ||= @pkcs7.decrypt @private_key, @public_certificate
     end
 
     def valid_signature?(partner_certificate)
-      store = OpenSSL::X509::Store.new
-      store.add_cert(partner_certificate)
+      content_type = mail.header_fields.find { |h| h.name == 'Content-Type' }.content_type
+      if content_type == "multipart/signed"
+        # for a "multipart/signed" message, we will do 'detatched' signature
+        # verification, where we supply the data to be verified as the 3rd parameter
+        # to OpenSSL::PKCS7#verify. this is in keeping with how this content type
+        # is described in the S/MIME RFC.
+        #
+        # > The multipart/signed MIME type has two parts.  The first part contains
+        # > the MIME entity that is signed; the second part contains the "detached signature"
+        # > CMS SignedData object in which the encapContentInfo eContent field is absent.
+        #
+        # https://datatracker.ietf.org/doc/html/rfc3851#section-3.4.3.1
+
+        # TODO: more robust detection of content vs signature (if they're ever out of order).
+        content = mail.parts[0].raw_source
+        # remove any leading \r\n characters (between headers & body i think).
+        content = content.gsub(/\A\s+/, '')
+
+        signature = OpenSSL::PKCS7.new(mail.parts[1].body.to_s)
+
+        # using an empty CA store. see notes on NOVERIFY flag below.
+        store = OpenSSL::X509::Store.new
 
-      smime = Base64Helper.ensure_body_base64(decrypted_message)
-      message = read_smime(smime)
-      message.verify [partner_certificate], store
+        # notes on verification proces and flags used
+        #
+        # ## NOINTERN
+        #
+        # > If PKCS7_NOINTERN is set the certificates in the message itself are
+        # > not searched when locating the signer's certificate. This means that
+        # > all the signers certificates must be in the certs parameter.
+        #
+        # > One application of PKCS7_NOINTERN is to only accept messages signed
+        # > by a small number of certificates. The acceptable certificates would
+        # > be passed in the certs parameter. In this case if the signer is not
+        # > one of the certificates supplied in certs then the verify will fail
+        # > because the signer cannot be found.
+        #
+        # https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
+        #
+        # we want this so we can be sure that the `partner_certificate` we supply
+        # was actually used to sign the message. otherwise we could get a positive
+        # verification even if `partner_certificate` didn't sign the message
+        # we're checking.
+        #
+        # ## NOVERIFY
+        #
+        # > If PKCS7_NOVERIFY is set the signer's certificates are not chain verified.
+        #
+        # ie: we won't attempt to connect signer (in the first param) to a root
+        # CA (in `store`, which is empty). alternately, we could instead remove
+        # this flag, and add `partner_certificate` to `store`. but what's the point?
+        # we'd only be verifying that `partner_certificate` is connected to `partner_certificate`.
+        output = signature.verify([partner_certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
+
+        # when `signature.verify` fails, signature.error_string will be populated.
+        @verification_error = signature.error_string
+
+        output
+      else
+        # TODO: how to log this?
+        false
+      end
+    end
+
+    def mic
+      # TODO: could use As2::DigestSelector if a different algo is needed.
+      OpenSSL::Digest::SHA1.base64digest(attachment.raw_source.strip)
     end
 
     # Return the attached file, use .filename and .body on the return value
     def attachment
       if mail.has_attachments?
-        mail.attachments.find{|a| a.content_type == "application/edi-consent"}
+        mail.parts.find{|a| a.content_type == "application/edi-consent"}
       else
         mail
       end
     end
 
     private
+
     def mail
       @mail ||= Mail.new(decrypted_message)
     end
-
-    def read_smime(smime)
-      OpenSSL::PKCS7.read_smime(smime)
-    end
-
-    def decrypt_smime(smime)
-      message = read_smime(smime)
-      message.decrypt @private_key, @public_certificate
-    end
   end
 end

data/lib/as2/mime_generator.rb

@@ -5,6 +5,7 @@ module As2
         @parts = []
         @body = ""
         @headers = {}
+        @id = nil
       end
 
       def [](name)

data/lib/as2/server.rb

@@ -2,50 +2,51 @@ require 'rack'
 require 'logger'
 require 'stringio'
 require 'as2/mime_generator'
-require 'as2/base64_helper'
 require 'as2/message'
 
 module As2
   class Server
-    HEADER_MAP = {
-      'To' => 'HTTP_AS2_TO',
-      'From' => 'HTTP_AS2_FROM',
-      'Subject' => 'HTTP_SUBJECT',
-      'MIME-Version' => 'HTTP_MIME_VERSION',
-      'Content-Disposition' => 'HTTP_CONTENT_DISPOSITION',
-      'Content-Type' => 'CONTENT_TYPE',
-    }
-
     attr_accessor :logger
 
-    def initialize(options = {}, &block)
+    # @param [As2::Config::ServerInfo] server_info Config used for naming of this
+    #   server and key/certificate selection. If omitted, the main As2::Config.server_info is used.
+    # @param [As2::Config::Partner] partner Which partner to receive messages from.
+    #   If omitted, the partner is determined by incoming HTTP headers.
+    # @param [Proc] on_signature_failure A proc which will be called if signature verification fails.
+    # @param [Proc] block A proc which will be called with file_name and file content.
+    def initialize(server_info: nil, partner: nil, on_signature_failure: nil, &block)
       @block = block
-      @info = Config.server_info
-      @options = options
+      @server_info = server_info || Config.server_info
+      @partner = partner
+      @signature_failure_handler = on_signature_failure
     end
 
     def call(env)
-      if env['HTTP_AS2_TO'] != @info.name
+      if env['HTTP_AS2_TO'] != @server_info.name
         return send_error(env, "Invalid destination name #{env['HTTP_AS2_TO']}")
       end
 
-      partner = Config.partners[env['HTTP_AS2_FROM']]
-      unless partner
+      partner = @partner || Config.partners[env['HTTP_AS2_FROM']]
+
+      if !partner || env['HTTP_AS2_FROM'] != partner.name
         return send_error(env, "Invalid partner name #{env['HTTP_AS2_FROM']}")
       end
 
-      smime_string = build_smime_text(env)
-      message = Message.new(smime_string, @info.pkey, @info.certificate)
+      request = Rack::Request.new(env)
+      message = Message.new(request.body.read, @server_info.pkey, @server_info.certificate)
+
       unless message.valid_signature?(partner.certificate)
-        if @options[:on_signature_failure]
-          @options[:on_signature_failure].call({env: env, smime_string: smime_string})
+        if @signature_failure_handler
+          @signature_failure_handler.call({
+            env: env,
+            smime_string: message.decrypted_message,
+            verification_error: message.verification_error
+          })
         else
           raise "Could not verify signature"
         end
       end
 
-      mic = OpenSSL::Digest::SHA1.base64digest(message.decrypted_message)
-
       if @block
         begin
           @block.call message.attachment.filename, message.attachment.body
@@ -54,32 +55,7 @@ module As2
         end
       end
 
-      send_mdn(env, mic)
-    end
-
-    private
-    def build_smime_text(env)
-      request = Rack::Request.new(env)
-      smime_data = StringIO.new
-
-      HEADER_MAP.each do |name, value|
-        smime_data.puts "#{name}: #{env[value]}"
-      end
-
-      smime_data.puts 'Content-Transfer-Encoding: base64'
-      smime_data.puts
-      smime_data.puts Base64Helper.ensure_base64(request.body.read)
-
-      return smime_data.string
-    end
-
-    def logger(env)
-      @logger ||= Logger.new env['rack.errors']
-    end
-
-    def send_error(env, msg)
-      logger(env).error msg
-      send_mdn env, nil, msg
+      send_mdn(env, message.mic)
     end
 
     def send_mdn(env, mic, failed = nil)
@@ -98,9 +74,9 @@ module As2
       notification['Content-Transfer-Encoding'] = '7bit'
 
       options = {
-        'Reporting-UA' => @info.name,
-        'Original-Recipient' => "rfc822; #{@info.name}",
-        'Final-Recipient' => "rfc822; #{@info.name}",
+        'Reporting-UA' => @server_info.name,
+        'Original-Recipient' => "rfc822; #{@server_info.name}",
+        'Final-Recipient' => "rfc822; #{@server_info.name}",
         'Original-Message-ID' => env['HTTP_MESSAGE_ID']
       }
       if failed
@@ -117,7 +93,7 @@ module As2
 
       report.write msg_out
 
-      pkcs7 = OpenSSL::PKCS7.sign @info.certificate, @info.pkey, msg_out.string
+      pkcs7 = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, msg_out.string
       pkcs7.detached = true
       smime_signed = OpenSSL::PKCS7.write_smime pkcs7, msg_out.string
 
@@ -127,13 +103,24 @@ module As2
       headers = {}
       headers['Content-Type'] = content_type
       headers['MIME-Version'] = '1.0'
-      headers['Message-ID'] = "<#{@info.name}-#{Time.now.strftime('%Y%m%d%H%M%S')}@#{@info.domain}>"
-      headers['AS2-From'] = @info.name
+      headers['Message-ID'] = As2.generate_message_id(@server_info)
+      headers['AS2-From'] = @server_info.name
       headers['AS2-To'] = env['HTTP_AS2_FROM']
       headers['AS2-Version'] = '1.2'
       headers['Connection'] = 'close'
 
       [200, headers, ["\r\n" + smime_signed]]
     end
+
+    private
+
+    def logger(env)
+      @logger ||= Logger.new env['rack.errors']
+    end
+
+    def send_error(env, msg)
+      logger(env).error msg
+      send_mdn env, nil, msg
+    end
   end
 end

data/lib/as2/version.rb

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.2.4"
+  VERSION = "0.4.0"
 end

data/lib/as2.rb

@@ -1,12 +1,23 @@
 require 'openssl'
 require 'mail'
+require 'securerandom'
 require 'as2/config'
 require 'as2/server'
 require 'as2/client'
+require 'as2/client/result'
+require 'as2/digest_selector'
 require "as2/version"
 
 module As2
   def self.configure(&block)
     Config.configure(&block)
   end
+
+  def self.reset_config!
+    Config.reset!
+  end
+
+  def self.generate_message_id(server_info)
+    "<#{server_info.name}-#{Time.now.strftime('%Y%m%d-%H%M%S')}-#{SecureRandom.uuid}@#{server_info.domain}>"
+  end
 end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.4.0
 platform: ruby
 authors:
 - OfficeLuv
-autorequire: 
+- Alex Dean
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-03-12 00:00:00.000000000 Z
+date: 2022-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail
@@ -42,28 +43,28 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
@@ -94,17 +95,61 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-focus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Simple AS2 server and client implementation. Follows the AS2 implementation
   from http://as2.mendelson-e-c.com
 email:
 - development@officeluv.com
+- github@mostlyalex.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/test.yml"
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -116,7 +161,9 @@ files:
 - lib/as2.rb
 - lib/as2/base64_helper.rb
 - lib/as2/client.rb
+- lib/as2/client/result.rb
 - lib/as2/config.rb
+- lib/as2/digest_selector.rb
 - lib/as2/message.rb
 - lib/as2/mime_generator.rb
 - lib/as2/server.rb
@@ -126,7 +173,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org/
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -141,9 +188,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Simple AS2 server and client implementation
 test_files: []

data/Gemfile.lock

@@ -1,35 +0,0 @@
-PATH
-  remote: .
-  specs:
-    as2 (0.2.4)
-      mail
-      rack
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    daemons (1.2.3)
-    eventmachine (1.0.8)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
-    mime-types (2.6.2)
-    minitest (5.8.1)
-    rack (1.6.4)
-    rake (10.4.2)
-    thin (1.6.4)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (~> 1.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  as2!
-  bundler (~> 1.10)
-  minitest
-  rake (~> 10.0)
-  thin
-
-BUNDLED WITH
-   1.10.6