as2 0.2.5 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a3998531af86ec28183bebe5adaa77a0cba1b66f43d9b2270b53470b34f5d76
-  data.tar.gz: '079dfb30bfb10cb2a22d33502c155dda1d6c7069a87436b9a62e58d1521d2fa6'
+  metadata.gz: 40b3957adcdaa34f7df9fe0ee83966f7076e80bc9dc9c02b8f27a4fb22395fda
+  data.tar.gz: 1d8002959f6b4afa70c94fd363c9d97c15b2f20a82ee96b1bc39ebba8a55972e
 SHA512:
-  metadata.gz: f968aeb0ab8f1836bbcad82eec78c8a13f5507edef264df0cc397b767524628ef5936f64fa6b84cb8bffec1c4eae492336c9f64c24376d6fc42a17911ece450c
-  data.tar.gz: e05c3239d2a17c7f5c236544d184fdb038c80d4917c11187b54b77091fc17efc9e9048428384976c2c45a28f955d6ba321f63c576b98220e647ac8b16dc3a860
+  metadata.gz: bb04b23ab84f14e131e74e3a213e71ae5f3009f805af08b7cc1c88dc3798745639e4cffea1a85811df51a522776797f236da98c82ab84863dd5891c0b37fc243
+  data.tar.gz: a71c9ea6c4c82637103ae1353e5b54cee88ad4f52b388883b0b409c24722247bbd0ead903ca5ef00ba1df41403ab11f1d6b4b03f9d03f58af39ccb399848adf0

data/.github/workflows/test.yml

@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: test suite
+
+on:
+  push:
+    branches: '**'
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['2.5', '2.6', '2.7', '3.0', '3.1']
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+    # change this to (see https://github.com/ruby/setup-ruby#versioning):
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install dependencies
+      run: bundle install
+    - name: Run tests
+      run: bundle exec rake test

data/.gitignore

@@ -1,2 +1,4 @@
 certs
 .DS_Store
+Gemfile.lock
+pkg

data/CHANGELOG.md

@@ -0,0 +1,30 @@
+## 0.5.0, March 21, 2022
+
+  * improvements to `As2::Client`. improve compatibility with non-Mendelson AS2 servers. [#8](https://github.com/andjosh/as2/pull/8)
+  * improve MDN generation, especially when an error occurs. [#9](https://github.com/andjosh/as2/pull/9)
+  * successfully parse unsigned MDNs. [#10](https://github.com/andjosh/as2/pull/10)
+
+## 0.4.0, March 3, 2022
+
+  * client: correct MIC & signature verification when processing MDN response [#7](https://github.com/andjosh/as2/pull/7)
+    * also improves detection of successful & unsuccessful transmissions.
+  * client can transmit content which is not in a local file [#5](https://github.com/andjosh/as2/pull/5)
+    * also enables `As2::Client` and `As2::Server` can be used without reference to
+      the `As2::Config` global configuration.
+    * This allows certificate selection to be determined at runtime, making certificate
+      expiration & changeover much easier to orchestrate.
+
+## 0.3.0, Dec 22, 2021
+
+  * fix MIC calculation. [#1](https://github.com/andjosh/as2/pull/1)
+  * allow loading of private key and certificates without local files. [#2](https://github.com/andjosh/as2/pull/2)
+  * fix signature verification. [#3](https://github.com/andjosh/as2/pull/3)
+
+### breaking changes
+
+  * removed `As2::Message#original_message`
+  * removed `As2::Server::HEADER_MAP`
+
+## prior to 0.3.0
+
+Initial work by [@andjosh](https://github.com/andjosh) and [@datanoise](https://github.com/datanoise).

data/Gemfile

@@ -2,3 +2,12 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in as2.gemspec
 gemspec
+
+# from https://github.com/rails/rails/pull/42308/files
+if RUBY_VERSION >= "3.1"
+  # net-smtp, net-imap and net-pop were removed from default gems in Ruby 3.1, but is used by the `mail` gem.
+  # So we need to add them as dependencies until `mail` is fixed: https://github.com/mikel/mail/pull/1439
+  gem "net-smtp", require: false
+  gem "net-imap", require: false
+  gem "net-pop", require: false
+end

data/README.md

@@ -4,6 +4,40 @@ This is a proof of concept implementation of AS2 protocol: http://www.ietf.org/r
 
 Tested with the mendelson AS2 implementation from http://as2.mendelson-e-c.com
 
+## Build Status
+
+[![Test Suite](https://github.com/andjosh/as2/actions/workflows/test.yml/badge.svg)](https://github.com/andjosh/as2/actions/workflows/test.yml)
+
+## Known Limitations
+
+These limitations may be removed over time as demand (and pull requests!) come
+along.
+
+  1. RFC defines a number of optional features that partners can pick and choose
+     amongst. We currently have hard-coded options for many of these. Our current
+     choices are likely the most common ones in use, but we do not offer all the
+     configuration options needed for a fully-compliant implementation. https://datatracker.ietf.org/doc/html/rfc4130#section-2.4.2
+     1. Encrypted or Unencrypted Data: We assume all messages are encrypted. An
+       error will result if partner sends us an unencrypted message.
+     2. Signed or Unsigned Data: We error if partner sends an unsigned message.
+       Partners can request unsigned MDNs, but we always send signed MDNs.
+     3. Optional Use of Receipt: We always send a receipt.
+     4. Use of Synchronous or Asynchronous Receipts: We do not support asynchronous
+       delivery of MDNs.
+     5. Security Formatting: We should be reasonably compliant here.
+     6. Hash Function, Message Digest Choices: We currently always use sha256. If a
+       partner asks for a different algorithm, we'll always use sha256 and partner
+       will see a MIC verification failure. AS2 RFC specifically prefers sha1 and
+       mentions md5. Mendelson AS2 server supports a number of other algorithms.
+       (sha256, sha512, etc)
+  2. Payload bodies (typically EDI files) can be binary or base64 encoded. We
+     error if the body is not base64-encoded.
+  3. Payload bodies can have a few different mime types. We expect only
+     `application/EDI-Consent`. We're unable to receive content that has any other
+     mime type. https://datatracker.ietf.org/doc/html/rfc1767#section-1
+  4. AS2 partners may agree to use separate certificates for data encryption and data signing.
+     We do not support separate certificates for these purposes.
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/as2.gemspec

@@ -6,12 +6,12 @@ require 'as2/version'
 Gem::Specification.new do |spec|
   spec.name          = "as2"
   spec.version       = As2::VERSION
-  spec.authors       = ["OfficeLuv"]
-  spec.email         = ["development@officeluv.com"]
+  spec.authors       = ["OfficeLuv", "Alex Dean"]
+  spec.email         = ["development@officeluv.com", "github@mostlyalex.com"]
 
   spec.summary       = %q{Simple AS2 server and client implementation}
   spec.description   = %q{Simple AS2 server and client implementation. Follows the AS2 implementation from http://as2.mendelson-e-c.com}
-  spec.homepage      = "https://github.com/officeluv/as2"
+  spec.homepage      = "https://github.com/andjosh/as2"
   spec.license       = "MIT"
 
   # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
@@ -30,8 +30,11 @@ Gem::Specification.new do |spec|
   spec.add_dependency "mail"
   spec.add_dependency "rack"
 
-  spec.add_development_dependency "bundler", "~> 1.10"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", ">= 1.10"
+  spec.add_development_dependency "rake", ">= 10.0"
   spec.add_development_dependency "thin"
   spec.add_development_dependency "minitest"
+  spec.add_development_dependency "minitest-focus"
+  spec.add_development_dependency "webmock"
+  spec.add_development_dependency "pry"
 end

data/lib/as2/client/result.rb

@@ -0,0 +1,40 @@
+module As2
+  class Client
+    class Result
+      attr_reader :response, :mic_matched, :mid_matched, :body, :disposition, :signature_verification_error, :exception, :outbound_message_id
+
+      def initialize(response:, mic_matched:, mid_matched:, body:, disposition:, signature_verification_error:, exception:, outbound_message_id:)
+        @response = response
+        @mic_matched = mic_matched
+        @mid_matched = mid_matched
+        @body = body
+        @disposition = disposition
+        @signature_verification_error = signature_verification_error
+        @exception = exception
+        @outbound_message_id = outbound_message_id
+      end
+
+      def signature_verified
+        self.signature_verification_error.nil?
+      end
+
+      # legacy name. accessor for backwards-compatibility.
+      def disp_code
+        self.disposition
+      end
+
+      def success
+        # 'processed' is good (though may include warnings.)
+        # 'processed/error' is not.
+        downcased_disposition = self.disposition.to_s.downcase
+
+        # TODO: we'll never have success if MDN is unsigned.
+        self.signature_verified &&
+        self.mic_matched &&
+        self.mid_matched &&
+        downcased_disposition.include?('processed') &&
+        !downcased_disposition.include?('processed/error')
+      end
+    end
+  end
+end

data/lib/as2/client.rb

@@ -2,96 +2,185 @@ require 'net/http'
 
 module As2
   class Client
-    def initialize(partner_name)
-      @partner = Config.partners[partner_name]
-      unless @partner
-        raise "Partner #{partner_name} is not registered"
+    attr_reader :partner, :server_info
+
+    # @param [As2::Config::Partner,String] partner The partner to send a message to.
+    #   If a string is given, it should be a partner name which has been registered
+    #   via a call to #add_partner.
+    # @param [As2::Config::ServerInfo,nil] server_info The server info used to identify
+    #   this client to the partner. If omitted, the main As2::Config.server_info will be used.
+    def initialize(partner, server_info: nil)
+      if partner.is_a?(As2::Config::Partner)
+        @partner = partner
+      else
+        @partner = Config.partners[partner]
+        unless @partner
+          raise "Partner #{partner} is not registered"
+        end
+      end
+
+      @server_info = server_info || Config.server_info
+    end
+
+    def as2_to
+      @partner.name
+    end
+
+    def as2_from
+      @server_info.name
+    end
+
+    # Send a file to a partner
+    #
+    #   * If the content parameter is omitted, then `file_name` must be a path
+    #     to a local file, whose contents will be sent to the partner.
+    #   * If content parameter is specified, file_name is only used to tell the
+    #     partner the original name of the file.
+    #
+    # @param [String] file_name
+    # @param [String] content
+    # @param [String] content_type This is the MIME Content-Type describing the `content` param,
+    #   and will be included in the SMIME payload. It is not the HTTP Content-Type.
+    # @return [As2::Client::Result]
+    def send_file(file_name, content: nil, content_type: 'application/EDI-Consent')
+      outbound_mic_algorithm = 'sha256'
+      outbound_message_id = As2.generate_message_id(@server_info)
+
+      req = Net::HTTP::Post.new @partner.url.path
+      req['AS2-Version'] = '1.0' # 1.1 includes compression support, which we dont implement.
+      req['AS2-From'] = as2_from
+      req['AS2-To'] = as2_to
+      req['Subject'] = 'AS2 Transaction'
+      req['Content-Type'] = 'application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m'
+      req['Date'] = Time.now.rfc2822
+      req['Disposition-Notification-To'] = @server_info.url.to_s
+      req['Disposition-Notification-Options'] = "signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, #{outbound_mic_algorithm}"
+      req['Content-Disposition'] = 'attachment; filename="smime.p7m"'
+      req['Recipient-Address'] = @partner.url.to_s
+      req['Message-ID'] = outbound_message_id
+
+      document_content = content || File.read(file_name)
+
+      document_payload =  "Content-Type: #{content_type}\r\n"
+      document_payload << "Content-Transfer-Encoding: base64\r\n"
+      document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
+      document_payload << "\r\n"
+      document_payload << Base64.strict_encode64(document_content)
+
+      signature = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, document_payload
+      signature.detached = true
+      container = OpenSSL::PKCS7.write_smime signature, document_payload
+      cipher = OpenSSL::Cipher::AES256.new(:CBC) # default, but we might have to make this configurable
+      encrypted = OpenSSL::PKCS7.encrypt [@partner.certificate], container, cipher
+
+      # > HTTP can handle binary data and so there is no need to use the
+      # > content transfer encodings of MIME
+      #
+      # https://datatracker.ietf.org/doc/html/rfc4130#section-5.2.1
+      req.body = encrypted.to_der
+
+      resp = nil
+      exception = nil
+      mdn_report = {}
+
+      begin
+        # note: to pass this traffic through a debugging proxy (like Charles)
+        # set ENV['http_proxy'].
+        http = Net::HTTP.new(@partner.url.host, @partner.url.port)
+        http.use_ssl = @partner.url.scheme == 'https'
+        # http.set_debug_output $stderr
+        # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
+        http.start do
+          resp = http.request(req)
+        end
+
+        if resp.code == '200'
+          mdn_report = evaluate_mdn(
+                         mdn_content_type: resp['Content-Type'],
+                         mdn_body: resp.body,
+                         original_message_id: req['Message-ID'],
+                         original_body: document_payload
+                       )
+        end
+      rescue => e
+        exception = e
       end
-      @info = Config.server_info
+
+      Result.new(
+        response: resp,
+        mic_matched: mdn_report[:mic_matched],
+        mid_matched: mdn_report[:mid_matched],
+        body: mdn_report[:plain_text_body],
+        disposition: mdn_report[:disposition],
+        signature_verification_error: mdn_report[:signature_verification_error],
+        exception: exception,
+        outbound_message_id: outbound_message_id
+      )
     end
 
-    Result = Struct.new :success, :response, :mic_matched, :mid_matched, :body, :disp_code
-
-    def send_file(file_name)
-      http = Net::HTTP.new(@partner.url.host, @partner.url.port)
-      http.use_ssl = @partner.url.scheme == 'https'
-      # http.set_debug_output $stderr
-      http.start do
-        req = Net::HTTP::Post.new @partner.url.path
-        req['AS2-Version'] = '1.2'
-        req['AS2-From'] = @info.name
-        req['AS2-To'] = @partner.name
-        req['Subject'] = 'AS2 EDI Transaction'
-        req['Content-Type'] = 'application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m'
-        req['Disposition-Notification-To'] = @info.url.to_s
-        req['Disposition-Notification-Options'] = 'signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1'
-        req['Content-Disposition'] = 'attachment; filename="smime.p7m"'
-        req['Recipient-Address'] = @info.url.to_s
-        req['Content-Transfer-Encoding'] = 'base64'
-        req['Message-ID'] = "<#{@info.name}-#{Time.now.strftime('%Y%m%d%H%M%S')}@#{@info.url.host}>"
-
-        body = StringIO.new
-        body.puts "Content-Type: application/EDI-Consent"
-        body.puts "Content-Transfer-Encoding: base64"
-        body.puts "Content-Disposition: attachment; filename=#{file_name}"
-        body.puts
-        body.puts [File.read(file_name)].pack("m*")
-
-        mic = OpenSSL::Digest::SHA1.base64digest(body.string.gsub(/\n/, "\r\n"))
-
-        pkcs7 = OpenSSL::PKCS7.sign @info.certificate, @info.pkey, body.string
-        pkcs7.detached = true
-        smime_signed = OpenSSL::PKCS7.write_smime pkcs7, body.string
-        pkcs7 = OpenSSL::PKCS7.encrypt [@partner.certificate], smime_signed
-        smime_encrypted = OpenSSL::PKCS7.write_smime pkcs7
-
-        req.body = smime_encrypted.sub(/^.+?\n\n/m, '')
-
-        resp = http.request(req)
-
-        success = resp.code == '200'
-        mic_matched = false
-        mid_matched = false
-        disp_code = nil
-        body = nil
-        if success
-          body = resp.body
-
-          smime = OpenSSL::PKCS7.read_smime "Content-Type: #{resp['Content-Type']}\r\n#{body}"
-          smime.verify [@partner.certificate], Config.store
-
-          mail = Mail.new smime.data
-          mail.parts.each do |part|
-            case part.content_type
-            when 'text/plain'
-              body = part.body
-            when 'message/disposition-notification'
-              options = {}
-              part.body.to_s.lines.each do |line|
-                if line =~ /^([^:]+): (.+)$/
-                  options[$1] = $2
-                end
-              end
-
-              if req['Message-ID'] == options['Original-Message-ID']
-                mid_matched = true
-              else
-                success = false
-              end
-
-              if options['Received-Content-MIC'].start_with?(mic)
-                mic_matched = true
-              else
-                success = false
-              end
-
-              disp_code = options['Disposition']
-              success = disp_code.end_with?('processed')
+    def evaluate_mdn(mdn_body:, mdn_content_type:, original_message_id:, original_body:)
+      report = {
+        signature_verification_error: :not_checked,
+        mic_matched: nil,
+        mid_matched: nil,
+        disposition: nil,
+        plain_text_body: nil
+      }
+
+      # MDN bodies we've seen so far don't include Content-Type, which causes `read_smime` to fail.
+      response_content = "Content-Type: #{mdn_content_type.to_s.strip}\r\n\r\n#{mdn_body}"
+
+      if mdn_content_type.start_with?('multipart/signed')
+        smime = OpenSSL::PKCS7.read_smime(response_content)
+
+        # create mail instance before #verify call.
+        # `smime.data` is emptied if verification fails, which means we wouldn't know disposition & other details.
+        mail = Mail.new(smime.data)
+
+        # based on As2::Message version
+        # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
+        smime.verify [@partner.certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
+        report[:signature_verification_error] = smime.error_string
+      else
+        # MDN may be unsigned if an error occurred, like if we sent an unrecognized As2-From header.
+        mail = Mail.new(response_content)
+      end
+
+      mail.parts.each do |part|
+        if part.content_type.start_with?('text/plain')
+          report[:plain_text_body] = part.body.to_s.strip
+        elsif part.content_type.start_with?('message/disposition-notification')
+          # "The rules for constructing the AS2-disposition-notification content..."
+          # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.3
+
+          options = {}
+          # TODO: can we use Mail built-ins for this?
+          part.body.to_s.lines.each do |line|
+            if line =~ /^([^:]+): (.+)$/
+              # downcase because we've seen both 'Disposition' and 'disposition'
+              options[$1.to_s.downcase] = $2
             end
           end
+
+          report[:disposition] = options['disposition']
+          report[:mid_matched] = original_message_id == options['original-message-id']
+
+          if options['received-content-mic']
+            # do mic calc using the algorithm specified by server.
+            # (even if we specify sha1, server may send back MIC using a different algo.)
+            received_mic, micalg = options['received-content-mic'].split(',').map(&:strip)
+
+            # if they don't specify, we'll use the algorithm we specified in the outbound transmission.
+            # but it's only a guess & may fail.
+            micalg ||= outbound_mic_algorithm
+
+            mic = As2::DigestSelector.for_code(micalg).base64digest(original_body)
+            report[:mic_matched] = received_mic == mic
+          end
         end
-        Result.new success, resp, mic_matched, mid_matched, body, disp_code
       end
+      report
     end
   end
 end

data/lib/as2/config.rb

@@ -1,6 +1,17 @@
 require 'uri'
 module As2
   module Config
+    def self.build_certificate(input)
+      if input.kind_of? OpenSSL::X509::Certificate
+        input
+      elsif input.kind_of? String
+        OpenSSL::X509::Certificate.new File.read(input)
+      else
+        raise ArgumentError, "Invalid certificate. Provide a string (file path)" \
+          " or an OpenSSL::X509::Certificate instance. Got a #{input.class} instead."
+      end
+    end
+
     class Partner < Struct.new :name, :url, :certificate
       def url=(url)
         if url.kind_of? String
@@ -11,7 +22,7 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
     end
 
@@ -25,11 +36,20 @@ module As2
       end
 
       def certificate=(certificate)
-        self['certificate'] = OpenSSL::X509::Certificate.new File.read(certificate)
+        self['certificate'] = As2::Config.build_certificate(certificate)
       end
 
-      def pkey=(pkey)
-        self['pkey'] = OpenSSL::PKey.read File.read(pkey)
+      def pkey=(input)
+        # looks like even though you OpenSSL::PKey.new, you still end up with
+        # an instance which is an OpenSSL::PKey::PKey.
+        if input.kind_of? OpenSSL::PKey::PKey
+          self['pkey'] = input
+        elsif input.kind_of? String
+          self['pkey'] = OpenSSL::PKey.read File.read(input)
+        else
+          raise ArgumentError, "Invalid private key. Provide a string (file path)" \
+            " or an OpenSSL::PKey instance. Got a #{input.class} instead."
+        end
       end
 
       def add_partner
@@ -67,12 +87,7 @@ module As2
         unless @server_info.domain
           raise 'Your domain name is required'
         end
-        begin
-          store.add_cert @server_info.certificate
-        rescue OpenSSL::X509::StoreError => err
-          # ignore duplicate certs
-          raise unless err.message == 'cert already in hash table'
-        end
+        store.add_cert @server_info.certificate
       end
 
       def partners
@@ -82,6 +97,11 @@ module As2
       def store
         @store ||= OpenSSL::X509::Store.new
       end
+
+      def reset!
+        @partners = {}
+        @store = OpenSSL::X509::Store.new
+      end
     end
   end
 end

data/lib/as2/digest_selector.rb

@@ -0,0 +1,24 @@
+require 'openssl'
+
+module As2
+  class DigestSelector
+    @map = {
+      'sha1' => OpenSSL::Digest::SHA1,
+      'sha256' => OpenSSL::Digest::SHA256,
+      'sha384' => OpenSSL::Digest::SHA384,
+      'sha512' => OpenSSL::Digest::SHA512,
+      'md5' => OpenSSL::Digest::MD5
+    }
+
+    def self.valid_codes
+      @map.keys
+    end
+
+    def self.for_code(code)
+      # we may receive 'sha256', 'sha-256', or 'SHA256'.
+      normalized = code.strip.downcase.gsub(/[^a-z0-9]/, '')
+
+      @map[normalized] || OpenSSL::Digest::SHA1
+    end
+  end
+end

data/lib/as2/message.rb

@@ -1,49 +1,108 @@
-require 'as2/base64_helper'
-
 module As2
   class Message
-    attr_reader :original_message
+    attr_reader :verification_error
 
     def initialize(message, private_key, public_certificate)
-      @original_message = message
+      # TODO: might need to use OpenSSL::PKCS7.read_smime rather than .new sometimes
+      @pkcs7 = OpenSSL::PKCS7.new(message)
       @private_key = private_key
       @public_certificate = public_certificate
+      @verification_error = nil
     end
 
     def decrypted_message
-      @decrypted_message ||= decrypt_smime(original_message)
+      @decrypted_message ||= @pkcs7.decrypt @private_key, @public_certificate
     end
 
     def valid_signature?(partner_certificate)
-      store = OpenSSL::X509::Store.new
-      store.add_cert(partner_certificate)
+      content_type = mail.header_fields.find { |h| h.name == 'Content-Type' }.content_type
+      if content_type == "multipart/signed"
+        # for a "multipart/signed" message, we will do 'detatched' signature
+        # verification, where we supply the data to be verified as the 3rd parameter
+        # to OpenSSL::PKCS7#verify. this is in keeping with how this content type
+        # is described in the S/MIME RFC.
+        #
+        # > The multipart/signed MIME type has two parts.  The first part contains
+        # > the MIME entity that is signed; the second part contains the "detached signature"
+        # > CMS SignedData object in which the encapContentInfo eContent field is absent.
+        #
+        # https://datatracker.ietf.org/doc/html/rfc3851#section-3.4.3.1
+
+        # TODO: more robust detection of content vs signature (if they're ever out of order).
+        content = mail.parts[0].raw_source
+        # remove any leading \r\n characters (between headers & body i think).
+        content = content.gsub(/\A\s+/, '')
+
+        signature = OpenSSL::PKCS7.new(mail.parts[1].body.to_s)
+
+        # using an empty CA store. see notes on NOVERIFY flag below.
+        store = OpenSSL::X509::Store.new
+
+        # notes on verification proces and flags used
+        #
+        # ## NOINTERN
+        #
+        # > If PKCS7_NOINTERN is set the certificates in the message itself are
+        # > not searched when locating the signer's certificate. This means that
+        # > all the signers certificates must be in the certs parameter.
+        #
+        # > One application of PKCS7_NOINTERN is to only accept messages signed
+        # > by a small number of certificates. The acceptable certificates would
+        # > be passed in the certs parameter. In this case if the signer is not
+        # > one of the certificates supplied in certs then the verify will fail
+        # > because the signer cannot be found.
+        #
+        # https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html
+        #
+        # we want this so we can be sure that the `partner_certificate` we supply
+        # was actually used to sign the message. otherwise we could get a positive
+        # verification even if `partner_certificate` didn't sign the message
+        # we're checking.
+        #
+        # ## NOVERIFY
+        #
+        # > If PKCS7_NOVERIFY is set the signer's certificates are not chain verified.
+        #
+        # ie: we won't attempt to connect signer (in the first param) to a root
+        # CA (in `store`, which is empty). alternately, we could instead remove
+        # this flag, and add `partner_certificate` to `store`. but what's the point?
+        # we'd only be verifying that `partner_certificate` is connected to `partner_certificate`.
+        output = signature.verify([partner_certificate], store, content, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN)
 
-      smime = Base64Helper.ensure_body_base64(decrypted_message)
-      message = read_smime(smime)
-      message.verify [partner_certificate], store
+        # when `signature.verify` fails, signature.error_string will be populated.
+        @verification_error = signature.error_string
+
+        output
+      else
+        # TODO: how to log this?
+        false
+      end
+    end
+
+    def mic
+      digest = As2::DigestSelector.for_code(mic_algorithm)
+      digest.base64digest(attachment.raw_source.strip)
+    end
+
+    def mic_algorithm
+      'sha256'
     end
 
     # Return the attached file, use .filename and .body on the return value
     def attachment
       if mail.has_attachments?
-        mail.attachments.find{|a| a.content_type == "application/edi-consent"}
+        # TODO: match 'application/edi*', test with 'application/edi-x12'
+        # test also with "application/edi-consent; name=this_is_a_filename.txt"
+        mail.parts.find{ |a| a.content_type.match(/^application\/edi/) }
       else
         mail
       end
     end
 
     private
+
     def mail
       @mail ||= Mail.new(decrypted_message)
     end
-
-    def read_smime(smime)
-      OpenSSL::PKCS7.read_smime(smime)
-    end
-
-    def decrypt_smime(smime)
-      message = read_smime(smime)
-      message.decrypt @private_key, @public_certificate
-    end
   end
 end

data/lib/as2/mime_generator.rb

@@ -5,6 +5,7 @@ module As2
         @parts = []
         @body = ""
         @headers = {}
+        @id = nil
       end
 
       def [](name)

data/lib/as2/server.rb

@@ -2,50 +2,51 @@ require 'rack'
 require 'logger'
 require 'stringio'
 require 'as2/mime_generator'
-require 'as2/base64_helper'
 require 'as2/message'
 
 module As2
   class Server
-    HEADER_MAP = {
-      'To' => 'HTTP_AS2_TO',
-      'From' => 'HTTP_AS2_FROM',
-      'Subject' => 'HTTP_SUBJECT',
-      'MIME-Version' => 'HTTP_MIME_VERSION',
-      'Content-Disposition' => 'HTTP_CONTENT_DISPOSITION',
-      'Content-Type' => 'CONTENT_TYPE',
-    }
-
     attr_accessor :logger
 
-    def initialize(options = {}, &block)
+    # @param [As2::Config::ServerInfo] server_info Config used for naming of this
+    #   server and key/certificate selection. If omitted, the main As2::Config.server_info is used.
+    # @param [As2::Config::Partner] partner Which partner to receive messages from.
+    #   If omitted, the partner is determined by incoming HTTP headers.
+    # @param [Proc] on_signature_failure A proc which will be called if signature verification fails.
+    # @param [Proc] block A proc which will be called with file_name and file content.
+    def initialize(server_info: nil, partner: nil, on_signature_failure: nil, &block)
       @block = block
-      @info = Config.server_info
-      @options = options
+      @server_info = server_info || Config.server_info
+      @partner = partner
+      @signature_failure_handler = on_signature_failure
     end
 
     def call(env)
-      if env['HTTP_AS2_TO'] != @info.name
+      if env['HTTP_AS2_TO'] != @server_info.name
         return send_error(env, "Invalid destination name #{env['HTTP_AS2_TO']}")
       end
 
-      partner = Config.partners[env['HTTP_AS2_FROM']]
-      unless partner
+      partner = @partner || Config.partners[env['HTTP_AS2_FROM']]
+
+      if !partner || env['HTTP_AS2_FROM'] != partner.name
         return send_error(env, "Invalid partner name #{env['HTTP_AS2_FROM']}")
       end
 
-      smime_string = build_smime_text(env)
-      message = Message.new(smime_string, @info.pkey, @info.certificate)
+      request = Rack::Request.new(env)
+      message = Message.new(request.body.read, @server_info.pkey, @server_info.certificate)
+
       unless message.valid_signature?(partner.certificate)
-        if @options[:on_signature_failure]
-          @options[:on_signature_failure].call({env: env, smime_string: smime_string})
+        if @signature_failure_handler
+          @signature_failure_handler.call({
+            env: env,
+            smime_string: message.decrypted_message,
+            verification_error: message.verification_error
+          })
         else
           raise "Could not verify signature"
         end
       end
 
-      mic = OpenSSL::Digest::SHA1.base64digest(message.decrypted_message)
-
       if @block
         begin
           @block.call message.attachment.filename, message.attachment.body
@@ -54,62 +55,41 @@ module As2
         end
       end
 
-      send_mdn(env, mic)
+      send_mdn(env, message.mic, message.mic_algorithm)
     end
 
-    private
-    def build_smime_text(env)
-      request = Rack::Request.new(env)
-      smime_data = StringIO.new
+    def send_mdn(env, mic, mic_algorithm, failed = nil)
+      # rules for MDN construction are covered in
+      # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.2
 
-      HEADER_MAP.each do |name, value|
-        smime_data.puts "#{name}: #{env[value]}"
+      options = {
+        'Reporting-UA' => @server_info.name,
+        'Original-Recipient' => "rfc822; #{@server_info.name}",
+        'Final-Recipient' => "rfc822; #{@server_info.name}",
+        'Original-Message-ID' => env['HTTP_MESSAGE_ID']
+      }
+      if failed
+        options['Disposition'] = 'automatic-action/MDN-sent-automatically; failed'
+        options['Failure'] = failed
+        text_body = "There was an error with the AS2 transmission.\r\n\r\n#{failed}"
+      else
+        options['Disposition'] = 'automatic-action/MDN-sent-automatically; processed'
+        text_body = "The AS2 message has been received successfully"
       end
+      options['Received-Content-MIC'] = "#{mic}, #{mic_algorithm}" if mic
 
-      smime_data.puts 'Content-Transfer-Encoding: base64'
-      smime_data.puts
-      smime_data.puts Base64Helper.ensure_base64(request.body.read)
-
-      return smime_data.string
-    end
-
-    def logger(env)
-      @logger ||= Logger.new env['rack.errors']
-    end
-
-    def send_error(env, msg)
-      logger(env).error msg
-      send_mdn env, nil, msg
-    end
-
-    def send_mdn(env, mic, failed = nil)
       report = MimeGenerator::Part.new
       report['Content-Type'] = 'multipart/report; report-type=disposition-notification'
 
       text = MimeGenerator::Part.new
       text['Content-Type'] = 'text/plain'
       text['Content-Transfer-Encoding'] = '7bit'
-      text.body = "The AS2 message has been received successfully"
-
+      text.body = text_body
       report.add_part text
 
       notification = MimeGenerator::Part.new
       notification['Content-Type'] = 'message/disposition-notification'
       notification['Content-Transfer-Encoding'] = '7bit'
-
-      options = {
-        'Reporting-UA' => @info.name,
-        'Original-Recipient' => "rfc822; #{@info.name}",
-        'Final-Recipient' => "rfc822; #{@info.name}",
-        'Original-Message-ID' => env['HTTP_MESSAGE_ID']
-      }
-      if failed
-        options['Disposition'] = 'automatic-action/MDN-sent-automatically; failed'
-        options['Failure'] = failed
-      else
-        options['Disposition'] = 'automatic-action/MDN-sent-automatically; processed'
-      end
-      options['Received-Content-MIC'] = "#{mic}, sha1" if mic
       notification.body = options.map{|n, v| "#{n}: #{v}"}.join("\r\n")
       report.add_part notification
 
@@ -117,23 +97,35 @@ module As2
 
       report.write msg_out
 
-      pkcs7 = OpenSSL::PKCS7.sign @info.certificate, @info.pkey, msg_out.string
+      pkcs7 = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, msg_out.string
       pkcs7.detached = true
       smime_signed = OpenSSL::PKCS7.write_smime pkcs7, msg_out.string
 
       content_type = smime_signed[/^Content-Type: (.+?)$/m, 1]
-      smime_signed.sub!(/\A.+?^(?=---)/m, '')
+      # smime_signed.sub!(/\A.+?^(?=---)/m, '')
 
       headers = {}
       headers['Content-Type'] = content_type
+      # TODO: if MIME-Version header is actually needed, should extract it out of smime_signed.
       headers['MIME-Version'] = '1.0'
-      headers['Message-ID'] = "<#{@info.name}-#{Time.now.strftime('%Y%m%d%H%M%S')}@#{@info.domain}>"
-      headers['AS2-From'] = @info.name
+      headers['Message-ID'] = As2.generate_message_id(@server_info)
+      headers['AS2-From'] = @server_info.name
       headers['AS2-To'] = env['HTTP_AS2_FROM']
-      headers['AS2-Version'] = '1.2'
+      headers['AS2-Version'] = '1.0'
       headers['Connection'] = 'close'
 
       [200, headers, ["\r\n" + smime_signed]]
     end
+
+    private
+
+    def logger(env)
+      @logger ||= Logger.new env['rack.errors']
+    end
+
+    def send_error(env, msg)
+      logger(env).error msg
+      send_mdn env, nil, 'sha1', msg
+    end
   end
 end

data/lib/as2/version.rb

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.2.5"
+  VERSION = "0.5.0"
 end

data/lib/as2.rb

@@ -1,12 +1,23 @@
 require 'openssl'
 require 'mail'
+require 'securerandom'
 require 'as2/config'
 require 'as2/server'
 require 'as2/client'
+require 'as2/client/result'
+require 'as2/digest_selector'
 require "as2/version"
 
 module As2
   def self.configure(&block)
     Config.configure(&block)
   end
+
+  def self.reset_config!
+    Config.reset!
+  end
+
+  def self.generate_message_id(server_info)
+    "<#{server_info.name}-#{Time.now.strftime('%Y%m%d-%H%M%S')}-#{SecureRandom.uuid}@#{server_info.domain}>"
+  end
 end

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 0.5.0
 platform: ruby
 authors:
 - OfficeLuv
-autorequire: 
+- Alex Dean
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-03-12 00:00:00.000000000 Z
+date: 2022-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail
@@ -42,28 +43,28 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
@@ -94,17 +95,61 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-focus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Simple AS2 server and client implementation. Follows the AS2 implementation
   from http://as2.mendelson-e-c.com
 email:
 - development@officeluv.com
+- github@mostlyalex.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/test.yml"
 - ".gitignore"
+- CHANGELOG.md
 - Gemfile
-- Gemfile.lock
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -116,17 +161,19 @@ files:
 - lib/as2.rb
 - lib/as2/base64_helper.rb
 - lib/as2/client.rb
+- lib/as2/client/result.rb
 - lib/as2/config.rb
+- lib/as2/digest_selector.rb
 - lib/as2/message.rb
 - lib/as2/mime_generator.rb
 - lib/as2/server.rb
 - lib/as2/version.rb
-homepage: https://github.com/officeluv/as2
+homepage: https://github.com/andjosh/as2
 licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org/
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -141,9 +188,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Simple AS2 server and client implementation
 test_files: []

data/Gemfile.lock

@@ -1,35 +0,0 @@
-PATH
-  remote: .
-  specs:
-    as2 (0.2.4)
-      mail
-      rack
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    daemons (1.2.3)
-    eventmachine (1.0.8)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
-    mime-types (2.6.2)
-    minitest (5.8.1)
-    rack (1.6.4)
-    rake (10.4.2)
-    thin (1.6.4)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (~> 1.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  as2!
-  bundler (~> 1.10)
-  minitest
-  rake (~> 10.0)
-  thin
-
-BUNDLED WITH
-   1.10.6