as2 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '094edd2c08516e42061e5623b49e4b2f355a3ca3a19a6ed17bc2764ea1073f9c'
-  data.tar.gz: c7678c44a070eda090eec89d3e3bacfdc2a1400b880bb39d52f2ba3e08ffe300
+  metadata.gz: 40b3957adcdaa34f7df9fe0ee83966f7076e80bc9dc9c02b8f27a4fb22395fda
+  data.tar.gz: 1d8002959f6b4afa70c94fd363c9d97c15b2f20a82ee96b1bc39ebba8a55972e
 SHA512:
-  metadata.gz: c4ecd6838eb1e62174c584638141ba0f2af696bfd906765a0f3ffd4928e03ed3d203e9160c2ce5731439e282283fbf2b511b891719c98eeff262834b9bb1ec11
-  data.tar.gz: 852b03c4eebc90ea86447a4074afa417556b89f8613851eb59364dc6f8b4f9f1904452da3c4160929992c2263085774ff6c8cdf46345a92e75411daf945b8123
+  metadata.gz: bb04b23ab84f14e131e74e3a213e71ae5f3009f805af08b7cc1c88dc3798745639e4cffea1a85811df51a522776797f236da98c82ab84863dd5891c0b37fc243
+  data.tar.gz: a71c9ea6c4c82637103ae1353e5b54cee88ad4f52b388883b0b409c24722247bbd0ead903ca5ef00ba1df41403ab11f1d6b4b03f9d03f58af39ccb399848adf0

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.5.0, March 21, 2022
+
+  * improvements to `As2::Client`. improve compatibility with non-Mendelson AS2 servers. [#8](https://github.com/andjosh/as2/pull/8)
+  * improve MDN generation, especially when an error occurs. [#9](https://github.com/andjosh/as2/pull/9)
+  * successfully parse unsigned MDNs. [#10](https://github.com/andjosh/as2/pull/10)
+
 ## 0.4.0, March 3, 2022
 
   * client: correct MIC & signature verification when processing MDN response [#7](https://github.com/andjosh/as2/pull/7)

data/README.md

@@ -25,8 +25,8 @@ along.
      4. Use of Synchronous or Asynchronous Receipts: We do not support asynchronous
        delivery of MDNs.
      5. Security Formatting: We should be reasonably compliant here.
-     6. Hash Function, Message Digest Choices: We currently always use sha1. If a
-       partner asks for a different algorithm, we'll always use sha1 and partner
+     6. Hash Function, Message Digest Choices: We currently always use sha256. If a
+       partner asks for a different algorithm, we'll always use sha256 and partner
        will see a MIC verification failure. AS2 RFC specifically prefers sha1 and
        mentions md5. Mendelson AS2 server supports a number of other algorithms.
        (sha256, sha512, etc)

data/as2.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |spec|
 
   spec.summary       = %q{Simple AS2 server and client implementation}
   spec.description   = %q{Simple AS2 server and client implementation. Follows the AS2 implementation from http://as2.mendelson-e-c.com}
-  spec.homepage      = "https://github.com/officeluv/as2"
+  spec.homepage      = "https://github.com/andjosh/as2"
   spec.license       = "MIT"
 
   # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or

data/lib/as2/client.rb

@@ -22,6 +22,14 @@ module As2
       @server_info = server_info || Config.server_info
     end
 
+    def as2_to
+      @partner.name
+    end
+
+    def as2_from
+      @server_info.name
+    end
+
     # Send a file to a partner
     #
     #   * If the content parameter is omitted, then `file_name` must be a path
@@ -31,26 +39,29 @@ module As2
     #
     # @param [String] file_name
     # @param [String] content
+    # @param [String] content_type This is the MIME Content-Type describing the `content` param,
+    #   and will be included in the SMIME payload. It is not the HTTP Content-Type.
     # @return [As2::Client::Result]
-    def send_file(file_name, content: nil)
+    def send_file(file_name, content: nil, content_type: 'application/EDI-Consent')
+      outbound_mic_algorithm = 'sha256'
       outbound_message_id = As2.generate_message_id(@server_info)
 
       req = Net::HTTP::Post.new @partner.url.path
-      req['AS2-Version'] = '1.2'
-      req['AS2-From'] = @server_info.name
-      req['AS2-To'] = @partner.name
-      req['Subject'] = 'AS2 EDI Transaction'
+      req['AS2-Version'] = '1.0' # 1.1 includes compression support, which we dont implement.
+      req['AS2-From'] = as2_from
+      req['AS2-To'] = as2_to
+      req['Subject'] = 'AS2 Transaction'
       req['Content-Type'] = 'application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m'
+      req['Date'] = Time.now.rfc2822
       req['Disposition-Notification-To'] = @server_info.url.to_s
-      req['Disposition-Notification-Options'] = 'signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1'
+      req['Disposition-Notification-Options'] = "signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, #{outbound_mic_algorithm}"
       req['Content-Disposition'] = 'attachment; filename="smime.p7m"'
-      req['Recipient-Address'] = @server_info.url.to_s
-      req['Content-Transfer-Encoding'] = 'base64'
+      req['Recipient-Address'] = @partner.url.to_s
       req['Message-ID'] = outbound_message_id
 
       document_content = content || File.read(file_name)
 
-      document_payload =  "Content-Type: application/EDI-Consent\r\n"
+      document_payload =  "Content-Type: #{content_type}\r\n"
       document_payload << "Content-Transfer-Encoding: base64\r\n"
       document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
       document_payload << "\r\n"
@@ -59,63 +70,38 @@ module As2
       signature = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, document_payload
       signature.detached = true
       container = OpenSSL::PKCS7.write_smime signature, document_payload
-      encrypted = OpenSSL::PKCS7.encrypt [@partner.certificate], container
-      smime_encrypted = OpenSSL::PKCS7.write_smime encrypted
+      cipher = OpenSSL::Cipher::AES256.new(:CBC) # default, but we might have to make this configurable
+      encrypted = OpenSSL::PKCS7.encrypt [@partner.certificate], container, cipher
 
-      req.body = smime_encrypted.sub(/^.+?\n\n/m, '')
+      # > HTTP can handle binary data and so there is no need to use the
+      # > content transfer encodings of MIME
+      #
+      # https://datatracker.ietf.org/doc/html/rfc4130#section-5.2.1
+      req.body = encrypted.to_der
 
       resp = nil
-      signature_verification_error = :not_checked
       exception = nil
-      mic_matched = nil
-      mid_matched = nil
-      disposition = nil
-      plain_text_body = nil
+      mdn_report = {}
 
       begin
+        # note: to pass this traffic through a debugging proxy (like Charles)
+        # set ENV['http_proxy'].
         http = Net::HTTP.new(@partner.url.host, @partner.url.port)
         http.use_ssl = @partner.url.scheme == 'https'
         # http.set_debug_output $stderr
+        # http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+
         http.start do
           resp = http.request(req)
         end
 
         if resp.code == '200'
-          response_content = "Content-Type: #{resp['Content-Type']}\r\n#{resp.body}"
-          smime = OpenSSL::PKCS7.read_smime response_content
-          # based on As2::Message version
-          # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
-          smime.verify [@partner.certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
-          signature_verification_error = smime.error_string
-
-          mail = Mail.new smime.data
-          mail.parts.each do |part|
-            case part.content_type
-            when 'text/plain'
-              plain_text_body = part.body
-            when 'message/disposition-notification'
-              # "The rules for constructing the AS2-disposition-notification content..."
-              # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.3
-
-              options = {}
-              # TODO: can we use Mail built-ins for this?
-              part.body.to_s.lines.each do |line|
-                if line =~ /^([^:]+): (.+)$/
-                  options[$1] = $2
-                end
-              end
-
-              disposition = options['Disposition']
-              mid_matched = req['Message-ID'] == options['Original-Message-ID']
-
-              # do mic calc using the algorithm specified by server.
-              # (even if we specify sha1, server may send back MIC using a different algo.)
-              received_mic, micalg = options['Received-Content-MIC'].split(',').map(&:strip)
-              micalg ||= 'sha1'
-              mic = As2::DigestSelector.for_code(micalg).base64digest(document_payload)
-              mic_matched = received_mic == mic
-            end
-          end
+          mdn_report = evaluate_mdn(
+                         mdn_content_type: resp['Content-Type'],
+                         mdn_body: resp.body,
+                         original_message_id: req['Message-ID'],
+                         original_body: document_payload
+                       )
         end
       rescue => e
         exception = e
@@ -123,14 +109,78 @@ module As2
 
       Result.new(
         response: resp,
-        mic_matched: mic_matched,
-        mid_matched: mid_matched,
-        body: plain_text_body,
-        disposition: disposition,
-        signature_verification_error: signature_verification_error,
+        mic_matched: mdn_report[:mic_matched],
+        mid_matched: mdn_report[:mid_matched],
+        body: mdn_report[:plain_text_body],
+        disposition: mdn_report[:disposition],
+        signature_verification_error: mdn_report[:signature_verification_error],
         exception: exception,
         outbound_message_id: outbound_message_id
       )
     end
+
+    def evaluate_mdn(mdn_body:, mdn_content_type:, original_message_id:, original_body:)
+      report = {
+        signature_verification_error: :not_checked,
+        mic_matched: nil,
+        mid_matched: nil,
+        disposition: nil,
+        plain_text_body: nil
+      }
+
+      # MDN bodies we've seen so far don't include Content-Type, which causes `read_smime` to fail.
+      response_content = "Content-Type: #{mdn_content_type.to_s.strip}\r\n\r\n#{mdn_body}"
+
+      if mdn_content_type.start_with?('multipart/signed')
+        smime = OpenSSL::PKCS7.read_smime(response_content)
+
+        # create mail instance before #verify call.
+        # `smime.data` is emptied if verification fails, which means we wouldn't know disposition & other details.
+        mail = Mail.new(smime.data)
+
+        # based on As2::Message version
+        # TODO: test cases based on valid/invalid responses. (response signed with wrong certificate, etc.)
+        smime.verify [@partner.certificate], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY | OpenSSL::PKCS7::NOINTERN
+        report[:signature_verification_error] = smime.error_string
+      else
+        # MDN may be unsigned if an error occurred, like if we sent an unrecognized As2-From header.
+        mail = Mail.new(response_content)
+      end
+
+      mail.parts.each do |part|
+        if part.content_type.start_with?('text/plain')
+          report[:plain_text_body] = part.body.to_s.strip
+        elsif part.content_type.start_with?('message/disposition-notification')
+          # "The rules for constructing the AS2-disposition-notification content..."
+          # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.3
+
+          options = {}
+          # TODO: can we use Mail built-ins for this?
+          part.body.to_s.lines.each do |line|
+            if line =~ /^([^:]+): (.+)$/
+              # downcase because we've seen both 'Disposition' and 'disposition'
+              options[$1.to_s.downcase] = $2
+            end
+          end
+
+          report[:disposition] = options['disposition']
+          report[:mid_matched] = original_message_id == options['original-message-id']
+
+          if options['received-content-mic']
+            # do mic calc using the algorithm specified by server.
+            # (even if we specify sha1, server may send back MIC using a different algo.)
+            received_mic, micalg = options['received-content-mic'].split(',').map(&:strip)
+
+            # if they don't specify, we'll use the algorithm we specified in the outbound transmission.
+            # but it's only a guess & may fail.
+            micalg ||= outbound_mic_algorithm
+
+            mic = As2::DigestSelector.for_code(micalg).base64digest(original_body)
+            report[:mic_matched] = received_mic == mic
+          end
+        end
+      end
+      report
+    end
   end
 end

data/lib/as2/digest_selector.rb

@@ -15,6 +15,7 @@ module As2
     end
 
     def self.for_code(code)
+      # we may receive 'sha256', 'sha-256', or 'SHA256'.
       normalized = code.strip.downcase.gsub(/[^a-z0-9]/, '')
 
       @map[normalized] || OpenSSL::Digest::SHA1

data/lib/as2/message.rb

@@ -80,14 +80,20 @@ module As2
     end
 
     def mic
-      # TODO: could use As2::DigestSelector if a different algo is needed.
-      OpenSSL::Digest::SHA1.base64digest(attachment.raw_source.strip)
+      digest = As2::DigestSelector.for_code(mic_algorithm)
+      digest.base64digest(attachment.raw_source.strip)
+    end
+
+    def mic_algorithm
+      'sha256'
     end
 
     # Return the attached file, use .filename and .body on the return value
     def attachment
       if mail.has_attachments?
-        mail.parts.find{|a| a.content_type == "application/edi-consent"}
+        # TODO: match 'application/edi*', test with 'application/edi-x12'
+        # test also with "application/edi-consent; name=this_is_a_filename.txt"
+        mail.parts.find{ |a| a.content_type.match(/^application\/edi/) }
       else
         mail
       end

data/lib/as2/server.rb

@@ -55,23 +55,12 @@ module As2
         end
       end
 
-      send_mdn(env, message.mic)
+      send_mdn(env, message.mic, message.mic_algorithm)
     end
 
-    def send_mdn(env, mic, failed = nil)
-      report = MimeGenerator::Part.new
-      report['Content-Type'] = 'multipart/report; report-type=disposition-notification'
-
-      text = MimeGenerator::Part.new
-      text['Content-Type'] = 'text/plain'
-      text['Content-Transfer-Encoding'] = '7bit'
-      text.body = "The AS2 message has been received successfully"
-
-      report.add_part text
-
-      notification = MimeGenerator::Part.new
-      notification['Content-Type'] = 'message/disposition-notification'
-      notification['Content-Transfer-Encoding'] = '7bit'
+    def send_mdn(env, mic, mic_algorithm, failed = nil)
+      # rules for MDN construction are covered in
+      # https://datatracker.ietf.org/doc/html/rfc4130#section-7.4.2
 
       options = {
         'Reporting-UA' => @server_info.name,
@@ -82,10 +71,25 @@ module As2
       if failed
         options['Disposition'] = 'automatic-action/MDN-sent-automatically; failed'
         options['Failure'] = failed
+        text_body = "There was an error with the AS2 transmission.\r\n\r\n#{failed}"
       else
         options['Disposition'] = 'automatic-action/MDN-sent-automatically; processed'
+        text_body = "The AS2 message has been received successfully"
       end
-      options['Received-Content-MIC'] = "#{mic}, sha1" if mic
+      options['Received-Content-MIC'] = "#{mic}, #{mic_algorithm}" if mic
+
+      report = MimeGenerator::Part.new
+      report['Content-Type'] = 'multipart/report; report-type=disposition-notification'
+
+      text = MimeGenerator::Part.new
+      text['Content-Type'] = 'text/plain'
+      text['Content-Transfer-Encoding'] = '7bit'
+      text.body = text_body
+      report.add_part text
+
+      notification = MimeGenerator::Part.new
+      notification['Content-Type'] = 'message/disposition-notification'
+      notification['Content-Transfer-Encoding'] = '7bit'
       notification.body = options.map{|n, v| "#{n}: #{v}"}.join("\r\n")
       report.add_part notification
 
@@ -98,15 +102,16 @@ module As2
       smime_signed = OpenSSL::PKCS7.write_smime pkcs7, msg_out.string
 
       content_type = smime_signed[/^Content-Type: (.+?)$/m, 1]
-      smime_signed.sub!(/\A.+?^(?=---)/m, '')
+      # smime_signed.sub!(/\A.+?^(?=---)/m, '')
 
       headers = {}
       headers['Content-Type'] = content_type
+      # TODO: if MIME-Version header is actually needed, should extract it out of smime_signed.
       headers['MIME-Version'] = '1.0'
       headers['Message-ID'] = As2.generate_message_id(@server_info)
       headers['AS2-From'] = @server_info.name
       headers['AS2-To'] = env['HTTP_AS2_FROM']
-      headers['AS2-Version'] = '1.2'
+      headers['AS2-Version'] = '1.0'
       headers['Connection'] = 'close'
 
       [200, headers, ["\r\n" + smime_signed]]
@@ -120,7 +125,7 @@ module As2
 
     def send_error(env, msg)
       logger(env).error msg
-      send_mdn env, nil, msg
+      send_mdn env, nil, 'sha1', msg
     end
   end
 end

data/lib/as2/version.rb

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - OfficeLuv
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-03-03 00:00:00.000000000 Z
+date: 2022-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail
@@ -168,7 +168,7 @@ files:
 - lib/as2/mime_generator.rb
 - lib/as2/server.rb
 - lib/as2/version.rb
-homepage: https://github.com/officeluv/as2
+homepage: https://github.com/andjosh/as2
 licenses:
 - MIT
 metadata: