as2 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44bae86d51af027c42242dcc2b746014fc1e5c408bdba4d8fda43373a3b61470
-  data.tar.gz: e7043ac582ceb07fa9527f029ea128015e2f96331c3217758b022e5fe2b64e3a
+  metadata.gz: 78765b4a0fba8aaa7e3531ee9e3841a0774d72b6a1d09b18a69b53117cf26e22
+  data.tar.gz: c020c365f57a2dd428501b453bb349483bc98baf6db263dab7dfdfbab33b70a6
 SHA512:
-  metadata.gz: 8f6beade2e29c96b6e0d65297296f26642a4882b3628b7d43aa2169b7b6b3ddea7abb5e791490b20a1ffb260cfbd214db5c9026a9cb61e34b4a9af05fd6f2d49
-  data.tar.gz: 8bac3d37290848e67e01b689872fb6504c3407c23501040f1647f17bc42ae2101669ceb6b331908f170f2242a6acf3d4cbeeafe4ad3cf2c4f24995422e358e13
+  metadata.gz: 13155476fe9dab95fa56e29ec8dc842c86d4cdba0bf296aec518801d4ff8ef3f963bdb7e20d9e17bbc58bfdf334d9c760ccd712b267f70882b8e7ec79fa9230a
+  data.tar.gz: 1c6806d55b297222c0133e27f53914143ba0b3b35891c8076e93befe9d375534551b492890092432015a793dd88d97d8489ce69635e6ceeb8495f00880c5bd82

data/CHANGELOG.md

@@ -1,4 +1,15 @@
-## Unreleased (future 0.6.0)
+## 0.7.0, August 25, 2023
+
+Two improvements in compatibility with IBM Sterling, which could not understand
+our existing message & MDN formats.
+
+These changes are opt-in only, and require a config change to use. See linked PRs for
+details.
+
+  * Improved formatting of MDN messages. [#25](https://github.com/alexdean/as2/pull/25)
+  * Improved formatting of outbound messages. [#28](https://github.com/alexdean/as2/pull/28)
+
+## 0.6.0, April 4, 2023
 
   * allow verification of signed MDNs which use `Content-Transfer-Encoding: binary`. [#22](https://github.com/alexdean/as2/pull/22)
   * Improve example server to make it more useful for local testing & development. [#17](https://github.com/alexdean/as2/pull/17)

data/README.md

@@ -26,11 +26,9 @@ along.
      4. Use of Synchronous or Asynchronous Receipts: We do not support asynchronous
        delivery of MDNs.
      5. Security Formatting: We should be reasonably compliant here.
-     6. Hash Function, Message Digest Choices: We currently always use sha256. If a
-       partner asks for a different algorithm, we'll always use sha256 and partner
-       will see a MIC verification failure. AS2 RFC specifically prefers sha1 and
-       mentions md5. Mendelson AS2 server supports a number of other algorithms.
-       (sha256, sha512, etc)
+     6. Hash Function, Message Digest Choices: We currently always use sha256 for
+        signing. Since [#20](https://github.com/alexdean/as2/pull/20) we have supported
+        allowing partners to request which algorithm we use for MIC generation in MDNs.
   2. AS2 partners may agree to use separate certificates for data encryption and data signing.
      We do not support separate certificates for these purposes.
 

data/lib/as2/client.rb

@@ -4,6 +4,10 @@ module As2
   class Client
     attr_reader :partner, :server_info
 
+    def self.valid_outbound_formats
+      ['v0', 'v1']
+    end
+
     # @param [As2::Config::Partner,String] partner The partner to send a message to.
     #   If a string is given, it should be a partner name which has been registered
     #   via a call to #add_partner.
@@ -64,18 +68,22 @@ module As2
       req['Message-ID'] = outbound_message_id
 
       document_content = content || File.read(file_name)
+      outbound_format = @partner&.outbound_format || 'v0'
 
-      document_payload =  "Content-Type: #{content_type}\r\n"
-      document_payload << "Content-Transfer-Encoding: base64\r\n"
-      document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
-      document_payload << "\r\n"
-      document_payload << Base64.strict_encode64(document_content)
+      if outbound_format == 'v1'
+        format_method = :format_body_v1
+      else
+        format_method = :format_body_v0
+      end
+
+      document_payload, request_body = send(format_method,
+                                         document_content,
+                                         content_type: content_type,
+                                         file_name: file_name
+                                       )
 
-      signature = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, document_payload
-      signature.detached = true
-      container = OpenSSL::PKCS7.write_smime signature, document_payload
       cipher = OpenSSL::Cipher::AES256.new(:CBC) # default, but we might have to make this configurable
-      encrypted = OpenSSL::PKCS7.encrypt [@partner.certificate], container, cipher
+      encrypted = OpenSSL::PKCS7.encrypt([@partner.certificate], request_body, cipher)
 
       # > HTTP can handle binary data and so there is no need to use the
       # > content transfer encodings of MIME
@@ -123,6 +131,109 @@ module As2
       )
     end
 
+    # 'original' body formatting
+    #
+    # 1. uses OpenSSL::PKCS7.write_smime to build MIME body
+    #   * includes plain-text "this is an S/MIME message" note prior to initial
+    #     MIME boundary
+    # 2. uses non-standard application/x-pkcs7-* content types
+    # 3. MIME boundaries and signature have \n line endings
+    #
+    # this format is understood by Mendelson, OpenAS2, and several commercial
+    # products (GoAnywhere MFT). it is not understood by IBM Sterling B2B Integrator.
+    #
+    # @param [String] document_content the content to be transmitted
+    # @param [String] content_type the MIME type for document_content
+    # @param [String] file_name The filename to be transmitted to the partner
+    # @return [Array]
+    #   first item is the full document part of the transmission (including) MIME headers.
+    #   second item is the complete HTTP body.
+    def format_body_v0(document_content, content_type:, file_name:)
+      document_payload =  "Content-Type: #{content_type}\r\n"
+      document_payload << "Content-Transfer-Encoding: base64\r\n"
+      document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
+      document_payload << "\r\n"
+      document_payload << Base64.strict_encode64(document_content)
+
+      signature = OpenSSL::PKCS7.sign(@server_info.certificate, @server_info.pkey, document_payload)
+      signature.detached = true
+
+      [document_payload, OpenSSL::PKCS7.write_smime(signature, document_payload)]
+    end
+
+    # updated body formatting
+    #
+    # 1. no content before the first MIME boundary
+    # 2. uses standard application/pkcs7-* content types
+    # 3. MIME boundaries and signature have \r\n line endings
+    # 4. adds parameter smime-type=signed-data to the signature's Content-Type
+    #
+    # this format is understood by Mendelson, OpenAS2, and several commercial
+    # products (GoAnywhere MFT) and IBM Sterling B2B Integrator.
+    #
+    # @param [String] document_content the content to be transmitted
+    # @param [String] content_type the MIME type for document_content
+    # @param [String] file_name The filename to be transmitted to the partner
+    # @return [Array]
+    #   first item is the full document part of the transmission (including) MIME headers.
+    #   second item is the complete HTTP body.
+    def format_body_v1(document_content, content_type:, file_name:)
+      document_payload =  "Content-Type: #{content_type}\r\n"
+      document_payload << "Content-Transfer-Encoding: base64\r\n"
+      document_payload << "Content-Disposition: attachment; filename=#{file_name}\r\n"
+      document_payload << "\r\n"
+      document_payload << Base64.strict_encode64(document_content)
+
+      signature = OpenSSL::PKCS7.sign(@server_info.certificate, @server_info.pkey, document_payload)
+      signature.detached = true
+
+      # PEM (base64-encoded) signature
+      bare_pem_signature = signature.to_pem
+      # strip off the '-----BEGIN PKCS7-----' / '-----END PKCS7-----' delimiters
+      bare_pem_signature.gsub!(/^-----[^\n]+\n/, '')
+      # and update to canonical \r\n line endings
+      bare_pem_signature.gsub!(/(?<!\r)\n/, "\r\n")
+
+      # this is a hack until i can determine a better way to get the micalg parameter
+      # from the pkcs7 signature generated above...
+      # https://stackoverflow.com/questions/75934159/how-does-openssl-smime-determine-micalg-parameter
+      #
+      # also tried approach outlined in https://stackoverflow.com/questions/53044007/how-to-use-sha1-digest-during-signing-with-opensslpkcs7-sign-when-creating-smi
+      # but the signature generated by that method lacks some essential data. verifying those
+      # signatures results in an openssl error "unable to find message digest"
+      smime_body = OpenSSL::PKCS7.write_smime(signature, document_payload)
+      micalg = smime_body[/^Content-Type: multipart\/signed.*micalg=\"([^"]+)/m, 1]
+
+      # generate a MIME part boundary
+      #
+      # > A good strategy is to choose a boundary that includes
+      # > a character sequence such as "=_" which can never appear in a
+      # > quoted-printable body.
+      #
+      # https://www.rfc-editor.org/rfc/rfc2045#page-21
+      boundary = "----=_#{SecureRandom.hex(16).upcase}"
+      body_boundary = "--#{boundary}"
+
+      # body's mime headers
+      body = "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=#{micalg};  boundary=\"#{boundary}\"\r\n"
+      body += "\r\n"
+
+      # first body part: the document
+      body += body_boundary + "\r\n"
+      body += document_payload + "\r\n"
+
+      # second body part: the signature
+      body += body_boundary + "\r\n"
+      body += "Content-Type: application/pkcs7-signature; name=smime.p7s; smime-type=signed-data\r\n"
+      body += "Content-Transfer-Encoding: base64\r\n"
+      body += "Content-Disposition: attachment; filename=\"smime.p7s\"\r\n"
+      body += "\r\n"
+      body += bare_pem_signature
+      body += body_boundary + "--\r\n"
+
+      [document_payload, body]
+    end
+
     def evaluate_mdn(mdn_body:, mdn_content_type:, original_message_id:, original_body:)
       report = {
         signature_verification_error: :not_checked,

data/lib/as2/config.rb

@@ -12,7 +12,7 @@ module As2
       end
     end
 
-    class Partner < Struct.new :name, :url, :certificate
+    class Partner < Struct.new :name, :url, :certificate, :mdn_format, :outbound_format
       def url=(url)
         if url.kind_of? String
           self['url'] = URI.parse url
@@ -21,6 +21,24 @@ module As2
         end
       end
 
+      def mdn_format=(format)
+        format_s = format.to_s
+        valid_formats = As2::Server.valid_mdn_formats
+        if !valid_formats.include?(format_s)
+          raise ArgumentError, "mdn_format '#{format_s}' must be one of #{valid_formats.inspect}"
+        end
+        self['mdn_format'] = format_s
+      end
+
+      def outbound_format=(format)
+        format_s = format.to_s
+        valid_formats = As2::Client.valid_outbound_formats
+        if !valid_formats.include?(format_s)
+          raise ArgumentError, "outbound_format '#{format_s}' must be one of #{valid_formats.inspect}"
+        end
+        self['outbound_format'] = format_s
+      end
+
       def certificate=(certificate)
         self['certificate'] = As2::Config.build_certificate(certificate)
       end

data/lib/as2/server.rb

@@ -8,6 +8,11 @@ module As2
   class Server
     attr_accessor :logger
 
+    # each of these should be understandable by send_mdn
+    def self.valid_mdn_formats
+      ['v0', 'v1']
+    end
+
     # @param [As2::Config::ServerInfo] server_info Config used for naming of this
     #   server and key/certificate selection. If omitted, the main As2::Config.server_info is used.
     # @param [As2::Config::Partner] partner Which partner to receive messages from.
@@ -81,27 +86,61 @@ module As2
       report = MimeGenerator::Part.new
       report['Content-Type'] = 'multipart/report; report-type=disposition-notification'
 
-      text = MimeGenerator::Part.new
-      text['Content-Type'] = 'text/plain'
-      text['Content-Transfer-Encoding'] = '7bit'
-      text.body = text_body
-      report.add_part text
+      text_part = MimeGenerator::Part.new
+      text_part['Content-Type'] = 'text/plain'
+      text_part['Content-Transfer-Encoding'] = '7bit'
+      text_part.body = text_body
+      report.add_part text_part
 
-      notification = MimeGenerator::Part.new
-      notification['Content-Type'] = 'message/disposition-notification'
-      notification['Content-Transfer-Encoding'] = '7bit'
-      notification.body = options.map{|n, v| "#{n}: #{v}"}.join("\r\n")
-      report.add_part notification
+      notification_part = MimeGenerator::Part.new
+      notification_part['Content-Type'] = 'message/disposition-notification'
+      notification_part['Content-Transfer-Encoding'] = '7bit'
+      notification_part.body = options.map{|n, v| "#{n}: #{v}"}.join("\r\n")
+      report.add_part notification_part
 
       msg_out = StringIO.new
-
       report.write msg_out
+      mdn_text = msg_out.string
+
+      mdn_format = @partner&.mdn_format || 'v0'
+      if mdn_format == 'v1'
+        format_method = :format_mdn_v1
+      else
+        format_method = :format_mdn_v0
+      end
 
-      pkcs7 = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, msg_out.string
+      headers, body = send(
+                        format_method,
+                        mdn_text,
+                        as2_to: env['HTTP_AS2_FROM']
+                      )
+
+      [200, headers, ["\r\n" + body]]
+    end
+
+    # 'original' MDN formatting
+    #
+    # 1. uses OpenSSL::PKCS7.write_smime to build MIME body
+    #   * includes MIME headers in HTTP body
+    #   * includes plain-text "this is an S/MIME message" note prior to initial
+    #     MIME boundary
+    # 2. uses non-standard application/x-pkcs7-* content types
+    # 3. MIME boundaries and signature have \n line endings
+    #
+    # this format is understood by Mendelson, OpenAS2, and several commercial
+    # products (GoAnywhere MFT). it is not understood by IBM Sterling B2B Integrator.
+    #
+    # @param [String] mdn_text MIME multipart/report body containing text/plain
+    #   and message/disposition-notification parts
+    # @param [String] mic_algorithm
+    # @param [String] as2_to
+    def format_mdn_v0(mdn_text, as2_to:)
+      pkcs7 = OpenSSL::PKCS7.sign @server_info.certificate, @server_info.pkey, mdn_text
       pkcs7.detached = true
-      smime_signed = OpenSSL::PKCS7.write_smime pkcs7, msg_out.string
 
-      content_type = smime_signed[/^Content-Type: (.+?)$/m, 1]
+      body = OpenSSL::PKCS7.write_smime pkcs7, mdn_text
+
+      content_type = body[/^Content-Type: (.+?)$/m, 1]
       # smime_signed.sub!(/\A.+?^(?=---)/m, '')
 
       headers = {}
@@ -110,11 +149,67 @@ module As2
       headers['MIME-Version'] = '1.0'
       headers['Message-ID'] = As2.generate_message_id(@server_info)
       headers['AS2-From'] = @server_info.name
-      headers['AS2-To'] = env['HTTP_AS2_FROM']
+      headers['AS2-To'] = as2_to
+      headers['AS2-Version'] = '1.0'
+      headers['Connection'] = 'close'
+
+      [headers, body]
+    end
+
+    def format_mdn_v1(mdn_text, as2_to:)
+      pkcs7 = OpenSSL::PKCS7.sign(@server_info.certificate, @server_info.pkey, mdn_text)
+      pkcs7.detached = true
+
+      # PEM (base64-encoded) signature
+      bare_pem_signature = pkcs7.to_pem
+      # strip off the '-----BEGIN PKCS7-----' / '-----END PKCS7-----' delimiters
+      bare_pem_signature.gsub!(/^-----[^\n]+\n/, '')
+      # and update to canonical \r\n line endings
+      bare_pem_signature.gsub!(/(?<!\r)\n/, "\r\n")
+
+      # this is a hack until i can determine a better way to get the micalg parameter
+      # from the pkcs7 signature generated above...
+      # https://stackoverflow.com/questions/75934159/how-does-openssl-smime-determine-micalg-parameter
+      #
+      # also tried approach outlined in https://stackoverflow.com/questions/53044007/how-to-use-sha1-digest-during-signing-with-opensslpkcs7-sign-when-creating-smi
+      # but the signature generated by that method lacks some essential data. verifying those
+      # signatures results in an openssl error "unable to find message digest"
+      smime_body = OpenSSL::PKCS7.write_smime(pkcs7, mdn_text)
+      micalg = smime_body[/^Content-Type: multipart\/signed.*micalg=\"([^"]+)/m, 1]
+
+      # generate a MIME part boundary
+      #
+      # > A good strategy is to choose a boundary that includes
+      # > a character sequence such as "=_" which can never appear in a
+      # > quoted-printable body.
+      #
+      # https://www.rfc-editor.org/rfc/rfc2045#page-21
+      boundary = "----=_#{SecureRandom.hex(16).upcase}"
+      body_boundary = "--#{boundary}"
+
+      headers = {}
+      headers['Content-Type'] = "multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=\"#{micalg}\"; boundary=\"#{boundary}\""
+      headers['MIME-Version'] = '1.0'
+      headers['Message-ID'] = As2.generate_message_id(@server_info)
+      headers['AS2-From'] = @server_info.name
+      headers['AS2-To'] = as2_to
       headers['AS2-Version'] = '1.0'
       headers['Connection'] = 'close'
 
-      [200, headers, ["\r\n" + smime_signed]]
+      # this is the MDN report, with text/plain and message/disposition-notification parts
+      body = body_boundary + "\r\n"
+      body += mdn_text + "\r\n"
+
+      # this is the signature generated over that report
+      body += body_boundary + "\r\n"
+      body += "Content-Type: application/pkcs7-signature; name=\"smime.p7s\"\r\n"
+      body += "Content-Transfer-Encoding: base64\r\n"
+      body += "Content-Disposition: attachment; filename=\"smime.p7s\"\r\n"
+      body += "\r\n"
+      body += bare_pem_signature
+      body += body_boundary + "--\r\n"
+
+      [headers, body]
     end
 
     private

data/lib/as2/version.rb

@@ -1,3 +1,3 @@
 module As2
-  VERSION = "0.6.0"
+  VERSION = "0.7.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: as2
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - OfficeLuv
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-04-04 00:00:00.000000000 Z
+date: 2023-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mail