
Calculate MIC like sending

Open alvarolivie opened this issue 2 months ago • 2 comments

  • Move MIC calculation to after decryption/verification
  • Calculate MIC on first body part of multipart/signed messages
  • Ensures MIC is calculated on same data as sender

In theory, MIC is calculated before signature and encryption. If the content is compressed before encryption then MIC should be calculated on the compressed object. I've tested both sending and receiving with mendelson.

Java is not my main language so please feel free to edit and fix. I tried to implement what would work in my use case but copying how the sending worked with callbacks. #140

alvarolivie avatar Dec 08 '25 18:12 alvarolivie
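The point in the description above, that the receiver must hash the same bytes the sender hashed, shown as an added example (not code from this pull request or from as2-lib). The class and method names are hypothetical, the message is constructed, only JDK classes are used, and signature verification and MIME canonicalization are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical demo class, not part of as2-lib.
public class MicDemo {
    // Return the first body part (MIME headers + content) byte for byte.
    // The CRLF before each delimiter belongs to the delimiter (RFC 2046).
    static byte[] firstBodyPart(byte[] body, String boundary) {
        String s = new String(body, StandardCharsets.ISO_8859_1); // 1:1 byte mapping
        String delim = "--" + boundary;
        int open = s.indexOf(delim);
        int start = open < 0 ? -1 : s.indexOf("\r\n", open);
        int end = start < 0 ? -1 : s.indexOf("\r\n" + delim, start + 2);
        if (end < 0) throw new IllegalArgumentException("malformed multipart body");
        return s.substring(start + 2, end).getBytes(StandardCharsets.ISO_8859_1);
    }

    // MIC value as "<base64 digest>, <algorithm label>".
    static String mic(byte[] data, String jcaAlg, String label) throws Exception {
        byte[] digest = MessageDigest.getInstance(jcaAlg).digest(data);
        return Base64.getEncoder().encodeToString(digest) + ", " + label;
    }

    public static void main(String[] args) throws Exception {
        String boundary = "sig-boundary"; // constructed sample values throughout
        String part = "Content-Type: application/edi-x12\r\n"
                + "Content-Transfer-Encoding: binary\r\n\r\n"
                + "constructed payload\r\n";
        // Sender: MIC over the part before it is wrapped in multipart/signed.
        String sent = mic(part.getBytes(StandardCharsets.ISO_8859_1), "SHA-256", "sha-256");

        byte[] received = ("--" + boundary + "\r\n" + part
                + "\r\n--" + boundary + "\r\n"
                + "Content-Type: application/pkcs7-signature\r\n\r\n"
                + "c2lnbmF0dXJlIHBsYWNlaG9sZGVy\r\n" // placeholder, not a real signature
                + "--" + boundary + "--\r\n").getBytes(StandardCharsets.ISO_8859_1);

        // Receiver: MIC over the first body part only, versus the whole signed body.
        String overPart = mic(firstBodyPart(received, boundary), "SHA-256", "sha-256");
        String overAll = mic(received, "SHA-256", "sha-256");

        System.out.println("sender MIC:          " + sent);
        System.out.println("receiver, 1st part:  " + overPart + " match=" + sent.equals(overPart));
        System.out.println("receiver, all bytes: " + overAll + " match=" + sent.equals(overAll));
    }
}
```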

Thx - will check asap

phax avatar Dec 08 '25 20:12 phax

One issue I have found with this is that within a partnership, if the sender does not use the defined values but instead sends new ones in the header, the server will respond with the values defined in the partnership. For example, if a partnership A-B is defined with sign: sha-256 but the sender sends without a signature, then the server will accept the incoming request, but it will calculate the MIC with headers, as the partnership states that they use a signature. The server responds with a signature and a wrong MIC. In my opinion, the server should directly reject the request because the sender did not comply with the agreement, but I may be wrong.

alvarolivie avatar Dec 10 '25 11:12 alvarolivie

🔝 I was testing out other features but I preferred to leave this branch clean

alvarolivie avatar Jan 08 '26 18:01 alvarolivie