
BDEW profile: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)

Open michaldaniel opened this issue 1 year ago • 3 comments

Hi, using the library 2.7.5, which comes with the updated WSS4J 3.0.3 and xmlsec, I'm getting an exception when attempting to send a message:

Caused by: org.apache.wss4j.common.ext.WSSecurityException: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
	at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:637)
	at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:554)
	at org.apache.wss4j.dom.message.WSSecSignature.build(WSSecSignature.java:414)
	at com.helger.phase4.messaging.crypto.AS4Signer._createSignedMessage(AS4Signer.java:152)
	at com.helger.phase4.messaging.crypto.AS4Signer.createSignedMessage(AS4Signer.java:216)
	at com.helger.phase4.client.AS4ClientUserMessage.buildMessage(AS4ClientUserMessage.java:713)
	at com.helger.phase4.client.AbstractAS4Client.sendMessageWithRetries(AbstractAS4Client.java:561)
	at com.helger.phase4.sender.AS4BidirectionalClientHelper.sendAS4UserMessageAndReceiveAS4SignalMessage(AS4BidirectionalClientHelper.java:137)
	at com.helger.phase4.sender.AbstractAS4UserMessageBuilderMIMEPayload.mainSendMessage(AbstractAS4UserMessageBuilderMIMEPayload.java:211)
	... 165 common frames omitted
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
	at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:348)
	at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:417)
	at org.apache.wss4j.dom.message.WSSecSignature.computeSignature(WSSecSignature.java:630)
	... 173 common frames omitted
Caused by: java.security.SignatureException: Curve not supported: brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
	at jdk.crypto.ec/sun.security.ec.ECDSASignature.engineSign(ECDSASignature.java:485)
	at java.base/java.security.Signature$Delegate.engineSign(Signature.java:1423)
	at java.base/java.security.Signature.sign(Signature.java:712)
	at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:346)
	... 175 common frames omitted

Was the support for brainpoolP256r1 not merged yet upstream or am I possibly missing some configuration steps that would allow for using brainpoolP256r1 certificates?

michaldaniel avatar Apr 11 '24 10:04 michaldaniel

Currently you need to use the implementation of BouncyCastle - it's not yet published in a release of xmlsec 3.x to the best of my knowledge. Link: https://github.com/apache/santuario-xml-security-java/pull/293

phax avatar Apr 11 '24 12:04 phax

@phax Do I understand you correctly that there is a way to circumvent this using the BC implementation? I would really appreciate it if you found time to elaborate.

The other way to understand your answer is that we would either have to wait for a Santuario release or build it from source and force dependency usage.

michaldaniel avatar Apr 11 '24 13:04 michaldaniel

Well, I never did it myself - I only saw it in implementations using phase4. You need to be familiar with the concepts of "Security Providers" in Java. By using Bouncy Castle (BC) as your Security Provider you are capable of using the Brainpool Curves with Java 11 and onwards. The Security Provider can be provided on many levels - for certificate factory as well as for JSSE setups etc. Please refer to the regular Java documentation and the BC documentation for the details.

phax avatar Apr 11 '24 19:04 phax
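The provider setup described in the comment above, as an added example that is not part of the original thread or of phase4's own code: it registers Bouncy Castle and reports which JCA provider ends up signing with a brainpoolP256r1 key, first with BC appended to the provider list, then named explicitly, then moved to position 1. Assumptions: the Bouncy Castle provider jar is on the classpath, the key pair is generated in memory instead of being loaded from a keystore, `SHA256withECDSA` is used as the signature algorithm, and the class and helper names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BrainpoolProviderCheck {
    static final String CURVE = "brainpoolP256r1";
    static final String SIG_ALG = "SHA256withECDSA"; // assumed algorithm

    // Sign and verify a constructed payload; provider == null means the
    // default JCA lookup, which is what a provider-less getInstance() does.
    static String trySign(KeyPair kp, String provider) {
        try {
            byte[] data = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
            Signature signer = provider == null
                    ? Signature.getInstance(SIG_ALG)
                    : Signature.getInstance(SIG_ALG, provider);
            signer.initSign(kp.getPrivate());
            signer.update(data);
            byte[] sig = signer.sign();
            String used = signer.getProvider().getName();

            Signature verifier = Signature.getInstance(SIG_ALG, used);
            verifier.initVerify(kp.getPublic());
            verifier.update(data);
            return (verifier.verify(sig) ? "OK" : "BAD SIGNATURE") + " via " + used;
        } catch (GeneralSecurityException | RuntimeException e) {
            // "Curve not supported" from the JDK provider surfaces here
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        BouncyCastleProvider bc = new BouncyCastleProvider();
        Security.addProvider(bc); // appended after the JDK providers

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec(CURVE));
        KeyPair kp = kpg.generateKeyPair();

        System.out.println("BC appended, default lookup:   " + trySign(kp, null));
        System.out.println("BC named explicitly:           " + trySign(kp, "BC"));

        // Give BC precedence over the JDK providers for default lookups
        Security.removeProvider("BC");
        Security.insertProviderAt(bc, 1);
        System.out.println("BC at position 1, default:     " + trySign(kp, null));
    }
}
```

A line reporting `FAILED` or a provider other than `BC` for a default lookup indicates that code calling `Signature.getInstance` without a provider name will not use Bouncy Castle under that provider ordering.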

@michaldaniel Did that solve your issue?

phax avatar Apr 16 '24 08:04 phax