mendelson AS4 opensource b35 released
Please download the new version at https://mendelson-e-c.com/opensource
Modifications and changes:
*Added a dialog that works out the mail server configuration for the notification mail setup from the reply-to mail address alone
*Added a notification badge for configuration problems to the status bar and set up UI scaling for the list of configuration issues (client UI)
*Added the usage profile EU-ICS2-TI AS4 Profile V3.x with all of its presets and requirements
*Added the possibility to set the signature binary security token type per partner to either "#X509PKIPathv1" (the certificate path)
or "#X509v3" (the single signing certificate); "#X509v3" remains the default. This is a requirement of the AS4 profiles ICS2, BDEW and ENTSOG 4.0
*Added the possibility to use the sender's AS4 ID in the outbound agreement ref: ${senderid} in the agreement ref is replaced by the sender's AS4 ID. This can be defined directly in the PMode and is resolved during message preparation
*Reworked the import/export functions of the certificate manager
*New icons in the certificate manager
*Certificate manager: parts of the trust path tree can no longer be collapsed by double-clicking them
*Added support for ENTSOG 4.0, which currently exists only as a draft; it uses ECDH-ES key agreement.
*Added the new profile ENTSOG v4.0 to the product, with presets
*Added the signature algorithm eddsa-ed25519, required for the AS4 profile ENTSOG 4.0
*Added the possibility to perform the key agreement with X25519 keys (ECDH-ES, i.e. ephemeral-static Diffie-Hellman against the recipient's static key). Ephemeral keys can now be on the X25519 curve (ENTSOG 4.0) or on a Brainpool curve (BDEW 1.0)
*Added the possibility to generate Ed25519 keys in the certificate manager; this is required for the ENTSOG 4.0 profile
*Added the possibility to perform the ephemeral key encryption/wrapping with kw-aes128 after an XDH key agreement. This is required for the AS4 profiles BDEW 1.0 and ENTSOG 4.0
*Added information to the usage profiles about the supported TLS protocol versions, whether TLS is mandatory, and the supported MEPs
*Added the additional usage profile information to the documentation
*The user interface now warns if the user tries to perform a MEP for a partner whose usage profile does not support it;
the operation and the configuration are nonetheless still possible
*Depending on a partner's usage profile, the outbound TLS protocol list is now passed to the TLS engine,
because several AS4 profiles allow only specific TLS protocol versions
*The log now contains a warning if a partner's usage profile defines TLS as mandatory but the connection is unencrypted.
Several AS4 profiles do not allow unsecured connections.
*Added the name of the PMode set in use (in- and outbound) as the variable ${pmode} for message postprocessing
*Added inbound X509SKI support: when receiving ECDH-ES messages, identifying the receiver's key via the
X509SKI tag (subject key identifier) was not supported (AS4 profiles ENTSOG 4, BDEW)
*The RecipientKeyInfo element for the BDEW AS4 profile is now extended (outbound) by the X509SKI tag, but only if the
subject key identifier extension (OID 2.5.29.14) is present in the certificate
*Added support for the BDEW transmission path change request message and the BDEW transmission path change confirm switch message
*Added support for AS4 messages that contain no payload; this is required because the BDEW profile defines special test messages that do not match the common AS4 definition
*Added additional error details for missing or misspelled attributes and node values in inbound SOAP data
*Added the possibility to generate a subject key identifier (SKI) extension in the key generator of the certificate manager.
This is required because the AS4 profiles BDEW 1.0 and ENTSOG 4.0 allow certificates to be identified by the X509SKI tag
*Added a fallback to single-part MIME processing for AS4 responses in the Java API
*Signature verification now accepts a trust chain sent with the root certificate first or with the root certificate last (compatibility issue)
*Certificate manager: display the signature algorithm and the name of the EC curve in the overview
*Added support for keys signed with SHA-512 RSA, SHA-512 RSA-PSS, SHA3-512 RSA and SHA3-512 RSA-PSS (key generation)
*The formerly file-based key/certificate management has been moved to the database. This results in less file I/O and more stable operation in cluster mode.
Read-only or access problems with keystore files no longer affect operations.
*Added the possibility to export a full keystore file from the certificate manager
*Added the possibility to import a full keystore file to the system at server start
*Removed several filesystem-based configuration checks regarding keystore files
*Removed several keystore file related server settings and configuration interfaces
*Reworked all AS4 profile presets; some AS4 profiles were missing settings
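The X509SKI items above (inbound key identification, the outbound RecipientKeyInfo rule tied to OID 2.5.29.14, and SKI generation in the key generator) all hinge on one certificate extension. The following is an added example, not mendelson code: it shows in pure Python what the X509SKI reference resolves to (RFC 5280 4.2.1.2 method 1, SHA-1 over the subjectPublicKey BIT STRING content) and how to check a certificate's Extensions SEQUENCE for OID 2.5.29.14 before emitting an X509SKI reference. A minimal DER encoder/walker stands in for an X.509 library so the block runs stand-alone; the 32-byte sample key is constructed and the function names are this example's own.

```python
"""Subject Key Identifier (OID 2.5.29.14) in pure Python.

Added example for these release notes, not mendelson code. A minimal DER
encoder/walker replaces an X.509 library so the block runs stand-alone;
the sample key bytes at the bottom are constructed.
"""
import hashlib

# DER encoding of OID 2.5.29.14: (2*40+5)=0x55, 29=0x1D, 14=0x0E
SKI_OID = bytes.fromhex("551d0e")
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19, a non-SKI neighbour


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV with a single-byte tag at pos -> (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def ski_from_public_key(subject_public_key: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method 1: SHA-1 over the subjectPublicKey BIT STRING
    content (raw key bytes, without tag, length or unused-bits octet)."""
    return hashlib.sha1(subject_public_key).digest()


def ski_extension(subject_public_key: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID 2.5.29.14,
                                extnValue OCTET STRING { OCTET STRING keyIdentifier } }"""
    inner = _tlv(0x04, ski_from_public_key(subject_public_key))
    return _tlv(0x30, _tlv(0x06, SKI_OID) + _tlv(0x04, inner))


def build_extensions(subject_public_key: bytes, with_ski: bool) -> bytes:
    """Constructed Extensions SEQUENCE: an empty basicConstraints plus, optionally, the SKI."""
    basic = _tlv(0x30, _tlv(0x06, BASIC_CONSTRAINTS_OID) + _tlv(0x04, _tlv(0x30, b"")))
    exts = basic + (ski_extension(subject_public_key) if with_ski else b"")
    return _tlv(0x30, exts)


def find_ski(extensions: bytes):
    """Return the keyIdentifier from an Extensions SEQUENCE, or None if OID
    2.5.29.14 is absent. This is the check to make before adding X509SKI."""
    tag, seq, _ = _read_tlv(extensions, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        etag, ext, pos = _read_tlv(seq, pos)
        if etag != 0x30:
            continue
        otag, oid, p = _read_tlv(ext, 0)
        if otag != 0x06 or oid != SKI_OID:
            continue
        vtag, value, p = _read_tlv(ext, p)
        if vtag == 0x01:                    # optional 'critical' BOOLEAN precedes extnValue
            vtag, value, p = _read_tlv(ext, p)
        if vtag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        _, key_id, _ = _read_tlv(value, 0)  # keyIdentifier is itself an OCTET STRING
        return key_id
    return None


if __name__ == "__main__":
    sample_key = bytes(range(32))            # constructed; stands in for a 32-byte X25519 key
    print(find_ski(build_extensions(sample_key, True)).hex())
    print(find_ski(build_extensions(sample_key, False)))
```

For a real certificate the same check is `openssl x509 -in cert.pem -noout -text` and looking for "X509v3 Subject Key Identifier"; a certificate without that block must be referenced by issuer/serial or the full certificate instead, which is exactly the fallback the outbound BDEW rule above implements.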
Fixes
*The wrong MGF (mask generation function) was used for outbound message encryption: the MGF configured for the signature was applied instead of the one configured for the encryption
*Fixed the problem "Comparison method violates its general contract" that occurred very rarely on internal certificate access
*Inbound ConversationId values were not ignored for the AS4 profile ICS2; see section "4.2.3.4" of the ICS2 Interface Control Document for details
*Inbound PULL signals on non-empty MPCs sometimes caused an OS path error
*The RefToMessageId field was set in outbound user messages even if the message was pulled; it has to be empty for pulled messages
*Fixed an issue in the Java API: the message send function tried to get data from a running AS4 server
instance, which does not exist if you are only using the library functionality
*Certificate manager: it was not possible to export private keys into an external PKCS#12 keystore if their algorithm was EC or
EdDSA; this is important for the usage profiles BDEW 1.0 and ENTSOG 4.0
*The PModes of a single partner are now sorted alphabetically in the client UI
*Fixed inbound SOAP parsing problems; BDEW path change messages were sometimes not detected correctly
*In ECDH-ES (BDEW 1.0, ENTSOG 4.0) a SecurityTokenReference did not point to the right element in the XML metadata structure.
Most partners tolerated this, but some systems rejected such messages
*Fixed a problem in the MIME parsing process for the content type "multipart/mixed"
*Importing a private key into the certificate manager did not check for an existing alias; if the alias
already existed, the import was silently skipped without any error message
*Fixed the very rare issue that the outbound connection entity was not repeatable.
The error message was "[NonRepeatableRequestException] Cannot retry request with a non-repeatable request entity"
3rd party software updates
*Update to Bouncy Castle 1.76 (crypto API)
*Update to Lucene 9.8.0 (indexing of system events)
*Update to MINA 2.2.3 (client-server interface)
*Update to HSQLDB 2.7.2
*Update to wss4j 3.0.1 (web service security for java)
*Update to Jetty 10.0.18 (embedded HTTP server)