
We are trying to send an encrypted EDI (Electronic Data Interchange) string along with a digital signature in the form of S/MIME to the Canada Border Services Agency, but we get an error every time we try a different approach. The S/MIME request payload we are sending is:


Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1;
                boundary="----=_Part_0_1964847681.1577187780616"
------=_Part_0_1964847681.1577187780616
Content-Type: application/edi-edifact
Content-Length: 881 

UNA:+.?'
UNB+UNOA:3+KAGATEWAY:CBSANETWORKID+191017:0930+REF12345'UNG+CUSDEC+ +IIDT+191017:0930+GREF12345+UN+D:13A:IID'
UNH+MREF12345+GOVCBR:D:13A:UN:IID'
BGM+929+119081234567X+9'
DTM+132:CCYYMMDDHHMMZZZ:303'MOA+134:10000:CAD'
RFF+CN:WXYZ12345678987654321'
GOR++5'LOC+23+0809+3470'
NAD+IM+868929415RM0001++ INC+6955 AVE+NEWARK+CA+94560+US'UNS+D'
SEQ+1'NAD+VN+++ZOY HOME FURNISHING CO+BUILDING 2-5:TANGPU INDUSTRIAL PARK+DIPU,ANJI+ZJ+313301+CN'
NAD+UC+868929415RM0001++ CAN+123 +VANCOUVERBC+V5K1A5+CA'LOC+35+CN'
DTM+757:20191001:102'DOC+380+98027209'SEQ+1'DTM+3:20190901:102'MOA+39:10000CAD'MEA+AAE+AAB+KGM:5000'QTY+47:180:H87'LIN+1'NAD+MF+++ZOY HOME CO+BUILDING 2-5: INDUSTRIAL PARK+DIPU,ANJI+ZJ+313301+CN'
LOC+27+CN'PAC+180+3+BX'SEQ+1'GID+1'
IMD++8+:::METAL +AAE+ABS+KGM:4500'MOA+66:10000CAD'TCC+++9401791000:HS'CNT+51:180:EA'SEQ+1'HYN+3'UNS+S'UNT+20+MREF12345'UNE+1+GREF12345'UNZ+1+REF12345'

------=_Part_0_1964847681.1577187780616
Content-Type: application/pkcs7-signature
Content-Transfer-Encoding: base64
Content-Length: 1640

[PKCS#7 signature bytes; the page does not preserve them legibly]
------=_Part_0_1964847681.1577187780616--

The exception is: Response code : 400

Response Message : Bad Request

Error Message :

400 BAD REQUEST

Your transaction <<393BDE.000003.00179@yourhost.yourcompany.com>> could not be processed due to the following error(s):

java.io.IOException: Unexpected response code received from servlet: 400

EERROR 2207:Smime does not conains 2 body parts

END: Communication with servlet

            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)--

If anyone has worked with CBSA, Entrust or EDI, please help; we are stuck. Any help related to the S/MIME exception would also be really helpful.

The code I am using is:


// imports needed by the fragment below
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import javax.mail.internet.InternetHeaders;
import javax.mail.internet.MimeMultipart;
import javax.mail.internet.MimeUtility;

            // Fragment from a larger method: testMessage (the EDIFACT string) and the Entrust
            // toolkit classes SMimeBodyPart / MyMimEMultipart are defined elsewhere.
            // PropUtil.getBooleanSystemProperty only READS the property; to make JavaMail ignore a
            // boundary parameter that is already present, the property has to be set before the
            // multipart is constructed.
            System.setProperty("mail.mime.multipart.ignoreexistingboundaryparameter", "true");
            MimeMultipart mimeMultipart = new MyMimEMultipart("signed");

            // First body part: the EDIFACT data. ISO 646 text is already 7-bit, so the "7bit"
            // encoding leaves the bytes untouched (MimeUtility.encode returns the same stream).
            ByteArrayOutputStream fout = new ByteArrayOutputStream();
            fout.write(testMessage.getBytes(StandardCharsets.US_ASCII));
            ByteArrayOutputStream encoded = (ByteArrayOutputStream) MimeUtility.encode(fout, "7bit");
            byte[] gg = encoded.toByteArray();

            InternetHeaders internetHeaders = new InternetHeaders();
            internetHeaders.addHeader("Content-Type", "application/edi-edifact");
            internetHeaders.addHeader("Content-Length", String.valueOf(gg.length));
            // RFC 2045 token is "7bit" (no hyphen); "7-bit" is not a recognised encoding
            internetHeaders.addHeader("Content-Transfer-Encoding", "7bit");

            SMimeBodyPart newthing = new SMimeBodyPart(internetHeaders, gg);
            ByteArrayOutputStream consoleStream = new ByteArrayOutputStream();
            newthing.writeTo(consoleStream);

            // Dump the serialised part to disk for inspection (try-with-resources closes the file)
            try (FileOutputStream f = new FileOutputStream(
                    "/Users/lakshyakumarsingh/Documents/kx-github/kn-cbsaproxy/src/main/resources/test1_decode.txt")) {
                f.write(consoleStream.toByteArray());
            }

            mimeMultipart.setSubType("signed");
            // The preamble is written BEFORE the first boundary, i.e. it ends up as body text,
            // not as a header; the multipart/signed Content-Type belongs on the enclosing HTTP
            // request, and its boundary has to match the one the multipart actually emits.
            mimeMultipart.setPreamble(
                    "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; \n" +
                    "\tboundary=\"----=_Part_0_1964847681.1577187780616\"");

            mimeMultipart.addBodyPart(newthing);

            // Second body part: the detached CMS signature. The payload above carries it
            // base64-encoded, so the transfer encoding must say base64, not binary.
            SMimeBodyPart mbp2 = new SMimeBodyPart();
            mbp2.addHeader("Content-Type", "application/pkcs7-signature");
            mbp2.addHeader("Content-Transfer-Encoding", "base64");
            // (fragment ends here; the signature content is set and mbp2 added after this point)

  • The boundary indicated in the header doesn't seem to be the boundary marker you're actually using. – Iridium Jan 01 '20 at 15:33
  • @Iridium yeah It was old...my mistake....I edited it....Still doesn't work – user7786905 Jan 01 '20 at 16:42
  • @Iridium+ and each part-header should not have any blank/empty line except (exactly) one at its end, and the main content-type header should all be one line (preferred) or else consecutive lines (no blank/empty lines) with each continuation line beginning with space. Those are basic MIME, not related to SMIME or CBSA at all; see the RFCs or wikipedia. In addition, your signature part is clearly wrong; no signature in binary (which is not recommended, using base64 here is better) would just happen to be EDI text -- although that should/will give a quite different error. – dave_thompson_085 Jan 01 '20 at 16:51
  • @dave_thompson_085 Actually I have already tried different indentations and spacing as mentioned by you; it still didn't work. Although I am stuck on encoding the signature part. You are right that I have to use binary encoding for the signature. Can you suggest any Java library to do so (I tried Base64 already)? Also I need to encode the EDI string as 7-bit. Can you point out any Java libraries that can do both? – user7786905 Jan 01 '20 at 17:04
  • 'tried different' is very vague, but when the website responds 'unable to parse [as] multipart' whatever you did was wrong. The format shown in rfc3851 3.4.3.3 is right. EDI is (normally) ISO 646 which is already a 7-bit code, and your example definitely is. Base64 is builtin to all java(se) versions from 8 up; see the javadoc for `java.util.Base64` in your IDE. But the problem with your signature is not only the encoding; as I said, the value is clearly wrong (and even the wrong size, BTW; a PKCS7/CMS detached signature won't be 128 bytes). – dave_thompson_085 Jan 04 '20 at 02:07
  • @dave_thompson_085 I edited the signature part... As you can see it now looks like a digital signature. For the signature what I am doing is generating the hash of the EDI and then encrypting it. P.S. It still doesn't work. Can you please help? – user7786905 Jan 07 '20 at 06:09
  • Digital signature is NOT 'encrypting' a hash; this is a widely repeated mistake that was originated in the early days of RSA and was corrected in the 1990s. I can't fully check because a website like SO doesn't preserve binary data, but the body of the signature part now looks plausible. But you aren't specifying its content-type, and the _MIME_ headers are still wrong. Did you look at 3851? – dave_thompson_085 Jan 07 '20 at 10:39
  • @dave_thompson_085 I updated the headers and still no response. But the exception now is "unable to extract first body part of decrypted data". Regarding the signature, now I am using the built-in classes of the Entrust toolkit. Please see the payload and exception I edited. I think the S/MIME structure looks promising. Please help – user7786905 Jan 08 '20 at 09:35
  • @dave_thompson can you pm me? – user7786905 Jan 09 '20 at 07:13
  • You've apparently fixed the outer header, but if you have empty/blank lines as shown your _inner_ (part) headers are still wrong, which would explain the new error about 'extract first body part'. Meta: it is better to use 'code' formatting for data like this where exact layout matters. even though it isn't code -- note the editor help page calls it 'code and preformatted text'. Your first-part content-length value is wrong, although I'm not sure that matters in multipart. Your second part is now actually base64, but modulo the incorrect blank lines is wrongly stated to be binary. ... – dave_thompson_085 Jan 09 '20 at 16:42
  • ... More substantively, (after base64 decoding) it is not a CMS (detached) signature as it should be and is claimed to be; it is actually an X.509v3 _certificate_. While CMS signatures _use_ -- and normally _include_ -- such a certificate, the signature is a different thing from the certificate. No, I don't PM; Stack is justified largely on the basis that it helps _everybody_ who is interested and comes here via search, not just one person for free. It would probably help if you show your code, at least if you can extract the relevant part(s) to a reasonably minimal reproducer. – dave_thompson_085 Jan 09 '20 at 16:48
  • @dave_thompson_085 I used the code format and the edited payload is the S/MIME I'm sending. Regarding the signature, do I have to use a CMS-type signature? Is that what you are saying? Nevertheless, according to the exception I'm getting, the signature doesn't play a role in this, right? As per your comments, I edited the S/MIME correctly and the only thing left might be the signature. – user7786905 Jan 12 '20 at 05:33
  • If exception still says 'first bodypart' that certainly should be the data part, which does now look correct to me, at least assuming it is terminated by a single nongraphic byte e.g. LF. Do you have or can you get a known-good (working) example to compare? For the _second_ part you should (1) put back the CTE header specifying base64 (as the example in 3851 does) and (2) yes, the content should be a CMS detached signature not (just) a certificate -- or more formally a CMS SignedData object with eContent omitted, as described in steps 2,4,5 of section 3.4.3.2 of 3851. – dave_thompson_085 Jan 13 '20 at 03:24
  • @dave_thompson_085 I edited the EDI... added new lines... The exception changed: "mime multipart does not contain two body parts". I think the problem now lies in the signature... But I am generating a CMS signature using Bouncy Castle now, so why is it still giving the exception? – user7786905 Jan 14 '20 at 07:11
  • But the signature comes after... According to the exception, it cannot find the 2nd body part – user7786905 Jan 14 '20 at 10:48
  • Also... I have to use RFC 1847 and RFC 1521 mentioned to us by CBSA – user7786905 Jan 14 '20 at 11:41
  • I never suggested putting linebreaks in the EDI data; EDI broadly varies on using linebreaks but EDIFACT does not AFAIK. But if you do add them they change your content length to 893 if single-byte (LF) or 906 if double-byte (CRLF). OTOH linebreaks both beginning (or before?) and ending the `--boundary` lines ARE required and must be CRLF (not just LF) -- are they? If server can't even find the second part then it isn't even trying to look at the signature yet, but the data you posted still has the second part containing a certificate, not a signature. ... – dave_thompson_085 Jan 15 '20 at 01:23
  • ... Both 1521 and 1847 have been superseded and replaced (the latter multiple times) but the current standards are intentionally backwards compatible. Complying _correctly_ with the multipart aka clearsigned option in 3851 does comply with both of those. – dave_thompson_085 Jan 15 '20 at 01:23
  • @dave_thompson_085 I edited the signature but the exception still remains, that is: smime does not contain 2 body parts. Regarding CRLF, actually I'm modifying the S/MIME content-type method to make my own boundary. And in these Java libraries, I can't find any line-break functions. So can you suggest something in Java? – user7786905 Jan 15 '20 at 17:18
  • For the EDI length, I even hardcoded the content length to check but still no luck. I used "\r\n" as well. I'm attaching a short code snippet. If you want I can show some more code. – user7786905 Jan 15 '20 at 17:19
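The structural checks dave_thompson_085 walks through in the comments (exactly two body parts, boundary lines terminated by CRLF, a base64 transfer encoding on the signature part, and a CMS SignedData object rather than a bare X.509 certificate in it), written up as an added offline diagnostic in Python; this is not code from the question, from Entrust or from CBSA. The boundary, the EDIFACT stub and the two DER stubs are constructed sample values, and the DER check looks only at the outer structure, not at the signature's validity.

```python
import base64

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # id-signedData 1.2.840.113549.1.7.2
BOUNDARY = "----=_Part_0_example"                       # constructed boundary
EDI = b"UNA:+.?'UNB+UNOA:3+SENDER:RECEIVER+191017:0930+REF1'UNZ+1+REF1'"  # constructed stub
CMS_STUB = bytes.fromhex("300b06092a864886f70d010702")  # constructed: ContentInfo opening only
CERT_STUB = bytes.fromhex("3005300302010a")            # constructed: SEQUENCE{SEQUENCE{INTEGER}}

def split_signed(raw, boundary):
    """Split on `--boundary` lines; RFC 2046 makes the CRLF before each one part of the delimiter."""
    bnd = b"--" + boundary.encode()
    body = (b"\r\n" + raw) if raw.startswith(bnd) else raw   # first delimiter may open the body
    parts = []
    for chunk in body.split(b"\r\n" + bnd)[1:]:
        if chunk.startswith(b"--"):                          # closing delimiter reached
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("boundary line must end in CRLF, not bare LF")
        parts.append(chunk[2:])
    return parts

def classify_der(der):
    """SignedData ContentInfo opens SEQUENCE{OID ...}; a certificate opens SEQUENCE{SEQUENCE ...}."""
    if len(der) < 2 or der[0] != 0x30:
        return "not-der-sequence"
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)          # skip the outer length field
    if i + 1 >= len(der):
        return "truncated"
    if der[i] == 0x06 and der[i + 2:i + 2 + der[i + 1]] == SIGNED_DATA_OID:
        return "cms-signed-data"
    return "x509-certificate" if der[i] == 0x30 else "unknown"

def check_payload(raw, boundary):
    """Report the part count and, for the signature part, its CTE and what the decoded bytes are."""
    parts = split_signed(raw, boundary)
    report = {"parts": len(parts)}
    if len(parts) == 2:
        head, _, body = parts[1].partition(b"\r\n\r\n")      # exactly one blank line ends the header
        hdrs = dict((k.strip().lower(), v.strip()) for k, _, v in
                    (ln.partition(":") for ln in head.decode("ascii").split("\r\n")))
        report["sig_type"] = hdrs.get("content-type")
        report["sig_cte"] = hdrs.get("content-transfer-encoding")
        der = base64.b64decode(body) if report["sig_cte"] == "base64" else body
        report["sig_payload"] = classify_der(der)
    return report

def build(sig_der, eol=b"\r\n"):   # assemble a two-part multipart/signed body (constructed sample)
    b = b"--" + BOUNDARY.encode()
    return eol.join([b, b"Content-Type: application/edi-edifact", b"", EDI, b,
                     b"Content-Type: application/pkcs7-signature", b"Content-Transfer-Encoding: base64",
                     b"", base64.b64encode(sig_der), b + b"--", b""])
```

Running `check_payload(build(CMS_STUB), BOUNDARY)` reports two parts and a CMS payload; the same body assembled with bare LF line endings, or with a certificate in the second part, reproduces the two mistakes discussed above.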

0 Answers