I'm trying to set up a new partnership with 1.1b29 and TibCo Business Connect and getting the output below (sanitized) when they try to send to me:
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: Incoming transmission is a AS2 message, raw message size: 259.66 KB.
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: AS2 message is encrypted.
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: To decrypt the data a key with the following parameter is required:
X509CertSelector: [
Serial Number: 123509864848763426142813845052203930377
Issuer: CN=prodca01,DC=us,DC=wan
matchAllSubjectAltNames flag: true
]
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: A key with the following parameter is used to decrypt the data (alias "transfertest"):
X509CertSelector: [
Serial Number: 93375581595419736539204
Issuer: CN=prodca01,DC=us,DC=wan
matchAllSubjectAltNames flag: true
]
[Jul 1, 2010 11:53:39 AM] mendelson_opensource_AS2-1277999619713-2@transfertest.us.com_TradingPartnerServerEZComm-test: Outgoing MDN has been signed with the algorithm "SHA1".
[Jul 1, 2010 11:53:39 AM] mendelson_opensource_AS2-1277999619713-2@transfertest.us.com_TradingPartnerServerEZComm-test: MDN created, state set to [processed/error: authentication-failed].
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com:
MDN details:
--------------
Error decrypting the message: Recipient certificate does not match.
--------------
[Jul 1, 2010 11:53:39 AM] mendelson_opensource_AS2-1277999619713-2@transfertest.us.com_TradingPartnerServerEZComm-test: Synchronous MDN sent as answer to message 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com.
[Jul 1, 2010 11:53:40 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: A transaction error notification mail has been sent to tcontact@us.com.
First, note that I *do not* know the URL to send the MDN to them (we seem to have a communication problem), so I expect errors there.
What's confusing me is that neither of the serial numbers listed in the output correspond to any of the serial numbers of any of the certificates involved in this process. I also don't understand why there are two similar lines talking about decrypting data with two different keys.
Can anyone shed some light on it?
Thanks,
Chaz
Chaz,
please update to build 31.
The important lines are the following:
To decrypt the data a key with the following parameter is required:
X509CertSelector: [
Serial Number: 123509864848763426142813845052203930377
Issuer: CN=prodca01,DC=us,DC=wan
matchAllSubjectAltNames flag: true
]
[Jul 1, 2010 11:53:39 AM] 8082270.1278000122756.JavaMail.rptib@turner2.bas.them.com: A key with the following parameter is used to decrypt the data (alias "transfertest"):
X509CertSelector: [
Serial Number: 93375581595419736539204
Issuer: CN=prodca01,DC=us,DC=wan
matchAllSubjectAltNames flag: true
]
There is another key required to decrypt the data than the one you configured.
You configured as decryption key the key with the serial number:
123509864848763426142813845052203930377
But required for the decryption is the key:
93375581595419736539204
Some programs may show these serial numbers in hex.
Even if the issuer of both these keys is the same, these are two different keys.
Regards
Heller
Ah! The decimal vs. hex thing makes a big difference!
It seems that the sender was using the wrong certificate for encryption and they've rectified that. Now I'm getting much the same situation with the signatures:
===============================================
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: Incoming transmission is a AS2 message, raw message size: 305.32 KB.
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: AS2 message is encrypted.
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: The data has been decrypted using the key "transfertest".
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: AS2 message is signed.
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: The sender used the algorithm SHA1 to sign the message.
[Jul 1, 2010 3:42:14 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: Using certificate "elytis2.bas.them.com (them enterprise ca 1)" to verify signature.
[Jul 1, 2010 3:42:15 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: Verification of digital signature failed (Verification failed
Signature certificate information:
Serial number (dec): 412558075463841778698631
Issuer: CN=them Enterprise CA 1,DC=them,DC=com
Verification certificate information:
Serial number (dec): 78558951334978222083817
Issuer: CN=them Enterprise CA 1, DC=them, DC=com).
[Jul 1, 2010 3:42:15 PM] mendelson_opensource_AS2-1278013335247-12@transfertest.us.com_TradingPartnerServerEZComm-test: Outgoing MDN has not been signed.
[Jul 1, 2010 3:42:15 PM] mendelson_opensource_AS2-1278013335247-12@transfertest.us.com_TradingPartnerServerEZComm-test: MDN created, state set to [processed/error: authentication-failed].
[Jul 1, 2010 3:42:15 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com:
MDN details:
--------------
Error verifying the senders digital signature: Verification failed
Signature certificate information:
Serial number (dec): 412558075463841778698631
Issuer: CN=them Enterprise CA 1,DC=them,DC=com
Verification certificate information:
Serial number (dec): 78558951334978222083817
Issuer: CN=them Enterprise CA 1, DC=them, DC=com.
--------------
[Jul 1, 2010 3:42:15 PM] mendelson_opensource_AS2-1278013335247-12@transfertest.us.com_TradingPartnerServerEZComm-test: Synchronous MDN sent as answer to message 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com.
[Jul 1, 2010 3:42:15 PM] 16945600.1278013839089.JavaMail.rptib@turner2.bas.them.com: A transaction error notification mail has been sent to tcontact@us.com.
===============================================
78558951334978222083817 is the certificate they gave to us. 412558075463841778698631 is unknown. As soon as they start signing with a cert we recognize, I think we'll be good to go.
BTW, I'd love to update to b31 . . . as soon as I catch my breath ; }
+++++++++++++++++++++
EDIT: They fixed the signing cert and all's well.
+++++++++++++++++++++
Thanks,
Chaz
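Both failures in this thread (the decryption key in Heller's reply and the signing certificate in the follow-up) come down to comparing certificate serial numbers that different tools print in different bases: mendelson logs them in decimal, while OpenSSL and most certificate viewers show colon-separated hex. The helper below is an added example, not code from the thread or from mendelson; SAMPLE_LOG is constructed from the serial lines quoted in the first post, and the function and key names are assumptions.

```python
import re

# Constructed excerpt modelled on the first post's log: the serial the message
# requires comes first, the locally configured key (alias "transfertest") second.
SAMPLE_LOG = """\
To decrypt the data a key with the following parameter is required:
X509CertSelector: [
Serial Number: 123509864848763426142813845052203930377
]
A key with the following parameter is used to decrypt the data (alias "transfertest"):
X509CertSelector: [
Serial Number: 93375581595419736539204
]
"""

# Matches both "Serial Number:" (X509CertSelector) and "Serial number (dec):" lines.
SERIAL_RE = re.compile(r"Serial [Nn]umber(?: \(dec\))?:\s*([0-9A-Fa-f:]+)")

def normalize_serial(serial: str, base=None) -> str:
    """Canonical lowercase hex (no colons, no leading zeros) for a serial printed in
    decimal (mendelson), plain hex, or OpenSSL-style colon-separated hex.
    An all-digit string with no colons or 0x prefix is ambiguous: pass base= if known."""
    raw = serial.strip().lower()
    digits = raw.replace(":", "").removeprefix("0x")
    if base is None:
        looks_hex = ":" in raw or raw.startswith("0x") or any(c in "abcdef" for c in digits)
        base = 16 if looks_hex else 10
    return format(int(digits, base), "x")

def to_openssl_hex(serial: str) -> str:
    """Render a serial as `openssl x509 -text` does: whole bytes, colon separated, upper case."""
    h = normalize_serial(serial)
    h = h.rjust(len(h) + len(h) % 2, "0")
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2)).upper()

def serials_match(a: str, b: str) -> bool:
    """True when two serials denote the same number, whatever base/format they came in."""
    return normalize_serial(a) == normalize_serial(b)

def extract_serials(log: str) -> list:
    """Serial numbers in the order they appear in a mendelson log excerpt."""
    return SERIAL_RE.findall(log)

def diagnose(log: str) -> dict:
    """First serial = certificate named in the incoming message (recipient cert for
    decryption, signer cert for signatures); second = the local one mendelson picked."""
    in_message, configured = extract_serials(log)[:2]
    return {"in_message_hex": to_openssl_hex(in_message),
            "configured_hex": to_openssl_hex(configured),
            "match": serials_match(in_message, configured)}
```

Paste the hex values from diagnose() next to the partner's `openssl x509 -noout -serial` output to see at a glance which certificate they actually encrypted or signed with.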