Getting issue on revoke certificate test

[perneninag]

@aaron-kumar
Could you please give exact config settings to avoid below issue while testing AP with Testbed.

Received a transaction that was not supposed to be initiated from sending AP. During the SMP lookup, a certificate was used that is revoked. Your Access Point implementation must be able to identify a certificate as revoked and never proceed with a transaction towards an Access Point that uses a revoked certificate. Please adjust your implementation accordingly and restart the test case.

I am getting above error even I have configured below given options in config file.I have copied respective files into my conf folder also.

mode.default.security.validator = {
class: network.oxalis.vefa.peppol.security.util.DifiCertificateValidator
ALL: default
AP: AP
SMP: SMP
}

mode.TEST.security.pki = /pki/peppol-test.xml
mode.TEST.security.truststore.ap = /truststore/peppol-test-ap.jks
mode.TEST.security.truststore.smp = /truststore/peppol-test-smp.jks
mode.TEST.security.truststore.password = changeit

[aaron-kumar]

@perneninag: Below is the minimal configuration you required in "oxalis.conf"

oxalis.logging.config = logback.xml
oxalis.keystore {
    path="PXXXXXXXX.p12"
    password = "XXXXXXXXXXXXX"
    key.alias = XXXX
    key.password = "XXXXXXXXXXXXX"
}

If certificate is revoked, then you will get following error while sending message:

Testbed Result:

PS: Converting this is to discussion as it is Not an issue. Similar discussion happened in OxalisCommunity/oxalis#682

[karelkryda]

Well @aaron-kumar, it IS an issue...
The only thing we get from your side is a part of the configuration and a few screenshots. Is this something you tried during my issue or not? I absolutely do not understand why you do not make at least a minimal effort to help with your own software.
And NO, we are not going to buy your Oxalis membership for 3k a year just to get (who knows if) normal support and not just ridicule and instructions on how to do our job.

If you claim that Oxalis in its basic configuration can pass this test, explain to me why another person opened an issue saying that it doesn't happen. So explain to me what we are doing wrong when it works for you.

Thanks

[aaron-kumar]

@karelkryda Would you like to review below comment from @perneninag and perhaps consider updating your reaction based on multiple proofs?

[karelkryda]

No thanks, my opinion remains. Maybe it would be enough to say that specifying parameters breaks functionality rather than saying "do your homework"...

[aaron-kumar]

No further comment, as your wish !!!

[perneninag]

@aaron-kumar
I am using same basic configuration but still getting same error. I am using standalone jar file compiled from oxalis-ng code that was deployed recently. Help me to set anything else while running the command.
/home/ec2-user/jdk11/bin/java -jar oxalis-ng-standalone.jar -f TestFile_002__Invoice.xml -r 9922:NGTBCNTRLP1001 -s 0060:POP000000 -cert peppol_ap.cer

I will surely join community, not only for this support but to sync with continuous updates related to Peppol world.

[aaron-kumar]

@perneninag the issue lies with the command.

Do NOT specify parameters like certificate (-cert), sender (-s) and receiver (-r) in the command. These parameters are only needed for point-to-point communication (locally).

In your case, you are specifying the certificate via the -cert parameter ("peppol_ap.cer") rather than retrieving it from SMP. This approach is incorrect for both testbed and production environments. As a result, even though the certificate has been revoked in SMP, your test isn't failing because you're overriding it with a valid certificate ("peppol_ap.cer").

Once you stop overriding the certificate, the OpenPeppol test with the revoked certificate will fail as expected, thus meeting the required condition.

Oxalis automatically reads the sender (-s) and receiver (-r) parameters from the SBDH, and the certificate (-cert) from SMP. Therefore, the correct command should be

/home/ec2-user/jdk11/bin/java -cp "/home/ec2-user/oxalis-ng-distribution-0.1.0-alpha-distro/bin/*" network.oxalis.ng.Main -f TestFile_002__Invoice.xml 

Also, do Not modify the "TestFile_002__Invoice.xml" that you downloaded as part of "ZIP-package" from www.testbed.peppol.org it contains SBDH, so use it "as-is".

Note from OpenPeppol - "Here is a prepared ZIP-package, download it locally and extract its contents. It contains one or more files that are ready to be sent by your Access Point implementation. Please send them in the same sequence as their naming suggests and be observant of any error that would occur. Do not manipulate the files in any way before sending them, otherwise the Test Bed might experience problem correlating them appropriately."

[perneninag]

@aaron-kumar
Thanks a lot Mr. Aaron. It is perfectly working fine. Such a simple logic gives us work done in easy way.
I have removed sender (-s), receiver (-r) and certificate (-cert) command line arguments and verified it is working fine.

Now I realized, you have given all required config options in respective modules and just expecting simple config option like below to make our testing process very easier. Thank you so much :)

BTW command and config that was used as below

/home/ec2-user/jdk11/bin/java -jar oxalis-ng-standalone.jar -f TestFile_001__Invoice.xml

oxalis.conf:

oxalis.logging.config = logback.xml
oxalis.keystore {
# Relative to OXALIS_HOME
path = oxalis-keystore.jks
password = XXXX
key.alias = cert
key.password = XXXX
}

[aaron-kumar]

@perneninag Happy to help!!!

You can use either java -jar ... or java -cp ... both will work fine. Your command java -jar ... is working fine because Main class (network.oxalis.ng.Main) is defined in POM of oxalis-ng-standalone. So multiple way to do same thing...

Welcome to the list of Certified Access point Provider (or very soon, you will be...) . Christmas Gift :)