fix(letter): hash DER certificate in INI/HIA letters for EBICS 3.0

The letters printed the SHA-256 of the public key by default, but the
INI/HIA requests always transmit the X.509 certificate. Under H005 the
letter must carry the SHA-256 of the DER-encoded certificate (spec
4.4.1.2.3), which the bank verifies against the request — the public-key
hash failed bank-side verification

fixes #49

Author: uwemaurer

src/main/java/org/kopi/ebics/client/Bank.java

@@ -42,13 +42,11 @@ public class Bank implements EbicsBank, Savable {
    * @param url the bank URL
    * @param name the bank name
    * @param hostId the bank host ID
-   * @param useCertificate does the bank use certificates for exchange ?
    */
-  public Bank(URL url, String name, String hostId, boolean useCertificate) {
+  public Bank(URL url, String name, String hostId) {
     this.url = url;
     this.name = name;
     this.hostId = hostId;
-    this.useCertificate = useCertificate;
     needSave = true;
   }
 
@@ -127,17 +125,6 @@ public String getName() {
     return name;
   }
 
-    @Override
-    public boolean useCertificate() {
-      return useCertificate;
-    }
-
-    @Override
-    public void setUseCertificate(boolean useCertificate) {
-        this.useCertificate = useCertificate;
-        needSave = true;
-    }
-
   @Override
   public void setBankKeys(RSAPublicKey e002Key, RSAPublicKey x002Key) {
     this.e002Key = e002Key;
@@ -172,12 +159,6 @@ public String getSaveName() {
    * @serial
    */
   private final String		hostId;
-  
-  /**
-   * Does the bank use certificates for signing/crypting ?
-   * @serial
-   */
-  private boolean               useCertificate;
 
   /**
    * The bank name

src/main/java/org/kopi/ebics/client/EbicsClient.java

@@ -135,12 +135,10 @@ public void createUserDirectories(EbicsUser user) {
      *            the bank name
      * @param hostId
      *            the bank host ID
-     * @param useCertificate
-     *            does the bank use certificates ?
      * @return the created ebics bank
      */
-    private Bank createBank(URL url, String name, String hostId, boolean useCertificate) {
-        Bank bank = new Bank(url, name, hostId, useCertificate);
+    private Bank createBank(URL url, String name, String hostId) {
+        Bank bank = new Bank(url, name, hostId);
         banks.put(hostId, bank);
         return bank;
     }
@@ -180,8 +178,6 @@ private Partner createPartner(EbicsBank bank, String partnerId) {
      *            the user country
      * @param organization
      *            the user organization or company
-     * @param useCertificates
-     *            does the bank use certificates ?
      * @param saveCertificates
      *            save generated certificates?
      * @param passwordCallback
@@ -192,11 +188,11 @@ private Partner createPartner(EbicsBank bank, String partnerId) {
      */
     public User createUser(URL url, String bankName, String hostId, String partnerId,
         String userId, String name, String email, String country, String organization,
-        boolean useCertificates, boolean saveCertificates, PasswordCallback passwordCallback)
+        boolean saveCertificates, PasswordCallback passwordCallback)
         throws Exception {
         log.info(messages.getString("user.create.info", userId));
 
-        Bank bank = createBank(url, bankName, hostId, useCertificates);
+        Bank bank = createBank(url, bankName, hostId);
         Partner partner = createPartner(bank, partnerId);
         try {
             User user = new User(partner, userId, name, email, country, organization,
@@ -208,7 +204,7 @@ public User createUser(URL url, String bankName, String hostId, String partnerId
             configuration.getSerializationManager().serialize(bank);
             configuration.getSerializationManager().serialize(partner);
             configuration.getSerializationManager().serialize(user);
-            createLetters(user, useCertificates);
+            createLetters(user);
             users.put(userId, user);
             partners.put(partner.getPartnerId(), partner);
             banks.put(bank.getHostId(), bank);
@@ -221,9 +217,8 @@ public User createUser(URL url, String bankName, String hostId, String partnerId
         }
     }
 
-    private void createLetters(EbicsUser user, boolean useCertificates)
+    private void createLetters(EbicsUser user)
         throws GeneralSecurityException, IOException, EbicsException {
-        user.getPartner().getBank().setUseCertificate(useCertificates);
         LetterManager letterManager = configuration.getLetterManager();
         List<InitLetter> letters = List.of(letterManager.createA005Letter(user),
             letterManager.createE002Letter(user), letterManager.createX002Letter(user));
@@ -512,10 +507,9 @@ private User createUser(ConfigProperties properties, PasswordCallback pwdHandler
         String userEmail = properties.get("user.email");
         String userCountry = properties.get("user.country");
         String userOrg = properties.get("user.org");
-        boolean useCertificates = false;
         boolean saveCertificates = true;
         return createUser(new URL(bankUrl), bankName, hostId, partnerId, userId, userName, userEmail,
-            userCountry, userOrg, useCertificates, saveCertificates, pwdHandler);
+            userCountry, userOrg, saveCertificates, pwdHandler);
     }
 
     private static CommandLine parseArguments(Options options, String[] args)
@@ -640,7 +634,7 @@ public static void main(String[] args) throws Exception {
         }
 
         if (cmd.hasOption("letters")) {
-            client.createLetters(client.defaultUser, false);
+            client.createLetters(client.defaultUser);
         }
 
         if (hasOption(cmd, OrderType.INI)) {

src/main/java/org/kopi/ebics/client/ParameterizedEbicsClientLauncher.java

@@ -99,7 +99,6 @@ public static void main(String[] args) throws Exception {
                 env("EBICS_USER_EMAIL", userId + "@example.invalid"),
                 env("EBICS_USER_COUNTRY", countryCode),
                 env("EBICS_USER_ORGANIZATION", "EBICS"),
-                resolveUseCertificate(),
                 true,
                 passwordCallback
             );
@@ -224,15 +223,6 @@ private static Properties buildConfigurationProperties(
         return properties;
     }
 
-    private static boolean resolveUseCertificate() {
-        String explicit = normalize(System.getenv("EBICS_USE_CERTIFICATE"));
-        if (explicit != null) {
-            return "true".equalsIgnoreCase(explicit);
-        }
-        String signatureVersion = env("EBICS_SIGNATURE_VERSION", "A005");
-        return "A006".equalsIgnoreCase(signatureVersion);
-    }
-
     private static void ensureLoadedUserMatchesConfiguredEndpoint(
         User user,
         String configuredBankUrl,

src/main/java/org/kopi/ebics/interfaces/EbicsBank.java

@@ -35,16 +35,6 @@ public interface EbicsBank extends Serializable {
    */
   URL getURL();
 
-  /**
-   * 
-   */
-  boolean useCertificate();
-  
-  /**
-   * 
-   */
-  void setUseCertificate(boolean useCertificate);
-  
   /**
    * Returns the encryption key digest you have obtained from the bank.
    * Ensure that nobody was able to modify the digest on its way from the bank to you.

src/main/java/org/kopi/ebics/letter/A005Letter.java

@@ -45,29 +45,19 @@ public A005Letter(Locale locale) {
 
     @Override
     public void create(EbicsUser user) throws GeneralSecurityException, IOException, EbicsException {
-        if (user.getPartner().getBank().useCertificate()) {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("INILetter.version"),
-                    getString("INILetter.certificate"),
-                    Base64.encodeBase64(user.getA005Certificate(), true),
-                    getString("INILetter.digest"),
-                    getHash(user.getA005Certificate()));
-        } else {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("INILetter.version"),
-                    getString("INILetter.certificate"),
-                    null,
-                    getString("INILetter.digest"),
-                    getHash(user.getA005PublicKey()));
-        }
+        // EBICS 3.0 (H005): the INI letter must carry the SHA-256 hash of the
+        // DER-encoded signature certificate (spec ch. 4.4.1.2.3), matching the
+        // X.509 certificate transmitted in the INI request.
+        build(user.getPartner().getBank().getHostId(),
+                user.getPartner().getBank().getName(),
+                user.getUserId(),
+                user.getName(),
+                user.getPartner().getPartnerId(),
+                getString("INILetter.version"),
+                getString("INILetter.certificate"),
+                Base64.encodeBase64(user.getA005Certificate(), true),
+                getString("INILetter.digest"),
+                getHash(user.getA005Certificate()));
     }
 
   @Override

src/main/java/org/kopi/ebics/letter/AbstractInitLetter.java

@@ -23,16 +23,13 @@
 import java.io.OutputStream;
 import java.io.PrintWriter;
 import java.io.Writer;
-import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
 import java.security.MessageDigest;
-import java.security.interfaces.RSAPublicKey;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Locale;
 
 import org.apache.commons.codec.binary.Hex;
-import org.kopi.ebics.exception.EbicsException;
 import org.kopi.ebics.interfaces.InitLetter;
 import org.kopi.ebics.messages.Messages;
 
@@ -100,8 +97,8 @@ protected String getString(String key) {
   }
 
   /**
-   * Returns the certificate hash
-   * @param certificate the certificate
+   * Returns the SHA-256 hash of the DER-encoded certificate.
+   * @param certificate the DER-encoded certificate
    * @return the certificate hash
    * @throws GeneralSecurityException
    */
@@ -111,36 +108,6 @@ protected byte[] getHash(byte[] certificate) throws GeneralSecurityException {
     return format(hash256).getBytes();
   }
 
-    protected byte[] getHash(RSAPublicKey publicKey) throws EbicsException {
-        String			modulus;
-        String			exponent;
-        String			hash;
-        byte[]			digest;
-
-        exponent = Hex.encodeHexString(publicKey.getPublicExponent().toByteArray());
-        modulus =  Hex.encodeHexString(removeFirstByte(publicKey.getModulus().toByteArray()));
-        hash = exponent + " " + modulus;
-
-        if (hash.charAt(0) == '0') {
-          hash = hash.substring(1);
-        }
-
-        try {
-          digest = MessageDigest.getInstance("SHA-256", "BC").digest(hash.getBytes(
-              StandardCharsets.US_ASCII));
-        } catch (GeneralSecurityException e) {
-          throw new EbicsException(e.getMessage());
-        }
-
-        return format(new String(Hex.encodeHex(digest, false))).getBytes();
-    }
-
-    private static byte[] removeFirstByte(byte[] byteArray) {
-        byte[] b = new byte[byteArray.length - 1];
-        System.arraycopy(byteArray, 1, b, 0, b.length);
-        return b;
-    }
-
   /**
    * Formats a hash 256 input.
    * @param hash256 the hash input
@@ -215,9 +182,9 @@ public void build(String certTitle,
       out = new ByteArrayOutputStream();
       writer = new PrintWriter(out, true);
       buildTitle();
-      buildHeader();
-      if (certificate != null) {
-        buildCertificate(certTitle, certificate);
+      buildHeader();
+      if (certificate != null) {
+        buildCertificate(certTitle, certificate);
       }
       buildHash(hashTitle, hash);
       buildFooter();

src/main/java/org/kopi/ebics/letter/E002Letter.java

@@ -45,29 +45,19 @@ public E002Letter(Locale locale) {
 
     @Override
     public void create(EbicsUser user) throws GeneralSecurityException, IOException, EbicsException {
-        if (user.getPartner().getBank().useCertificate()) {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("HIALetter.e002.version"),
-                    getString("HIALetter.e002.certificate"),
-                    Base64.encodeBase64(user.getE002Certificate(), true),
-                    getString("HIALetter.e002.digest"),
-                    getHash(user.getE002Certificate()));
-        } else {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("HIALetter.e002.version"),
-                    getString("HIALetter.e002.certificate"),
-                    null,
-                    getString("HIALetter.e002.digest"),
-                    getHash(user.getE002PublicKey()));
-        }
+        // EBICS 3.0 (H005): the HIA letter must carry the SHA-256 hash of the
+        // DER-encoded encryption certificate (spec ch. 4.4.1.2.3), matching the
+        // X.509 certificate transmitted in the HIA request.
+        build(user.getPartner().getBank().getHostId(),
+                user.getPartner().getBank().getName(),
+                user.getUserId(),
+                user.getName(),
+                user.getPartner().getPartnerId(),
+                getString("HIALetter.e002.version"),
+                getString("HIALetter.e002.certificate"),
+                Base64.encodeBase64(user.getE002Certificate(), true),
+                getString("HIALetter.e002.digest"),
+                getHash(user.getE002Certificate()));
     }
 
   @Override

src/main/java/org/kopi/ebics/letter/X002Letter.java

@@ -45,29 +45,19 @@ public X002Letter(Locale locale) {
 
     @Override
     public void create(EbicsUser user) throws GeneralSecurityException, IOException, EbicsException {
-        if (user.getPartner().getBank().useCertificate()) {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("HIALetter.x002.version"),
-                    getString("HIALetter.x002.certificate"),
-                    Base64.encodeBase64(user.getX002Certificate(), true),
-                    getString("HIALetter.x002.digest"),
-                    getHash(user.getX002Certificate()));
-        } else {
-            build(user.getPartner().getBank().getHostId(),
-                    user.getPartner().getBank().getName(),
-                    user.getUserId(),
-                    user.getName(),
-                    user.getPartner().getPartnerId(),
-                    getString("HIALetter.x002.version"),
-                    getString("HIALetter.x002.certificate"),
-                    null,
-                    getString("HIALetter.x002.digest"),
-                    getHash(user.getX002PublicKey()));
-        }
+        // EBICS 3.0 (H005): the HIA letter must carry the SHA-256 hash of the
+        // DER-encoded authentication certificate (spec ch. 4.4.1.2.3), matching
+        // the X.509 certificate transmitted in the HIA request.
+        build(user.getPartner().getBank().getHostId(),
+                user.getPartner().getBank().getName(),
+                user.getUserId(),
+                user.getName(),
+                user.getPartner().getPartnerId(),
+                getString("HIALetter.x002.version"),
+                getString("HIALetter.x002.certificate"),
+                Base64.encodeBase64(user.getX002Certificate(), true),
+                getString("HIALetter.x002.digest"),
+                getHash(user.getX002Certificate()));
     }
 
   @Override