Hi everybody,

Today many italian PA identifiers were migrated to a new ICD, 0201, effectively breaking compatibility with oxalis, which now raises an IllegalStateException when validating documents using this new ICD.

See here for the news about the migration: https://intercenter.regione.emilia-romagna.it/notizie/2019/novembre/aggiornati-i-participant-id-peppol

Here's the deprecated code:
https://github.com/difi/vefa-peppol/blob/be3fc670d5a27ab9516a6458a612ffb3fbac5164/peppol-icd/src/main/java/no/difi/vefa/peppol/icd/code/PeppolIcd.java#L74

A new line such as
IT_NEW_IPA("IT:IPA", "0201", "Indice delle Pubbliche Amministrazioni"),
Should be added to support the compatibility with participants using the new ID without breaking the ones that haven't switched yet.

Seems we have to increase the strength of signature from SHA1 to SHA256.

See https://blogs.oracle.com/mullan/entry/using_stronger_xml_signature_algorithms

Hello

We are currently using Oxalis 3.2, and noticed a couple of problems with SMP lookup. They were discovered during some internal test runs, and therefore we have not yet seen the problem in production. The issues will only appear in special circumstances, when the SMP registration is done in a valid (but not normally used) way.

If we look at the following registration in the SMP:
http://b-ddc207601e442e1b751e5655d39371cd.iso6523-actorid-upis.edelivery.tech.ec.europa.eu/iso6523-actorid-upis%3A%3A9908%3A810017902/services/busdox-docid-qns%3A%3Aurn%3Aoasis%3Anames%3Aspecification%3Aubl%3Aschema%3Axsd%3ACreditNote-2%3A%3ACreditNote%23%23urn%3Awww.cenbii.eu%3Atransaction%3Abiitrns014%3Aver2.0%3Aextended%3Aurn%3Awww.cenbii.eu%3Aprofile%3Abiixx%3Aver2.0%3Aextended%3Aurn%3Awww.difi.no%3Aehf%3Akreditnota%3Aver2.0%3A%3A2.1

We can see that in the ns3:ProcessList that only one ns3:Process exist. In the test performed, there was two ns3:Process elements. The second ns3:Process element contains the information we need.
However in the oxalis-common class eu.peppol.smp.SmpLookupManagerImpl we have found this code

   EndpointType selectOptimalEndpoint(SignedServiceMetadataType serviceMetadata) {
        // List of end points contained in the signed service meta data type
        List<EndpointType> endPointsForDocumentTypeIdentifier = serviceMetadata
                .getServiceMetadata()
                .getServiceInformation()
                .getProcessList()
                .getProcess()
                .get(0)
                .getServiceEndpointList()
                .getEndpoint();
...

where the code always take the first ns3:Process element from the process list and we need the second element.

Described below are the first errors:
1 - The first ns3:Process element could be the old START protocol, while the second could be AS2 protocol. So the code should loop through the list and find only those that have an accepting protocol.
2 - The method does not validate the profile. The first ns3:Process element could be a undesired profile, while a later ns3:Process element could be the desired ns3:Process element.

Another error related to above errors were found in the class eu.peppol.smp.DefaultBusDoxProtocolSelectionStrategyImpl, as showed below. However this error could also be described as an invalid SMP registration, but Oxalis should still handle this in a valid way.

@Override
    public BusDoxProtocol selectOptimalProtocol(List<BusDoxProtocol> protocolsAccepted) {
        int lowestIndex = Integer.MAX_VALUE;
        for (BusDoxProtocol busDoxProtocol : protocolsAccepted) {
            int indexOf = knownProtocols.indexOf(busDoxProtocol);
            if (indexOf == -1) {
                throw new IllegalArgumentException("BusDox protocol " + busDoxProtocol + " not known by protocol selection strategy");
            }
            if (indexOf > -1 && indexOf < lowestIndex) {
                lowestIndex = indexOf;
            }
        }
        return knownProtocols.get(lowestIndex);
    }

The error we received was:

Caused by: java.lang.ArrayIndexOutOfBoundsException: 2147483647
    at java.util.Arrays$ArrayList.get(Unknown Source) ~[na:1.8.0_101]
    at eu.peppol.smp.DefaultBusDoxProtocolSelectionStrategyImpl.selectOptimalProtocol(DefaultBusDoxProtocolSelectionStrategyImpl.java:55) ~[oxalis-commons-3.2.0.jar:na]

If we look at the class, the index is first set to 2147483647 ( Integer.MAX_VALUE). In the ns2:Process element, the ns2:ServiceEndpointList element contains no ns2:Endpoint element.
The method just jump to:

   knownProtocols.get(lowestIndex);

and the lowestIndex is still 2147483647, so it result in an ArrayIndexOutOfBoundsException.

Jacob Mogensen
mySupply ApS
Denmark

In the common.model.EndPoint.class, there are some elements in the ServiceMetaData that are not available in the EndPoint class.

• TechnicalContactUrl
• TechnicalInformationUrl
• ServiceActivationDate
• ServiceExpirationDate
• ServiceDescription

Would it be possible to have these in the EndPoint model, and also populated from the lookup.reader.Bdxreader class?

Injecting the bytes of the AS2 MDN or any other transport level receipt should be made optional.

Party Identifiers (ICD) 0201, 0202, 0204 and 0208 are missing in no.difi.vefa.peppol.icd.code.PeppolIcd (peppol-icd-1.1.4) even though it could be found in the corresponding list at https://docs.peppol.eu/poacc/billing/3.0/codelist/ICD/

EvidenceIssuerDetails is a required according to the ETSI specification.
According to the e-SENS profile it should contain the entity name of the gateway, so the NamesPostalAddresses child element and its descendants should be used.

Verify that all eSENS requirements are adhered to in accordance with what was discussed in Brussels on March 14th.

Det står på siden at man skal bruke følgende dependency når man tar prosjektet i bruk

<dependency>
    <groupId>no.difi.vefa</groupId>
    <artifactId>peppol-lookup</artifactId>
    <version>0.9.2</version>
</dependency>`

I denne versjonen har for eksempel ikke LookupClient en getEndpoint() metode. Versjonen bør endres til 0.9.3 feks

This method sets the Evidence Issuer Details and should therefore be renamed to evidenceIssuerDetails

Another missing element is EvidenceIssuerPolicyID and its PolicyID child elements which should contain the identifier of the policy used for creating the evidence.
Although the e-SENS profile states that this element is optional (as does the xsd from the REM evidence spec) it is a required element according to section 5.1.4 of the REM evidence spec.

Why is de identifier tolower?
VAT-numbers often contain alphabetic characters. When the identifier is lower't, those numbers can not be found in the SML....

Hi all,

the following codes have been approved during the last CEF Advisory board to become active at the spring release.

0210 | CODICE FISCALE
0211 | PARTITA IVA
0212 | Finnish Organization Identifier
0213 | Finnish Organization Value Add Tax Identifier

210 and 211 are for Italy

At the same time 9956 will be removed but this is less an issue.

It would be nice to have support for SMP redirects in the LookupClient (see SMP spesification)

Philip Helger has implemented this in his smp-client if you want some code to look at.

In accordance with instructions from Jörg Apitzsch

In EHF 3.0 ubl version was removed and inferred UblVersionId 2.1 was used to generate the document type Identifier.

But with the ehf:forward-billing:3.0 UBL version is specified as 2.2 and document does not contain the version as well. This creates a conflic in identifying the proper UBL version.

How to determine the proper UBL version from the document ??

Party Identifier (ICD) 0209 is missing in no.difi.vefa.peppol.icd.code.PeppolIcd (master). This was added in the 3.0.8 release of the schematron (https://docs.peppol.eu/poacc/billing/3.0/release-notes/) but has not yet been added to the OpenPEPPOL eDEC Code Lists.

I tried to follow the instructions in the readme to do a participant lookup but end up with the DifiCertificatevalidator exception. Does it require anything that's not written there? New to all these. Any help is appreciated. Thanks

LookupClient client = LookupClientBuilder.forProduction()
.fetcher(ApacheFetcher.class)
.build();
List documentTypeIdentifiers = client.getDocumentIdentifiers(
ParticipantIdentifier.of("9908:810418052"));

We recently run into an issue where we do a lookup but the SMP(in this case smp.difi.no) returns an xml header with a commented out body together with HTTP status 404. Curl output follows below.
In network.oxalis.vefa.peppol.lookup.reader.MultiReader.parseServiceGroup it results in an NPE with the message:

Cannot invoke "network.oxalis.vefa.peppol.lookup.api.FetcherResponse.getNamespace()" because "response" is null

Not sure if this should be handled by vefa-peppol or in the code that uses vefa-peppol?

`curl -v B-8c30ca3b541456dde1172d2f56b737d3.iso6523-actorid-upis.edelivery.tech.ec.europa.eu/iso6523-actorid-upis::0192:981299108

• About to connect() to B-8c30ca3b541456dde1172d2f56b737d3.iso6523-actorid-upis.edelivery.tech.ec.europa.eu port 80 (#0)
• Trying 51.144.60.163...
• Connected to B-8c30ca3b541456dde1172d2f56b737d3.iso6523-actorid-upis.edelivery.tech.ec.europa.eu (51.144.60.163) port 80 (#0)

GET /iso6523-actorid-upis::0192:981299108 HTTP/1.1
User-Agent: curl/7.29.0
Host: B-8c30ca3b541456dde1172d2f56b737d3.iso6523-actorid-upis.edelivery.tech.ec.europa.eu
Accept: /

< HTTP/1.1 404
< Date: Tue, 04 Oct 2022 13:38:55 GMT
< Content-Type: text/xml;charset=UTF-8
< Content-Length: 313
< Connection: keep-alive
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
<

Current signature of the REM evidence is pure XML DSIG. It needs to be augmented with the XAdES stuff.

Bearing in mind that ETSI is about to simplify the XAdES spec. this issue is on hold until further notice.

BdxlLocator and BusdoxLocator reports network-level erros as if the participant was not found, for example: Identifier '0192:992090006' is not registered in SML

I believe this to be a real and significant issue.

Incorrectly reporting network-level errors as participant not found is causing service providers operational issues. These issues have been present for a long while and is causing service providers to lose trust in the network and the SMPs.

Please examine the following lines of code:

https://github.com/OxalisCommunity/vefa-peppol/blob/v3.4.0/peppol-lookup/src/main/java/network/oxalis/vefa/peppol/lookup/locator/BusdoxLocator.java#L109

These exceptions could be caused by a missing/non-registered participant in the network, which is fine and in line with the error message and exception name.

But the exceptions could also be caused by a network level issue at the client, at the DNS-server being used by the client, or somewhere in between. It is very misleading to report these situations as not found.

We hope this issue can prioritized and resolved 👍

It was previously reported in 2021 to the Oxalis project, and marked as resolved, but it is still present. See OxalisCommunity/oxalis#497

A related issue (but I think not the same) is currently open at OxalisCommunity/oxalis#586

Discussed in #48

Implementation of the suggested change is developed in this issue.

If the REM Evidence is based on ETSI TS 102 640-2 V2.2.1 (2011-09) then it is
missing element “Attribute version” because this element is in that case mandatory.
The value is "1" for this version.

Problem is with oxalis-standalone.java

Fix this
https://github.com/difi/vefa-peppol/blob/master/peppol-sbdh/src/main/java/no/difi/vefa/peppol/sbdh/util/XMLStreamUtils.java

you are loosing the attribute prefix while copying.....

package
no.difi.vefa.peppol.sbdh.util.XMLStreamUtils;
file
XMLStreamUtils.class
class
public class XMLStreamUtils {
method
public static void copy(XMLStreamReader reader, XMLStreamWriter writer) throws XMLStreamException {

Line 72
for (int i = 0; i < reader.getAttributeCount(); i++)
writer.writeAttribute(reader.getAttributeLocalName(i), reader.getAttributeValue(i));

replace with
writer.writeAttribute(reader.getAttributePrefix(i), reader.getAttributeLocalName(i), reader.getAttributeValue(i));

According to the Peppol Migration Document sent out on 2022-01-24 the ServiceActivationDate and ServiceExpirationDate need to be interpreted with >= and <= including also the seconds of the provided date.

The Migration Guide specifies it as:

SMP client implementations are now forced to interpret these fields
accordingly
o The need to reject endpoints that are not yet active
(ServiceActivationDate is provided AND ServiceActivationDate is after
now).
o The need to reject endpoints that are no longer active
(ServiceExpirationDate is provided and before now).
o In all other cases, the endpoint needs to be accepted.
o Note: the values of “ServiceActivationDate” and
“ServiceExpirationDate” that exactly match the current date and time
(up to second precision) are considered to be “valid endpoint”
timestamps.

Compare the current implementation: https://github.com/OxalisCommunity/vefa-peppol/blame/938b0a1b33db549a3d361fc5f912fb40d75e86b4/peppol-common/src/main/java/network/oxalis/vefa/peppol/common/model/Period.java#L20

According to e-SENS specifications the instance identifier field from the "DOCUMENTID" business scope should be copied to the uaMessageIdentifier element of the REM evidence. It should therefore be possible to add this element to the evidence.

Getting null exception in BusdoxReader.java:138, there is probably incorect null check:
endpointType.getService**Activation**Date() == null ? null : endpointType.getService**Expiration**Date().toGregorianCalendar().getTime()
Had to be endpointType.getServiceExpirationDate() checked for null?
https://github.com/OxalisCommunity/vefa-peppol/blob/master/peppol-lookup/src/main/java/network/oxalis/vefa/peppol/lookup/reader/BusdoxReader.java#L138

Agid as Peppol National Authority for Italy,
has therefore communicated that starting from November 15, 2019 the prefix 9921 will no longer be active and will be replaced by 0201 to indicate the codes IPA in the list of EAS and ICD codes.

In the class no/difi/vefa/peppol/icd/code/PeppolIcd
I suggest to replace
IT_IPA("IT:IPA", "9921", "Indice delle Pubbliche Amministrazioni"),
with
IT_IPA("IT:IPA", "0201", "Codice Univoco Unità Organizzativa iPA ")

S.

Not sure where to make the issue ( vefa-peppol or oxalis-as4 )

We are busy implementing reporting requirements and use the InboundMetaData to collect the transportProfile.
In Oxalis-AS4 , the transport profile is hardcoded to TransportProfile.AS4, which corresponds to "bdxr-transport-ebms3-as4-v1p0"

I would expect "peppol-transport-as4-v2_0" - TransportProfile.PEPPOL_AS4_2_0