UPDATE Jan 2011: I’ve written a post about receiving AS2 messages.
A recent project at work required us to generate and send AS2 (Applicability Statement 2) messages. A colleague had written a project years ago using .NET 1.1 and a COM dll for encryption, so I set about porting that to Visual Studio 2008 and .NET 3.5.
I also wanted to use .NET’s System.Security libraries for encryption instead of having to use reflection to call the old COM dll.
It was quite difficult to get the signing and encryption working – in the end I had to resort to reverse engineering, by getting BizTalk to send an AS2 message and intercepting the message content with Fiddler, so that I could see how the AS2 messages and their headers were supposed to look.
Here’s some code which constructs an AS2 message and sends it over HTTP:
using System;
using System.IO;
using System.Net;
namespace WebTestPlugins.AS2Helpers
{
public struct ProxySettings
{
public string Name;
public string Username;
public string Password;
public string Domain;
}
public class AS2Send
{
public static HttpStatusCode SendFile(Uri uri, string filename, byte[] fileData, string from, string to, ProxySettings proxySettings, int timeoutMs, string signingCertFilename, string signingCertPassword, string recipientCertFilename)
{
if (String.IsNullOrEmpty(filename)) throw new ArgumentNullException("filename");
if (fileData.Length == 0) throw new ArgumentException("filedata");
byte[] content = fileData;
//Initialise the request
HttpWebRequest http = (HttpWebRequest)WebRequest.Create(uri);
if (!String.IsNullOrEmpty(proxySettings.Name))
{
WebProxy proxy = new WebProxy(proxySettings.Name);
NetworkCredential proxyCredential = new NetworkCredential();
proxyCredential.Domain = proxySettings.Domain;
proxyCredential.UserName = proxySettings.Username;
proxyCredential.Password = proxySettings.Password;
proxy.Credentials = proxyCredential;
http.Proxy = proxy;
}
//Define the standard request objects
http.Method = "POST";
http.AllowAutoRedirect = true;
http.KeepAlive = true;
http.PreAuthenticate = false; //Means there will be two requests sent if Authentication required.
http.SendChunked = false;
http.UserAgent = "MY SENDING AGENT";
//These Headers are common to all transactions
http.Headers.Add("Mime-Version", "1.0");
http.Headers.Add("AS2-Version", "1.2");
http.Headers.Add("AS2-From", from);
http.Headers.Add("AS2-To", to);
http.Headers.Add("Subject", filename + " transmission.");
http.Headers.Add("Message-Id", "<AS2_" + DateTime.Now.ToString("hhmmssddd") + ">");
http.Timeout = timeoutMs;
string contentType = (Path.GetExtension(filename) == ".xml") ? "application/xml" : "application/EDIFACT";
bool encrypt = !string.IsNullOrEmpty(recipientCertFilename);
bool sign = !string.IsNullOrEmpty(signingCertFilename);
if (!sign && !encrypt)
{
http.Headers.Add("Content-Transfer-Encoding", "binary");
http.Headers.Add("Content-Disposition", "inline; filename=\"" + filename + "\"");
}
if (sign)
{
// Wrap the file data with a mime header
content = AS2MIMEUtilities.CreateMessage(contentType, "binary", "", content);
content = AS2MIMEUtilities.Sign(content, signingCertFilename, signingCertPassword, out contentType);
http.Headers.Add("EDIINT-Features", "multiple-attachments");
}
if (encrypt)
{
if (string.IsNullOrEmpty(recipientCertFilename))
{
throw new ArgumentNullException(recipientCertFilename, "if encrytionAlgorithm is specified then recipientCertFilename must be specified");
}
byte[] signedContentTypeHeader = System.Text.ASCIIEncoding.ASCII.GetBytes("Content-Type: " + contentType + Environment.NewLine);
byte[] contentWithContentTypeHeaderAdded = AS2MIMEUtilities.ConcatBytes(signedContentTypeHeader, content);
content = AS2Encryption.Encrypt(contentWithContentTypeHeaderAdded, recipientCertFilename, EncryptionAlgorithm.DES3);
contentType = "application/pkcs7-mime; smime-type=enveloped-data; name=\"smime.p7m\"";
}
http.ContentType = contentType;
http.ContentLength = content.Length;
SendWebRequest(http, content);
return HandleWebResponse(http);
}
private static HttpStatusCode HandleWebResponse(HttpWebRequest http)
{
HttpWebResponse response = (HttpWebResponse)http.GetResponse();
response.Close();
return response.StatusCode;
}
private static void SendWebRequest(HttpWebRequest http, byte[] fileData)
{
Stream oRequestStream = http.GetRequestStream();
oRequestStream.Write(fileData, 0, fileData.Length);
oRequestStream.Flush();
oRequestStream.Close();
}
}
}
And here’s the code which signs and/or encrypts the message:
using System;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
namespace WebTestPlugins.AS2Helpers
{
public static class EncryptionAlgorithm
{
public static string DES3 = "3DES";
public static string RC2 = "RC2";
}
public class AS2Encryption
{
internal static byte[] Encode(byte[] arMessage, string signerCert, string signerPassword)
{
X509Certificate2 cert = new X509Certificate2(signerCert, signerPassword);
ContentInfo contentInfo = new ContentInfo(arMessage);
SignedCms signedCms = new SignedCms(contentInfo, true); // <- true detaches the signature
CmsSigner cmsSigner = new CmsSigner(cert);
signedCms.ComputeSignature(cmsSigner);
byte[] signature = signedCms.Encode();
return signature;
}
internal static byte[] Encrypt(byte[] message, string recipientCert, string encryptionAlgorithm)
{
if (!string.Equals(encryptionAlgorithm, EncryptionAlgorithm.DES3) && !string.Equals(encryptionAlgorithm, EncryptionAlgorithm.RC2))
throw new ArgumentException("encryptionAlgorithm argument must be 3DES or RC2 - value specified was:" + encryptionAlgorithm);
X509Certificate2 cert = new X509Certificate2(recipientCert);
ContentInfo contentInfo = new ContentInfo(message);
EnvelopedCms envelopedCms = new EnvelopedCms(contentInfo,
new AlgorithmIdentifier(new System.Security.Cryptography.Oid(encryptionAlgorithm))); // should be 3DES or RC2
CmsRecipient recipient = new CmsRecipient(SubjectIdentifierType.IssuerAndSerialNumber, cert);
envelopedCms.Encrypt(recipient);
byte[] encoded = envelopedCms.Encode();
return encoded;
}
internal static byte[] Decrypt(byte[] encodedEncryptedMessage, out string encryptionAlgorithmName)
{
EnvelopedCms envelopedCms = new EnvelopedCms();
// NB. the message will have been encrypted with your public key.
// The corresponding private key must be installed in the Personal Certificates folder of the user
// this process is running as.
envelopedCms.Decode(encodedEncryptedMessage);
envelopedCms.Decrypt();
encryptionAlgorithmName = envelopedCms.ContentEncryptionAlgorithm.Oid.FriendlyName;
return envelopedCms.Encode();
}
}
}
For completeness you’ll also need the AS2MimeUtilities class. Disclaimer: I didn’t write this class, it’s legacy hungarian-notated goodness.
using System;
using System.Text;
namespace WebTestPlugins.AS2Helpers
{
/// <summary>
/// Contains a number of useful static functions for creating MIME messages.
/// </summary>
public class AS2MIMEUtilities
{
public const string MESSAGE_SEPARATOR = "\r\n\r\n";
public AS2MIMEUtilities()
{
}
/// <summary>
/// return a unique MIME style boundary
/// this needs to be unique enought not to occur within the data
/// and so is a Guid without - or { } characters.
/// </summary>
/// <returns></returns>
protected static string MIMEBoundary()
{
return "_" + Guid.NewGuid().ToString("N") + "_";
}
/// <summary>
/// Creates the a Mime header out of the components listed.
/// </summary>
/// <param name="sContentType">Content type</param>
/// <param name="sEncoding">Encoding method</param>
/// <param name="sDisposition">Disposition options</param>
/// <returns>A string containing the three headers.</returns>
public static string MIMEHeader(string sContentType, string sEncoding, string sDisposition)
{
string sOut = "";
sOut = "Content-Type: " + sContentType + Environment.NewLine;
if (sEncoding != "" )
sOut += "Content-Transfer-Encoding: " + sEncoding + Environment.NewLine;
if (sDisposition != "" )
sOut += "Content-Disposition: " + sDisposition + Environment.NewLine;
sOut = sOut + Environment.NewLine;
return sOut;
}
/// <summary>
/// Return a single array of bytes out of all the supplied byte arrays.
/// </summary>
/// <param name="arBytes">Byte arrays to add</param>
/// <returns>The single byte array.</returns>
public static byte[] ConcatBytes(params byte[][] arBytes)
{
long lLength = 0;
long lPosition = 0;
//Get total size required.
foreach(byte[] ar in arBytes)
lLength += ar.Length;
//Create new byte array
byte[] toReturn = new byte[lLength];
//Fill the new byte array
foreach(byte[] ar in arBytes)
{
ar.CopyTo(toReturn,lPosition);
lPosition += ar.Length;
}
return toReturn;
}
/// <summary>
/// Create a Message out of byte arrays (this makes more sense than the above method)
/// </summary>
/// <param name="sContentType">Content type ie multipart/report</param>
/// <param name="sEncoding">The encoding provided...</param>
/// <param name="sDisposition">The disposition of the message...</param>
/// <param name="abMessageParts">The byte arrays that make up the components</param>
/// <returns>The message as a byte array.</returns>
public static byte[] CreateMessage(string sContentType, string sEncoding, string sDisposition, params byte[][] abMessageParts)
{
int iHeaderLength=0;
return CreateMessage(sContentType, sEncoding, sDisposition, out iHeaderLength, abMessageParts);
}
/// <summary>
/// Create a Message out of byte arrays (this makes more sense than the above method)
/// </summary>
/// <param name="sContentType">Content type ie multipart/report</param>
/// <param name="sEncoding">The encoding provided...</param>
/// <param name="sDisposition">The disposition of the message...</param>
/// <param name="iHeaderLength">The length of the headers.</param>
/// <param name="abMessageParts">The message parts.</param>
/// <returns>The message as a byte array.</returns>
public static byte[] CreateMessage(string sContentType, string sEncoding, string sDisposition, out int iHeaderLength, params byte[][] abMessageParts)
{
long lLength = 0;
long lPosition = 0;
//Only one part... Add headers only...
if (abMessageParts.Length==1)
{
byte[] bHeader = ASCIIEncoding.ASCII.GetBytes(MIMEHeader(sContentType, sEncoding, sDisposition));
iHeaderLength = bHeader.Length;
return ConcatBytes(bHeader, abMessageParts[0]);
}
else
{
// get boundary and "static" subparts.
string sBoundary = MIMEBoundary();
byte[] bPackageHeader = ASCIIEncoding.ASCII.GetBytes(MIMEHeader(sContentType + "; boundary=\"" + sBoundary + "\"", sEncoding, sDisposition));
byte[] bBoundary = ASCIIEncoding.ASCII.GetBytes(Environment.NewLine + "--" + sBoundary + Environment.NewLine);
byte[] bFinalFooter = ASCIIEncoding.ASCII.GetBytes(Environment.NewLine + "--" + sBoundary + "--" + Environment.NewLine);
//Calculate the total size required.
iHeaderLength = bPackageHeader.Length;
foreach(byte[] ar in abMessageParts)
lLength += ar.Length;
lLength += iHeaderLength + bBoundary.Length*abMessageParts.Length +
bFinalFooter.Length;
//Create new byte array to that size.
byte[] toReturn = new byte[lLength];
//Copy the headers in.
bPackageHeader.CopyTo(toReturn, lPosition);
lPosition += bPackageHeader.Length;
//Fill the new byte array in by coping the message parts.
foreach(byte[] ar in abMessageParts)
{
bBoundary.CopyTo(toReturn, lPosition);
lPosition += bBoundary.Length;
ar.CopyTo(toReturn,lPosition);
lPosition += ar.Length;
}
//Finally add the footer boundary.
bFinalFooter.CopyTo(toReturn, lPosition);
return toReturn;
}
}
/// <summary>
/// Signs a message and returns a MIME encoded array of bytes containing the signature.
/// </summary>
/// <param name="arMessage"></param>
/// <param name="bPackageHeader"></param>
/// <returns></returns>
public static byte[] Sign(byte[] arMessage, string signerCert, string signerPassword, out string sContentType)
{
byte[] bInPKCS7 = new byte[0];
// get a MIME boundary
string sBoundary = MIMEBoundary();
// Get the Headers for the entire message.
sContentType = "multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=\"sha1\"; boundary=\"" + sBoundary + "\"";
// Define the boundary byte array.
byte[] bBoundary = ASCIIEncoding.ASCII.GetBytes(Environment.NewLine + "--" + sBoundary + Environment.NewLine);
// Encode the header for the signature portion.
byte[] bSignatureHeader = ASCIIEncoding.ASCII.GetBytes(MIMEHeader("application/pkcs7-signature; name=\"smime.p7s\"", "base64", "attachment; filename=smime.p7s"));
// Get the signature.
byte[] bSignature = AS2Encryption.Encode(arMessage, signerCert, signerPassword);
// convert to base64
string sig = Convert.ToBase64String(bSignature) + MESSAGE_SEPARATOR;
bSignature = System.Text.ASCIIEncoding.ASCII.GetBytes(sig);
// Calculate the final footer elements.
byte[] bFinalFooter = ASCIIEncoding.ASCII.GetBytes("--" + sBoundary + "--" + Environment.NewLine);
// Concatenate all the above together to form the message.
bInPKCS7 = ConcatBytes(bBoundary, arMessage, bBoundary,
bSignatureHeader, bSignature, bFinalFooter);
return bInPKCS7;
}
}
}
Anyway, I hope this helps someone out there because I couldn’t find a sample of how to send an AS2 message in .NET.
Matt's work blog 
Thanks very much! This was very helpful for me to figure out how to sign and encrypt messages.
This is very useful thanks! exactly what I was looking for.
Do you have any examples of code/setup that would be required to recieve these AS2 messages and write out the files onto the file system?
Yes I do have some sample code for receiving the AS2 messages. I’ll try and post it in a new blog post for you this weekend.
Blogged: https://mattfrear.com/2011/01/03/receiving-as2-messages-with-net/
Thanks.. I’m learning more about AS2 than I ever imagined!
Your blog is an ideal resource; thanks for posting
Very good example! But I have a problem finding ParseFilename?
@Nelly – you a referring to my Receiving AS2 messages blog post and not this post.
In an AS2 message the Subject header will be something like “hello.txt transmission”.
ParseFilename only reads the filename (e.g. hello.txt) from the given subject header. I don’t think there’s any need to post it because it is not AS2 specific.
-Matt
hi what is the sendercertfile name and recipitientcertfilename . Please give the clarification about that
signingCertFilename is the name of an X509Certificate2 which is used for signing the message. This argument is optional. You can create such a certificate yourself using makecert – google it.
recipientCertFilename is the name of a an X509Certificate2 which is used for encrypting the message. This cert is created by the recipient of the message and given to you. You need to know ahead of time whether the recipient wants his messages encrypted or not. So if you are sending messages to say 5 different customers, some of them might want their messages encrypted in which case they would have previously given you THEIR cert to encrypt messages to THEM with.
hi mattrear thanks for your reply,
i am testing this application in one machine . So i created certificate by using makecert and install that certificate , and export with private key because i need to set password as for your coding. then i will send that .pfx file and password,and here i send that same cer file as recipitient file name .But it will give Bad key error in receiving side.
As for your suggestion i tried only send recipitiant cert file but i got this error
Length cannot be less than zero.
Parameter name: length from this place.
int firstBlankLineInMessage = messageWithContentTypeLineAndMIMEHeaders.IndexOf(Environment.NewLine + Environment.NewLine);
string contentType = messageWithContentTypeLineAndMIMEHeaders.Substring(0, firstBlankLineInMessage);
could you guide me how to solve this problem.
I find only these article in internet. great article mattrear..thanks for posting
I suggest you try and get it working first without signing and encryption, as they make it much more complicated.
Yeah I couldn’t find any help online with this stuff either. It was a year ago that I wrote that post.
I don’t think testing it on one machine is a good idea either. In my test environment I had a Biztalk server to test against. You should try and setup another computer to be the recipient though.
That might be crashing because you’re not sending a message? You should send a message, even if it’s just “hello world”.
Sorry but I can’t help you more than that.
hi mattfrear,
I tested that application in one machine its also working fine . I need your guidance for implementing MDN response.Shall we give same process for reverse. or we are implementing any other process by using web response.
please suggest me … .
Thanks for the clear and useful example.
However… are you sure that the usage of Environment.NewLine in the ASMimeUtilities class is correct? RFCs for email require CRLF as line breaks, and NewLine may be different (on Mono, for example).
It also seems to me that extra line breaks are being inserted somewhere, but that probably is my own mistake in parsing the message :)
Anyhow, these are minor issues, and your sample is extremely helpful.
Thanks imil – oh OK yes it should be CRLF then – I didn’t know that the RFC specified that.
Cheers
This is really useful. I am currently evaluating a third party software that I will be using to send and receive AS2 messages. However, I thought that it would be better if we have at least some knowledge on create that kind of functionality using .Net. This blog was really useful. Thank you.
Hi Matt,
This post is very helpful. Have you ever send or receive MDNs synchronously.
What i can think of is when we receive AS2 message, after processing, decrypting and verifying signature , we should create another AS2 message that is MDN of current message and send it across to original sender.
Can we use same httpresponse or we have to create new post request ?
Hi Matt,
this is a great post, to begin with, as my employer ask me to create something like this because they want to decommision the biztalk, do you have a sample to use this? sorry this is my first time on as2, :-)
Thanks
Hi Guys,
do you have a sample on how to use this?
Thanks
Hi,
in SendFile(Uri uri, string filename, byte[] fileData, string from, string to, ProxySettings proxySettings, int timeoutMs, string signingCertFilename, string signingCertPassword, string recipientCertFilename)
What is the URI, filename and filedata? and also the proxysettings.name and proxysettings.domain?
Thanks
I have used your code in my program (IMil42 above is me), and I’ve found out that the following modification is needed:
string sig = Convert.ToBase64String(bSignature, Base64FormattingOptions.InsertLineBreaks) + MESSAGE_SEPARATOR;
According to S/MIME RFC, Base64 strings should not exceed 76 characters. Most user agents ignore this, but we happened to encounter the one that does require strict limitation :)
Hi,
it is possible to get the demo-project?
Thanks a lot for this Matt, this has been really helpful for me while testing a BizTalk application. I might actually use your code in a BizUnit test step (with credit to you) which I’ll make publicly available if you don’t mind.
That’s fine Johann.
Thanks for the code, very good post because there are almost none on .NET. I will test it next days. It would be very helpful some demo code (please understand, I am not professional in C# like you) :(
Don’t work also on AS4 please? Thanks tvoska@gmail.com
Do you have the response MDN part (i.e. the server side)? If yes, please post it here,
Thanks.
Great example! helped me a lot. you rock!
Hey, It worked. Now please guide to send the MDN as well. Thanks.
Does anybody have the MDN part?
If yes, please post a C# code on how to respond with a signed MDN,
Thanks for sharing the code!
Thanks for this example. Though I have a query here what about AS2 certification (Process by the Drummond Group). I need to send EDI message through AS2 and while searching I found that AS2 need to some certification.
Can you please guide me on this.
Thanks again
Drummond certification guarantees that your AS2 implementation is correct and will work with all other correct implementations.
If you use AS2 to interact with just a few known parties, the participants are free to decide whether they require certification, or simple mutual testing will be enough.
Hello Guys,
I am getting this error – Unable to verify content integrity: Error decoding
really very urgent to fix it. Please help
Thanks
Thanks very good code. Looking forward to use it
Hello,
I could not find the definition for classes ContentInfo, SignedCms, CmsSigner, EnvelopedCms, AlgorithmIdentifier, and CmsRecipient.
Could you please help out?
Thank you.
Do you have information about other AS2 headers we need to send like Host and Trading partner, etc..?
This code helped me very much and I’m grateful that you shared your valuable work, thank you! I didn’t found much on this topic in the Internet when it comes to live example like this, despite that 11 years have passed since writing this post.
In the code there is AS2 version 1.2 therefore it indicates that there is also support for compression, because it was introduced in version 1.1. Maybe you also have and could share some example with compression?
Hi Michal. Sorry, nope, I haven’t touched AS2 since I wrote this blog post all those years ago.
hi mattfrear,
internal static byte[] Decrypt(byte[] encodedEncryptedMessage)
{
try
{
ContentInfo contentInfo = new ContentInfo(encodedEncryptedMessage);
EnvelopedCms envelopedCms = new EnvelopedCms();
envelopedCms.Decode(encodedEncryptedMessage);
envelopedCms.Decrypt();
return envelopedCms.Encode();
}
catch (Exception ex)
{
throw ex;
}
}
In this method, I got an error Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: ‘ASN1 bad tag value met.’
How can resolve it? pls, suggest me .
I dunno, sorry, I wrote that post 13 years ago, and I haven’t done anything with AS2 since then.
Hi, did you find a solution for this
Hello, When I use this to send data to mendelson server I have error:
mendelson_opensource_AS2-COMMUN-1709647866218-12@mycompanyAS2_AS2Ident] Outbound MDN created for AS2 message “d0e10760-f476-463f-a324-ba7d09514f91”, state set to [processed/error: authentication-failed]
I used self-signed certificate
Do you know why this error?