Posted to issues@camel.apache.org by "Claus Ibsen (Jira)" <ji...@apache.org> on 2023/01/13 15:10:00 UTC

[jira] [Updated] (CAMEL-18917) camel-as2 - Signature is not validated

     [ https://issues.apache.org/jira/browse/CAMEL-18917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated CAMEL-18917:
--------------------------------
    Priority: Minor  (was: Major)

> camel-as2 - Signature is not validated
> --------------------------------------
>
>                 Key: CAMEL-18917
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18917
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-as2
>            Reporter: dennis lucero
>            Priority: Minor
>
> org.apache.camel.component.as2.api.entity.EntityParser can parse SIGNED requests into org.apache.camel.component.as2.api.entity.MultipartSignedEntity.
> But the signature part is completely ignored and never validated.
> Is this intentional? What's the point of having a signature that is never validated?
> I'm wondering, because MultipartSignedEntity has a method "isValid" that is only used in the unit tests, not during request handling.
> Also, I've recognized that the "isValid" method does the validation wrong.
> To my knowledge one should check if the signature's certificate is contained in the certificates configured on the endpoint and then verify the signature against this. But in fact, the method validates the request-signature against the certificate provided within the signature. So currently the signature would always be valid.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
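
The difference between the two checks described in the report, as an added example in plain JDK Java (not camel-as2 code and not written by the reporter). It assumes a bare public key standing in for the signer certificate carried in the signature part; the class, record and method names are hypothetical, and the keys and payload are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

// Added illustration, not camel-as2 code. A bare PublicKey stands in for the X.509
// certificate that a multipart/signed AS2 message carries in its signature part.
public class SignerTrustCheck {
    // Hypothetical message model: content, signature, and the signer key shipped with it.
    record SignedMessage(byte[] content, byte[] signature, PublicKey embeddedSignerKey) {}

    static SignedMessage sign(byte[] content, KeyPair signer) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate());
        s.update(content);
        return new SignedMessage(content, s.sign(), signer.getPublic());
    }

    static boolean verifyWith(SignedMessage m, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(m.content());
        return s.verify(m.signature());
    }

    // Behaviour the report describes: verify against whatever key the message brought along.
    static boolean verifyAgainstEmbedded(SignedMessage m) throws GeneralSecurityException {
        return verifyWith(m, m.embeddedSignerKey());
    }

    // Check the report asks for: the signer must be one the endpoint is configured to trust.
    static boolean verifyAgainstConfigured(SignedMessage m, Set<PublicKey> trusted)
            throws GeneralSecurityException {
        return trusted.contains(m.embeddedSignerKey()) && verifyWith(m, m.embeddedSignerKey());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair();   // constructed: key configured on the endpoint
        KeyPair unknown = gen.generateKeyPair();   // constructed: key the endpoint never configured
        Set<PublicKey> trusted = Set.of(partner.getPublic());
        byte[] body = "constructed AS2 payload".getBytes(StandardCharsets.UTF_8);

        for (KeyPair kp : List.of(partner, unknown)) {
            SignedMessage m = sign(body, kp);
            System.out.printf("%s signer: embedded-check=%b configured-check=%b%n",
                    kp == partner ? "configured" : "unconfigured",
                    verifyAgainstEmbedded(m), verifyAgainstConfigured(m, trusted));
        }
    }
}
```

With real certificates the membership test would compare the signer certificate (or a chain built from it) against the endpoint's configured certificates rather than comparing raw keys.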