Posted to issues@camel.apache.org by "dennis lucero (Jira)" <ji...@apache.org> on 2023/01/13 15:03:00 UTC

[jira] [Created] (CAMEL-18917) Signature is not validated

dennis lucero created CAMEL-18917:
-------------------------------------

             Summary: Signature is not validated
                 Key: CAMEL-18917
                 URL: https://issues.apache.org/jira/browse/CAMEL-18917
             Project: Camel
          Issue Type: Bug
          Components: camel-as2
            Reporter: dennis lucero


org.apache.camel.component.as2.api.entity.EntityParser can parse SIGNED requests into org.apache.camel.component.as2.api.entity.MultipartSignedEntity.

But the signature part is completely ignored and never validated.

Is this intentional? What's the point of having a signature that is never validated?

I'm wondering, because MultipartSignedEntity has a method "isValid" that is only used in the unit tests, not during request handling.

Also, I've recognized that the "isValid" method does the validation wrong.

To my knowledge, one should check if the signature's certificate is contained in the certificates configured on the endpoint and then verify the signature against this. But in fact, the method validates the request signature against the certificate provided within the signature. So currently the signature would always be valid.



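The difference between the two checks described in the report, as an added example that is not camel-as2 code and not part of the original issue. It assumes a simplified model in plain JDK: raw RSA public keys stand in for X.509 certificates, and `SignedMessage`, `verifyAgainstEmbeddedKey` and `verifyAgainstTrustedKeys` are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

// Added illustration: raw public keys stand in for certificates; all names are hypothetical.
public class SignerTrustCheck {
    // Simplified signed message: payload, signature, and the signer key shipped with it.
    record SignedMessage(byte[] content, byte[] signature, PublicKey embeddedKey) {}

    static boolean signatureMatches(SignedMessage m, PublicKey key) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(m.content());
        return v.verify(m.signature());
    }

    // Flawed: trusts whatever key arrives with the message, so any self-consistent message passes.
    static boolean verifyAgainstEmbeddedKey(SignedMessage m) throws GeneralSecurityException {
        return signatureMatches(m, m.embeddedKey());
    }

    // Pinned: the embedded key must first be one of the keys configured on the endpoint.
    static boolean verifyAgainstTrustedKeys(SignedMessage m, Set<PublicKey> trusted)
            throws GeneralSecurityException {
        return trusted.contains(m.embeddedKey()) && signatureMatches(m, m.embeddedKey());
    }

    static SignedMessage sign(byte[] content, KeyPair kp) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(content);
        return new SignedMessage(content, s.sign(), kp.getPublic());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair(); // key configured on the endpoint
        KeyPair unknown = gen.generateKeyPair(); // key the endpoint has never seen
        Set<PublicKey> trusted = Set.of(partner.getPublic());
        byte[] body = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        // First message is signed by the configured partner, second by the unknown key.
        for (SignedMessage m : new SignedMessage[] { sign(body, partner), sign(body, unknown) }) {
            System.out.printf("embedded-key check=%b, trusted-key check=%b%n",
                    verifyAgainstEmbeddedKey(m), verifyAgainstTrustedKeys(m, trusted));
        }
    }
}
```

The embedded-key check accepts both messages, while the trusted-key check accepts only the one signed with the key configured on the endpoint.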