dennis lucero created CAMEL-18917:
-------------------------------------
Summary: Signature is not validated
Key: CAMEL-18917
URL: https://issues.apache.org/jira/browse/CAMEL-18917
Project: Camel
Issue Type: Bug
Components: camel-as2
Reporter: dennis lucero
org.apache.camel.component.as2.api.entity.EntityParser can parse SIGNED
requests into org.apache.camel.component.as2.api.entity.MultipartSignedEntity.
But the signature part is completely ignored and never validated.

Is this intentional? What's the point of having a signature that is never
validated?

I'm wondering, because MultipartSignedEntity has a method "isValid" that is
only used in the unit tests, not during request handling.

Also, I've recognized that the "isValid" method does the validation wrong.
To my knowledge, one should check if the signature's certificate is contained in
the certificates configured on the endpoint and then verify the signature
against this. But in fact, the method validates the request signature against
the certificate provided within the signature. So currently the signature would
always be valid.
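The two checks contrasted in the report, as an added example (not Camel's code and not part of the original message). It uses only JDK classes, with raw RSA public keys standing in for the X.509 certificates and CMS signatures that AS2 uses; the class, record and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

public class PinnedSignatureCheck {
    // Constructed stand-in for a signed request: payload, signature, and the key shipped with it.
    record SignedMessage(byte[] payload, byte[] signature, PublicKey embeddedKey) {}

    static SignedMessage sign(byte[] payload, KeyPair signer) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(signer.getPrivate());
        s.update(payload);
        return new SignedMessage(payload, s.sign(), signer.getPublic());
    }

    static boolean verify(SignedMessage m, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(m.payload());
        return s.verify(m.signature());
    }

    // Behaviour the report describes: the message is checked against the key it carries itself.
    static boolean verifyAgainstEmbeddedKey(SignedMessage m) throws GeneralSecurityException {
        return verify(m, m.embeddedKey());
    }

    // Check the report asks for: the signer must be among the keys configured on the endpoint.
    static boolean verifyAgainstConfiguredKeys(SignedMessage m, Set<PublicKey> configured)
            throws GeneralSecurityException {
        return configured.contains(m.embeddedKey()) && verify(m, m.embeddedKey());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair partner = gen.generateKeyPair();  // key configured on the endpoint
        KeyPair unknown = gen.generateKeyPair();  // key the endpoint has never been given
        Set<PublicKey> configured = Set.of(partner.getPublic());
        byte[] payload = "constructed sample payload".getBytes(StandardCharsets.UTF_8);

        System.out.println("embedded-key check, unknown signer: " + verifyAgainstEmbeddedKey(sign(payload, unknown)));
        System.out.println("configured-key check, unknown signer: " + verifyAgainstConfiguredKeys(sign(payload, unknown), configured));
        System.out.println("configured-key check, partner signer: " + verifyAgainstConfiguredKeys(sign(payload, partner), configured));
    }
}
```

The embedded-key check accepts any well-formed signature regardless of who produced it, because the verifying key is chosen by the sender; only the configured-key check ties acceptance to the endpoint's own trust settings.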