[ https://issues.apache.org/jira/browse/CAMEL-18917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claus Ibsen updated CAMEL-18917:
--------------------------------
Fix Version/s: 3.x
(was: 4.0)
(was: 3.21.0)
> camel-as2 - Signature is not validated
> --------------------------------------
>
> Key: CAMEL-18917
> URL: https://issues.apache.org/jira/browse/CAMEL-18917
> Project: Camel
> Issue Type: Improvement
> Components: camel-as2
> Reporter: dennis lucero
> Priority: Minor
> Fix For: 3.x
>
>
> org.apache.camel.component.as2.api.entity.EntityParser can parse SIGNED
> requests into org.apache.camel.component.as2.api.entity.MultipartSignedEntity.
> But the signature part is completely ignored and never validated.
> Is this intentional? What's the point of having a signature that is never
> validated?
> I'm wondering, because MultipartSignedEntity has a method "isValid" that is
> only used in the unit tests, not during request handling.
> Also, I've recognized that the "isValid" method does the validation wrong.
> To my knowledge, one should check if the signature's certificate is contained
> in the certificates configured on the endpoint and then verify the signature
> against this. But in fact, the method validates the request-signature against
> the certificate provided within the signature. So currently the signature
> would always be valid.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
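
The difference the report describes, between verifying a signature against the credential carried in the message and verifying it against what is configured on the endpoint, shown as an added example that is not part of the issue and not Camel's code. It uses only the JDK; as a simplifying assumption a raw public key stands in for the signer certificate, and every class and method name is hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class SignerTrustCheck {
    // Constructed stand-in for a signed message: payload, signature, and the
    // signer's public key shipped inside the message itself.
    record SignedMessage(byte[] payload, byte[] signature, PublicKey embeddedKey) {}

    static SignedMessage sign(String text, KeyPair signer) throws GeneralSecurityException {
        byte[] payload = text.getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initSign(signer.getPrivate());
        s.update(payload);
        return new SignedMessage(payload, s.sign(), signer.getPublic());
    }

    static boolean signatureMatches(SignedMessage m, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withECDSA");
        s.initVerify(key);
        s.update(m.payload());
        return s.verify(m.signature());
    }

    // The check the report calls wrong: trusts whatever key the sender embedded.
    static boolean verifyAgainstEmbedded(SignedMessage m) throws GeneralSecurityException {
        return signatureMatches(m, m.embeddedKey());
    }

    // The check the report proposes: the embedded key must be one configured on the endpoint.
    static boolean verifyAgainstConfigured(SignedMessage m, Collection<PublicKey> configured) throws GeneralSecurityException {
        for (PublicKey trusted : configured) {
            if (Arrays.equals(trusted.getEncoded(), m.embeddedKey().getEncoded())) {
                return signatureMatches(m, trusted);
            }
        }
        return false; // signer is unknown to this endpoint
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair partner = gen.generateKeyPair();  // configured on the endpoint
        KeyPair unknown = gen.generateKeyPair();  // not configured anywhere
        List<PublicKey> configured = List.of(partner.getPublic());
        SignedMessage m = sign("constructed payload", unknown);
        System.out.println("embedded-key check, unknown signer:   " + verifyAgainstEmbedded(m));
        System.out.println("configured-key check, unknown signer: " + verifyAgainstConfigured(m, configured));
        System.out.println("configured-key check, known partner:  " + verifyAgainstConfigured(sign("constructed payload", partner), configured));
    }
}
```

With real certificates the membership test would compare the signer certificate against the endpoint's configured certificates instead of comparing encoded keys.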