Last updated on MAY 27, 2016
Applies to: Oracle API Gateway - Version 11.1.2 to 11.1.2 [Release 11gR2]
Information in this document applies to any platform.
There is a defect in the OAG code, in both the API Gateway Explorer and the API Gateway component, when signing attachments: the attachment content is not made available to the signing filter. As a result, when the Attachment-Content transforms are used, the same digest is calculated regardless of the attachment content.
The outcome is twofold.
Firstly, when attachments are signed correctly by a third party, OAG incorrectly fails signature validation, reporting that the digest and message content do not match.
Conversely, when OAG is signing messages to third parties, they will correctly reject the signature created by OAG as the digest does not match the attachment.
When OAG is sending messages to another OAG instance, the signature always passes, regardless of whether the attachment has been tampered with or not.
This has been seen in version 188.8.131.52.0 of OAG.
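The following is an added example, not code from the article or from Oracle API Gateway. It models the failure mode described above so that the three outcomes (third-party signatures rejected by OAG, OAG signatures rejected by third parties, OAG-to-OAG always passing) can be reproduced and checked offline. It builds a constructed SOAP-with-Attachments style MIME message, digests the attachment octets the way an Attachment-Content transform is meant to (raw octets, SHA-256; MIME canonicalization for text parts is deliberately omitted as a simplification), and simulates the defective filter as one that never receives the attachment octets and therefore digests an empty octet stream. That simulation, the SHA-256 choice, the `attach-1` Content-ID and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

# Constructed SOAP body for the root part; the content is irrelevant to the attachment digest.
SOAP_XML = '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>'


def build_swa_message(soap_xml: str, attachment: bytes, cid: str) -> bytes:
    """Build a multipart/related message with a SOAP root part and one binary attachment."""
    msg = MIMEMultipart("related", type="text/xml")
    root = MIMEText(soap_xml, "xml", "utf-8")
    root["Content-ID"] = "<soap-root>"
    msg.attach(root)
    part = MIMEApplication(attachment, "octet-stream")  # base64 transfer-encoded on the wire
    part["Content-ID"] = f"<{cid}>"
    msg.attach(part)
    return msg.as_bytes()


def find_attachment(raw: bytes, cid: str) -> bytes:
    """Locate the MIME part with the given Content-ID and return its decoded octets."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if str(part.get("Content-ID", "")).strip() == f"<{cid}>":
            return part.get_payload(decode=True)
    raise KeyError(f"no attachment with Content-ID {cid}")


def attachment_digest(content: bytes) -> str:
    """Attachment-Content style digest: SHA-256 over the raw octets, base64 as in a DigestValue."""
    return base64.b64encode(hashlib.sha256(content).digest()).decode("ascii")


def sign_attachment(raw: bytes, cid: str, content_available: bool = True) -> str:
    """Return the DigestValue a signing filter would emit for the attachment.

    content_available=False simulates the defect described in the article (assumption of this
    example): the filter never sees the attachment octets, so it digests an empty octet stream
    and emits the same value whatever the attachment contains.
    """
    content = find_attachment(raw, cid) if content_available else b""
    return attachment_digest(content)


def verify_attachment(raw: bytes, cid: str, digest_value: str, content_available: bool = True) -> bool:
    """Recompute the attachment digest and compare it to the DigestValue in constant time."""
    return hmac.compare_digest(sign_attachment(raw, cid, content_available), digest_value)


def digest_tracks_content(cid: str = "attach-1") -> dict:
    """Defender's self-check: two messages differing only in attachment content must not share a digest."""
    a = build_swa_message(SOAP_XML, b"invoice total=100", cid)
    b = build_swa_message(SOAP_XML, b"invoice total=999", cid)
    return {
        "correct_filter": sign_attachment(a, cid) != sign_attachment(b, cid),
        "defective_filter": sign_attachment(a, cid, False) != sign_attachment(b, cid, False),
    }


def interop_outcomes(cid: str = "attach-1") -> dict:
    """Reproduce the three outcomes described in the article for a tampered attachment."""
    original = build_swa_message(SOAP_XML, b"invoice total=100", cid)
    tampered = build_swa_message(SOAP_XML, b"invoice total=999", cid)
    third_party_sig = sign_attachment(original, cid)          # signed correctly by a third party
    defective_sig = sign_attachment(original, cid, False)     # signed by the defective filter
    return {
        # Third party signs correctly, defective verifier recomputes an empty-content digest: rejected.
        "third_party_signed_verified_by_defective": verify_attachment(original, cid, third_party_sig, False),
        # Defective filter signs, correct third-party verifier recomputes the real digest: rejected.
        "defective_signed_verified_by_third_party": verify_attachment(original, cid, defective_sig),
        # Defective signer and defective verifier: passes even though the attachment was tampered with.
        "defective_to_defective_tampered": verify_attachment(tampered, cid, defective_sig, False),
    }


if __name__ == "__main__":
    print(digest_tracks_content())
    print(interop_outcomes())
```

Running `digest_tracks_content()` is the check worth keeping around: feed two messages that differ only in the attachment through the gateway's signing filter and confirm the emitted DigestValue changes; a digest that stays constant is the symptom this article describes, and it also explains why gateway-to-gateway traffic validates regardless of tampering.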