For Oracle API Gateway 220.127.116.11, The Same Digest is Calculated For All Message Attachments.
(Doc ID 1587082.1)
Last updated on MARCH 17, 2019
Applies to: Oracle API Gateway - Version 18.104.22.168.0 to 22.214.171.124.0 [Release 11gR1]
Information in this document applies to any platform.
There is an issue in the OAG code, affecting both the API Gateway Explorer and the API Gateway component, when signing attachments: the attachment content is not made available to the signing filter. As a result, the same digest is calculated regardless of the attachment content when the Attachment-Content Transforms are used.
The outcome is twofold.
Firstly, when attachments are signed correctly by a third party, OAG incorrectly fails signature validation, reporting that the digest and message content do not match.
Conversely, when OAG is signing messages to third parties, they will correctly reject the signature created by OAG as the digest does not match the attachment.
When OAG is sending messages to another OAG instance, the signature always passes, regardless of whether the attachment has been tampered with or not.
This has been seen in version 126.96.36.199.0 of OAG.
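The following added example (not Oracle's code or anything from the knowledge base article) illustrates why the failure mode above matters to a verifier, and how to check for it: it recomputes a digest per MIME attachment from the actual part content and compares it with the digest a signature claims, flagging a claimed digest that equals the digest of empty content and the tell-tale case in which every attachment carries the same digest although their contents differ. The message, the use of SHA-256, and the modelling of "content not made available" as empty content are all assumptions made for the illustration.

```python
import hashlib
from email import message_from_bytes
from email.policy import default

# Constructed SOAP-with-Attachments style message with two attachments that
# have different content. Not a real OAG message.
SAMPLE_MESSAGE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="MIME_boundary"; type="text/xml"

--MIME_boundary
Content-Type: text/xml; charset=UTF-8
Content-ID: <soap-envelope>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>
--MIME_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-ID: <attachment-1>

first attachment payload
--MIME_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
Content-ID: <attachment-2>

second attachment payload
--MIME_boundary--
"""

# Digest algorithm is an assumption for this example; OAG's actual choice is not stated on the page.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def attachment_digests(raw_message: bytes) -> dict:
    """Return {Content-ID: sha256 hex digest} for every non-XML MIME part (the attachments)."""
    msg = message_from_bytes(raw_message, policy=default)
    digests = {}
    for part in msg.iter_parts():
        if part.get_content_type() == "text/xml":
            continue  # the SOAP envelope itself is not an attachment
        digests[str(part["Content-ID"])] = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
    return digests


def audit_signed_references(raw_message: bytes, signed_refs: dict) -> list:
    """Compare the digest a signature claims for each attachment with one recomputed
    from the actual part content. Returns a list of human-readable findings."""
    actual = attachment_digests(raw_message)
    findings = []
    for cid, claimed in signed_refs.items():
        if claimed == EMPTY_SHA256:
            findings.append(f"{cid}: signed digest is the digest of empty content")
        elif actual.get(cid) != claimed:
            findings.append(f"{cid}: signed digest does not match attachment content")
    # The symptom described above: one identical digest for attachments whose contents differ.
    if len(signed_refs) > 1 and len(set(signed_refs.values())) == 1 and len(set(actual.values())) > 1:
        findings.append("all attachments carry the same signed digest although their contents differ")
    return findings


def simulate_buggy_references(raw_message: bytes) -> dict:
    """Model a signer that never saw the attachment content: every reference gets the same digest."""
    return {cid: EMPTY_SHA256 for cid in attachment_digests(raw_message)}
```

A peer that verifies by recomputing from the real part content (as third-party implementations do) reports the mismatch, whereas two signers sharing the same defect compare identical constant digests and accept any attachment, which is the OAG-to-OAG case described above.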