
For Oracle API Gateway, The Same Digest is Calculated For All Message Attachments. (Doc ID 1587082.1)

Last updated on MARCH 17, 2019

Applies to:

Oracle API Gateway - Version to [Release 11gR1]
Information in this document applies to any platform.


There is an issue in the OAG code, affecting both the API Gateway Explorer and the API Gateway component: when signing attachments, the attachment content is not made available to the signing filter. As a result, the same digest is calculated regardless of the attachment when using the Attachment-Content Transforms.

The outcome is twofold.

Firstly, when attachments are signed correctly by a third party, OAG incorrectly fails signature validation, reporting that the digest and message content do not match.
Conversely, when OAG is signing messages to third parties, they will correctly reject the signature created by OAG as the digest does not match the attachment.

When OAG is sending messages to another OAG instance, the signature always passes, regardless of whether the attachment has been tampered with or not.
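One way to spot this symptom in a signed message, as an added example (not Oracle's code): recompute each attachment's digest independently and flag distinct attachments that carry the same digest value. The function names, Content-IDs and sample bytes are constructed, and the empty-input hash is only an assumed stand-in for the constant digest, whose real value the note does not give.

```python
import base64
import hashlib
from collections import defaultdict


def digest_b64(content: bytes, algo: str = "sha256") -> str:
    """Base64 digest of the raw attachment bytes, as carried in a DigestValue."""
    return base64.b64encode(hashlib.new(algo, content).digest()).decode()


def audit_attachment_digests(parts, algo="sha256"):
    """parts: iterable of (content_id, attachment_bytes, reported_digest_b64).

    Returns the Content-IDs whose reported digest does not match the bytes,
    and groups of attachments with DIFFERENT bytes that share one digest
    (the signature of a signer that never saw the attachment content).
    """
    mismatched = []
    by_digest = defaultdict(dict)
    for cid, content, reported in parts:
        if digest_b64(content, algo) != reported:
            mismatched.append(cid)
        by_digest[reported][cid] = content
    shared = [
        sorted(group)
        for group in by_digest.values()
        # identical attachments legitimately share a digest; differing ones must not
        if len(set(group.values())) > 1
    ]
    return {"mismatched": sorted(mismatched), "shared_digest": sorted(shared)}


# Constructed sample data. STUCK models a digest computed without the
# attachment content (assumption: hash of empty input).
STUCK = digest_b64(b"")
SAMPLE_FLAWED = [
    ("cid:invoice", b"invoice-0001", STUCK),
    ("cid:photo", b"\x89PNG-constructed", STUCK),
]
# The same attachments with digests computed over their real bytes.
SAMPLE_GOOD = [(cid, data, digest_b64(data)) for cid, data, _ in SAMPLE_FLAWED]

if __name__ == "__main__":
    print(audit_attachment_digests(SAMPLE_FLAWED))
    print(audit_attachment_digests(SAMPLE_GOOD))
```

A non-empty `shared_digest` group on messages exchanged between two OAG instances indicates the signature passed without covering the attachment bytes.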

This has been seen in the of OAG.



