For Oracle API Gateway 11.1.2.1, The Same Digest is Calculated For All Message Attachments. (Doc ID 1587082.1)

Last updated on MAY 27, 2016

Applies to:

Oracle API Gateway - Version 11.1.2 to 11.1.2 [Release 11gR2]
Information in this document applies to any platform.

Symptoms

There is an issue in the OAG code, in both the API Gateway Explorer and the API Gateway component: when signing attachments, the attachment content is not made available to the signing filter. This results in the same digest being calculated regardless of the attachment when using the Attachment-Content Transforms.

The outcome is twofold.

Firstly, when attachments are signed correctly by a third party, OAG incorrectly fails signature validation, reporting that the digest and message content do not match.
Conversely, when OAG is signing messages to third parties, they will correctly reject the signature created by OAG as the digest does not match the attachment.

When OAG is sending messages to another OAG instance, the signature always passes, regardless of whether the attachment has been tampered with or not.

This has been seen in version 11.1.2.1.0 of OAG.
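The three outcomes above can be reproduced with a small model of the digest comparison, together with a regression check that flags an implementation whose digest ignores attachment content. This is an added example, not Oracle code: it models only the per-attachment digest comparison, and the SHA-256 algorithm, the empty-input model of the defect, the function names and the sample attachments are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def _b64_sha256(data: bytes) -> str:
    # SHA-256 is an assumption; the note does not name the digest algorithm.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def correct_digest(attachment: bytes) -> str:
    """Digest computed over the attachment bytes, as a third party would."""
    return _b64_sha256(attachment)


def faulty_digest(attachment: bytes) -> str:
    """Model of the defect (assumption): the attachment content never reaches
    the transform, so a constant (here empty) input is hashed instead."""
    return _b64_sha256(b"")


def verify(reference_digest: str, attachment: bytes, digest_fn) -> bool:
    """Compare the signed reference digest with a freshly computed one."""
    return hmac.compare_digest(reference_digest, digest_fn(attachment))


def digest_ignores_content(digest_fn, probes=(b"probe-one", b"probe-two")) -> bool:
    """Regression check: distinct attachments must yield distinct digests."""
    return len({digest_fn(p) for p in probes}) == 1


def scenarios() -> dict:
    # Constructed sample attachments, not taken from the note.
    original = b"constructed attachment, amount=100"
    tampered = b"constructed attachment, amount=900"
    return {
        # Third party signs correctly, affected gateway validates: rejected.
        "third_party_to_affected": verify(correct_digest(original), original, faulty_digest),
        # Affected gateway signs, third party validates: rejected.
        "affected_to_third_party": verify(faulty_digest(original), original, correct_digest),
        # Affected gateway on both sides, attachment modified in transit: accepted.
        "affected_to_affected_tampered": verify(faulty_digest(original), tampered, faulty_digest),
        # Sound implementation on both sides, attachment modified: rejected.
        "sound_to_sound_tampered": verify(correct_digest(original), tampered, correct_digest),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    print("faulty digest ignores content:", digest_ignores_content(faulty_digest))
```

Running `digest_ignores_content` against a signing path in an interoperability test, with two distinct attachments, catches this class of defect before signatures are exchanged with partners.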

Cause
