Andrea Cosentino created CAMEL-23764:
----------------------------------------
Summary: camel-as2: fail closed when an inbound signed message cannot be verified
Key: CAMEL-23764
URL: https://issues.apache.org/jira/browse/CAMEL-23764
Project: Camel
Issue Type: Improvement
Components: camel-as2
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Fix For: 4.21.0, 4.18.3, 4.14.8

When no validateSigningCertificateChain is configured (the default), the AS2
server consumer delivers the payload of an inbound multipart/signed message
without performing signature validation. This proposes a safer default: when a
signed AS2 message is received but no trust anchor is configured to validate
it, reject (or warn) rather than silently delivering the unverified payload.
Signature validation already works correctly once a chain is configured.
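The proposed default, sketched as a standalone decision function. This is an added example, not camel-as2 code: the class, the enums and the `chainConfigured` flag are hypothetical stand-ins, and treating unsigned messages as out of scope is an assumption.

```java
import java.util.Locale;

// Added illustration: class, enum and method names are hypothetical, not camel-as2 APIs.
public class SignedMessageGate {

    enum Policy { REJECT, WARN }   // the two outcomes the issue proposes
    enum Decision { DELIVER_UNSIGNED, VERIFY_THEN_DELIVER, WARN_AND_DELIVER, REJECT }

    // True when the media type is multipart/signed, ignoring case, whitespace
    // and parameters such as protocol=, micalg= or boundary=.
    static boolean isSigned(String contentType) {
        if (contentType == null) {
            return false;
        }
        int semi = contentType.indexOf(';');
        String mediaType = semi < 0 ? contentType : contentType.substring(0, semi);
        return mediaType.trim().toLowerCase(Locale.ROOT).equals("multipart/signed");
    }

    // chainConfigured: whether validateSigningCertificateChain has been set.
    static Decision decide(String contentType, boolean chainConfigured, Policy policy) {
        if (!isSigned(contentType)) {
            return Decision.DELIVER_UNSIGNED;      // assumption: unsigned traffic is out of scope here
        }
        if (chainConfigured) {
            return Decision.VERIFY_THEN_DELIVER;   // signature must still validate against the chain
        }
        // Signed but unverifiable: never fall through to a silent delivery.
        return policy == Policy.WARN ? Decision.WARN_AND_DELIVER : Decision.REJECT;
    }

    public static void main(String[] args) {
        // Constructed Content-Type values, not captured traffic.
        String[] samples = {
            "multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha-256; boundary=\"b1\"",
            " Multipart/Signed;boundary=b1",
            "application/edifact"
        };
        for (String ct : samples) {
            for (boolean configured : new boolean[] {false, true}) {
                System.out.printf("%-28.28s chain=%-5b -> %s%n", ct.trim(), configured,
                        decide(ct, configured, Policy.REJECT));
            }
        }
    }
}
```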