open-banking-gateway
Use real certificates for Xs2a Sandbox
As xs2a-adapter supports (should support from version 0.0.8) real request signing for the Sandbox API, we need to do the following:
- The mock-qwac-certificate of Sandbox is a complete security bypass; we should drop it.
- Sandbox should not use mock-qwac-certificate and profile. It should work with our 'OPBA mocked generated certificate' (requests made by us must be signed and Sandbox should validate the signature).
- We need to supply the 'OPBA mocked generated certificate' to xs2a-adapter so all requests from us to Sandbox must be signed.
So we generate some certificate, make Sandbox aware of it (to trust it) and sign all requests with it. Unsigned requests must fail.
https://jira.adorsys.de/browse/OBG-78
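
The trust model described above (generate a certificate, make the verifier trust it, sign every request, reject unsigned ones), as an added shell example that is not code from open-banking-gateway, xs2a-adapter or the Sandbox. It assumes `openssl` is installed and uses a plain RSA/SHA-256 signature over the request body as a stand-in for the real request-signing scheme; the function names, the `opba-mock-tpp` subject and the request body are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed demo: all names, paths and the request body are hypothetical.
WORK="$(mktemp -d)"

# 1. Generate a key and a self-signed certificate (stand-in for the
#    'OPBA mocked generated certificate').
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=opba-mock-tpp" \
    -keyout "$WORK/opba.key" -out "$WORK/opba.crt" 2>/dev/null
}

# 2. Make the verifier aware of it: pin the certificate's public key.
trust_cert() {
  openssl x509 -in "$WORK/opba.crt" -pubkey -noout > "$WORK/trusted.pub"
}

# 3. Client side: sign the request body, print the signature as base64.
sign_request() {  # $1 = request body
  printf '%s' "$1" | openssl dgst -sha256 -sign "$WORK/opba.key" | openssl base64 -A
}

# 4. Verifier side: fail closed. A missing, undecodable or non-matching
#    signature is rejected; only a valid one returns 0.
verify_request() {  # $1 = request body, $2 = base64 signature (may be empty)
  [ -n "$2" ] || return 1
  printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin" 2>/dev/null || return 1
  printf '%s' "$1" | openssl dgst -sha256 -verify "$WORK/trusted.pub" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

gen_cert && trust_cert
body='{"example":"constructed request body"}'
sig="$(sign_request "$body")"
verify_request "$body" "$sig" && echo "signed request: accepted"
verify_request "$body" ""     || echo "unsigned request: rejected"
verify_request "${body}x" "$sig" || echo "tampered request: rejected"
```
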