It is possible that this functionality does not need to verify the trust anchor signatures to work securely or that it is done elsewhere but this is still a big code smell and should be handled. (Returning true from a signature verification method that is not implemented is just dangerous!)
The
checkTrustAnchorSignature
method inGatewayDataDownloadBtpServiceImpl
is unimplemented but returnstrue
. Furthermore the method is unused.https://github.com/eu-digital-green-certificates/dgca-businessrule-service/blob/6e87451612437324c03287cb6aabd31d7d501612/src/main/java/eu/europa/ec/dgc/businessrule/service/GatewayDataDownloadBtpServiceImpl.java#L294-L297
It is possible that this functionality does not need to verify the trust anchor signatures to work securely or that it is done elsewhere but this is still a big code smell and should be handled. (Returning
true
from a signature verification method that is not implemented is just dangerous!)