Posted to commits@santuario.apache.org by "Enric Granda (JIRA)" <ji...@apache.org> on 2018/06/22 15:42:00 UTC

[jira] [Created] (SANTUARIO-489) Unable to know why verification failed when signature contains a Manifest which has an invalid reference

Enric Granda created SANTUARIO-489:
--------------------------------------

             Summary: Unable to know why verification failed when signature contains a Manifest which has an invalid reference
                 Key: SANTUARIO-489
                 URL: https://issues.apache.org/jira/browse/SANTUARIO-489
             Project: Santuario
          Issue Type: Bug
          Components: Java
    Affects Versions: Java 2.1.2, Java 2.0.10
            Reporter: Enric Granda
            Assignee: Colm O hEigeartaigh


When a signature contains a Manifest, and this Manifest contains an incorrect Reference, if a previous call to
{code:java}
XMLSignature.setFollowNestedManifests(false){code}
is made, then {{XMLSignature.checkSignatureValue()}} returns true, that is, the signature is valid.
 So far, so good.

But when verification is called with a previous call to
{code:java}
XMLSignature.setFollowNestedManifests(true){code}
then {{checkSignatureValue}} returns false (that's correct), but as far as I know there's no way XMLSignature can tell the reason for the failure.

Taking a look at the code, I've seen that {{Manifest.verifyReferences()}} contains a method:
{code:java|title=Manifest.java}
341    this.setVerificationResult(i, currentRefVerified);{code}
that sets the result (false) for the incorrect reference.
 But this set is only made in a new Manifest object created in the same method {{Manifest.verifyReferences()}} previously called (well, in fact it was a call to {{SignedInfo.verifyReferences()}}):
{code:java|title=Manifest.java}
367    referencedManifest =
368        new Manifest(
369            (Element)n, signedManifestNodes.getSourceURI(), secureValidation
370        );{code}
and its validation information is not accessible from XMLSignature.

SignedInfo (since it extends Manifest) allows access to its items and checking the validity of its references by calling {{SignedInfo.getVerificationResult(int)}}.
 But when SignedInfo has a Manifest reference, and one (or more) of the Manifest references are not correct, it seems there's no way to know the reason for the verification error.



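The behaviour reported above can be used to narrow a failure down to a nested Manifest by verifying twice and reading the per-reference results that {{SignedInfo}} does expose. This is an added example, not code from the report or from Santuario: the class {{ManifestFailureDiagnostics}} and its {{explain}} method are hypothetical, and it assumes {{checkSignatureValue}} can be called twice on the same {{XMLSignature}} object.

```java
import java.security.Key;
import java.util.ArrayList;
import java.util.List;

import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;

/** Hypothetical helper (not part of Santuario) that narrows down a failed verification. */
public final class ManifestFailureDiagnostics {

    private ManifestFailureDiagnostics() { }

    /** Returns an empty list when the signature verifies with nested Manifests followed. */
    public static List<String> explain(XMLSignature sig, Key key) throws XMLSecurityException {
        List<String> findings = new ArrayList<>();

        // Pass 1: nested Manifests are NOT followed. Used only for diagnosis,
        // never as the verdict, because Manifest contents go unchecked here.
        sig.setFollowNestedManifests(false);
        boolean validWithoutManifests = sig.checkSignatureValue(key);

        // Pass 2: strict setting; this result is the one callers should trust.
        sig.setFollowNestedManifests(true);
        if (sig.checkSignatureValue(key)) {
            return findings;
        }

        SignedInfo si = sig.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!si.getVerificationResult(i)) {
                // Top-level failures are visible through SignedInfo.
                findings.add("SignedInfo reference " + i + " (" + ref.getURI() + ") failed");
            } else if (validWithoutManifests && ref.typeIsReferenceToManifest()) {
                // Valid without following Manifests, invalid when following them:
                // the cause lies inside a referenced Manifest, whose own
                // per-reference results are not reachable from XMLSignature.
                findings.add("Manifest behind reference " + i + " (" + ref.getURI()
                        + ") is a candidate: one of its nested references did not verify");
            }
        }
        if (!validWithoutManifests && findings.isEmpty()) {
            findings.add("Validation failed even without following Manifests; "
                    + "no SignedInfo reference reported a digest mismatch");
        }
        return findings;
    }
}
```

The helper only identifies which Manifest is suspect; it cannot name the failing reference inside it, which is the gap this issue describes.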