Posted to commits@santuario.apache.org by "Enric Granda (JIRA)" <ji...@apache.org> on 2018/06/22 15:42:00 UTC
[jira] [Created] (SANTUARIO-489) Unable to know why verification failed when signature contains a Manifest which has an invalid reference
Enric Granda created SANTUARIO-489:
--------------------------------------
Summary: Unable to know why verification failed when signature contains a Manifest which has an invalid reference
Key: SANTUARIO-489
URL: https://issues.apache.org/jira/browse/SANTUARIO-489
Project: Santuario
Issue Type: Bug
Components: Java
Affects Versions: Java 2.1.2, Java 2.0.10
Reporter: Enric Granda
Assignee: Colm O hEigeartaigh
When a signature contains a Manifest, and this Manifest contains an incorrect Reference, if a previous call to
{code:java}
XMLSignature.setFollowNestedManifests(false){code}
is made, then {{XMLSignature.checkSignatureValue()}} returns true, that is, the signature is valid.
So far, so good.
But when verification is called with a previous call to
{code:java}
XMLSignature.setFollowNestedManifests(true){code}
then {{checkSignatureValue}} returns false (that's correct), but as far as I know there's no way XMLSignature can tell the reason for the failure.
Taking a look at the code, I've seen that {{Manifest.verifyReferences()}} contains a method:
{code:java|title=Manifest.java}
this.setVerificationResult(i, currentRefVerified);{code}
that sets the result (false) for the incorrect reference.
But this set is only made in a new Manifest object created in the same method {{Manifest.verifyReferences()}} previously called (well, in fact it was a call to {{SignedInfo.verifyReferences()}})
{code:java|title=Manifest.java}
referencedManifest =
    new Manifest(
        (Element)n, signedManifestNodes.getSourceURI(), secureValidation
    );{code}
and its validation information is not accessible from XMLSignature.
SignedInfo (since it extends Manifest) allows access to its items and checking the validity of its references, by calling {{SignedInfo.getVerificationResult(int)}}.
But when SignedInfo has a Manifest reference, and one (or more) of the Manifest references are not correct, it seems there's no way to know the reason for the verification error.
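Added example (not part of the original report and not Santuario's own code): one way a caller can work around the gap described above, by checking the SignedInfo results and then re-resolving each Manifest-typed Reference through the public API to see which nested Reference fails. The names ManifestDiagnostics, explainFailure and collect are hypothetical, and the nested Manifest built here uses the default resolvers, not any per-signature ones.

```java
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import org.apache.xml.security.signature.Manifest;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Hypothetical helper (not part of Santuario): names the Reference that failed.
public final class ManifestDiagnostics {
    public static List<String> explainFailure(Element sigElem, String baseURI, PublicKey key)
            throws Exception {
        org.apache.xml.security.Init.init();
        XMLSignature sig = new XMLSignature(sigElem, baseURI, true); // secure validation on
        sig.setFollowNestedManifests(true);
        List<String> failures = new ArrayList<>();
        if (sig.checkSignatureValue(key)) return failures; // valid, nothing to explain
        SignedInfo si = sig.getSignedInfo();
        collect(si, "SignedInfo", failures);
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            // A Manifest reference whose own digest matches still reports true here,
            // so its nested References are re-checked on a Manifest we build ourselves.
            if (!si.getVerificationResult(i) || !ref.typeIsReferenceToManifest()) continue;
            XMLSignatureInput in = ref.getContentsAfterTransformation();
            for (Node n : in.getNodeSet()) {
                if (n.getNodeType() == Node.ELEMENT_NODE
                        && Constants.SignatureSpecNS.equals(n.getNamespaceURI())
                        && Constants._TAG_MANIFEST.equals(n.getLocalName())) {
                    Manifest nested = new Manifest((Element) n, in.getSourceURI(), true);
                    nested.verifyReferences(); // one level only; deeper Manifests not followed
                    collect(nested, "Manifest " + ref.getURI(), failures);
                }
            }
        }
        if (failures.isEmpty()) {
            failures.add("no failed Reference in SignedInfo or first-level Manifests;"
                    + " check SignatureValue and key");
        }
        return failures;
    }

    private static void collect(Manifest m, String where, List<String> out) throws Exception {
        for (int j = 0; j < m.getLength(); j++) {
            if (!m.getVerificationResult(j)) out.add(where + ": digest mismatch for URI '" + m.item(j).getURI() + "'");
        }
    }
}
```

Same-document URIs only resolve if the caller has registered the ID attributes on the parsed document before building the XMLSignature.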