Posted to commits@santuario.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2019/03/29 13:32:00 UTC

[jira] [Closed] (SANTUARIO-489) Unable to know why verification failed when signature contains a Manifest which has an invalid reference

     [ https://issues.apache.org/jira/browse/SANTUARIO-489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed SANTUARIO-489.
-----------------------------------------

> Unable to know why verification failed when signature contains a Manifest which has an invalid reference
> --------------------------------------------------------------------------------------------------------
>
>                 Key: SANTUARIO-489
>                 URL: https://issues.apache.org/jira/browse/SANTUARIO-489
>             Project: Santuario
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: Java 2.0.10, Java 2.1.2
>            Reporter: Enric Granda
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: Java 2.0.11, Java 2.1.3
>
>
> When a signature contains a Manifest, and this Manifest contains an incorrect Reference, if a previous call to
> {code:java}
> XMLSignature.setFollowNestedManifests(false){code}
> is made, then {{XMLSignature.checkSignatureValue()}} returns true, that is, the signature is valid.
>  So far, so good.
> But when verification is called with a previous call to
> {code:java}
> XMLSignature.setFollowNestedManifests(true){code}
> then {{checkSignatureValue}} returns false (that's correct), but as far as I know there's no way XMLSignature can tell the reason for the failure.
> Taking a look at the code, I've seen {{Manifest.verifyReferences()}} contains a method:
> {code:java|title=Manifest.java}
> this.setVerificationResult(i, currentRefVerified);{code}
> that sets the result (false) for the incorrect reference.
>  But this set is only made in a new Manifest object created in the same method {{Manifest.verifyReferences()}} previously called (well, in fact it was a call to {{SignedInfo.verifyReferences()}}).
> {code:java|title=Manifest.java}
> referencedManifest =
>     new Manifest(
>         (Element)n, signedManifestNodes.getSourceURI(), secureValidation
>     );{code}
> and its validation information is not accessible from XMLSignature.
> SignedInfo (since it extends Manifest) allows access to its items and checking the validity of its references, calling {{SignedInfo.getVerificationResult(int)}}.
>  But when SignedInfo has a Manifest reference, and one (or more) of the Manifest references are not correct, it seems there's no way to know the reason for the verification error.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
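
A caller-side way to find the failing Reference on the affected versions, as an added example that is not part of the original report or of Santuario's code: for each Manifest-type Reference in SignedInfo it rebuilds the nested Manifest the way the report describes {{Manifest.verifyReferences()}} doing it, and reads that Manifest's per-Reference results. The class and method names are hypothetical, the caller supplies an already-parsed {{XMLSignature}}, and the calls assume the 2.0.x/2.1.x Java API.

```java
import java.util.ArrayList;
import java.util.List;
import org.apache.xml.security.signature.Manifest;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

// Added example: ManifestDiagnostics and its methods are hypothetical names, not Santuario API.
public final class ManifestDiagnostics {

    /** Returns one entry per failing Reference, looking one level into nested Manifests. */
    public static List<String> failedReferences(XMLSignature sig, boolean secureValidation)
            throws Exception {
        List<String> failed = new ArrayList<>();
        SignedInfo si = sig.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!si.getVerificationResult(i)) {
                // The digest of the top-level Reference itself does not match.
                failed.add("SignedInfo: " + ref.getURI());
            } else if (ref.typeIsReferenceToManifest()) {
                // The Manifest element is intact; check the References it lists.
                collectManifestFailures(ref, secureValidation, failed);
            }
        }
        return failed;
    }

    private static void collectManifestFailures(Reference ref, boolean secureValidation,
            List<String> failed) throws Exception {
        XMLSignatureInput input = ref.getContentsAfterTransformation();
        for (Node n : input.getNodeSet()) {
            if (n.getNodeType() != Node.ELEMENT_NODE
                    || !Constants._TAG_MANIFEST.equals(n.getLocalName())
                    || !Constants.SignatureSpecNS.equals(n.getNamespaceURI())) {
                continue; // only ds:Manifest elements are of interest
            }
            Manifest m = new Manifest((Element) n, input.getSourceURI(), secureValidation);
            m.verifyReferences(false); // fills this Manifest's own result table
            for (int j = 0; j < m.getLength(); j++) {
                if (!m.getVerificationResult(j)) {
                    failed.add("Manifest " + ref.getURI() + ": " + m.item(j).getURI());
                }
            }
        }
    }
}
```

Call it after {{checkSignatureValue}} has returned false with {{setFollowNestedManifests(true)}}; an empty list means every Reference digest matched, so the failure lies elsewhere.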