Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Java 2.0.10, Java 2.1.2
- None
Description
When a signature contains a Manifest, and this Manifest contains an incorrect Reference, if a previous call to
XMLSignature.setFollowNestedManifests(false)
is made, then XMLSignature.checkSignatureValue() returns true, that is, the signature is valid.
So far, so good.
But when verification is called with a previous call to
XMLSignature.setFollowNestedManifests(true)
then checkSignatureValue returns false (that's correct), but as far as I know there's no way XMLSignature can tell the reason for the failure.
Taking a look at the code, I've seen Manifest.verifyReferences() contains a method:
    this.setVerificationResult(i, currentRefVerified);
that sets the result (false) for the incorrect reference.
But this set is only made in a new Manifest object created in the same method Manifest.verifyReferences() previously called (well, in fact it was a call to SignedInfo.verifyReferences()):
    referencedManifest =
        new Manifest(
            (Element)n, signedManifestNodes.getSourceURI(), secureValidation
        );
and its validation information is not accessible from XMLSignature.
SignedInfo (since it extends Manifest) allows access to its items and checking the validity of its references by calling SignedInfo.getVerificationResult(int).
But when SignedInfo has a Manifest reference, and one (or more) of the Manifest references are not correct, it seems there's no way to know the reason of the verification error.
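Added example, not part of this report or of the Santuario code base: a diagnostic helper that works around the gap described above by verifying with setFollowNestedManifests(false) and then verifying each referenced ds:Manifest separately, so that per-Reference results become reachable. It assumes the org.apache.xml.security API named in the report (Init.init() already called by the caller), checks nested Manifests one level deep, and the class and method names are hypothetical.

```java
import java.security.Key;
import java.util.ArrayList;
import java.util.List;
import org.apache.xml.security.signature.Manifest;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Hypothetical helper: reports every failing Reference, including those inside a nested Manifest. */
public final class ManifestDiagnostics {

    /** Returns a description of each failing Reference; an empty list means the signature verified. */
    public static List<String> findFailures(XMLSignature sig, Key key) throws Exception {
        List<String> failures = new ArrayList<>();
        // Step 1: verify WITHOUT following nested Manifests. SignedInfo then keeps a
        // per-Reference result that can be read back with getVerificationResult(int).
        sig.setFollowNestedManifests(false);
        boolean signatureOk = sig.checkSignatureValue(key);
        SignedInfo si = sig.getSignedInfo();
        for (int i = 0; i < si.getLength(); i++) {
            Reference ref = si.item(i);
            if (!si.getVerificationResult(i)) {
                failures.add("SignedInfo Reference " + i + " (URI=" + ref.getURI() + ") digest mismatch");
                continue;
            }
            if (!ref.typeisReferenceToManifest()) continue;
            // Step 2: the digest over the ds:Manifest element matched, so verify the Manifest's own
            // References separately (what XMLSignature does internally when following Manifests).
            XMLSignatureInput input = ref.dereferenceURIandPerformTransforms(null);
            for (Node n : input.getNodeSet()) {
                if (!(n instanceof Element) || !Constants._TAG_MANIFEST.equals(n.getLocalName())
                        || !Constants.SignatureSpecNS.equals(n.getNamespaceURI())) continue;
                Manifest m = new Manifest((Element) n, input.getSourceURI());
                m.verifyReferences(); // one level deep; records m's per-Reference results
                for (int j = 0; j < m.getLength(); j++) {
                    if (!m.getVerificationResult(j)) {
                        failures.add("Manifest Reference " + j + " (URI=" + m.item(j).getURI() + ") digest mismatch");
                    }
                }
            }
        }
        if (!signatureOk && failures.isEmpty()) {
            failures.add("SignatureValue does not match SignedInfo");
        }
        return failures;
    }
}
```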