in src/main/java/org/apache/xml/security/signature/Manifest.java [307:413]
public boolean verifyReferences(boolean followManifests)
throws MissingResourceFailureException, XMLSecurityException {
if (referencesEl == null) {
this.referencesEl =
XMLUtils.selectDsNodes(
getFirstChild(), Constants._TAG_REFERENCE
);
}
LOG.log(Level.DEBUG, "verify {0} References", referencesEl.length);
LOG.log(Level.DEBUG, "I am {0} requested to follow nested Manifests", followManifests
? "" : "not");
if (referencesEl.length == 0) {
throw new XMLSecurityException("empty", new Object[]{"References are empty"});
}
if (secureValidation && referencesEl.length > referenceCount) {
Object[] exArgs = { referencesEl.length, referenceCount };
throw new XMLSecurityException("signature.tooManyReferences", exArgs);
}
this.verificationResults = new ArrayList<>(referencesEl.length);
boolean verify = true;
for (int i = 0; i < this.referencesEl.length; i++) {
Reference currentRef =
new Reference(referencesEl[i], this.baseURI, this, secureValidation);
this.references.set(i, currentRef);
// if only one item does not verify, the whole verification fails
try {
boolean currentRefVerified = currentRef.verify();
if (!currentRefVerified) {
verify = false;
}
LOG.log(Level.DEBUG, "The Reference has Type {0}", currentRef.getType());
List<VerifiedReference> manifestReferences = Collections.emptyList();
// was verification successful till now and do we want to verify the Manifest?
if (verify && followManifests && currentRef.typeIsReferenceToManifest()) {
LOG.log(Level.DEBUG, "We have to follow a nested Manifest");
try {
XMLSignatureInput signedManifestNodes =
currentRef.dereferenceURIandPerformTransforms(null);
Set<Node> nl = signedManifestNodes.getNodeSet();
Manifest referencedManifest = null;
for (Node n : nl) {
if (n.getNodeType() == Node.ELEMENT_NODE
&& ((Element) n).getNamespaceURI().equals(Constants.SignatureSpecNS)
&& ((Element) n).getLocalName().equals(Constants._TAG_MANIFEST)
) {
try {
referencedManifest =
new Manifest(
(Element)n, signedManifestNodes.getSourceURI(), secureValidation
);
break;
} catch (XMLSecurityException ex) {
LOG.log(Level.DEBUG, ex.getMessage(), ex);
// Hm, seems not to be a ds:Manifest
}
}
}
if (referencedManifest == null) {
// The Reference stated that it points to a ds:Manifest
// but we did not find a ds:Manifest in the signed area
throw new MissingResourceFailureException(currentRef, "empty",
new Object[]{"No Manifest found"});
}
referencedManifest.perManifestResolvers = this.perManifestResolvers;
referencedManifest.resolverProperties = this.resolverProperties;
boolean referencedManifestValid =
referencedManifest.verifyReferences(followManifests);
if (!referencedManifestValid) {
verify = false;
LOG.log(Level.WARNING, "The nested Manifest was invalid (bad)");
} else {
LOG.log(Level.DEBUG, "The nested Manifest was valid (good)");
}
manifestReferences = referencedManifest.getVerificationResults();
} catch (IOException ex) {
throw new ReferenceNotInitializedException(ex);
} catch (XMLParserException ex) {
throw new ReferenceNotInitializedException(ex);
}
}
verificationResults.add(new VerifiedReference(currentRefVerified, currentRef.getURI(), manifestReferences));
} catch (ReferenceNotInitializedException ex) {
Object[] exArgs = { currentRef.getURI() };
throw new MissingResourceFailureException(
ex, currentRef, "signature.Verification.Reference.NoInput", exArgs
);
}
}
return verify;
}