I've run into strange things in DSIGReference class:
1. There is errStr variable of safeBuffer type declared in hashReferenceList(), but never used. It is used to keep the text "Reference URI="myReference" failed to verify\n", but then this variable is not used in any other way. Proper way would be to raise an exception with this text, but even if verification of URI fails, during signing, exception is not raised and signing completes. This is peace of verifyReferenceList():
...
if (!r->checkHash()) {
// Failed
errStr.sbXMLChCat("Reference URI=\"");
errStr.sbXMLChCat(r->getURI());
errStr.sbXMLChCat("\" failed to verify\n");
res = false;
}
...
but there is no any exception to be raised nor anything else bad will happen. This is because this peace of code in hashReferenceList():
do {
for (int j = 0; j < i; ++j) {
r = lst->item(j);
r->setHash();
// If this is a manifest we need to set all the references in the manifest as well
if (r->isManifest())
hashReferenceList(r->getManifestReferenceList());
}
} while (interlocking && !DSIGReference::verifyReferenceList(lst, errStr) && (i-- >= 0));
this peace of code calculates and verifies hash 100 (10*10) times if you have 10 references.
Best regards,
Milan
