Adjust deprecation to better reflect real-world usage #499
Conversation
| // thus the `canonXml` and _only_ the `canonXml` can be trusted. | ||
| // Append this to `signedReferences`. | ||
| this.signedReferences.push(canonXml); | ||
| ref.signedReference = canonXml; |
There was a problem hiding this comment.
If there exist >1 references and any of the 1+n ( n > 0 ) reference validation fails then it seems based on quick code browsing that at least ref numer 1's signedReference points to canonical representation of ref XML and it is "labelled" as "signed" even though actual signature validation has not occured at all. At this stage only reference digest is validated but attacker might have recalculated digest after altering content at the end of reference "pointer". I.e. this looks similar case that there was with signedReferences array which was not resetted if any of the 1+n references validation failed.
Edit: aforementioned comment was meant to another PR. Any possible further discussion should take place at #498 (comment)
This PR is to pull these changes from #498 to the 6.x branch.