XAdESVerifier verify CertDigest fix

[msetina]

Fix for #246. I found out that if I have multiple certificates in cert parameter to sign, the digest check would fail. Since it was signed with signxml, it was strange. Looking at code I found a problem. This is the solution.

[msetina]

Test suite fails for nonconformant-X_BE_CONN_10.xml. It has 2 X509Certificate nodes and 2 xades:Cert nodes. Previous code raised a InvalidDigest. The new code checks both Digests as OK as it compares by list index.
By removing "nonconformant-X_BE_CONN_10": InvalidDigest, from test_xades_interop_examples error_conditions, test suit will finish with OK.

[kislyuk]

Please add a PR description with the motivation for this change.

[msetina]

Notice that test is changed as one was an error before and now it is not as Digests match.

[kislyuk]

Thanks. I will take a look at that test case and see if this is the correct way to make it work.

[msetina]

Is there a problem with this PR?

[kislyuk]

The problem is that I haven't been able to understand whether this change is the general and safe thing to do.

A deeper analysis including references to relevant parts of the standard would help.

[msetina]

You are right to be sceptical. I still think the base implementation is wrong as my case was made by this project and it does not verify.
All I did was change the code to the point where my case cleared.
The test case may have tested for certificate replacement. And this PR does not check that. But the test case was cleared for wrong reason. Current code verifies by first fail which does not work with multiple certificates.
The spec expects to link certicates and digest by issuerserial.

[kislyuk]

Let's keep this open if you don't mind, since as you say it makes one of the test cases pass. I promise I will get to it eventually :)

[msetina]

I changed the code to be more inline with specification.
The specification ETSI EN 319 132-1 V1.2.1 states

The information in the IssuerSerialV2 element is only a hint, that can help to identify the certificate
whose digest matches the value present in the reference. But the binding information is the digest of the
certificate.

So I changed the code to reflect that. So the available certificates get keys formed in accordace to IssuerSerial and IssuerSerialV2 for the newer definition. Then the Digests are first matched by this key. If not then it follows the notion to find the certificate by matching digest to all available certificates to conform to the statement. This way digest fails only if no Certificates match the digest. Test look OK, but in test cases are examples that do not match by IssueSerial because of encoding issues. Those do not break the digest as digest matches one of the Certificates.

[msetina]

To parse the IssueSerialV2 I used asn1crypto. I saw it is used in tests, but it is not dependency. The data in IssueSerialV2 is a complex type and would be hesitant to do it on my own. Hope this is not a problem.