signature.checkSignatureValue() should return more than true/false. Ideally, an exception with a method getFailedReference() to find out what part of the signature failed the verification. Possible Exception types: - reference hash failed (provide pointer to that reference) - certificate didn't produce this signature - reference's hashed correctly, but the top-level node hash failed And so on. To preserve the interface of true/false, perhaps provide a getWhatDarnThingFailed() method returning a reference so the calling application can point the user at the right place.
Change to enhance.