Vincent Finn wrote:

Is it possible to sign and verify a document without using the DOM?

Not at the moment - in either library.


The core library loads its structures from DOM, and relies on DOM for most of the transforms.


The reason I ask is because I have a document that is about 13Mb with about 200 or 300 thousand nodes


calling parse to get this into a DOM document crashes after the memory hits about 2Gb.
I should be able to rewrite my load of this file to use SAX but that means abandoning the signature since DSIGSignature requires a DOMDoc


Has anyone else hit this?
Is there a nice solution?

I don't know about "nice". The only way I've seen is to use a detached signature, and treat the document as a straight byte stream. The library will read it in in chunks, so the size won't matter.


Unfortunately, that means any change to the XML at all will invalidate the signature. That's even one that doesn't affect the underlying information, such as an extra space between an element name and first attribute, re-ordering of attributes etc.

I have been toying with the idea of building a SAX based canonicaliser for these situations, but it would still only work with a detached signature. I.e. you would have one file with the signature, and the reference would be a URI to the signed file, with a canonicalisation transform. The library would pick that it was coming in as a byte stream and use a SAX version of the canonicaliser to sign it.

Cheers,
        Berin
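The two points in the reply above, a detached reference digested as a chunked byte stream and a streaming canonicaliser that never builds a DOM, as an added example (not code from xml-security-c or any other Apache Santuario library). It uses Python's hashlib and xml.etree.ElementTree.canonicalize(), whose from_file mode feeds the expat parser in 64 KiB chunks and writes the canonical form straight to a write() sink. That function implements Canonical XML 2.0, so it stands in for the C14N transform an XML-DSIG signature would name; the sample documents are constructed for the demonstration.

```python
"""Digests for a detached signature over an XML file: raw byte stream vs.
streaming canonical form.  Added example, not Santuario/xml-security-c code.
canonicalize() here is Python's C14N 2.0, used as a stand-in for the
XML-DSIG canonicalisation transform."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

CHUNK = 64 * 1024


def raw_digest(path):
    """Digest the file exactly as stored, chunk by chunk: the 'straight byte
    stream' reference.  Memory use is bounded by CHUNK, not by file size,
    but any byte-level change (even an extra space) alters the result."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class _HashSink:
    """write() target for canonicalize(): hashes canonical text as it is
    emitted, so the canonical document is never held in memory."""
    def __init__(self):
        self.h = hashlib.sha256()

    def write(self, text):
        self.h.update(text.encode("utf-8"))


def canonical_digest(path):
    """Digest the canonical form.  from_file= streams the parse (expat events
    -> canonical writer -> hash), so no DOM is built: the streaming
    canonicaliser idea from the thread, using the stdlib C14N 2.0 writer."""
    sink = _HashSink()
    ET.canonicalize(from_file=path, out=sink)
    return sink.h.hexdigest()


# Constructed sample documents: identical information, different bytes.
ORIGINAL = b'<doc id="1"><item>x</item><empty></empty></doc>'
VARIANTS = {
    "extra space before first attribute":
        b'<doc  id="1"><item>x</item><empty></empty></doc>',
    "single-quoted attribute value":
        b"<doc id='1'><item>x</item><empty></empty></doc>",
    "self-closing empty element":
        b'<doc id="1"><item>x</item><empty/></doc>',
}


def compare(original=ORIGINAL, variants=VARIANTS):
    """Return {label: (raw_digest_matches, canonical_digest_matches)} for
    each variant relative to the original document."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "original.xml")
        with open(base, "wb") as f:
            f.write(original)
        base_raw, base_c14n = raw_digest(base), canonical_digest(base)
        for i, (label, data) in enumerate(variants.items()):
            path = os.path.join(tmp, f"variant{i}.xml")
            with open(path, "wb") as f:
                f.write(data)
            results[label] = (raw_digest(path) == base_raw,
                              canonical_digest(path) == base_c14n)
    return results


if __name__ == "__main__":
    for label, (raw_ok, c14n_ok) in compare().items():
        print(f"{label:38s} raw match: {str(raw_ok):5s} "
              f"canonical match: {c14n_ok}")
```

Each variant fails the raw byte-stream digest and passes the canonical one, which is exactly the trade-off the reply describes: the byte-stream reference scales to any file size but rejects cosmetic edits, while a streaming canonicaliser keeps the bounded memory use and tolerates them. In a real detached signature the Reference would carry the file URI plus the canonicalisation transform, and the verifier would have to apply the same streaming transform before comparing the digest.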



