> My question is this: Are there any efforts like this currently going
> on in the community (none that I could find, outside of a largely
> untested SAX based patch)?

Nothing I know of, and I spent a fair amount of time looking a few months ago.

> If not, would there be interest in helping to advance the state of the
> code I have, and if possible modify it to follow the XML Signature
> specification? Currently the code suits my needs, which are very
> limited, and there would likely be significant effort in bringing it
> up to spec.
>
> However, I feel strongly that a DOM based implementation can be not
> much more than a reference implementation if we're ever to make XML
> signature (and encryption) a part of large scale enterprise class
> systems.
>
> Any comments or criticisms would be much appreciated.

I also have my own very limited subset of XML signature implemented via StAX. Unfortunately I use many calls to my own XMLUtil methods as well. I am using the XMLStreamReader/XMLStreamWriter rather than the event model, as it is slightly faster and is what was being used in our application code already.

My big hurdles have been c14n (should be doable for most cases fairly easily) and being able to generate digests in an efficient manner (as you may have already noticed, on reading, the token-wise stream position does not necessarily match the position of the underlying stream the factory used to create the XMLStreamReader). I have tried a bunch of approaches with BufferedInputStream, etc. without much luck, so I am currently running with a temp file workaround. I have an idea of how to make it work without this but haven't implemented it yet.

I was also unable to integrate with the existing xml-security classes easily, since so many of them are tightly coupled to DOM and on first look would need refactoring to be able to interoperate with non-DOM IO.
The state of my current code is:
Currently only supports detached sigs within enveloped files ([Env][Content][RealData][/RealData][/Content][Signature]...[/Signature][/Env])
Only supports SHA1/DSA keys, no certs or other algorithms
Does not do C14N other than newline normalization to 0xA
Is tied to our application code in that it uses XMLUtil convenience calls we wrote such as writeAttributes(XMLStreamWriter) and readElement(XMLStreamReader)

I think my next immediate step would be a C14N implementation using StAX that was not tied to our utility methods. I already have the merlin w3c test files but haven't started dealing with c14n much yet.

Chris
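One way around the stream-position problem Chris describes, as an added example that is not his code or the xml-security project's: instead of digesting the raw bytes the factory consumed, re-serialize the subtree to be signed through an XMLStreamWriter and digest that byte form, applying only the newline-to-0xA normalization mentioned above (this is not W3C C14N: attributes are not sorted and namespaces are not rewritten). The element name, the constructed sample document and the SHA-1 choice are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;

public class StreamingContentDigest {

    // Constructed sample of an enveloped document; CR LF is used on purpose to exercise normalization.
    static final String SAMPLE =
        "<Env>\r\n<Content id=\"c1\"><RealData>hello\r\nworld</RealData></Content>\r\n"
        + "<Signature>ignored-here</Signature>\r\n</Env>";
    /** Re-serializes the first subtree named `element` with the StAX writer and digests those bytes,
     *  so the digest never depends on the reader's position in the underlying byte stream. */
    public static byte[] digestContent(byte[] doc, String element, String algorithm) throws Exception {
        XMLStreamReader r = XMLInputFactory.newInstance().createXMLStreamReader(new ByteArrayInputStream(doc));
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        XMLStreamWriter w = XMLOutputFactory.newInstance().createXMLStreamWriter(buf, "UTF-8");
        int depth = 0; boolean inside = false;
        while (r.hasNext()) {
            int ev = r.next();
            if (ev == XMLStreamConstants.START_ELEMENT) {
                if (!inside && element.equals(r.getLocalName())) inside = true;
                if (inside) {
                    depth++;
                    w.writeStartElement(r.getLocalName());
                    for (int i = 0; i < r.getAttributeCount(); i++)
                        w.writeAttribute(r.getAttributeLocalName(i), r.getAttributeValue(i));
                }
            } else if (ev == XMLStreamConstants.CHARACTERS && inside) {
                // Minimal "c14n" as in the post: CR LF and bare CR become LF (0xA). A conforming parser
                // already does this per XML 1.0 section 2.11, so this is only a belt-and-braces step.
                w.writeCharacters(r.getText().replace("\r\n", "\n").replace('\r', '\n'));
            } else if (ev == XMLStreamConstants.END_ELEMENT && inside) {
                w.writeEndElement();
                if (--depth == 0) { inside = false; break; } // subtree finished; no need to read further
            }
        }
        w.flush();
        return MessageDigest.getInstance(algorithm).digest(buf.toByteArray());
    }
    public static void main(String[] args) throws Exception {
        byte[] d = digestContent(SAMPLE.getBytes(StandardCharsets.UTF_8), "Content", "SHA-1");
        System.out.println(java.util.Base64.getEncoder().encodeToString(d));
    }
}
```

The verifier of a detached signature must rebuild the digest input the same way, so whatever normalization the signer applies has to be fixed by the shared profile rather than by the parser that happened to be in use.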
