Scott Cantor wrote:
Or I suppose the other option would be to make sure you validate prior to sign. If I could think of some fancy way to do it, we could even mark base64binary elements somehow and have the security library convert them to normalised form as part of signing.
You mean verify first and then validate? You can, but until recently it required two parse operations, which isn't reasonable. I don't know if Xerces-C supports in-memory validation of a DOM yet. The Java code does.
I was actually thinking more about always making sure the original document is validated prior to signing, just to make sure you are signing the normalised form. But that's going to be unworkable in many instances - particularly if you are building the DOM in memory. It was just idle musings :>.
I had a quick look at validating in memory with Xerces-C a few months back and couldn't find anything, but then I wasn't looking too hard.
Cheers,
Berin