> I am indeed validating. I've found a workaround, in the end, which
> consists of serializing and re-parsing every document before I sign it
> in the Java code, which at least ensures that I'm not signing any
> denormalized data, and then doing the same thing before actually
> emitting the document that gets passed to xmlsec to normalize the
> unsigned bits of the document too (libxml appears to not normalize
> strings even when it validates).

Nice, then libxml is broken. ;-)

But yeah, I considered a double parse, but decided that was unacceptable for performance reasons. I hope the JAXP normalize property isn't broken, otherwise my migration to it is dead in the water (again).

> So whose bright idea was it to set <xs:whitespace value="collapse"
> fixed="true"/> on the base64Binary type, anyway? *grump*

No joke. That was incredibly dumb. But basically, what probably needs to happen is xmlsec might want to consider outputting pre-normalized base64 when it writes out those nodes. Then at least you could have super-signatures that wouldn't always break.

-- Scott
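
Added example, not part of the original message and not code from xmlsec or any project named in the thread: a Python sketch of why line-wrapped base64 in an inner signature breaks an enclosing signature once a validating parser applies the whitespace collapse fixed on base64Binary, while pre-normalized base64 survives. The helper names, the 48-byte signature value, and the use of the standard library's C14N 2.0 in place of whatever canonicalization the real signature uses are assumptions.

```python
import base64, copy, hashlib, re
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
SIG_BYTES = bytes(range(48))  # constructed stand-in for a real signature value

def xsd_collapse(text):
    """XML Schema whitespace collapse: tab/LF/CR -> space, squeeze runs, trim."""
    return re.sub(r" +", " ", re.sub(r"[\t\n\r]", " ", text)).strip(" ")

def inner_signature(wrap=None):
    """Constructed inner signature; wrap=N line-wraps the base64 at N columns."""
    b64 = base64.b64encode(SIG_BYTES).decode("ascii")
    if wrap:
        lines = [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
        b64 = "\n" + "\n".join(lines) + "\n"
    root = ET.Element(f"{{{DS}}}Signature")
    ET.SubElement(root, f"{{{DS}}}SignatureValue").text = b64
    return root

def validated_view(root):
    """Assumed effect of a validating, normalizing parse on base64Binary content."""
    out = copy.deepcopy(root)
    for el in out.iter(f"{{{DS}}}SignatureValue"):
        el.text = xsd_collapse(el.text or "")
    return out

def outer_digest(root):
    """SHA-256 over the canonical form, as an enclosing signature would digest it."""
    xml_text = ET.tostring(root, encoding="unicode")
    return hashlib.sha256(ET.canonicalize(xml_text).encode("utf-8")).hexdigest()

def survives_validation(root):
    """True if the enclosing digest is unchanged after normalization."""
    return outer_digest(root) == outer_digest(validated_view(root))

def sig_value(root):
    """Decoded signature bytes; whitespace inside the base64 is ignored."""
    return base64.b64decode(root.find(f"{{{DS}}}SignatureValue").text)

if __name__ == "__main__":
    for label, doc in [("wrapped at 16 columns", inner_signature(wrap=16)),
                       ("pre-normalized", inner_signature())]:
        print(label, "-> outer digest stable:", survives_validation(doc))
```

The decoded signature bytes are identical in every case; only the octets the enclosing digest covers change, which is why normalizing once before signing makes the result stable under later validating parses.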