I have a usage of XML Signatures that's probably at the intersection of several out-of-the-ordinary uses of the spec, and I'm wondering if there are any shortcuts I can take.
I am using ds:Object/ds:Manifest References to refer to external files, for the purposes of providing a digest of files which accompany to the XML document. Sometimes these files are quite large. I am also using detached signatures, sometimes more than one to a single XML file. In this case the certs mean different things to different consumers of the same XML file. They might be added all at once, or accumulated over time. This results in a situation where one XML document posesses multiple digests for the same file. This presents a throughput problem when verifying signatures, as the digests in this case are the proverbial tall tent pole by a good margin. I haven't discovered any mechanism built into the XMLSec API which allows or encourages the sharing of digest calculations for the same resource.
From my reading of the Java implementation, all of the fields and
methods related to calculating the digest are safely hidden away from my grubby hands, and probably for good reason considering how fragile this could make the verification code. I'm wondering if there's some way to accomplish this without jeopardizing correctness, and especially without heavily subclassing the Reference or Manifest class to do so. Or am I out of luck? Thanks, Jason Marshall -- - Jason
