John Keeping wrote on 2009-06-20:
> Yes, this works fine if I remove the reference elements from the DOM. As
> for resigning in general, isn't that what the templatesign tool does?

Literally have no idea.

> Interestingly, while checking the source for that tool, I noticed that
> DSIGSignature::clearKeyInfo() does remove the DOM node in the signature,
> but then that's not signed so it's a bit easier.

I'll check into it.

> I suspect it is as long as a simple check is made for consecutive text
> nodes after the element is removed. Namespaces shouldn't be a problem
> since the Reference element shouldn't contain anything not in the
> xmldsig namespace.

That's the sort of assumption correct XML code doesn't make, but it isn't currently part of my scope to totally redo the XML processing in the code. At some point I either will do that, switch to a different library, or literally rewrite it all to handle only the use cases I need, at which point it doesn't help you anyway.

I'm not sure what you mean by checking for text nodes. If you're changing the document, I don't think whitespace impact is too important.

> If there's not a better solution, perhaps it would be useful to have
> something similar in the core library? Maybe just
> DSIGSignedInfo::regenerateDOM() could remove all children of the signed
> info node and re-create them from the information in memory.

That might be the best solution, but I don't know if it's feasible with the current design, or if it is the work involved might be similar to other options. I do plan to look at this, but I don't know when I'll have that chance. Not for a little while at any rate.

-- Scott