Vincent Finn wrote:
> Is it possible to sign and verify a document without using the DOM?
Not at the moment - in either library.
The core library loads its structures from DOM, and relies on DOM for
most of the transforms.
> The reason I ask is because I have a document that is about 13Mb with
> about 200 or 300 thousand nodes.
> Calling parse to get this into a DOM document crashes after the memory
> hits about 2Gb.
> I should be able to rewrite my load of this file to use SAX but that means
> abandoning the signature since DSIGSignature requires a DOMDoc.
> Has anyone else hit this?
> Is there a nice solution?
I don't know about "nice". The only way I've seen is to use a detached
signature, and treat the document as a straight byte stream. The
library will read it in in chunks, so the size won't matter.
Unfortunately, that means any change to the XML at all will invalidate
the signature. That's even one that doesn't affect the underlying
information, such as an extra space between an element name and first
attribute, re-ordering of attributes etc.
I have been toying with the idea of building a SAX based canonicaliser
for these situations, but it would still only work with a detached
signature. I.e. you would have one file with the signature, and the
reference would be a URI to the signed file, with a canonicalisation
transform. The library would pick that it was coming in as a byte
stream and use a SAX version of the canonicaliser to sign it.
Cheers,
Berin
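
The trade-off discussed in this message, as an added example that is not part of the original post and not code from either library: a chunked digest over the raw bytes (the value a detached signature would cover) changes when attributes are re-ordered or spacing is added, while a digest fed from SAX events with sorted attributes does not. The normaliser is a deliberately simplified stand-in, not Canonical XML; all function names and the sample documents are constructed for illustration.

```python
import hashlib
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.saxutils import escape, quoteattr

CHUNK = 64 * 1024  # read size; memory use stays flat regardless of file size

def byte_digest(stream, chunk=CHUNK):
    """Digest of the document as a straight byte stream, read in chunks."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

class NormalisingHasher(ContentHandler):
    """Hashes a normalised re-serialisation of SAX events (simplified, NOT C14N)."""
    def __init__(self):
        super().__init__()
        self.h = hashlib.sha256()

    def _emit(self, text):
        self.h.update(text.encode("utf-8"))

    def startElement(self, name, attrs):
        # Sorting attributes removes ordering and inter-attribute spacing differences.
        ordered = "".join(f" {k}={quoteattr(attrs[k])}" for k in sorted(attrs.getNames()))
        self._emit(f"<{name}{ordered}>")

    def endElement(self, name):
        self._emit(f"</{name}>")

    def characters(self, content):
        self._emit(escape(content))

def sax_digest(stream, chunk=CHUNK):
    """Digest over normalised SAX events; the parser is fed incrementally, no DOM."""
    handler = NormalisingHasher()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # never resolve external entities
    parser.setContentHandler(handler)
    for block in iter(lambda: stream.read(chunk), b""):
        parser.feed(block)
    parser.close()
    return handler.h.hexdigest()

# Constructed samples: B differs from A only in spacing and attribute order; C changes data.
DOC_A = b'<order id="7" currency="EUR"><item sku="x1">2</item></order>'
DOC_B = b'<order   currency="EUR" id="7"><item sku="x1">2</item></order>'
DOC_C = b'<order id="8" currency="EUR"><item sku="x1">2</item></order>'
```
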