Bug 32657 - Experimental single pass SAX xml signature verification
Summary: Experimental single pass SAX xml signature verification
Status: NEW
Alias: None
Product: Security - Now in JIRA
Classification: Unclassified
Component: Signature (show other bugs)
Version: unspecified
Hardware: All All
: P2 enhancement
Target Milestone: ---
Assignee: XML Security Developers Mailing List
Depends on:
Reported: 2004-12-12 14:09 UTC by Raul Benito
Modified: 2005-01-07 09:27 UTC (History)
0 users

First Version (63.11 KB, patch)
2004-12-12 14:10 UTC, Raul Benito
Details | Diff
Second version (92.62 KB, patch)
2005-01-07 18:27 UTC, Raul Benito
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raul Benito 2004-12-12 14:09:54 UTC
I attached a patch that includes an experimental (i.e. nearly working, and hard
to use) single pass SAX xml signature verification.
Right now it can only verify signatures that the name of the element signed, and
the way it is c14n are known before hand (no other transformations are
implemented, so no enveloped signatures right now). Some examples of use can be
found in the src_samples/prb/SaxPrb.java. I have documented my progress somehow
in my blog so please take a look to http://r-bg.com/apache for more info.
This feature has been tested by some other people finding very big improvements
both in memory consumption and in performance. But the API is really unstable
and it is going to change radically in next versions.

I'm expecting some help in order to design the API, and the functionality in
order to include it (when polished) in the official distribution.


Comment 1 Raul Benito 2004-12-12 14:10:40 UTC
Created attachment 13738 [details]
First Version
Comment 2 Raul Benito 2005-01-07 18:27:45 UTC
Created attachment 13928 [details]
Second version

New version, major changes: 
 * easier to use API(see tests for examples), in enveloping signatures no other
parameters need to be given. 
 * verification of enveloped signature.
 The api is still not stable, only verification not creation API. More ways of
telling what to verificate and how.