I’ve been following with interest various articles over the last week or so about “XML Pull API’s”http://www.xmlpull.org. The main advantages being much quicker processing and I’m guessing memory usage over DOM style apis. As well as a simpler API over Event driven APIs like SAX .

Now my XML Signature for Dom4J uses as the name sugest Dom4J. Which is great in that its easy to use and very powerful. This is great when you want to actually go in and do stuff to your xml.

Reading about the Pull methodologies advantages got me thinking, that it would be a good idea to create a Pull based XML Signature verifier. After all Verifications are in usage much more common than the actual signing process. Also most of the XML messages used by for example NeuClear are fairly simple and would probably lend themselves well to the simplicity of a Pull api.

So how would you do that exactly? My guess is the easiest way to do so would be to have a wrapper class implementing XMLPullParser.

Actually more likely two wrapper classes. One the Canonicalizer and one the Signature Verifier.

You would use it by passing it something like this:

XmlPullParser xpp = factory.newPullParser();
xpp.setInput(new FileReader ( args [i] ) );
XMLPullSignatureVerifier ver=new XMLPullSignatureVerifier(xpp);

while(ver.next()) {
	// Do stuff
}
if (ver.isValid(key))
	System.out.println("Signature is valid");
}

This looks relatively simple to me, but I’m not sure. Its not the highest priority for me at the moment though.