santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Labarthe Dubois" <dub...@consist.com.ar>
Subject Re: Improve performance of XML Signing
Date Thu, 23 Mar 2006 17:48:00 GMT
Yap, the best thing you can do there is have a "cache" of the used keys.




----- Original Message -----
From: "Arshad Noor" <arshad.noor@strongauth.com>
To: <security-dev@xml.apache.org>
Sent: Thursday, March 23, 2006 2:45 PM
Subject: Re: Improve performance of XML Signing


> It appears that opening the keystore, authenticating to it, searching
> for and retreiving the right certificate uses approximately 90% of your
> signing operation time (790 out of 890ms).  I'm not sure how much you
> can reduce this since there are a lot of things going on in this
> "keystore-init" operation (you can look at the Java source code if you
> want to learn exactly what's going on).  One option you have for
> "speeding" this up is to amortize the keystore-init time over all your
> signing operations.
>
> What does that mean?  Setup your application to provide signing as a
> service.  Initialize the keystore and get the certificate as part of
> the initialization of the service (so that it only happens once at the
> start of the application or just for the first signing operation), and
> then hold the reference to the signing key in memory.
>
> Now all signing operations do not need to go through the keystore-init
> process (until the application service is restarted) thereby "amortizing
> the cost of the keystore-init operation" across all signing operations".
> While it has not reduced the actual time for the keystore-init, it has
> reduced it significantly in the context of what it takes to perform a
> 100, 1000 or 10,000 signing operations (the more signing ops, the lower
> the cost).
>
> Arshad Noor
> StrongAuth, Inc.
>
> Murugan Selvaraj wrote:
> > Thanks for your reply.I again drilled down my code to identify where the
> > bottle-necks  are.I found that the following code takes 790 Millie
> > seconds
> >
> > Init.init();
> > //Initializing key store
> > KEYSTORE = "xml/keystore.jks";
> > KEYSTORETYPE = "JKS";
> > KEYSTOREPASS = "xmlsecurity";
> > KEYALIAS = "test";
> > CERTIFICATEALIAS = "test";
> >
> > Does any one have any idea how to improve the performance in this area.
> >
> > Thanks
> > Murugan
> >
> > -----Original Message-----
> > From: Arshad Noor [mailto:arshad.noor@strongauth.com]
> > Sent: Wednesday, March 22, 2006 6:25 PM
> > To: security-dev@xml.apache.org
> > Subject: Re: Improve performance of XML Signing
> >
> > Murugan,
> >
> > Characterization requires that you know more than the total time taken
> > for specific operations - you need to know how much of your time is
> > spent waiting for I/O, CPU, locks, etc. so that you know where to
> > optimize.  Knowing that signing takes a total of 890ms still does not
> > indicate where you can apply resources towards improving performance.
> > You need to break it down further and then determine what you want to
> > improve before deciding how to improve it.
> >
> > Arshad Noor
> > StrongAuth, Inc.
> >
> > Murugan Selvaraj wrote:
> >
> >>Yes I have you characterized the performance of the end-to-end
> >>transaction
> >>to determine where your bottle-necks are.The bottle-necks are signing
> >>the URI of the XML document that takes 890 milliseconds (We are not
> >>even signing whole XML document)using enveloped sign.I just developed
> >>one sample XML file .It is taking 890 milliseconds to sign the URI.Can
> >>you now tell me how to improve the performance.
> >>
> >>I have attached the XML document and the code below.
> >>XML:
> >><?xml version="1.0" encoding="UTF-8" ?>
> >> <DigitalWorkFlowPacket Id="new"
> >>xmlns:tools="http://www.digitalBrIdge.net/DWF/Tools/1.0"
> >>xmlns:dwf="http://www.digitalBrIdge.net/DWF/1.0"
> >>xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >>xmlns:j="http://www.it.ojp.gov/jxdm/3.0.2"
> >>xmlns:mc="http://home.icjis.maricopa.gov/icjisschemas/MC/1.0">
> >><Signatures>
> >>      <Signature linkName="main">
> >>        <Reference type="uri">
> >>          main
> >>        </Reference>
> >>      </Signature>
> >></Signatures>
> >>
> >><div id="main">
> >>1
> >></div>
> >>
> >></DigitalWorkFlowPacket>
> >>
> >>CODE :
> >>
> >>KeyStore ks = KeyStore.getInstance(KEYSTORETYPE);
> >> FileInputStream fis = new
> >>FileInputStream(KEYSTORE);
> >> ks.load(fis, KEYSTOREPASS.toCharArray());
> >> PrivateKey privateKey =
> >>(PrivateKey)ks.getKey(KEYALIAS,KEYSTOREPASS.toCharArray());
> >>
> >> XMLSignature xmlSig = new XMLSignature(doc,"",
> >>XMLSignature.ALGO_ID_SIGNATURE_DSA);
> >> org.w3c.dom.Element sigElement =
> >>xmlSig.getElement();
> >> signAttachElement.appendChild(sigElement);
> >>
> >> Transforms transforms = new Transforms(doc);
> >>
> >>transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
> >>
> >>transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
> >>
> >> xmlSig.addDocument(strURISign,transforms,
> >>Constants.ALGO_ID_DIGEST_SHA1);
> >> X509Certificate cert =
> >>(X509Certificate)ks.getCertificate(CERTIFICATEALIAS);
> >> if (cert == null)
> >> {
> >>                 throw new Exception("X509 certificate not
> >>found");
> >> }
> >>         xmlSig.addKeyInfo(cert);
> >>         xmlSig.addKeyInfo(cert.getPublicKey());
> >>         //System.out.println("AFTER calling");
> >>         xmlSig.sign(privateKey);
> >>
> >>-----Original Message-----
> >>From: Arshad Noor [mailto:arshad.noor@strongauth.com]
> >>Sent: Wednesday, March 22, 2006 5:34 PM
> >>To: security-dev@xml.apache.org
> >>Subject: Re: Improve performance of XML Signing
> >>
> >>Have you characterized the performance of the end-to-end transaction
> >>to determine where your bottle-necks are?  Without that you're
> >
> > shooting
> >
> >>in the dark - i.e. you could spend a lot of time optimizing components
> >>of the process and still not a dent in the overall signing time.
> >>
> >>Arshad Noor
> >>StrongAuth, Inc.
> >>
> >>Murugan Selvaraj wrote:
> >>
> >>
> >>>Hi All,
> >>>
> >>>
> >>>
> >>>We are trying to improve the performance of the XML signing done using
> >>
> >>
> >>>apache tool kit.Can any one help and guide me on improving the
> >>>performance of the signing
> >>>
> >>>
> >>>
> >>>Help would be appreciated!!!
> >>>
> >>>
> >>>
> >>>Thanks
> >>>
> >>>Murugan
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >
> >
>



Mime
View raw message