santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Arshad Noor <>
Subject Re: Improve performance of XML Signing
Date Thu, 23 Mar 2006 17:45:01 GMT
It appears that opening the keystore, authenticating to it, searching
for and retreiving the right certificate uses approximately 90% of your
signing operation time (790 out of 890ms).  I'm not sure how much you
can reduce this since there are a lot of things going on in this
"keystore-init" operation (you can look at the Java source code if you
want to learn exactly what's going on).  One option you have for
"speeding" this up is to amortize the keystore-init time over all your
signing operations.

What does that mean?  Setup your application to provide signing as a
service.  Initialize the keystore and get the certificate as part of
the initialization of the service (so that it only happens once at the
start of the application or just for the first signing operation), and
then hold the reference to the signing key in memory.

Now all signing operations do not need to go through the keystore-init
process (until the application service is restarted) thereby "amortizing
the cost of the keystore-init operation" across all signing operations".
While it has not reduced the actual time for the keystore-init, it has
reduced it significantly in the context of what it takes to perform a
100, 1000 or 10,000 signing operations (the more signing ops, the lower
the cost).

Arshad Noor
StrongAuth, Inc.

Murugan Selvaraj wrote:
> Thanks for your reply.I again drilled down my code to identify where the
> bottle-necks  are.I found that the following code takes 790 Millie
> seconds
> 		Init.init();		 
> 		//Initializing key store
> 		KEYSTORE 			= "xml/keystore.jks";
> 		KEYSTOREPASS 		= "xmlsecurity";
> 		KEYALIAS 			= "test";
> Does any one have any idea how to improve the performance in this area.
> Thanks
> Murugan
> -----Original Message-----
> From: Arshad Noor [] 
> Sent: Wednesday, March 22, 2006 6:25 PM
> To:
> Subject: Re: Improve performance of XML Signing
> Murugan,
> Characterization requires that you know more than the total time taken
> for specific operations - you need to know how much of your time is
> spent waiting for I/O, CPU, locks, etc. so that you know where to
> optimize.  Knowing that signing takes a total of 890ms still does not
> indicate where you can apply resources towards improving performance.
> You need to break it down further and then determine what you want to
> improve before deciding how to improve it.
> Arshad Noor
> StrongAuth, Inc.
> Murugan Selvaraj wrote:
>>Yes I have you characterized the performance of the end-to-end
>>to determine where your bottle-necks are.The bottle-necks are signing
>>the URI of the XML document that takes 890 milliseconds (We are not
>>even signing whole XML document)using enveloped sign.I just developed
>>one sample XML file .It is taking 890 milliseconds to sign the URI.Can
>>you now tell me how to improve the performance.
>>I have attached the XML document and the code below.
>><?xml version="1.0" encoding="UTF-8" ?> 
>> <DigitalWorkFlowPacket Id="new"
>>      <Signature linkName="main">
>>        <Reference type="uri">
>>          main
>>        </Reference>
>>      </Signature>
>><div id="main">   
>>CODE : 
>>KeyStore ks = KeyStore.getInstance(KEYSTORETYPE);
>>			FileInputStream fis = new
>>			ks.load(fis, KEYSTOREPASS.toCharArray());
>>			PrivateKey privateKey =
>>			XMLSignature xmlSig = new XMLSignature(doc,"",
>>			org.w3c.dom.Element sigElement =
>>			signAttachElement.appendChild(sigElement);
>>			Transforms transforms = new Transforms(doc);
>>			xmlSig.addDocument(strURISign,transforms,
>>			X509Certificate cert =
>>			if (cert == null)
>>			{
>>	                throw new Exception("X509 certificate not
>>			}         
>>	        xmlSig.addKeyInfo(cert);
>>	        xmlSig.addKeyInfo(cert.getPublicKey());        
>>	        //System.out.println("AFTER calling");
>>	        xmlSig.sign(privateKey);
>>-----Original Message-----
>>From: Arshad Noor [] 
>>Sent: Wednesday, March 22, 2006 5:34 PM
>>Subject: Re: Improve performance of XML Signing
>>Have you characterized the performance of the end-to-end transaction
>>to determine where your bottle-necks are?  Without that you're
> shooting
>>in the dark - i.e. you could spend a lot of time optimizing components
>>of the process and still not a dent in the overall signing time.
>>Arshad Noor
>>StrongAuth, Inc.
>>Murugan Selvaraj wrote:
>>>Hi All,
>>>We are trying to improve the performance of the XML signing done using
>>>apache tool kit.Can any one help and guide me on improving the 
>>>performance of the signing
>>>Help would be appreciated!!!

View raw message