XML DSIG schema validation performance

[Jorge Ortiz Claver <jo...@tirea.es>]

Hi,

I have a XML DSIG enveloping document I need to validate against its schema.

I´m using Apache Xerces 2.6.2 for schema validation (full schema 
validation). Everything works fine but process takes about 10 seconds. 
Using the same class with other XML documents (even using very complex 
schemas like UBL standards), validation never takes more than 2 or 3 
seconds (start JVM, locate class, create parser, open file, etc.).

Has anyone any experience validating this type of documents? I´d really 
appreciate any advice or idea.

Thanks in advance
Jorge Ortiz

Re: XML DSIG schema validation performance

[Matej Kafadar <ma...@setcce.org>]

As I see, the XML document has reference to schema which is on internet 
"xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig# 
xmldsig-core-schema.xsd".
Maybe this is problem.

regards

Matej

Jorge Ortiz Claver wrote:
> Hi,
> 
> I have a XML DSIG enveloping document I need to validate against its 
> schema.
> 
> I´m using Apache Xerces 2.6.2 for schema validation (full schema 
> validation). Everything works fine but process takes about 10 seconds. 
> Using the same class with other XML documents (even using very complex 
> schemas like UBL standards), validation never takes more than 2 or 3 
> seconds (start JVM, locate class, create parser, open file, etc.).
> 
> Has anyone any experience validating this type of documents? I´d really 
> appreciate any advice or idea.
> 
> Thanks in advance
> Jorge Ortiz
> 
> 
> 
> ------------------------------------------------------------------------
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <ds:Signature
> 	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 	xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd">
> 
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
> <ds:Reference URI="#data1">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
> <ds:DigestValue>xbF0V2YW4wwBEpnzwHcOZDtFLi0=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> Ce7TJZYv6e5RQ0SubTtl4EprFXBkLZhNy9YDa/yRD4NzrXiOx/pj7/jMYZYQbl5gHj0tW6ooYtVo
> sC0GTJ+tCW3n8Yl//c9IRDC5lAItaki2ktxLm7AlQ514TzYbNVxPB/NXlp5c+VynAf7ehCDeVZQ1
> D+WR+H23ylH5prwCv9U=
> </ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>
> MIICxTCCAi6gAwIBAgIFAKCxw+MwDQYJKoZIhvcNAQEFBQAwQjELMAkGA1UEBhMCRVMxDjAMBgNV
> BAoTBVRJUkVBMSMwIQYDVQQDExpBdXRvcmlkYWQgZGUgQ2VydGlmaWNhY2lvbjAeFw0wNTAzMTcx
> MDU2MDNaFw0wNzAzMTcxMDU2MDNaMIGhMQswCQYDVQQGEwJFUzEOMAwGA1UEChMFVElSRUExEjAQ
> BgNVBAsTCUVtcGxlYWRvczEUMBIGA1UECxMLT3BlcmFjaW9uZXMxFjAUBgoJkiaJk/IsZAEBEwZq
> b3J0aXoxGzAZBgNVBAMTEkpvcmdlIE9ydGl6IENsYXZlcjEjMCEGCSqGSIb3DQEJARYUam9yZ2Uu
> b3J0aXpAdGlyZWEuZXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPaSm9Zbva9w8qD/VcvQ
> HN2608likgl40/p6aeV2njzjjnmszoLojgdoF75msvGTgb7maxJohnFAPWm73Ftr2XrmCMryuPIL
> 1ZnVmqOq92Ywab0u7pQUk8aYBzY8TJs6cAO4LEhJczlB09BzF1nze88DuqLnSpTRgVhWbEPWuhUB
> AgMBAAGjZzBlMBEGCWCGSAGG+EIBAQQEAwIFoDAOBgNVHQ8BAf8EBAMCBeAwHwYDVR0jBBgwFoAU
> P+GRPTGpibf64C5b2hRixaG3nmYwHwYDVR0RBBgwFoEUam9yZ2Uub3J0aXpAdGlyZWEuZXMwDQYJ
> KoZIhvcNAQEFBQADgYEAKYvEoVFXIYl8dBHMhhEXgycCW5qoRAObUkCpxsIEEEqa1UIJRtjuVHJU
> nYyyiCroqiKeCB2h0ggtZHWj3Ce1HCYtoWnd5c+MFASw7M311vDYMPobkHANGN5qySfEJeIJ1XGI
> SgZeD7U48jOJv6chkcIVaS5zejSiq5HKv0ZQj1w=
> </ds:X509Certificate>
> </ds:X509Data>
> <ds:KeyValue>
> <ds:RSAKeyValue>
> <ds:Modulus>
> 9pKb1lu9r3DyoP9Vy9Ac3brTyWKSCXjT+npp5XaePOOOeazOguiOB2gXvmay8ZOBvuZrEmiGcUA9
> abvcW2vZeuYIyvK48gvVmdWao6r3ZjBpvS7ulBSTxpgHNjxMmzpwA7gsSElzOUHT0HMXWfN7zwO6
> oudKlNGBWFZsQ9a6FQE=
> </ds:Modulus>
> <ds:Exponent>AQAB</ds:Exponent>
> </ds:RSAKeyValue>
> </ds:KeyValue>
> </ds:KeyInfo>
> <ds:Object Id="data1">
> .......
> </ds:Object>
> </ds:Signature>

Re: [xml-dev] XML DSIG schema validation performance

[Jorge Ortiz Claver <jo...@tirea.es>]

Problem is I can´t use anyother thing but Java.

Is there anyway with Xerces of doing something similiar to that schema 
cache stuff Henry talked about in his mail?

Thanks again
Jorge



Henry S. Thompson wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Jorge Ortiz Claver writes:
>
>  
>
>>Hi,
>>
>>I have a XML DSIG enveloping document I need to validate against its
>>schema.
>>
>>. . .
>>
>>Has anyone any experience validating this type of documents? I´d
>>really appreciate any advice or idea.
>>    
>>
>
>2.8 seconds total on my 2.8GHz linux box using XSV [1] (Python).
>Less than 1 second to validate twice (!) with cached schema using
>Markup's online showcase validator [2] (Java) (You need to explicitly
>pass the schema doc for DSIG [3]).
>
>ht
>
>[1] http://www.ltg.ed.ac.uk/~ht/xsv-status.html
>[2] http://www.markup.co.uk/showcase/V2S.html
>[3] http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd
>- -- 
> Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
>                     Half-time member of W3C Team
>    2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
>            Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
>                   URL: http://www.ltg.ed.ac.uk/~ht/
>[mail really from me _always_ has this .sig -- mail without it is forged spam]
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.6 (GNU/Linux)
>
>iD8DBQFCy6QYkjnJixAXWBoRAv92AJ9U2+FAlalng6RS2Ys/cm7ui96kqACfXQaL
>I4JNQEIJXXxvn/w4OKhKILQ=
>=2UaU
>-----END PGP SIGNATURE-----
>
>  
>

Re: XML DSIG schema validation performance

[Jorge Ortiz Claver <jo...@tirea.es>]

Yes, I don't have any kind of entity resolver. My first thought was the 
same but I checked the schema and there was no reference to an external 
location. Anyway, I'll try to install my own entity resolver.

Thanks,
Jorge


Scott Cantor wrote:

>>Has anyone any experience validating this type of documents? 
>>I´d really appreciate any advice or idea.
>>    
>>
>
>My guess would be it's retrieving something from the network, a common
>problem if you don't install your own entity resolver. You could disconnect
>and try with no connectivity.
>
>-- Scott
>
>
>  
>

RE: XML DSIG schema validation performance

[Scott Cantor <ca...@osu.edu>]

> Has anyone any experience validating this type of documents? 
> I´d really appreciate any advice or idea.

My guess would be it's retrieving something from the network, a common
problem if you don't install your own entity resolver. You could disconnect
and try with no connectivity.

-- Scott