Posted to dev@santuario.apache.org by Inma Marín <in...@dif.um.es> on 2008/12/01 17:06:31 UTC

Problem verifying an XML enveloped signature

Hello,

 

I have a problem when validating an XML enveloped signature. The point is
that I want to verify an XML document which includes 3 enveloped signatures.
These enveloped signatures are independent, in such a way that each of them
is generated only over the XML document (removing the already existing
signatures). To that extent, an xpath expression
(not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature']))
is used instead of an enveloped
transform (as an enveloped transform only removes the actual signature
element, and I need all existing signature elements to be removed). However,
when verifying this document, the verification lasts a lot of time!

 

Particularly, if I try to verify an XML document with only one signature, if
it has been generated using the XPath expression, the verification lasts 15
minutes more than if the signature has been generated using the enveloped
transform!!

 

I am using xmlsec v1.2.1.

 

Could you be so kind as to tell me why it happens, please? Does any later
version make this kind of verification quicker? If not, any idea of making
this verification more rapid?

 

Thank you very much in advance.

 

 

------------------------------------------------------------
Inmaculada Marín López
Edificio ATICA - Planta baja
Campus de Espinardo
Universidad de Murcia
Teléfono +34 968 367906
e-mail:  <ma...@dif.um.es> inma@dif.um.es
------------------------------------------------------------

 


Re: Problem verifying an XML enveloped signature

Posted by Sean Mullan <Se...@Sun.COM>.
Should be fixed now. If not, let me know.

--Sean

Sean Mullan wrote:
> Sorry, this is my fault.
> 
> Yesterday I changed the old site http://xml.apache.org/security to 
> redirect to the new site http://santuario.apache.org but I didn't 
> realize there were still download links to the old site. I'll send 
> another email when I have fixed this.
> 
> --Sean
> 
> Inma Marín wrote:
>> Yes, I do the following:
>>
>> - Get into http://santuario.apache.org/index.html
>> - I click on the 'Download' link on the left
>> - I see the 'Downloading the Libraries' page
>> - Then I click on the 'XML Project site' link under 'Obtaining the
>> Libraries'. This link goes to   http://xml.apache.org/security/dist/, 
>> which
>> is not found :(.
>>
>> Can you be so kind as to tell me what I am doing wrong, please? Or 
>> Maybe the
>> server is not available....
>>
>> Thank you very much in advance.
>>
>>
>> Regards,
>> Inma.
>>
>>
>> -----Original Message-----
>> From: Ling Xiaohan [mailto:lingxh@cn.fujitsu.com]
>> Sent: Wednesday, 03 December 2008 10:16
>> To: security-dev@xml.apache.org
>> Subject: Re: Problem verifying an XML enveloped signature
>>
>> You can try http://santuario.apache.org/index.html
>>
>> ----- Original Message -----
>> Can you be so kind as to tell me where I can download the latest version,
>> please? When I try to access http://santuario.apache.org/dist/ , I get a
>> 'Not Found' page.
>>
>> Thank you very much in advance.
>>
>>
>>
>> -----Original Message-----
>> From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
>> Sent: Monday, 01 December 2008 19:22
>> To: security-dev@xml.apache.org
>> Subject: Re: Problem verifying an XML enveloped signature
>>
>> Version 1.2.1 is quite old. Many performance enhancements have been made
>> since then, especially in the transform processing. Please try the
>> latest (version 1.4.2) if you can.
>>
>> --Sean
>>
>> Inma Marín wrote:
>>> Hello,
>>>
>>>
>>>
>>> I have a problem when validating an XML enveloped signature. The point
>>> is that I want to verify an XML document which includes 3 enveloped
>>> signatures. These enveloped signatures are independent, in such a way
>>> that each of them are generated only over the XML document (removing the
>>> already existing signatures). To that extent, an xpath expression
>>> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
>>> and local-name()='Signature'])) is used instead of an enveloped
>>> transform (as an enveloped transform only removes the actual signature
>>> element, and I need all existing signatures elements be removed).
>>> However, when verifying this document, the verification last a lot of
>>> time!
>>>
>>>
>>> Particularly, if I try to verify an XML document with only one
>>> signature, if it has been generated using the XPath expression , the
>>> verification lasts 15 minutes more than if the signature has been
>>> generated using the enveloped transform!!
>>>
>>>
>>>
>>> I am using xmlsec v1.2.1.
>>>
>>>
>>>
>>> Could you be so kind as to tell me why it happens, please? Does any
>>> later version make this kind of verification quicker? If no, any idea of
>>> making this verification more rapid?
>>>
>>>
>>>
>>> Thank you very much in advance.
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------
>>> Inmaculada Marín López
>>> Edificio ATICA - Planta baja
>>> Campus de Espinardo
>>> Universidad de Murcia
>>> Teléfono +34 968 367906
>>> e-mail: inma@dif.um.es <ma...@dif.um.es>
>>> ------------------------------------------------------------
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
> 


Re: Problem verifying an XML enveloped signature

Posted by Sean Mullan <Se...@Sun.COM>.
Sorry, this is my fault.

Yesterday I changed the old site http://xml.apache.org/security to 
redirect to the new site http://santuario.apache.org but I didn't 
realize there were still download links to the old site. I'll send 
another email when I have fixed this.

--Sean

Inma Marín wrote:
> Yes, I do the following:
> 
> - Get into http://santuario.apache.org/index.html
> - I click on the 'Download' link on the left
> - I see the 'Downloading the Libraries' page
> - Then I click on the 'XML Project site' link under 'Obtaining the
> Libraries'. This link goes to   http://xml.apache.org/security/dist/, which
> is not found :(.
> 
> Can you be so kind as to tell me what I am doing wrong, please? Or Maybe the
> server is not available....
> 
> Thank you very much in advance.
> 
> 
> Regards,
> Inma.
> 
> 
> -----Original Message-----
> From: Ling Xiaohan [mailto:lingxh@cn.fujitsu.com]
> Sent: Wednesday, 03 December 2008 10:16
> To: security-dev@xml.apache.org
> Subject: Re: Problem verifying an XML enveloped signature
> 
> You can try http://santuario.apache.org/index.html
> 
> ----- Original Message ----- 
> Can you be so kind as to tell me where I can download the latest version,
> please? When I try to access http://santuario.apache.org/dist/ , I get a
> 'Not Found' page.
> 
> Thank you very much in advance.
> 
> 
> 
> -----Original Message-----
> From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
> Sent: Monday, 01 December 2008 19:22
> To: security-dev@xml.apache.org
> Subject: Re: Problem verifying an XML enveloped signature
> 
> Version 1.2.1 is quite old. Many performance enhancements have been made
> since then, especially in the transform processing. Please try the
> latest (version 1.4.2) if you can.
> 
> --Sean
> 
> Inma Marín wrote:
>> Hello,
>>
>>
>>
>> I have a problem when validating an XML enveloped signature. The point
>> is that I want to verify an XML document which includes 3 enveloped
>> signatures. These enveloped signatures are independent, in such a way
>> that each of them are generated only over the XML document (removing the
>> already existing signatures). To that extent, an xpath expression
>> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
>> and local-name()='Signature'])) is used instead of an enveloped
>> transform (as an enveloped transform only removes the actual signature
>> element, and I need all existing signatures elements be removed).
>> However, when verifying this document, the verification last a lot of
>> time!
>>
>>
>> Particularly, if I try to verify an XML document with only one
>> signature, if it has been generated using the XPath expression , the
>> verification lasts 15 minutes more than if the signature has been
>> generated using the enveloped transform!!
>>
>>
>>
>> I am using xmlsec v1.2.1.
>>
>>
>>
>> Could you be so kind as to tell me why it happens, please? Does any
>> later version make this kind of verification quicker? If no, any idea of
>> making this verification more rapid?
>>
>>
>>
>> Thank you very much in advance.
>>
>>
>>
>>
>>
>> ------------------------------------------------------------
>> Inmaculada Marín López
>> Edificio ATICA - Planta baja
>> Campus de Espinardo
>> Universidad de Murcia
>> Teléfono +34 968 367906
>> e-mail: inma@dif.um.es <ma...@dif.um.es>
>> ------------------------------------------------------------
>>
>>
>>
> 
> 
> 
> 
> 
> 


RE: Problem verifying an XML enveloped signature

Posted by Inma Marín <in...@dif.um.es>.
Yes, I do the following:

- Get into http://santuario.apache.org/index.html
- I click on the 'Download' link on the left
- I see the 'Downloading the Libraries' page
- Then I click on the 'XML Project site' link under 'Obtaining the
Libraries'. This link goes to   http://xml.apache.org/security/dist/, which
is not found :(.

Can you be so kind as to tell me what I am doing wrong, please? Or Maybe the
server is not available....

Thank you very much in advance.


Regards,
Inma.


-----Original Message-----
From: Ling Xiaohan [mailto:lingxh@cn.fujitsu.com]
Sent: Wednesday, 03 December 2008 10:16
To: security-dev@xml.apache.org
Subject: Re: Problem verifying an XML enveloped signature

You can try http://santuario.apache.org/index.html

----- Original Message ----- 
Can you be so kind as to tell me where I can download the latest version,
please? When I try to access http://santuario.apache.org/dist/ , I get a
'Not Found' page.

Thank you very much in advance.



-----Original Message-----
From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
Sent: Monday, 01 December 2008 19:22
To: security-dev@xml.apache.org
Subject: Re: Problem verifying an XML enveloped signature

Version 1.2.1 is quite old. Many performance enhancements have been made
since then, especially in the transform processing. Please try the
latest (version 1.4.2) if you can.

--Sean

Inma Marín wrote:
> Hello,
>
>
>
> I have a problem when validating an XML enveloped signature. The point
> is that I want to verify an XML document which includes 3 enveloped
> signatures. These enveloped signatures are independent, in such a way
> that each of them are generated only over the XML document (removing the
> already existing signatures). To that extent, an xpath expression
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
> and local-name()='Signature'])) is used instead of an enveloped
> transform (as an enveloped transform only removes the actual signature
> element, and I need all existing signatures elements be removed).
> However, when verifying this document, the verification last a lot of
> time!
>
>
>
> Particularly, if I try to verify an XML document with only one
> signature, if it has been generated using the XPath expression , the
> verification lasts 15 minutes more than if the signature has been
> generated using the enveloped transform!!
>
>
>
> I am using xmlsec v1.2.1.
>
>
>
> Could you be so kind as to tell me why it happens, please? Does any
> later version make this kind of verification quicker? If no, any idea of
> making this verification more rapid?
>
>
>
> Thank you very much in advance.
>
>
>
>
>
> ------------------------------------------------------------
> Inmaculada Marín López
> Edificio ATICA - Planta baja
> Campus de Espinardo
> Universidad de Murcia
> Teléfono +34 968 367906
> e-mail: inma@dif.um.es <ma...@dif.um.es>
> ------------------------------------------------------------
>
>
>







Re: Problem verifying an XML enveloped signature

Posted by Ling Xiaohan <li...@cn.fujitsu.com>.
You can try http://santuario.apache.org/index.html

----- Original Message ----- 
Can you be so kind as to tell me where I can download the latest version,
please? When I try to access http://santuario.apache.org/dist/ , I get a
'Not Found' page.

Thank you very much in advance.



-----Original Message-----
From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
Sent: Monday, 01 December 2008 19:22
To: security-dev@xml.apache.org
Subject: Re: Problem verifying an XML enveloped signature

Version 1.2.1 is quite old. Many performance enhancements have been made
since then, especially in the transform processing. Please try the
latest (version 1.4.2) if you can.

--Sean

Inma Marín wrote:
> Hello,
>
>
>
> I have a problem when validating an XML enveloped signature. The point
> is that I want to verify an XML document which includes 3 enveloped
> signatures. These enveloped signatures are independent, in such a way
> that each of them are generated only over the XML document (removing the
> already existing signatures). To that extent, an xpath expression
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
> and local-name()='Signature'])) is used instead of an enveloped
> transform (as an enveloped transform only removes the actual signature
> element, and I need all existing signatures elements be removed).
> However, when verifying this document, the verification last a lot of
> time!
>
>
>
> Particularly, if I try to verify an XML document with only one
> signature, if it has been generated using the XPath expression , the
> verification lasts 15 minutes more than if the signature has been
> generated using the enveloped transform!!
>
>
>
> I am using xmlsec v1.2.1.
>
>
>
> Could you be so kind as to tell me why it happens, please? Does any
> later version make this kind of verification quicker? If no, any idea of
> making this verification more rapid?
>
>
>
> Thank you very much in advance.
>
>
>
>
>
> ------------------------------------------------------------
> Inmaculada Marín López
> Edificio ATICA - Planta baja
> Campus de Espinardo
> Universidad de Murcia
> Teléfono +34 968 367906
> e-mail: inma@dif.um.es <ma...@dif.um.es>
> ------------------------------------------------------------
>
>
>






RE: Problem verifying an XML enveloped signature

Posted by Inma Marín <in...@dif.um.es>.
Can you be so kind as to tell me where I can download the latest version,
please? When I try to access http://santuario.apache.org/dist/ , I get a
'Not Found' page.

Thank you very much in advance.



-----Original Message-----
From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
Sent: Monday, 01 December 2008 19:22
To: security-dev@xml.apache.org
Subject: Re: Problem verifying an XML enveloped signature

Version 1.2.1 is quite old. Many performance enhancements have been made 
since then, especially in the transform processing. Please try the 
latest (version 1.4.2) if you can.

--Sean

Inma Marín wrote:
> Hello,
> 
>  
> 
> I have a problem when validating an XML enveloped signature. The point 
> is that I want to verify an XML document which includes 3 enveloped 
> signatures. These enveloped signatures are independent, in such a way 
> that each of them are generated only over the XML document (removing the 
> already existing signatures). To that extent, an xpath expression 
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
> and local-name()='Signature'])) is used instead of an enveloped
> transform (as an enveloped transform only removes the actual signature
> element, and I need all existing signatures elements be removed).
> However, when verifying this document, the verification last a lot of
> time!
> 
>  
> 
> Particularly, if I try to verify an XML document with only one 
> signature, if it has been generated using the XPath expression , the 
> verification lasts 15 minutes more than if the signature has been 
> generated using the enveloped transform!!
> 
>  
> 
> I am using xmlsec v1.2.1.
> 
>  
> 
> Could you be so kind as to tell me why it happens, please? Does any 
> later version make this kind of verification quicker? If no, any idea of 
> making this verification more rapid?
> 
>  
> 
> Thank you very much in advance.
> 
>  
> 
>  
> 
> ------------------------------------------------------------
> Inmaculada Marín López
> Edificio ATICA - Planta baja
> Campus de Espinardo
> Universidad de Murcia
> Teléfono +34 968 367906
> e-mail: inma@dif.um.es <ma...@dif.um.es>
> ------------------------------------------------------------
> 
>  
> 



RE: Problem verifying an XML enveloped signature

Posted by Inma Marín <in...@dif.um.es>.
Hello,

I have tried the latest version, but the verification still lasts a lot of
time. I must say that, with XML documents which contain few elements, the
verification is quick. However, I am testing an XML document which has
approximately 5500 elements (XML nodes), so the verification lasts more than
10 minutes.

Is it possible to get an XML verification in less time?

Thank you very much in advance.

Regards,
Inma.

> -----Original Message-----
> From: Sean.Mullan@Sun.COM [mailto:Sean.Mullan@Sun.COM]
> Sent: Monday, 01 December 2008 19:22
> To: security-dev@xml.apache.org
> Subject: Re: Problem verifying an XML enveloped signature
> 
> Version 1.2.1 is quite old. Many performance enhancements have been made
> since then, especially in the transform processing. Please try the
> latest (version 1.4.2) if you can.
> 
> --Sean
> 
> Inma Marín wrote:
> > Hello,
> >
> >
> >
> > I have a problem when validating an XML enveloped signature. The point
> > is that I want to verify an XML document which includes 3 enveloped
> > signatures. These enveloped signatures are independent, in such a way
> > that each of them are generated only over the XML document (removing
> > the already existing signatures). To that extent, an xpath expression
> > (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
> > and local-name()='Signature'])) is used instead of an enveloped
> > transform (as an enveloped transform only removes the actual signature
> > element, and I need all existing signatures elements be removed).
> > However, when verifying this document, the verification last a lot of
> > time!
> >
> >
> >
> > Particularly, if I try to verify an XML document with only one
> > signature, if it has been generated using the XPath expression , the
> > verification lasts 15 minutes more than if the signature has been
> > generated using the enveloped transform!!
> >
> >
> >
> > I am using xmlsec v1.2.1.
> >
> >
> >
> > Could you be so kind as to tell me why it happens, please? Does any
> > later version make this kind of verification quicker? If no, any idea
> > of making this verification more rapid?
> >
> >
> >
> > Thank you very much in advance.
> >
> >
> >
> >
> >
> > ------------------------------------------------------------
> > Inmaculada Marín López
> > Edificio ATICA - Planta baja
> > Campus de Espinardo
> > Universidad de Murcia
> > Teléfono +34 968 367906
> > e-mail: inma@dif.um.es <ma...@dif.um.es>
> > ------------------------------------------------------------
> >
> >
> >



Re: Problem verifying an XML enveloped signature

Posted by Sean Mullan <Se...@Sun.COM>.
Version 1.2.1 is quite old. Many performance enhancements have been made 
since then, especially in the transform processing. Please try the 
latest (version 1.4.2) if you can.

--Sean

Inma Marín wrote:
> Hello,
> 
>  
> 
> I have a problem when validating an XML enveloped signature. The point 
> is that I want to verify an XML document which includes 3 enveloped 
> signatures. These enveloped signatures are independent, in such a way 
> that each of them are generated only over the XML document (removing the 
> already existing signatures). To that extent, an xpath expression 
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' 
> and local-name()='Signature'])) is used instead of an enveloped 
> transform (as an enveloped transform only removes the actual signature 
> element, and I need all existing signatures elements be removed). 
> However, when verifying this document, the verification last a lot of time!
> 
>  
> 
> Particularly, if I try to verify an XML document with only one 
> signature, if it has been generated using the XPath expression , the 
> verification lasts 15 minutes more than if the signature has been 
> generated using the enveloped transform!!
> 
>  
> 
> I am using xmlsec v1.2.1.
> 
>  
> 
> Could you be so kind as to tell me why it happens, please? Does any 
> later version make this kind of verification quicker? If no, any idea of 
> making this verification more rapid?
> 
>  
> 
> Thank you very much in advance.
> 
>  
> 
>  
> 
> ------------------------------------------------------------
> Inmaculada Marín López
> Edificio ATICA - Planta baja
> Campus de Espinardo
> Universidad de Murcia
> Teléfono +34 968 367906
> e-mail: inma@dif.um.es <ma...@dif.um.es>
> ------------------------------------------------------------
> 
>  
> 


Re: Problem verifying an XML enveloped signature

Posted by "Franco Catrin L." <fc...@tuxpan.com>.
On Mon, 01-12-2008 at 17:06 +0100, Inma Marín wrote:
> Hello,

> I have a problem when validating an XML enveloped signature. The point
> is that I want to verify an XML document which includes 3 enveloped
> signatures. These enveloped signatures are independent, in such a way
> that each of them are generated only over the XML document (removing
> the already existing signatures). To that extent, an xpath expression
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#' and local-name()='Signature'])) is used instead of an enveloped transform (as an enveloped transform only removes the actual signature element, and I need all existing signatures elements be removed). However, when verifying this document, the verification last a lot of time!

I'm using this expression with success:
not(ancestor-or-self::ds:Signature)


> Particularly, if I try to verify an XML document with only one
> signature, if it has been generated using the XPath expression , the
> verification lasts 15 minutes more than if the signature has been
> generated using the enveloped transform!!

It sounds to me like it is trying to resolve the URI, but I can't
confirm it; I'm saying this as a simple user and not a developer.

> I am using xmlsec v1.2.1.
> 
>  
> 
> Could you be so kind as to tell me why it happens, please? Does any
> later version make this kind of verification quicker? If no, any idea
> of making this verification more rapid?


I'm using 1.4.2 with the expression written above and it's as fast as I
can expect

-- 
Franco Catrin L.  TUXPAN Software S.A.
http://www.tuxpan.com/fcatrin
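
The two XPath filter expressions discussed in this thread, compared in an added example that is not code from any poster or from the Santuario project. It assumes the XMLDSig XPath filter semantics (the expression is evaluated once per node, with that node as context) and uses the JDK's `javax.xml.xpath` engine on a constructed document; the class name `XPathFilterCost`, the `<doc>`/`<item>` layout and the placeholder signature value are hypothetical.

```java
import java.io.StringReader;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class XPathFilterCost {
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    // Expression from the original question: the absolute //* path is part of
    // the predicate, so it is written to scan the document for every context node.
    static final String SLOW = "not(ancestor-or-self::node()=//*[namespace-uri()='" + DS
            + "' and local-name()='Signature'])";
    // Expression from Franco Catrin's reply: only walks up the ancestor axis.
    static final String FAST = "not(ancestor-or-self::ds:Signature)";

    // Constructed sample: n <item> elements plus one placeholder ds:Signature.
    static Document sample(int n) throws Exception {
        StringBuilder sb = new StringBuilder("<doc>");
        for (int i = 0; i < n; i++) sb.append("<item>").append(i).append("</item>");
        sb.append("<ds:Signature xmlns:ds='").append(DS).append("'>")
          .append("<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>")
          .append("</ds:Signature></doc>");
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // required for namespace-uri() and ds: to match
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(sb.toString())));
    }

    // Mimics the filter: evaluate expr once per node, count the nodes it keeps.
    static int kept(Document doc, String expr) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setNamespaceContext(new NamespaceContext() {
            public String getNamespaceURI(String p) {
                return "ds".equals(p) ? DS : XMLConstants.NULL_NS_URI;
            }
            public String getPrefix(String uri) { return null; }
            public Iterator<String> getPrefixes(String uri) { return null; }
        });
        XPathExpression filter = xp.compile(expr);
        // Elements, text, comments and PIs; attributes are left out for brevity.
        NodeList nodes = (NodeList) xp.evaluate("//node()", doc, XPathConstants.NODESET);
        int count = 0;
        for (int i = 0; i < nodes.getLength(); i++) {
            if ((Boolean) filter.evaluate(nodes.item(i), XPathConstants.BOOLEAN)) count++;
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Doubling n shows how each expression's cost scales with document size.
        for (int n : new int[] {250, 500, 1000}) {
            Document doc = sample(n);
            for (String expr : new String[] {FAST, SLOW}) {
                long t0 = System.nanoTime();
                int k = kept(doc, expr);
                long ms = (System.nanoTime() - t0) / 1_000_000;
                System.out.printf("n=%d %s kept=%d time=%d ms%n",
                        n, expr.equals(FAST) ? "FAST" : "SLOW", k, ms);
            }
        }
    }
}
```

In XPath 1.0, `=` between two node-sets compares string-values rather than node identity, so the first expression also drops any node whose text equals that of a Signature element, leaving it outside what the signature covers. The `ancestor-or-self::ds:Signature` form tests the axis directly and needs the `ds` prefix bound to the XMLDSig namespace.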