Posted to dev@santuario.apache.org by bu...@apache.org on 2004/05/03 23:16:17 UTC

DO NOT REPLY [Bug 28752] New: - Some patches for c14 and various other improvements

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28752>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28752

Some patches for c14 and various other improvements

           Summary: Some patches for c14 and various other improvements
           Product: Security
           Version: cvs
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Signature
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: raul-info@r-bg.com


Hello,

I have been working on some optimizations in the XML Security library; these
optimizations have reduced the memory footprint and sped up the signing and
verification of big XML documents. The speed-up ratio varies enormously between
test cases. Some simple ones (verifying a signed Liberty LogoutRequest wrapped in
a SOAP envelope) finish in half the time, the OpenSAML assertion test got
<10%, and a modified OpenSAML POSTProfile (where only the assertions are signed)
got a 15%-20% speed-up. Our Liberty implementation case got a 40% speed-up from
the 1.1 release. So it's very document dependent.

The changes are a big patch file of 168.243 bytes that can be summarized in four
parts:

    * C14N rewrite: I have seen that a big part of the time is spent in the
canonicalization. This part is our biggest time hog, so I have more or less
rewritten it using a namespace table approach. As I descend the document nodes I
fill a namespace table with the xmlns definitions and whether they are rendered in
the c14n tree or not.
      The old method relied on having the doc tree circumvented (i.e. having all
the namespaces of the parent copied into all of its children) and then looking
upward in the tree (using the getParent() DOM function) to see if a current
namespace had already been rendered. This method is memory expensive (it creates
a new attribute for every namespace defined in a parent node) and not very
efficient for big tree documents. The new one seems better in these two aspects.
But the speed improvements depend on the specific DOM tree.
      These changes permit getting rid of a lot of calls to circumventBug2650.
      These changes are 60% of the patch, and impact only:
org/apache/xml/security/c14n/implementations/*

    * Remove all unnecessary use of the XPath API: It seems that using XPath is
slow and memory taxing. So I have tried to change all the XPath calls to their
DOM equivalents. These have decreased the memory usage a little and improved the
speed a little (the bigger ones were already changed in 1.1). These changes
impact: (See (1))
    * Trying not to use XMLSignatureInput with nodesets: I have tried not to use
XMLSignatureInput with a set of nodes except in the XPath transformation.
Normally the reference node specifies a node, not a nodeset; only if there is an
XPath transformation is a nodeset needed. The use of a node instead of a nodeset
is better for memory purposes and permits canonicalizing using c14nSubtree
instead of c14Xpathnodeset; the latter needs to visit every node in the document
tree, the former only the node and its children.
      The problem is that if the enveloped signature transformation is used a
nodeset is needed again. In order to fix it, I have added a new field to
XMLSignatureInput and added new functions to the c14n classes to specify an
exclude node in the subtree (this way the c14n only skips the exclude node when
it finds it). This change impacts: (See (2))
    * Miscellaneous changes: In org/apache/xml/security/signature/Reference.java
some time is spent calculating the _transformsInput field in every dereference
(when signing or verifying a reference); this field is seldom used (only for
debugging purposes), so it's better to calculate it only when required.
      Another little change can be done in
org/apache/xml/security/signature/SignedInfo.java to skip the
canonicalization and the parsing/importing of the SignedInfo element if safe
c14n methods are used (the safe ones are the standard ones).

So if there is some interest I can contribute back these changes, so they can be
peer reviewed and fixed if needed. Or if anyone wants to test without the fuss
of recompiling, I can send them the .jar file with the modified library.

Regards,

Raul Benito


P.S. Sorry for the big email in HTML, but it reads better.


1:

    * org/apache/xml/security/keys/content/KeyValue.java
    * org/apache/xml/security/keys/content/RetrievalMethod.java
    * org/apache/xml/security/keys/keyresolver/implementations/DSAKeyValueResolver.java
    * org/apache/xml/security/keys/keyresolver/implementations/RSAKeyValueResolver.java
    * org/apache/xml/security/keys/keyresolver/implementations/X509CertificateResolver.java
    * org/apache/xml/security/keys/keyresolver/implementations/X509SKIResolver.java
    * org/apache/xml/security/keys/keyresolver/implementations/X509SubjectNameResolver.java
    * org/apache/xml/security/signature/SignatureProperties.java
    * org/apache/xml/security/signature/XMLSignature.java
    * org/apache/xml/security/transforms/Transforms.java (already uses a DOM
      method; only refactored to invoke a common one).
    * org/apache/xml/security/utils/ElementProxy.java
    * org/apache/xml/security/utils/SignatureElementProxy.java
    * org/apache/xml/security/utils/XMLUtils.java (added the functions to do the
      DOM searches).


2:

    * org/apache/xml/security/signature/XMLSignatureInput.java
    * org/apache/xml/security/transforms/implementations/TransformC14N.java
    * org/apache/xml/security/transforms/implementations/TransformC14NExclusive.java
    * org/apache/xml/security/transforms/implementations/TransformC14NExclusiveWithComments.java
    * org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
      (and also moved some methods to XMLUtils)
    * org/apache/xml/security/utils/IdResolver.java
    * org/apache/xml/security/utils/SignatureElementProxy.java
    * org/apache/xml/security/utils/resolver/implementations/ResolverFragment.java
    * org/apache/xml/security/utils/resolver/implementations/ResolverXPointer.java
    * org/apache/xml/security/utils/XMLUtils.java (added some methods)
    * (and the c14n implementations, but these have been taken into account above).
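As an added illustration (not code from the patch or from the Apache XML Security library), the following shows the namespace-table idea behind the C14N rewrite described above, together with the exclude-node variant for the enveloped-signature case: two small tables travel down the descent instead of copying namespace attributes into children and searching upward with getParent(). It uses Python's minidom in place of the Java DOM, and the document, element names and namespace URIs are constructed for the example.

```python
import xml.dom.minidom as minidom

# Constructed sample: redundant xmlns:a on Body; Sig plays the enveloped Signature.
SAMPLE_XML = ('<a:Env xmlns:a="urn:env" xmlns:b="urn:body">'
              '<a:Body xmlns:a="urn:env" xmlns:c="urn:c"><b:Item>x</b:Item>'
              '<Sig xmlns="urn:sig"><Val/></Sig></a:Body></a:Env>')

def xmlns_decls(elem):
    """Namespace declarations on this element as {prefix: uri} ('' = default)."""
    out = {}
    for i in range(elem.attributes.length):
        attr = elem.attributes.item(i)
        if attr.name == "xmlns":
            out[""] = attr.value
        elif attr.name.startswith("xmlns:"):
            out[attr.name[6:]] = attr.value
    return out

def render_namespaces(apex, exclude=None):
    """Return [(tagName, [(prefix, uri), ...])] in document order for the subtree
    at `apex`, skipping the `exclude` subtree: the declarations Canonical XML
    renders on each element.  `scope` (in-scope namespaces) and `emitted` (what
    the nearest output ancestor rendered) are passed down; no upward search."""
    scope, node = {}, apex.parentNode          # seed the table from ancestors once
    while node is not None and node.nodeType == node.ELEMENT_NODE:
        scope = {**xmlns_decls(node), **scope}  # inner declarations win
        node = node.parentNode
    result = []

    def walk(elem, scope, emitted):
        if elem is exclude:                    # exclude node: skip the whole subtree
            return
        scope, emitted, rendered = {**scope, **xmlns_decls(elem)}, dict(emitted), []
        for prefix, uri in sorted(scope.items()):   # default prefix '' sorts first
            if emitted.get(prefix, "") != uri:      # xmlns="" only undoes a rendered default
                rendered.append((prefix, uri))
                emitted[prefix] = uri
        result.append((elem.tagName, rendered))
        for child in elem.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child, scope, emitted)

    walk(apex, scope, {})
    return result

def demo(apex_tag="a:Env", exclude_tag="Sig"):
    doc = minidom.parseString(SAMPLE_XML)
    exclude = doc.getElementsByTagName(exclude_tag)[0] if exclude_tag else None
    return render_namespaces(doc.getElementsByTagName(apex_tag)[0], exclude)
```

Canonicalising from the root with Sig excluded renders the redundant xmlns:a on Body nowhere, while starting at a:Body (a reference to a subtree) renders the inherited declarations once at the apex and the default namespace only where Sig introduces it.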