It appears that opening the keystore, authenticating to it, searching
for and retrieving the right certificate uses approximately 90% of your
signing operation time (790 out of 890ms).  I'm not sure how much you
can reduce this since there are a lot of things going on in this
"keystore-init" operation (you can look at the Java source code if you
want to learn exactly what's going on).  One option you have for
"speeding" this up is to amortize the keystore-init time over all your
signing operations.

What does that mean?  Set up your application to provide signing as a
service.  Initialize the keystore and get the certificate as part of
the initialization of the service (so that it only happens once at the
start of the application or just for the first signing operation), and
then hold the reference to the signing key in memory.

Now all signing operations do not need to go through the keystore-init
process (until the application service is restarted) thereby "amortizing
the cost of the keystore-init operation" across all signing operations.
While it has not reduced the actual time for the keystore-init, it has
reduced it significantly in the context of what it takes to perform
100, 1000 or 10,000 signing operations (the more signing ops, the lower
the cost).

Arshad Noor
StrongAuth, Inc.
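
An added example, not part of the original thread or of Apache XML Security: one way to structure the signing-as-a-service approach described above, with the keystore-init work done once in the constructor and only per-document work in sign(). The class name SigningService, the constructed sample document and the whole-document reference URI "" are assumptions; the keystore path, type, password and alias are the values quoted later in the thread, and the Apache XML Security jar is assumed to be on the classpath.

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.xml.parsers.DocumentBuilderFactory;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
/** Hypothetical signing service: pays the keystore-init cost once, then reuses the key. */
public final class SigningService {
    private final PrivateKey key;          // stays in process memory until restart
    private final X509Certificate cert;
    /** One-time keystore-init: library init, keystore load, key and certificate lookup. */
    public SigningService(String path, String type, char[] pass, String alias) throws Exception {
        Init.init();
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        key = (PrivateKey) ks.getKey(alias, pass);
        cert = (X509Certificate) ks.getCertificate(alias);
        if (key == null || cert == null) throw new KeyStoreException("alias not found: " + alias);
    }

    /** Per-document path: no keystore access. A new XMLSignature per call keeps it thread-safe. */
    public void sign(Document doc, String referenceUri) throws Exception {
        XMLSignature sig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
        doc.getDocumentElement().appendChild(sig.getElement());
        Transforms t = new Transforms(doc);
        t.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
        t.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);
        sig.addDocument(referenceUri, t, Constants.ALGO_ID_DIGEST_SHA1);
        sig.addKeyInfo(cert);
        sig.sign(key);
    }

    public static void main(String[] args) throws Exception {
        long t0 = System.nanoTime();
        SigningService svc = new SigningService("xml/keystore.jks", "JKS",
                "xmlsecurity".toCharArray(), "test");            // values quoted in the thread
        long initMs = (System.nanoTime() - t0) / 1_000_000;
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        byte[] xml = "<packet><div>1</div></packet>".getBytes("UTF-8");  // constructed sample
        long t1 = System.nanoTime();
        for (int i = 0; i < 1000; i++) {     // "" = sign the whole document (assumption)
            svc.sign(f.newDocumentBuilder().parse(new ByteArrayInputStream(xml)), "");
        }
        System.out.printf("init: %d ms once; 1000 signs: %.0f ms%n", initMs, (System.nanoTime() - t1) / 1e6);
    }
}
```

Because the private key now lives in the process for its whole lifetime, access to the service and to its memory (heap dumps, debuggers) needs the same protection as the keystore file.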

Murugan Selvaraj wrote:
Thanks for your reply. I again drilled down my code to identify where the
bottle-necks are. I found that the following code takes 790
milliseconds

Init.init(); // Initializing key store
KEYSTORE         = "xml/keystore.jks";
KEYSTORETYPE     = "JKS";
KEYSTOREPASS     = "xmlsecurity";
KEYALIAS         = "test";
CERTIFICATEALIAS = "test";

Does anyone have any idea how to improve the performance in this area?

Thanks
Murugan

-----Original Message-----
From: Arshad Noor [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 22, 2006 6:25 PM
To: [email protected]
Subject: Re: Improve performance of XML Signing

Murugan,

Characterization requires that you know more than the total time taken
for specific operations - you need to know how much of your time is
spent waiting for I/O, CPU, locks, etc. so that you know where to
optimize.  Knowing that signing takes a total of 890ms still does not
indicate where you can apply resources towards improving performance.
You need to break it down further and then determine what you want to
improve before deciding how to improve it.

Arshad Noor
StrongAuth, Inc.

Murugan Selvaraj wrote:

Yes I have you characterized the performance of the end-to-end
transaction to determine where your bottle-necks are. The bottle-necks
are signing the URI of the XML document that takes 890 milliseconds (We
are not even signing whole XML document) using enveloped sign. I just
developed one sample XML file. It is taking 890 milliseconds to sign the
URI. Can you now tell me how to improve the performance?

I have attached the XML document and the code below.
XML:
<?xml version="1.0" encoding="UTF-8" ?>
<DigitalWorkFlowPacket Id="new"
xmlns:tools="http://www.digitalBrIdge.net/DWF/Tools/1.0"
xmlns:dwf="http://www.digitalBrIdge.net/DWF/1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:j="http://www.it.ojp.gov/jxdm/3.0.2"
xmlns:mc="http://home.icjis.maricopa.gov/icjisschemas/MC/1.0">
<Signatures>
     <Signature linkName="main">
       <Reference type="uri">
         main
       </Reference>
     </Signature>
</Signatures>
<div id="main"> 1 </div>
</DigitalWorkFlowPacket>

CODE :
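import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
import org.apache.xml.security.utils.Constants;

// Load the keystore and fetch the signing key (stream is closed after loading)
KeyStore ks = KeyStore.getInstance(KEYSTORETYPE);
try (FileInputStream fis = new FileInputStream(KEYSTORE)) {
    ks.load(fis, KEYSTOREPASS.toCharArray());
}
PrivateKey privateKey = (PrivateKey) ks.getKey(KEYALIAS, KEYSTOREPASS.toCharArray());

// Create the signature element and attach it to the document
XMLSignature xmlSig = new XMLSignature(doc, "", XMLSignature.ALGO_ID_SIGNATURE_DSA);
org.w3c.dom.Element sigElement = xmlSig.getElement();
signAttachElement.appendChild(sigElement);

// Enveloped-signature transform followed by canonicalization with comments
Transforms transforms = new Transforms(doc);
transforms.addTransform(Transforms.TRANSFORM_ENVELOPED_SIGNATURE);
transforms.addTransform(Transforms.TRANSFORM_C14N_WITH_COMMENTS);

// Reference the URI to be signed, digested with SHA-1
xmlSig.addDocument(strURISign, transforms, Constants.ALGO_ID_DIGEST_SHA1);
X509Certificate cert = (X509Certificate) ks.getCertificate(CERTIFICATEALIAS);
if (cert == null) {
    throw new Exception("X509 certificate not found");
}
xmlSig.addKeyInfo(cert);
xmlSig.addKeyInfo(cert.getPublicKey());
//System.out.println("AFTER calling");
xmlSig.sign(privateKey);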

-----Original Message-----
From: Arshad Noor [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 22, 2006 5:34 PM
To: [email protected]
Subject: Re: Improve performance of XML Signing

Have you characterized the performance of the end-to-end transaction
to determine where your bottle-necks are?  Without that you're shooting
in the dark - i.e. you could spend a lot of time optimizing components
of the process and still not make a dent in the overall signing time.

Arshad Noor
StrongAuth, Inc.

Murugan Selvaraj wrote:


Hi All,

We are trying to improve the performance of the XML signing done using
apache tool kit. Can anyone help and guide me on improving the
performance of the signing?

Help would be appreciated!!!

Thanks
Murugan











