[jira] [Commented] (WSS-673) Using default Java Security and Merlin is very slow for PKCS12

Fri, 29 May 2020 06:14:14 -0700 


    [ 
https://issues.apache.org/jira/browse/WSS-673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17119589#comment-17119589
 ] 

Joseph Athman commented on WSS-673:
-----------------------------------

Here is our properties we use to configure wss4j.
{code:java}
org.apache.wss4j.crypto.merlin.keystore.password=thePassword
org.apache.wss4j.crypto.merlin.keystore.alias=theAlias
org.apache.wss4j.crypto.merlin.keystore.file=client-keystore.p12
org.apache.wss4j.crypto.merlin.keystore.private.password=thePassword
org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.wss4j.crypto.merlin.keystore.type=pkcs12{code}
>From what I can see, we get to the `Merlin.getPrivateKey` method which ends up 
>calling this:
{code:java}
Key keyTmp = keystore.getKey(identifier, pwd == null
 ? new char[]{} : pwd.toCharArray());{code}

The default keystore that comes with Java 8 (haven't tested over JVMs) does no 
caching of this lookup. With a PKCS12 file this is a very CPU intensive call. 
This gets invoked for every outgoing message we send that signs the SAML of the 
message.

Does that help?

> Using default Java Security and Merlin is very slow for PKCS12
> --------------------------------------------------------------
>
>                 Key: WSS-673
>                 URL: https://issues.apache.org/jira/browse/WSS-673
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 2.2.5
>            Reporter: Joseph Athman
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> We use WSS4J to create SAML digital signatures. Recently, we switch from 
> storing our client private key from a JKS file to PKCS12 file. This seems to 
> have had the unintended consequence of causing huge spikes in CPU usage.
> After investigating the root cause, I believe the problem lies with the way 
> WSS4J will retrieve a new instance of the private key for every request. With 
> a PKCS12 file this appears to be extremely slow and CPU intensive due to the 
> amount of time it takes to decrypt the private key.
> I'm wondering if there is some way to have WSS4J cache this private key 
> lookup since it will always be the same each time. 
> Any ideas?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to