Hello,
I have been working in
some
optimizations in the xml security library; this optimization has
reduced the
memory foot print & speed up the signing & verification of big
XML
documents. The speed-up ratio varies enormously between tests case.
Some simple
ones (verified a signed Liberty LogoutRequest
wrapped
in a SOAP enveloped) accomplish in half time, the opensaml
assertion test got a <10% and a modified opensaml
POSTProfile (where only the assertions are
signed) got a
15%-20% speed-up. Our
The changes are a big path file of 168.243 bytes that can be summarized in four parts:
- C14N rewrite: I’ll see that a big part
of time is gone in the canonicalization.
This part is our biggest time hog: So I have more or less rewrite it
using a name spaces table approach. As I descend the document nodes I
fill a name space table with the xmlns
definitions and whether are rendered in c14n tree or not.
The old method relay of having the doc tree circumvented (i.e. have all the namespaces of the parent copies in all of its children) and then look upward in the tree (using the getParent() DOM function) to see if a current namespace had been already rendered. This method is memory expensive (it creates a new attribute for every namespace defined in a parent node) and not very efficient for big tree documents. The new one seems better in these two aspects. But the speed improvements depend of the specific DOM tree.
These changes permit to get rid of a lot of calls to circumventeBug2650
These changes are the 60% of the patch. And impact only: org/apache/xml/security/c14n/implementations/*
- Remove all unnecessary use of XPath API: It seems that using XPath is slow and memory tax. So I have try to change all the xpath
calls for their equivalent in DOM. These have decrease the memory usage
a little and improve a little the speed (the bigger ones where already
changed in 1.1). These changes impact: (See (1))
- Trying to don’t use XMLSignatureInput with nodesets:
I have tried to don’t used XMLSignatureInput with a set of nodes but in the
xpath transformation. Normally the
reference node specifies a node not a nodeset,
only if there is a xpath
transformation a nodeset is needed. The
use of a node instead of a nodeset is
better for memory purpose and permit to canonicalize
using c14nSubtree instead of c14Xpathnodeset, the latter need to visit
every node in the document tree, the former only the node & its
children.
The problem is that if the enveloped signature transformation is used a nodeset is needed again. In order to fix it, I have added a new field to the XMLSignatureInput and added new functions to c14n classes to specified a exclude node in the subtree(this way the c14n only skips the exclude node when it finds it). This change impacts: (See (2))
- Miscellaneous changes: In
org/apache/xml/security/signature/Reference.java
some time is spend calculating the _transformsInput
field in every deference (when signing or verifying a reference) this
field is seldom used (only for debugging purpouse)
so it’s better to calculate it only when required.
Other little change can be done in org/apache/xml/security/signature/SignedInfo.java to don’t do the cannonicalization and the parse of importing of the signedinfo element if safe c14n methods are used (these safes are the standard ones).
So if there is some interest I can contribute back
these
changes, so it can be peer reviewed and fixed if needed. Or if any one
want to test without the fuss of recompilling I can send him the .jar
file with the modified library.
Regards,
Raul Benito
p.s- Sorry for the big email in html but it reads better.
1:
- org/apache/xml/security/keys/content/KeyValue.java
- org/apache/xml/security/keys/content/RetrievalMethod.java
- org/apache/xml/security/keys/keyresolver/implementations/DSAKeyValueResolver.java
- org/apache/xml/security/keys/keyresolver/implementations/RSAKeyValueResolver.java
- org/apache/xml/security/keys/keyresolver/implementations/X509CertificateResolver.java
- org/apache/xml/security/keys/keyresolver/implementations/X509SKIResolver.java
- org/apache/xml/security/keys/keyresolver/implementations/X509SubjectNameResolver.java
- org/apache/xml/security/signature/SignatureProperties.java
- org/apache/xml/security/signature/XMLSignature.java
- org/apache/xml/security/transforms/Transforms.java (Already use a DOM method only refactor to invoke a common one).
- org/apache/xml/security/utils/ElementProxy.java
- org/apache/xml/security/utils/SignatureElementProxy.java
- org/apache/xml/security/utils/XMLUtils.java (Added the functions to do the DOM searches).
2:
- org/apache/xml/security/signature/XMLSignatureInput.java
- org/apache/xml/security/transforms/implementations/TransformC14N.java
- org/apache/xml/security/transforms/implementations/TransformC14NExclusive.java
- org/apache/xml/security/transforms/implementations/TransformC14NExclusiveWithComments.java
- org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java (and also move some methods XMLUtils)
- org/apache/xml/security/utils/IdResolver.java
- org/apache/xml/security/utils/SignatureElementProxy.java
- org/apache/xml/security/utils/resolver/implementations/ResolverFragment.java
- org/apache/xml/security/utils/resolver/implementations/ResolverXPointer.java
- org/apache/xml/security/utils/XMLUtils.java (Added some methods)
- (and the c14n implementations but
these have been take on account above).
