Raul,
I tested your jar, it really speeds up a lot. The same test (hundred
iterations) on a 1045 bytes xml document has a speed improvement of 8-9 times
faster.
Soo Leng
----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, May 01, 2004 7:32 PM
Subject: Speed optimizations
Hello,
I have been working in some optimizations in the xml security library; this
optimization has reduced the memory foot print & speed up the signing & verification
of big XML documents. The speed-up ratio varies enormously between tests case. Some
simple ones (verified a signed Liberty LogoutRequest wrapped in a SOAP enveloped)
accomplish in half time, the opensaml assertion test got a <10% and a modified
opensaml POSTProfile (where only the assertions are signed) got a 15%-20% speed-up.
Our Liberty implementation case got a 40% speed-up from the 1.1 release. So it's very
document dependant.
The changes are a big path file of 168.243 bytes that can be summarized in
four parts:
C14N rewrite: I'll see that a big part of time is gone in the canonicalization. This
part is our biggest time hog: So I have more or less rewrite it using a name spaces
table approach. As I descend the document nodes I fill a name space table with the
xmlns definitions and whether are rendered in c14n tree or not.
The old method relay of having the doc tree circumvented (i.e. have all the namespaces
of the parent copies in all of its children) and then look upward in the tree (using
the getParent() DOM function) to see if a current namespace had been already rendered.
This method is memory expensive (it creates a new attribute for every namespace
defined in a parent node) and not very efficient for big tree documents. The new one
seems better in these two aspects. But the speed improvements depend of the specific
DOM tree.
These changes permit to get rid of a lot of calls to circumventeBug2650
These changes are the 60% of the patch. And impact only:
org/apache/xml/security/c14n/implementations/*
Remove all unnecessary use of XPath API: It seems that using XPath is slow and memory
tax. So I have try to change all the xpath calls for their equivalent in DOM. These
have decrease the memory usage a little and improve a little the speed (the bigger
ones where already changed in 1.1). These changes impact: (See (1))
Trying to don't use XMLSignatureInput with nodesets: I have tried to don't used
XMLSignatureInput with a set of nodes but in the xpath transformation. Normally the
reference node specifies a node not a nodeset, only if there is a xpath transformation
a nodeset is needed. The use of a node instead of a nodeset is better for memory
purpose and permit to canonicalize using c14nSubtree instead of c14Xpathnodeset, the
latter need to visit every node in the document tree, the former only the node & its
children.
The problem is that if the enveloped signature transformation is used a nodeset is
needed again. In order to fix it, I have added a new field to the XMLSignatureInput
and added new functions to c14n classes to specified a exclude node in the
subtree(this way the c14n only skips the exclude node when it finds it). This change
impacts: (See (2))
Miscellaneous changes: In org/apache/xml/security/signature/Reference.java some time
is spend calculating the _transformsInput field in every deference (when signing or
verifying a reference) this field is seldom used (only for debugging purpouse) so it's
better to calculate it only when required.
Other little change can be done in org/apache/xml/security/signature/SignedInfo.java
to don't do the cannonicalization and the parse of importing of the signedinfo element
if safe c14n methods are used (these safes are the standard ones).
So if there is some interest I can contribute back these changes, so it can be peer
reviewed and fixed if needed. Or if any one want to test without the fuss of
recompilling I can send him the .jar file with the modified library.
Regards,
Raul Benito
p.s- Sorry for the big email in html but it reads better.
1:
org/apache/xml/security/keys/content/KeyValue.java
org/apache/xml/security/keys/content/RetrievalMethod.java
org/apache/xml/security/keys/keyresolver/implementations/DSAKeyValueResolver.java
org/apache/xml/security/keys/keyresolver/implementations/RSAKeyValueResolver.java
org/apache/xml/security/keys/keyresolver/implementations/X509CertificateResolver.java
org/apache/xml/security/keys/keyresolver/implementations/X509SKIResolver.java
org/apache/xml/security/keys/keyresolver/implementations/X509SubjectNameResolver.java
org/apache/xml/security/signature/SignatureProperties.java
org/apache/xml/security/signature/XMLSignature.java
org/apache/xml/security/transforms/Transforms.java (Already use a DOM method only
refactor to invoke a common one).
org/apache/xml/security/utils/ElementProxy.java
org/apache/xml/security/utils/SignatureElementProxy.java
org/apache/xml/security/utils/XMLUtils.java (Added the functions to do the DOM
searches).
2:
org/apache/xml/security/signature/XMLSignatureInput.java
org/apache/xml/security/transforms/implementations/TransformC14N.java
org/apache/xml/security/transforms/implementations/TransformC14NExclusive.java
org/apache/xml/security/transforms/implementations/TransformC14NExclusiveWithComments.java
org/apache/xml/security/transforms/implementations/TransformEnvelopedSignature.java
(and also move some methods XMLUtils)
org/apache/xml/security/utils/IdResolver.java
org/apache/xml/security/utils/SignatureElementProxy.java
org/apache/xml/security/utils/resolver/implementations/ResolverFragment.java
org/apache/xml/security/utils/resolver/implementations/ResolverXPointer.java
org/apache/xml/security/utils/XMLUtils.java (Added some methods)
(and the c14n implementations but these have been take on account above).
