On Mon, 01-12-2008 at 17:06 +0100, Inma Marín wrote:
> Hello,
> I have a problem when validating an XML enveloped signature. The point
> is that I want to verify an XML document which includes 3 enveloped
> signatures. These enveloped signatures are independent, in such a way
> that each of them is generated only over the XML document (removing
> the already existing signatures). To that extent, an xpath expression
> (not(ancestor-or-self::node()=//*[namespace-uri()='http://www.w3.org/2000/09/xmldsig#'
> and local-name()='Signature'])) is used instead of an enveloped transform
> (as an enveloped transform only removes the actual signature element, and I
> need all existing signature elements be removed). However, when verifying
> this document, the verification lasts a lot of time!

I'm using this expression with success:

    not(ancestor-or-self::ds:Signature)

> Particularly, if I try to verify an XML document with only one
> signature, if it has been generated using the XPath expression, the
> verification lasts 15 minutes more than if the signature has been
> generated using the enveloped transform!!

It sounds to me like it is trying to resolve the URI, but I can't confirm it; I'm saying this as a simple user and not a developer.

> I am using xmlsec v1.2.1.
>
> Could you be so kind as to tell me why it happens, please? Does any
> later version make this kind of verification quicker? If not, any idea
> of making this verification more rapid?

I'm using 1.4.2 with the expression written above and it's as fast as I can expect.

-- 
Franco Catrin L.
TUXPAN Software S.A.
http://www.tuxpan.com/fcatrin
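
What each approach feeds into the digest when a document carries three independent enveloped signatures, as an added example that is not part of the thread and is not xmlsec code. The sample document, the Id values and the function names are assumptions; the filter is applied at element level and ET.tostring stands in for canonicalization.

```python
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SIG = f"{{{DS}}}Signature"

# Constructed sample: the payload alone, and the same payload carrying
# three independent enveloped signatures (values are placeholders).
UNSIGNED = "<doc><item>a</item><item>b</item></doc>"
SIGNED = (
    f'<doc xmlns:ds="{DS}"><item>a</item><item>b</item>'
    + "".join(
        f'<ds:Signature Id="s{i}"><ds:SignatureValue>V{i}</ds:SignatureValue>'
        "</ds:Signature>"
        for i in (1, 2, 3)
    )
    + "</doc>"
)

def drop_signatures(root, keep=lambda sig: False):
    """Copy the tree, omitting every ds:Signature subtree for which keep() is false."""
    out = copy.deepcopy(root)
    for parent in list(out.iter()):
        for child in list(parent):
            if child.tag == SIG and not keep(child):
                parent.remove(child)
    return out

def xpath_filter_view(root):
    # not(ancestor-or-self::ds:Signature): no node inside any Signature survives.
    return drop_signatures(root)

def enveloped_view(root, sig_id):
    # Enveloped-signature transform: only the signature being processed is removed.
    return drop_signatures(root, keep=lambda s: s.get("Id") != sig_id)

def digest(root):
    # Simplification: plain serialization instead of C14N.
    return hashlib.sha256(ET.tostring(root)).hexdigest()

if __name__ == "__main__":
    signed = ET.fromstring(SIGNED)
    print("xpath filter :", digest(xpath_filter_view(signed)))
    print("payload only :", digest(ET.fromstring(UNSIGNED)))
    for sid in ("s1", "s2", "s3"):
        print("enveloped", sid, ":", digest(enveloped_view(signed, sid)))
```

With the filter, every signature digests the same bytes as the unsigned payload, so signatures can be added or removed independently; with the enveloped transform, each signature's digest input still includes the other two Signature elements.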