Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin


C14N shouldn't be that long; does XMLSEC pipe it directly into the hash,
or does it build a huge string?  The latter is expensive...
   /r$

Of course, I don't construct long strings unless it is really necessary :)
Everything is piped and, for example, in case of one enveloping transform you
will never have more than a 1K static buffer at any time. And it turns out that
David is using Apache and is only going to try xmlsec :)


Aleksey


___
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec


Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
The signature time almost does not depend on the input file size. The
typical flow looks as follows:

whole XML Document --1)--> the part you want to sign --2)--> binary data --3)--> digest --4)--> signature

where:
 1) one or more XMLDSig transforms (for example, enveloped signature)
 2) canonicalization
 3) SHA1 or MD5 or something else
 4) RSA or DSA or HMAC or something else

Step 4) does not depend on the input XML size (we always sign a 20-byte
digest), and step 3) is fast. The hard and costly parts are steps 1) and 2).
These steps *do* depend on the input XML and the complexity of the
transforms in step 1).


Aleksey.


David Wen wrote:

Aleksey,

The signature part does not cost time, but the
canonization does. Is there any performance
measurement on that?

David Wen

On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin <[EMAIL PROTECTED]> wrote:

Well, it depends on the situation:
   1) You are signing an XML file and want to have XML signature in a
   *separate* XML file.
   In this case, you might sign the XML file using external XML signature
   and then this file will be treated as a binary file (i.e., never
   parsed -> no need in c14n)
   2) You have an XML file and you want to insert XML signature in the
   *same* file (or construct a new XML file that contains original file *and*
   the signature).
   In this case you must do canonicalization because c14n is a way to
   "serialize" XML document from DOM representation to a binary file.

BTW, what kind of file are you trying to sign and do you use xmlsec library?
Some people did performance testing for xmlsec and it showed pretty good
results (for example, signing 10 MB file in 55 sec).

Aleksey.


David Wen wrote:

Hi,

We have an application where the XML file is huge and it takes hours to
canonize it but the signature is very fast. My understanding of the XML
Dsig spec is that, although the canonization algorithm is mandatory, it is
ok to not apply it, right?

Thanks!

David Wen



Re: [xmlsec] XML canonization

2002-10-18 Thread Rich Salz

You have to do canonicalization if you think there is the slightest
chance that a recipient will not keep your byte stream, but will DOMify,
then reconstruct, for example.

According to XML,  and  are the
same thing.  C14N defines a standard format so that everyone can
generate the same hash, and therefore verify the sig.

If you are confident that nobody will modify the bytes on the wire that
you send, then you can skip the C14N transformation.

I would not recommend this.

C14N shouldn't be that long; does XMLSEC pipe it directly into the hash,
or does it build a huge string?  The latter is expensive...
/r$

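Added example, not code from this thread, from xmlsec or from the Apache XML toolkit: a short Python script that does what Aleksey's four-step flow and Rich's two points describe. It streams the canonical form into a digest through a small file-like sink instead of building the canonical string, shows that two byte-different serialisations of the same document hash identically after C14N and differently without it, and then signs only the fixed-size digest. It uses the standard library's xml.etree.ElementTree.canonicalize (C14N 2.0, Python 3.8 or later) rather than the C14N 1.0 of the 2002 XMLDSig stack, and HMAC-SHA1 as the signature step, following the thread's simplified picture (real XMLDSig signs a SignedInfo element that carries the digest, not the bare digest). HashSink, c14n_digest, raw_digest, sign_digest, demo, DOC_A, DOC_B and DEMO_KEY are names and sample data made up for this example.

```python
"""Pipe C14N output straight into a digest instead of building a big string."""
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize  # C14N 2.0, Python 3.8+


class HashSink:
    """Minimal file-like object: every chunk canonicalize() writes is hashed
    immediately, so the canonical form is never held in memory as a whole."""

    def __init__(self, digest_name="sha1"):
        self.hash = hashlib.new(digest_name)

    def write(self, chunk):
        # canonicalize() emits str; canonical XML is UTF-8 by definition
        self.hash.update(chunk.encode("utf-8"))


def c14n_digest(xml_text, digest_name="sha1"):
    """Steps 2) and 3) of the flow: canonicalize, then digest, streamed."""
    sink = HashSink(digest_name)
    canonicalize(xml_text, out=sink)  # output goes to sink.write(); nothing returned
    return sink.hash.digest()


def raw_digest(xml_text, digest_name="sha1"):
    """Digest of the bytes as sent, with no canonicalization (the thread's
    case 1: a detached signature over an opaque byte stream)."""
    return hashlib.new(digest_name, xml_text.encode("utf-8")).digest()


def sign_digest(key, digest_value):
    """Step 4), HMAC variant: the signature covers only the fixed-size digest,
    which is why this step's cost does not depend on the document size.
    (Real XMLDSig signs a SignedInfo element carrying the digest; this is
    the thread's simplified picture.)"""
    return hmac.new(key, digest_value, "sha1").digest()


# Constructed sample: two byte-different serialisations of the same XML
# (attribute order, attribute quoting, whitespace inside a tag, empty-element
# form). A DOM round trip on the receiving side could turn one into the other.
DOC_A = '<order id="42" customer="acme"><item qty="2">widget</item><note/></order>'
DOC_B = "<order customer='acme'   id='42'><item qty=\"2\">widget</item><note></note></order>"
DEMO_KEY = b"constructed-demo-key"  # placeholder key for the example, not a real secret


def demo():
    """Return the comparison as a dict so it can be checked rather than printed."""
    raw_a, raw_b = raw_digest(DOC_A), raw_digest(DOC_B)
    c14n_a, c14n_b = c14n_digest(DOC_A), c14n_digest(DOC_B)
    return {
        "raw_digests_match": raw_a == raw_b,      # False: the bytes differ
        "c14n_digests_match": c14n_a == c14n_b,   # True: same infoset
        "signatures_match": sign_digest(DEMO_KEY, c14n_a) == sign_digest(DEMO_KEY, c14n_b),
        "digest_len": len(c14n_a),                # 20 bytes for SHA-1
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sink receives the canonical text in chunks as the writer produces them, which is the same idea as the small static buffer Aleksey describes: memory stays bounded regardless of document size, and the only thing the signature step ever sees is the digest. Swapping "sha1" for "sha256" in the calls changes nothing else, and the raw-versus-C14N comparison is exactly the verification failure a recipient hits if it re-serialises the document before checking a signature computed without C14N.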



Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
It's well known that Java is slooow. I am not surprised at all.
However, it'll be interesting to see how xmlsec will do. Would you mind
sharing the results of your evaluation?

Aleksey

David Wen wrote:


Unfortunately, our case is 2).

We are using the Apache XML toolkit; we'll give your tool a try.

David Wen

On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin <[EMAIL PROTECTED]> wrote:

Well, it depends on the situation:
   1) You are signing an XML file and want to have XML signature in a
   *separate* XML file.
   In this case, you might sign the XML file using external XML signature
   and then this file will be treated as a binary file (i.e., never
   parsed -> no need in c14n)
   2) You have an XML file and you want to insert XML signature in the
   *same* file (or construct a new XML file that contains original file *and*
   the signature).
   In this case you must do canonicalization because c14n is a way to
   "serialize" XML document from DOM representation to a binary file.

BTW, what kind of file are you trying to sign and do you use xmlsec library?
Some people did performance testing for xmlsec and it showed pretty good
results (for example, signing 10 MB file in 55 sec).

Aleksey.


David Wen wrote:

Hi,

We have an application where the XML file is huge and it takes hours to
canonize it but the signature is very fast. My understanding of the XML
Dsig spec is that, although the canonization algorithm is mandatory, it is
ok to not apply it, right?

Thanks!

David Wen



Re: [xmlsec] XML canonization

2002-10-18 Thread Aleksey Sanin
Well, it depends on the situation:
   1) You are signing an XML file and want to have XML signature in a
   *separate* XML file.
   In this case, you might sign the XML file using external XML signature
   and then this file will be treated as a binary file (i.e., never
   parsed -> no need in c14n)
   2) You have an XML file and you want to insert XML signature in the
   *same* file (or construct a new XML file that contains original file *and*
   the signature).
   In this case you must do canonicalization because c14n is a way to
   "serialize" XML document from DOM representation to a binary file.

BTW, what kind of file are you trying to sign and do you use xmlsec library?
Some people did performance testing for xmlsec and it showed pretty good
results (for example, signing 10 MB file in 55 sec).

Aleksey.


David Wen wrote:

Hi,

We have an application where the XML file is
huge and it takes hours to canonize it but the
signature is very fast. My understanding of the
XML Dsig spec is that, although the canonization
algorithm is mandatory, it is ok to not apply
it, right?

Thanks!

David Wen