[xmlsec] XML canonization
Aleksey Sanin
aleksey at aleksey.com
Fri Oct 18 18:56:42 PDT 2002
The signature time almost does not depend on the input file size. The
typical flow looks
as follows:
1)
2) 3) 4)
whole XML Document---->the part you want to sign---->binary
data---->digest---->signature
where:
1) one or more XMLDSig transforms (for example, enveloped signature)
2) cannonicalization
3) SHA1 or MD5 or something else
4) RSA or DSA or HMAC or something else
The steps 4) does not depend on the input XML size (we always sign 20
bytes digest),
the step 3) is fast. The hard and costly part are steps 1) and 2). These
steps *do* depend
on the input XML and the complexety of the transforms in step 1).
Aleksey.
David Wen wrote:
>Aleksey,
>
>The signature part does not cost time, but the
>canonization does. Is there any performance
>measurement on that?
>
>David Wen
>
>On Fri, 18 Oct 2002 18:32:35 -0700 Aleksey Sanin <aleksey at aleksey.com> wrote:
>
>
>
>>Well, it depends on the situation:
>> 1) You are signing an XML file and want to
>>have XML signature in a
>> *separate* XML file.
>> In this case, you might sign the XML file
>>using external XML signature
>> and then this file will be treated as a
>>binary file (i.e., never
>>parsed->no need
>> in c14n)
>> 2) You have an XML file and you want to
>>insert XML signature in the
>> *same* file (or construct a new XML file
>>that contains original file
>>*and*
>> thew signature).
>> In this case you must do cannonicalization
>>because c14n is a way to
>>"serialize"
>> XML document from DOM representation to a
>>binary file.
>>
>>BTW, what kind of file are you trying to sign
>>and do you use xmlsec library?
>>Some people did performance testing for xmlsec
>>and it showed pretty good
>>results (for example, signing 10 MB file in 55
>>sec).
>>
>>Aleksey.
>>
>>
>>David Wen wrote:
>>
>>
>>
>>>Hi,
>>>
>>>We have an application where the XML file is
>>>huge and it takes hours to canonize it but the
>>>signature is very fast. My understanding of
>>>
>>>
>>the
>>
>>
>>>XML Dsig spec is that, although the
>>>
>>>
>>canonization
>>
>>
>>>algorithm is mandatory, but it is ok to not
>>>
>>>
>>apply
>>
>>
>>>it, right?
>>>
>>>Thanks!
>>>
>>>David Wen
>>>_______________________________________________
>>>xmlsec mailing list
>>>xmlsec at aleksey.com
>>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>>
>>>
>>>
>>>
>>_______________________________________________
>>xmlsec mailing list
>>xmlsec at aleksey.com
>>http://www.aleksey.com/mailman/listinfo/xmlsec
>>
>>
>>
More information about the xmlsec
mailing list