RE: [Metadata-Support] significant slowdown in XML Signature validation


Chronological Thread 
  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: RE: [Metadata-Support] significant slowdown in XML Signature validation
  • Date: Tue, 16 Feb 2016 21:10:01 +0000

> makes the startup take about 4 seconds from the first log entry (INFO
> OpenSAML.Config : opensaml 2.5.5 library initialization complete) until it’s
> ready to respond (INFO Shibboleth.Listener : listener service starting). That
> of course eliminates all security of the metadata so not exactly something
> that can be done in any sort of real environment.

Ok, thanks for checking.

> With the MetadataFilter in place, it takes 90-120 seconds. So something with
> the signature process is chewing up a lot of time. I’d probably suspect
> something in the XML canonicalization that happens as part of signature
> validation. It seemed to be doing a ton of malloc calls, so I suspect that
> there’s something in the XML canonicalization that does that, and it increases
> exponentially with the size of the metadata file being validated.

Yes, it does, that's more or less known about that code (it's not mine, I'm
just stuck as the only maintainer left). I had thought the DOM portion alone
was nearly as bad, but apparently not. Most of the performance issues with it
had been reported on even larger files, but it's not that surprising.

> There’s likely little that can be done without significant effort into
> profiling the XML libraries and seeing exactly what they’re doing.

And there's nobody to do that work, frankly. We shipped a solution to this
problem years ago, but getting people to actually use it is up to the
federations.

-- Scott