Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- Java 2.2.0
- None

Description
When the old transformation algorithm
<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath> </ds:Transform>
is used in an XAdES signature, the validation of the signature takes "forever" (3.59MB XML file, about 3 hours).
Using the more modern XPath2Filter
<ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2"> <dsig-xpath:XPath Filter="subtract" xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">/descendant::ds:Signature</dsig-xpath:XPath> </ds:Transform>
there's no such issue.
The call which causes this issue is org.apache.xml.security.signature.XMLSignature#checkSignatureValue(java.security.cert.X509Certificate)
Unfortunately I don't have any control on the signatures I receive.
Do you plan to optimize it? Is there a workaround?
I'm sorry but I can't attach the file I used, but you can find similar samples here where the same issue is raised.
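A library-independent triage check that a validating service can run before handing a document to XMLSignature#checkSignatureValue is shown below. It is an added example, not code from the report or from Apache Santuario: it parses the document with Python's standard xml.etree, lists every ds:Transform per ds:Reference, flags references that use the XPath 1.0 transform (which XML-DSig core, section 6.6.3, defines as evaluating the expression once for every node of the input node-set, so the cost grows with document size), and combines that with the element count so that a large document on the slow path can be routed to a time-limited worker instead of occupying a validation thread for hours. The sample XML, the max_nodes threshold, and the function names are constructed for the example; the DigestValue and SignatureValue contents are placeholders, not real values.

```python
"""Pre-validation triage of XML-DSig transforms (constructed example)."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XPATH1_TRANSFORM = "http://www.w3.org/TR/1999/REC-xpath-19991116"
XPATH2_FILTER = "http://www.w3.org/2002/06/xmldsig-filter2"

# Constructed sample: not a real XAdES signature. Reference 1 uses the legacy
# XPath 1.0 transform, reference 2 the XPath Filter 2 transform. Digest and
# signature values are placeholders.
SAMPLE_XML = b"""<?xml version="1.0"?>
<Document xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Payload><Item/><Item/><Item><Sub/></Item></Payload>
  <ds:Signature Id="sig-1">
    <ds:SignedInfo>
      <ds:Reference URI="">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
            <ds:XPath>not(ancestor-or-self::ds:Signature)</ds:XPath>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
      <ds:Reference URI="#props">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
            <dsig-xpath:XPath Filter="subtract"
              xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2">/descendant::ds:Signature</dsig-xpath:XPath>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</Document>
"""


def count_elements(root):
    """Number of element nodes in the tree (root included)."""
    return sum(1 for _ in root.iter())


def find_transforms(root):
    """Return (reference URI, transform algorithm, XPath text) for every
    ds:Transform found under a ds:Reference."""
    found = []
    for ref in root.iter(f"{{{DS_NS}}}Reference"):
        uri = ref.get("URI", "")
        for transform in ref.iter(f"{{{DS_NS}}}Transform"):
            algorithm = transform.get("Algorithm", "")
            xpath_text = None
            # Both ds:XPath (XPath 1.0) and dsig-xpath:XPath (Filter 2) end in }XPath
            for child in transform:
                if child.tag.endswith("}XPath"):
                    xpath_text = (child.text or "").strip()
            found.append((uri, algorithm, xpath_text))
    return found


def triage(xml_bytes, max_nodes=50_000):
    """Summarise the slow-path risk before the expensive signature check.

    max_nodes is an assumed, deployment-specific threshold: above it, a
    reference using the XPath 1.0 transform is flagged for special handling
    (time-limited worker, separate queue), since that transform is evaluated
    once per node of the input node-set and an ancestor-axis test walks up
    the tree on every evaluation.
    """
    root = ET.fromstring(xml_bytes)
    element_count = count_elements(root)
    legacy = [t for t in find_transforms(root) if t[1] == XPATH1_TRANSFORM]
    return {
        "element_count": element_count,
        "legacy_xpath_references": [uri for uri, _, _ in legacy],
        "legacy_xpath_expressions": [xp for _, _, xp in legacy],
        "slow_path_risk": bool(legacy) and element_count > max_nodes,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_XML))
    print(triage(SAMPLE_XML, max_nodes=10))
```

On the constructed sample the first call reports one legacy reference (URI "") with the expression not(ancestor-or-self::ds:Signature) and no risk flag, because 19 elements is far below the threshold; lowering max_nodes to 10 sets slow_path_risk, which is the decision point at which a service would divert the document rather than call checkSignatureValue inline.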