JDK-8049244 : XML Signature performance issue caused by unbuffered signature data
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.xml.crypto
  • Affected Version: 8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-07-03
  • Updated: 2017-02-22
  • Resolved: 2014-07-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 8 JDK 9 Other
8u40Fixed 9 b23Fixed openjdk7uFixed
Serious performance issue, bug was initially filed against Apache Santuario.
From https://issues.apache.org/jira/browse/SANTUARIO-393 :

After upgrading from xmlsec (java) 1.4 to 1.5 we saw a significant drop
in signature generation performance especially when using a network
based HSM.

After some investigation it turns out that the problem is that the
hashing is done with one byte at a time which with network latencies
gives the bad performance.

Looking in the code of DOMSignedInfo.java it looks like the code intends
to use an UnsyncBufferedOutputStream however only its close method is
actually called, which as far as I can see won't have any side affect at
all when operated on a ByteArrayOutputStream.

The attached patch resolves the performance issue by actually using the
UnsyncBufferedOutputStream and that way perform the digests on a
possibly full buffer instead of byte by byte. The patch has been tested
on version 1.5.5 but also applies on 1.5.6.
Added noreg-perf label as writing a regression test for this would be very difficult. However, the customer that reported this to the Apache Santuario project has already tested the patch and confirmed that it fixes the issue.