- Type: Bug
- Resolution: Duplicate
- Priority: P3
- Affects Version/s: 6
- Component/s: security-libs
 
Mr. Deviant writes at http://mrdeviant.livejournal.com/76693.html:
I'm profiling the online CA I wrote for work, and noticed some strange results for the X.509 CertificateFactory. So I took a look at sun.security.x509.provider.X509Factory and noticed that they have a static synchronized cache right in the critical path of engineGenerateCertificate(). Great. So even using a thread-local cert factory won't help.
It's great that they're caching previously decoded certs, but use the concurrent collection classes, will ya? They have a Cache class, which they claim "has properties that make it more suitable for caching than a Map", but it's based on a LinkedHashMap. So, really, it's just adding invocation overhead. Just use a ConcurrentHashMap with SoftReferences and be done with it.
There's also a bug in Sun's SSL implementation - it doesn't recognize certs with no Subject and a critical SubjectAltName extension, a configuration which is not only allowed, but in some cases, mandated, by RFC 3280.
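
The data structure suggested in the post above (a ConcurrentHashMap holding SoftReferences), as an added sketch that is not code from the post or from the JDK. The class name SoftDecodeCache, the decoder function and the sample bytes are assumptions; in real use the decoder would be the certificate parser. Keying on the full encoded bytes rather than a digest means a key collision can never return a different certificate.

```java
import java.lang.ref.SoftReference;
import java.lang.ref.ReferenceQueue;
import java.nio.ByteBuffer;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

/** Hypothetical decode cache with no global lock on the lookup path. */
public class SoftDecodeCache<V> {
    /** Soft reference that remembers its key so a cleared entry can be evicted. */
    private static final class Entry<V> extends SoftReference<V> {
        final ByteBuffer key;
        Entry(ByteBuffer key, V value, ReferenceQueue<V> q) { super(value, q); this.key = key; }
    }
    private final ConcurrentHashMap<ByteBuffer, Entry<V>> map = new ConcurrentHashMap<>();
    private final ReferenceQueue<V> cleared = new ReferenceQueue<>();
    private final Function<byte[], V> decoder;

    public SoftDecodeCache(Function<byte[], V> decoder) { this.decoder = decoder; }

    @SuppressWarnings("unchecked")
    public V get(byte[] encoded) {
        // Evict entries whose values the garbage collector has already reclaimed.
        for (Object r; (r = cleared.poll()) != null; ) {
            Entry<V> e = (Entry<V>) r;
            map.remove(e.key, e);
        }
        // Copy the input so the key cannot change if the caller reuses the array.
        ByteBuffer key = ByteBuffer.wrap(encoded.clone()).asReadOnlyBuffer();
        Entry<V> hit = map.get(key);
        V value = (hit == null) ? null : hit.get();
        if (value != null) return value;
        // Miss: decode outside any lock. Two threads may decode the same bytes once each.
        value = decoder.apply(encoded);
        map.put(key, new Entry<>(key, value, cleared));
        return value;
    }

    public static void main(String[] args) throws Exception {
        AtomicInteger decodes = new AtomicInteger();
        // Constructed stand-in decoder that counts how often real decoding happens.
        SoftDecodeCache<String> cache = new SoftDecodeCache<>(b -> { decodes.incrementAndGet(); return "decoded:" + b.length; });
        byte[] sample = {0x30, 0x03, 0x02, 0x01, 0x05}; // constructed bytes, not a certificate
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int i = 0; i < 10_000; i++) pool.execute(() -> cache.get(sample));
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        System.out.println("lookups=10000 decodes=" + decodes.get());
    }
}
```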
            
- duplicates: JDK-6432000 Static certificate cache can limit scalability (Closed)