Bug
Resolution: Cannot Reproduce
P4
None
6
x86
windows_xp
A DESCRIPTION OF THE REQUEST :
Attempting to parse the largest DoD CRL (from Email CA 11, downloadable from https://email-ca-11.c3pki.chamb.disa.mil/getInfo?template=toDisplayCRL, choose the option to "Download the latest CRL in binary form") results in an OutOfMemory exception under normal program execution. Adding heap space using the VM option -Xmx<max heap size> allows the CRL to be parsed.
The CRL contains 834,474 serial numbers, and a profiler shows roughly 835,000 instances of the following objects:
LinkedHashMapEntry totaling 26MB
byte[] totaling 69MB
int[] totaling 13MB
BigInteger totaling 33MB
Date totaling 20MB
sun.security.x509.SerialNumber totaling 13MB
sun.security.x509.X509CRLImpl$X509IssuerSerial totaling 20MB
sun.security.x509.X509CRLEntryImpl totaling 26MB
The generateCRL method of CertificateFactory allocated 221MB in 6,675,868 allocations.
JUSTIFICATION :
This seems like way too much overhead to load up just one CRL to check for a few serial numbers for revocation. It would be nice to populate a CertStore object with all DoD CRLs and let the CertPath API automatically do revocation checking, but this needs an extremely large amount of memory and takes a very long time to load all the CRLs.
---------- BEGIN SOURCE ----------
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
public class CrlTest {
    public static void main(String[] args) throws FileNotFoundException,
            CRLException, CertificateException {
        String crlFileName = "C:/usr/tra/crls/DODEMAILCA_11.crl";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCRL builds objects for every revoked entry; this is the call that exhausts the heap
        X509CRL crl = (X509CRL) cf.generateCRL(new FileInputStream(crlFileName));
    }
}
---------- END SOURCE ----------
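For the use case in the justification (checking a few serial numbers against one very large CRL), the following added example, which is not JDK code and not part of the original report, scans a DER-encoded CRL as a stream and keeps only the serials it was asked about, so memory use does not grow with the number of entries. The class name `CrlSerialScan`, the method `revokedAmong` and the embedded sample CRL are constructed for illustration; the scan does not verify the CRL signature, so it is only meaningful on a CRL whose signature has been checked separately.

```java
import java.io.*;
import java.math.BigInteger;
import java.util.*;
public class CrlSerialScan {
    private final DataInputStream in;
    private long pos;                                   // bytes consumed so far
    CrlSerialScan(InputStream s) { in = new DataInputStream(new BufferedInputStream(s)); }
    int u8() throws IOException { pos++; return in.readUnsignedByte(); }
    void expect(int tag) throws IOException { if (u8() != tag) throw new IOException("unexpected DER tag"); }
    long len() throws IOException {                     // DER definite length, short or long form
        int b = u8(), n = b & 0x7f;
        if (b < 0x80) return b;
        if (n == 0 || n > 4) throw new IOException("unsupported DER length");
        long v = 0;
        while (n-- > 0) v = (v << 8) | u8();
        return v;
    }
    byte[] read(long n) throws IOException {            // bounded, so a bogus length cannot force a huge allocation
        if (n < 0 || n > 65536) throw new IOException("bad element length " + n);
        byte[] b = new byte[(int) n];
        in.readFully(b); pos += n;
        return b;
    }
    /** Serials from wanted found in revokedCertificates. The CRL signature is NOT verified here. */
    static Set<BigInteger> revokedAmong(InputStream der, Set<BigInteger> wanted) throws IOException {
        CrlSerialScan s = new CrlSerialScan(der);
        Set<BigInteger> hits = new HashSet<BigInteger>();
        s.expect(0x30); s.len();                        // CertificateList
        s.expect(0x30); long tbsEnd = s.len() + s.pos;  // tbsCertList
        // Children: [version], signature (SEQUENCE 1), issuer (SEQUENCE 2), dates, [revoked (SEQUENCE 3)], [extensions]
        int seqs = 0;
        while (s.pos < tbsEnd && !(s.u8() == 0x30 && ++seqs == 3)) s.read(s.len());
        if (seqs < 3) return hits;                      // no revokedCertificates field
        for (long end = s.len() + s.pos; s.pos < end; ) {
            s.expect(0x30); long entryEnd = s.len() + s.pos;
            s.expect(0x02); byte[] sn = s.read(s.len()); // userCertificate serial, the only part kept
            if (sn.length > 0 && wanted.contains(new BigInteger(sn))) hits.add(new BigInteger(sn));
            s.read(entryEnd - s.pos);                   // discard revocationDate and entry extensions
        }
        return hits;
    }
    public static void main(String[] args) throws IOException {
        // Constructed sample CRL (placeholder issuer and signature), revoked serials 5 and 256; T is a UTCTime.
        String hex = "3057 3050 020101 3000 3000 T T 3029 3012020105 T 301302020100 T 3000 030100"
                .replace("T", "170D3235303130313030303030305A").replace(" ", "");
        Set<BigInteger> wanted = new HashSet<BigInteger>(Arrays.asList(BigInteger.valueOf(256), BigInteger.valueOf(7)));
        System.out.println(revokedAmong(new ByteArrayInputStream(new BigInteger(hex, 16).toByteArray()), wanted));
    }
}
```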
duplicates: JDK-8058541 Massive memory use loading CRLs using CertificateFactory.generateCRL (Closed)
relates to: JDK-7099399 cannot deal with CRL file larger than 16MB (Closed)