Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8156715

TrustStoreManager does not buffer keystore input stream

XMLWordPrintable

    • b04
    • generic
    • generic

      A DESCRIPTION OF THE REQUEST :
      During an analysis of a java application startup time the following performance problem was found: some libraries create SSLContext. As a part of this context creation sun.security.ssl.TrustManagerFactoryImpl class loads default JDK keystore (jre/lib/security/cacerts). sun.security.ssl.TrustManagerFactoryImpl creates a FileInputStream and passes it to java.security.KeyStore which delegates the load to sun.security.provider.JavaKeyStore#engineStore method. In this method the keystore content is loaded from the provided input stream. TrustManagerFactoryImpl and JavaKeyStore does not create a buffered input stream for this input stream, as a result JavaKeyStore spends time to read a keystore content by few bytes multiple times directly from the file.

      Example 1:
      java.io.FileInputStream.read() FileInputStream.java
      java.io.DataInputStream.readInt() DataInputStream.java:389
      sun.security.provider.JavaKeyStore.engineLoad(InputStream, char[]) JavaKeyStore.java:745
      sun.security.provider.JavaKeyStore$JKS.engineLoad(InputStream, char[]) JavaKeyStore.java:55
      java.security.KeyStore.load(InputStream, char[]) KeyStore.java:1445
      sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(String) TrustManagerFactoryImpl.java:226
      sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager() SSLContextImpl.java:767
      sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>() SSLContextImpl.java:733
      sun.reflect.NativeConstructorAccessorImpl.newInstance(Object[]) NativeConstructorAccessorImpl.java:62
      sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Object[]) DelegatingConstructorAccessorImpl.java:45
      java.lang.reflect.Constructor.newInstance(Object[]) Constructor.java:422
      java.security.Provider$Service.newInstance(Object) Provider.java:1595
      sun.security.jca.GetInstance.getInstance(Provider$Service, Class) GetInstance.java:236
      sun.security.jca.GetInstance.getInstance(String, Class, String) GetInstance.java:164
      javax.net.ssl.SSLContext.getInstance(String) SSLContext.java:156
      javax.net.ssl.SSLContext.getDefault() SSLContext.java:96
      javax.net.ssl.SSLSocketFactory.getDefault() SSLSocketFactory.java:122
      org.apache.http.impl.client.HttpClientBuilder.build() HttpClientBuilder.java
      io.hawt.web.ProxyServlet.init(ServletConfig) ProxyServlet.java:152
      org.eclipse.jetty.servlet.ServletHolder.initServlet() ServletHolder.java:612

      Example 2:
      java.io.FileInputStream.read() FileInputStream.java
      java.io.DataInputStream.readInt() DataInputStream.java:388
      sun.security.provider.JavaKeyStore.engineLoad(InputStream, char[]) JavaKeyStore.java:745
      sun.security.provider.JavaKeyStore$JKS.engineLoad(InputStream, char[]) JavaKeyStore.java:55
      java.security.KeyStore.load(InputStream, char[]) KeyStore.java:1445
      sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(String) TrustManagerFactoryImpl.java:226
      sun.security.ssl.TrustManagerFactoryImpl.engineInit(KeyStore) TrustManagerFactoryImpl.java:50
      javax.net.ssl.TrustManagerFactory.init(KeyStore) TrustManagerFactory.java:250
      shaded.org.apache.http.conn.ssl.SSLContextBuilder.loadTrustMaterial(KeyStore, TrustStrategy) SSLContextBuilder.java:103

      JUSTIFICATION :
      Many libraries, client applications (like Maven) and application servers initialise SSL on startup, reducing of time to load SSL kestores will reduce startup time for such applications.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      TrustManagerFactoryImpl or JavaKeyStore wrap the FileInputStream into a BufferedInputStream which reduces number of actual file reads
      ACTUAL -
      JavaKeyStore reads from a raw FileInputStream small portions of data multiple times.

            abarashev Artur Barashev
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: