RFR 8072394: Performance improvement for X.509 certificate parsing
Florian Weimer
fweimer at redhat.com
Tue Feb 3 10:42:48 UTC 2015
The sun.security.x509.PolicyInformation constructor creates
java.security.cert.PolicyQualifierInfo instances and adds them to a
LinkedHashSet. PolicyQualifierInfo does not override hashCode(), so the
default implementation based on System.identityHashCode() is used, which
is rather slow.

I addressed this by implementing an explicit, identity-based hashCode()
using an atomic counter. Another approach would be to replace the
LinkedHashSet with a Set backed by an ArrayList.

<http://cr.openjdk.java.net/~fweimer/8072394/webrev.00/>

Before the change, this particular call to Object#hashCode() accounted
for 25% of all hits in hprof.

My benchmark involved parsing 1,000,000 certificates from the Google
certificate transparency log. The benchmark times include loading the
DER-encoded certificates from an SQLite database. They are quite noisy
because the X.509 parsing code allocates heavily.

R says this about this change (run time is measured in seconds):

> old <- c(50.246, 51.237, 50.057, 49.611, 49.895, 49.268, 50.161,
49.992, 49.972, 50.380)
> new <- c(50.386, 50.628, 49.496, 49.196, 49.581, 49.845, 50.009,
49.229, 48.138, 48.762)
> t.test(old, new)
Welch Two Sample t-test
data: old and new
t = 1.9356, df = 16.015, p-value = 0.07077
alternative hypothesis: true difference in means is not equal to 0
95 percent confidence interval:
-0.05278151 1.16258151
sample estimates:
mean of x mean of y
50.0819 49.5270
--
Florian Weimer / Red Hat Product Security
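
An illustrative sketch of the counter-based, identity-preserving hashCode() technique described in the message above. This is an added example, not the code from the webrev or from the JDK; the class names CounterHashDemo and Qualifier, the field names and the sample bytes are hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

public class CounterHashDemo {
    // Hypothetical stand-in for a class that relies on Object.equals()
    // (reference equality) and is stored in a hash-based collection.
    static final class Qualifier {
        // Shared counter: each instance takes the next value as its hash.
        private static final AtomicInteger NEXT = new AtomicInteger();

        private final int hash = NEXT.getAndIncrement();
        private final byte[] encoded;

        Qualifier(byte[] encoded) {
            this.encoded = encoded.clone();
        }

        byte[] getEncoded() {
            return encoded.clone();
        }

        // equals() is not overridden, so two objects are equal only if
        // they are the same reference. A per-instance constant therefore
        // satisfies the hashCode() contract without calling
        // System.identityHashCode(). If the counter ever wraps, two
        // instances may share a hash, which the contract permits.
        @Override
        public int hashCode() {
            return hash;
        }
    }

    public static void main(String[] args) {
        byte[] der = {0x30, 0x00}; // constructed sample bytes
        Qualifier a = new Qualifier(der);
        Qualifier b = new Qualifier(der); // same content, distinct object

        Set<Qualifier> set = new LinkedHashSet<>();
        set.add(a);
        set.add(b);
        set.add(a); // same reference again, so the set ignores it

        System.out.println("size = " + set.size());
        System.out.println("contains a = " + set.contains(a));
        System.out.println("stable hash = " + (a.hashCode() == a.hashCode()));
        System.out.println("distinct hashes = " + (a.hashCode() != b.hashCode()));
    }
}
```

Set membership stays identity-based, as with the default hashCode(): content-equal objects remain separate elements, and only a repeated reference is deduplicated.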