RFR 8072394: Performance improvement for X.509 certificate parsing

Florian Weimer fweimer at redhat.com
Tue Feb 3 10:42:48 UTC 2015

The sun.security.x509.PolicyInformation constructor creates
java.security.cert.PolicyQualifierInfo instances and adds them to a
LinkedHashSet. PolicyQualifierInfo does not override hashCode(), so the
default implementation based on System.identityHashCode() is used, which
is rather slow.

I addressed this by implementing an explicit, identity-based hashCode()
using an atomic counter.  Another approach would be to replace the
LinkedHashSet with a Set backed by an ArrayList.


Before the change, this particular call to Object#hashCode() accounted
for 25% of all hits in hprof.

My benchmark involved parsing 1,000,000 certificates from the Google
certificate transparency log.  The benchmark times include loading the
DER-encoded certificates from an SQLite database.  They are quite noisy
because the X.509 parsing code allocates heavily.

R says this about this change (run time is measured in seconds):

> old <- c(50.246, 51.237, 50.057, 49.611, 49.895, 49.268, 50.161,
49.992, 49.972, 50.380)
> new <- c(50.386, 50.628, 49.496, 49.196, 49.581, 49.845, 50.009,
49.229, 48.138, 48.762)
> t.test(old, new)

	Welch Two Sample t-test

data:  old and new
t = 1.9356, df = 16.015, p-value = 0.07077
alternative hypothesis: true difference in means is not equal to 0
95 percent confidence interval:
 -0.05278151  1.16258151
sample estimates:
mean of x mean of y
  50.0819   49.5270

Florian Weimer / Red Hat Product Security
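
The two approaches named in the message above, shown side by side as an added example (this is not the patch under review and not JDK code). The names Qualifier, ArraySet and QualifierHashDemo are hypothetical, and the sample bytes are constructed.

```java
import java.util.AbstractSet;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

public class QualifierHashDemo {
    // Hypothetical stand-in for PolicyQualifierInfo: equals() stays the
    // inherited identity comparison; hashCode() returns a per-instance
    // number drawn from a shared atomic counter at construction time.
    // If the counter ever wraps, two instances may share a hash, which
    // is harmless because equals() still tells them apart.
    static final class Qualifier {
        private static final AtomicInteger NEXT = new AtomicInteger();
        private final int hash = NEXT.getAndIncrement();
        private final byte[] encoded;
        Qualifier(byte[] encoded) { this.encoded = encoded.clone(); }
        byte[] getEncoded() { return encoded.clone(); }
        @Override public int hashCode() { return hash; }
    }

    // The alternative: an insertion-ordered Set backed by an ArrayList.
    // add() scans with equals(), so hashCode() is never called.
    static final class ArraySet<E> extends AbstractSet<E> {
        private final List<E> items = new ArrayList<>();
        @Override public boolean add(E e) {
            return !items.contains(e) && items.add(e);
        }
        @Override public Iterator<E> iterator() { return items.iterator(); }
        @Override public int size() { return items.size(); }
    }

    public static void main(String[] args) {
        byte[] der = {0x30, 0x00}; // constructed sample bytes
        Qualifier a = new Qualifier(der), b = new Qualifier(der);
        Set<Qualifier> hashed = new LinkedHashSet<>();
        Set<Qualifier> listed = new ArraySet<>();
        for (Qualifier q : new Qualifier[] {a, b, a}) {
            hashed.add(q);
            listed.add(q);
        }
        // Same bytes, distinct instances: both sets keep a and b and drop the repeat.
        if (hashed.size() != 2 || listed.size() != 2) throw new AssertionError();
        if (a.hashCode() == b.hashCode()) throw new AssertionError();
        System.out.println(hashed.size() + " " + listed.size());
    }
}
```

ArraySet.add() is linear in the number of elements, which is the cost paid for avoiding hashCode() altogether.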
