RFR 8072394: Performance improvement for X.509 certificate parsing

Florian Weimer fweimer at redhat.com
Fri Feb 13 20:16:22 UTC 2015

On 02/13/2015 08:43 PM, Sean Mullan wrote:
> This fix looks fine, but I am trying to remember why a Set/LinkedHashSet
> was used in the first place, it seems like a List/ArrayList would have
> been more suitable. Even though PolicyInformation is an internal class,
> it's probably better to not change that detail at this point unless we
> have a better reason.

I think the Set is part of the public API:


RFC 5280 says this: “A certificate policy OID MUST NOT appear more than
once in a certificate policies extension.” (Section

Based on that, PolicyQualifierInfo should have implemented value-based
equals() and hashCode(), and the identity-based set is just a bug.  (But
the requirement I cited is a stronger requirement the Set would not

However, I think it's too late to fix this bug now.  That's why I just
added the identity counter.  If you want the behavioral change instead,
I can implement that as well.

> Can you add a noreg-perf label to the bug?

Done, perhaps prematurely.

Florian Weimer / Red Hat Product Security

More information about the security-dev mailing list
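
The identity-based set behaviour discussed in the message above, as an added example (not code from the thread or from the JDK). The class name `QualifierSetDemo` and the DER bytes are constructed for illustration, and the first set relies on `PolicyQualifierInfo` not overriding `equals()`/`hashCode()`, as the message states:

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.cert.PolicyQualifierInfo;
import java.util.LinkedHashSet;
import java.util.Set;

public class QualifierSetDemo {
    // Constructed sample: DER for
    // SEQUENCE { OID 1.3.6.1.5.5.7.2.1 (id-qt-cps), IA5String "http://example.test/cps" }
    static byte[] sampleQualifierDer() {
        byte[] oid = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01};
        byte[] uri = "http://example.test/cps".getBytes(StandardCharsets.US_ASCII);
        ByteBuffer der = ByteBuffer.allocate(2 + oid.length + 2 + uri.length);
        der.put((byte) 0x30).put((byte) (oid.length + 2 + uri.length)); // SEQUENCE, short-form length
        der.put(oid);
        der.put((byte) 0x16).put((byte) uri.length).put(uri);           // IA5String
        return der.array();
    }

    public static void main(String[] args) throws Exception {
        byte[] der = sampleQualifierDer();

        // Two objects parsed from byte-identical encodings.
        PolicyQualifierInfo a = new PolicyQualifierInfo(der);
        PolicyQualifierInfo b = new PolicyQualifierInfo(der);

        // Without value-based equals()/hashCode(), the set compares by object
        // identity, so equal qualifiers are not collapsed.
        Set<PolicyQualifierInfo> byIdentity = new LinkedHashSet<>();
        byIdentity.add(a);
        byIdentity.add(b);

        // Value-based comparison, here approximated by keying on the DER
        // encoding (ByteBuffer.equals compares content).
        Set<ByteBuffer> byValue = new LinkedHashSet<>();
        byValue.add(ByteBuffer.wrap(a.getEncoded()));
        byValue.add(ByteBuffer.wrap(b.getEncoded()));

        System.out.println("a.equals(b): " + a.equals(b));
        System.out.println("set of PolicyQualifierInfo: " + byIdentity.size());
        System.out.println("set keyed on DER encoding:  " + byValue.size());
    }
}
```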