RFR 8072394: Performance improvement for X.509 certificate parsing

Sean Mullan sean.mullan at oracle.com
Mon Feb 16 22:13:00 UTC 2015


On 02/13/2015 03:16 PM, Florian Weimer wrote:
> On 02/13/2015 08:43 PM, Sean Mullan wrote:
>> This fix looks fine, but I am trying to remember why a Set/LinkedHashSet
>> was used in the first place, it seems like a List/ArrayList would have
>> been more suitable. Even though PolicyInformation is an internal class,
>> it's probably better to not change that detail at this point unless we
>> have a better reason.
>
> I think the Set is part of the public API:
>
> <http://docs.oracle.com/javase/8/docs/api/java/security/cert/PolicyNode.html#getPolicyQualifiers-->
>
> RFC 5280 says this: “A certificate policy OID MUST NOT appear more than
> once in a certificate policies extension.” (Section 4.2.4.1)

Ah, thanks for the reminder.

> Based on that, PolicyQualifierInfo should have implemented value-based
> equals() and hashCode(), and the identity-based set is just a bug.  (But
> the requirement I cited is a stronger requirement the Set would not
> enforce.)
>
> However, I think it's too late to fix this bug now.  That's why I just
> added the identity counter.  If you want the behavioral change instead,
> I can implement that as well.

Maybe it's not too late. This is not a commonly used class, and the 
compatibility risk is probably fairly low. If you code up the changes, I 
can file a CCC on your behalf.

--Sean

>
>> Can you add a noreg-perf label to the bug?
>
> Done, perhaps prematurely.
>
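
The point discussed above is that a Set of PolicyQualifierInfo only collapses duplicates if the class defines value-based equals() and hashCode(). The following is an added example, not code from this thread or from the JDK: it shows how a caller can de-duplicate qualifiers by their DER encoding without depending on that. The class and method names (QualifierDedup, cpsQualifier, dedupByEncoding) are hypothetical and the URIs are constructed sample data.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.cert.PolicyQualifierInfo;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class QualifierDedup {
    // Constructed sample: DER for SEQUENCE { OID id-qt-cps (1.3.6.1.5.5.7.2.1), IA5String uri }.
    static byte[] cpsQualifier(String uri) {
        byte[] oid = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01};
        byte[] text = uri.getBytes(StandardCharsets.US_ASCII);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30);                          // SEQUENCE tag
        out.write(oid.length + 2 + text.length);  // short-form length, valid while < 128
        out.write(oid, 0, oid.length);
        out.write(0x16);                          // IA5String tag
        out.write(text.length);
        out.write(text, 0, text.length);
        return out.toByteArray();
    }

    // Value-based de-duplication keyed on the DER bytes; first occurrence wins, order is kept.
    static List<PolicyQualifierInfo> dedupByEncoding(List<PolicyQualifierInfo> in) {
        Map<ByteBuffer, PolicyQualifierInfo> seen = new LinkedHashMap<>();
        for (PolicyQualifierInfo q : in) {
            // ByteBuffer compares by content, unlike byte[] which compares by identity.
            seen.putIfAbsent(ByteBuffer.wrap(q.getEncoded()), q);
        }
        return new ArrayList<>(seen.values());
    }

    public static void main(String[] args) throws IOException {
        byte[] der = cpsQualifier("http://example.test/cps");
        List<PolicyQualifierInfo> parsed = Arrays.asList(
            new PolicyQualifierInfo(der),   // same bytes parsed twice:
            new PolicyQualifierInfo(der),   // two distinct objects, one value
            new PolicyQualifierInfo(cpsQualifier("http://example.test/other")));
        // The HashSet size depends on whether the running JDK's class overrides equals().
        System.out.println("HashSet size: " + new HashSet<>(parsed).size());
        System.out.println("Distinct encodings: " + dedupByEncoding(parsed).size());
    }
}
```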


