Code Review Request JDK-8129988 JSSE should create a single instance of the cacerts KeyStore

Sean Mullan sean.mullan at oracle.com
Fri Dec 16 16:14:23 UTC 2016 

Hi Xuelei,

First cut of a review at this. I still need to review TrustStoreManager, 
so will get back to you later on that. Looks very good so far.

* KeyStores.java

Do an 'hg rename' on this file, so you can see the diffs between this 
and the new name (TrustStoreUtil), and you preserve the history.

* TrustStoreUtil.java

   54         Set<X509Certificate> set = new HashSet<X509Certificate>();

Use <> operator.

   71         } catch (KeyStoreException e) {
   72             // ignore
   73         }

This should be rare, but maybe we want to log this.

* TrustStoreManager.java

   65     public static KeyStore getgetTrustedKeyStore() throws Exception {

s/getget/get/

* TrustManagerFactoryImpl.java

   85     abstract X509TrustManager getInstance(
   86             Collection<X509Certificate> trustedCerts) throws 
KeyStoreException;

It no longer makes sense for this method to throw KeyStoreException.

* X509TrustManagerImpl.java

   71     X509TrustManagerImpl(String validatorType,
   72             Collection<X509Certificate> trustedCerts) throws 
KeyStoreException {

No longer can throw KeyStoreException so it can be removed from throws 
clause.

  83         if (debug != null && Debug.isOn("trustmanager")) {
  84             showTrustedCerts();

Not sure why you made this change (and on line 99) because 
showTrustedCerts is still only called if debug is enabled.

--Sean

On 11/26/16 7:46 PM, Xuelei Fan wrote:
> Hi,
>
> Please review the performance enhancement update:
>
>    http://cr.openjdk.java.net/~xuelei/8129988/webrev.00/
>
> In SunJSSE provider, there are two ways to use the default trust store
> (lib/security/cacerts), using the default SSLContext instance or using
> the default trust manager.
>
> The default SSLContext holds a strong reference to a collection of
> trusted certificates in cacerts in static mode.  The default trust
> manager reads the cacerts file and creates a KeyStore and parses the
> certificates each time.
>
> With the growth of cacerts, the loading and cache of trusted certificate
> is not performance friendly.
>
> In this fix, I'm trying to find a balance between CPU and memory: reuse
> the loaded trusted certificates if possible and release the unused
> trusted certificates if necessary.
>
> Thanks,
> Xuelei
>

More information about the security-dev mailing list