8184916: DisabledAlgorithmConstraints loading should be delayed until needed
Sean Mullan
sean.mullan at oracle.com
Wed Jul 19 15:17:41 UTC 2017
No objection. Looks fine to me.
--Sean
On 7/19/17 7:44 AM, Alan Bateman wrote:
> I'm looking at the performance of an app that initializes a lot more
> security classes than I expected. One part to this is the initial
> opening of a JAR file which ends up loading a lot of machinery that
> should only be needed with signed JARs.
>
> Any objection if I change SignatureFileVerifier to initialize
> DisabledAlgorithmConstraints lazily? The proposed patch for jdk10/jdk10
> is below.
>
> Thanks,
>
> -Alan
>
>
> diff --git
> a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
> b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
> ---
> a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
> +++
> b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
> @@ -59,9 +59,15 @@
> /* Are we debugging ? */
> private static final Debug debug = Debug.getInstance("jar");
>
> - private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
> + /**
> + * Holder class to delay initialization of
> DisabledAlgorithmConstraints
> + * until needed.
> + */
> + private static class ConfigurationHolder {
> + static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
> new DisabledAlgorithmConstraints(
> DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
> + }
>
> private ArrayList<CodeSigner[]> signerCache;
>
> @@ -371,7 +377,7 @@
> Boolean permitted = permittedAlgs.get(algorithm);
> if (permitted == null) {
> try {
> - JAR_DISABLED_CHECK.permits(algorithm,
> + ConfigurationHolder.JAR_DISABLED_CHECK.permits(algorithm,
> new ConstraintsParameters(timestamp));
> } catch(GeneralSecurityException e) {
> permittedAlgs.put(algorithm, Boolean.FALSE);
>
More information about the security-dev
mailing list