[14] RFR 8162628: Migrate cacerts keystore from JKS
Weijun Wang
weijun.wang at oracle.com
Wed Aug 14 14:07:39 UTC 2019
The difference will be big. I've simplified the logic into
1. read bytes between first ": " and \r\n as alias
2. read bytes between first \r\n after first "-" and next "-" as a cert
3. goto 1
And I only store the cert bytes and do not create a Certificate until getCertificate() is read. I even haven't de-BASE64 them.
Time spent is still ~2.5x of JKS (when reading from a ByteArrayInputStream).
I guess the major reason is that there is no length field for the cert, so we must read-and-check all the time.
--Max
> On Aug 14, 2019, at 9:31 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> On 8/13/19 10:19 PM, Weijun Wang wrote:
>>> I will also pass a pretty large cacerts with public CA and our CAs and
>>> see wether your parser doesn't choke on it.
>> PEM is certainly slower than JKS because of text reading and de-Base64. I'll see if I can make any enhancement.
>
> This is a bit of a concern for me. In the past, reading cacerts has been a bit of a bottleneck and we have made some improvements over the years such as: https://bugs.openjdk.java.net/browse/JDK-8129988
>
> I would not want to see a regression in performance.
>
> --Sean
More information about the security-dev
mailing list