[14] RFR 8162628: Migrate cacerts keystore from JKS
Sean Mullan
sean.mullan at oracle.com
Thu Aug 22 14:40:47 UTC 2019
On 8/14/19 10:07 AM, Weijun Wang wrote:
> The difference will be big. I've simplified the logic into
>
> 1. read bytes between first ": " and \r\n as alias
> 2. read bytes between first \r\n after first "-" and next "-" as a cert
> 3. goto 1
>
> And I only store the cert bytes and do not create a Certificate until getCertificate() is read. I even haven't de-BASE64 them.
>
> Time spent is still ~2.5x of JKS (when reading from a ByteArrayInputStream).
>
> I guess the major reason is that there is no length field for the cert, so we must read-and-check all the time.
Could you store the length as an attribute, perhaps?
--Sean
>
> --Max
>
>> On Aug 14, 2019, at 9:31 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>> On 8/13/19 10:19 PM, Weijun Wang wrote:
>>>> I will also pass a pretty large cacerts with public CA and our CAs and
>>>> see wether your parser doesn't choke on it.
>>> PEM is certainly slower than JKS because of text reading and de-Base64. I'll see if I can make any enhancement.
>>
>> This is a bit of a concern for me. In the past, reading cacerts has been a bit of a bottleneck and we have made some improvements over the years such as: https://bugs.openjdk.java.net/browse/JDK-8129988
>>
>> I would not want to see a regression in performance.
>>
>> --Sean
>
More information about the security-dev
mailing list