RFR: 8284694: Avoid evaluating SSLAlgorithmConstraints twice
Daniel Jeliński
djelinski at openjdk.java.net
Tue Apr 12 18:29:43 UTC 2022
On Tue, 12 Apr 2022 15:40:46 GMT, Claes Redestad <redestad at openjdk.org> wrote:
>> While this is technically true, `SSLAlgorithmConstraints` is an internal class, so it's very unlikely that we will ever get `SSLAlgorithmConstraints` other than `DEFAULT` here.
>
> Right, I see even `DEFAULT_SSL_ONLY` is only used statically in one place.
>
> So the patch is probably good enough. Out of scope here, but if these permits-calls are (somewhat) performance-sensitive and the `DEFAULT` object is likely the only instance of `SSLAlgorithmConstraints` we'll ever see then perhaps it should be a specialized implementation that avoid the always-null `userSpecifiedConstraints != null` and `peerSpecifiedConstraints != null` checks.
Thanks for reviewing!
These permits calls are generally performing sufficiently well; the problem is that they in turn end up calling [AlgorithmDecomposer#decomposeImpl](https://github.com/openjdk/jdk/blob/36b59f3814fdaa44c9c04a0e8d63d0ba56929326/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#L53), which performs string splitting using a [pattern with negative look-behind](https://github.com/openjdk/jdk/blob/36b59f3814fdaa44c9c04a0e8d63d0ba56929326/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#L43), which is pretty slow. But that's another story.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8199
More information about the security-dev
mailing list