X509Factory cache control
Eirik Bjørsnøs
eirbjo at gmail.com
Mon Apr 24 09:00:31 UTC 2023
On Mon, Apr 24, 2023 at 10:28 AM Bernd <ecki at zusammenkunft.net> wrote:
> Not sure what exactly is cached, but for CRL only the latest CRL version
> should be cached and only for its lifetime (refresh time).
>
The current cache is not that sophisticated. It uses the encoded byte array
as a key which maps to the parsed CRL / cert. The lifetime is unlimited.
It is possible to flush the (whole) cache by passing null parameters to
CertificateFactory methods (this is undocumented from what I can tell).
> Also, CRLs get quite large, is it compressing the entire it caches?
>
My understanding is it caches the parsed CRL, yes. CRLs with an encoded
size larger than 4MB will not be cached, but 4MB parses into more heap
memory.
Eirik.
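
A sketch of the policy suggested in the quoted text (keep only the newest CRL per issuer, and only until its nextUpdate), as an added example that is not OpenJDK code and not part of the original message. The class name CrlLifetimeCache and its methods are hypothetical, and it assumes one full CRL per issuer (no delta or partitioned CRLs).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.time.Instant;
import java.util.Date;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.x500.X500Principal;

/** Hypothetical application-level CRL cache; not OpenJDK's X509Factory cache. */
public class CrlLifetimeCache {
    // Keyed by issuer rather than by encoded bytes, so a newer CRL replaces the older one.
    private final ConcurrentHashMap<X500Principal, X509CRL> byIssuer = new ConcurrentHashMap<>();

    /** Store crl unless a CRL with the same or a later thisUpdate is already held for its issuer. */
    public void put(X509CRL crl) {
        byIssuer.merge(crl.getIssuerX500Principal(), crl,
            (old, fresh) -> fresh.getThisUpdate().after(old.getThisUpdate()) ? fresh : old);
    }

    /** Return the cached CRL for issuer, or null; the entry is evicted once nextUpdate has passed. */
    public X509CRL get(X500Principal issuer, Instant now) {
        // computeIfPresent removes the mapping when the function returns null.
        return byIssuer.computeIfPresent(issuer, (key, crl) -> {
            Date next = crl.getNextUpdate(); // optional field; null means no stated lifetime
            return (next == null || !now.isBefore(next.toInstant())) ? null : crl;
        });
    }

    public int size() {
        return byIssuer.size();
    }

    /** Usage: java CrlLifetimeCache.java first.crl second.crl (DER or PEM CRL files). */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CrlLifetimeCache cache = new CrlLifetimeCache();
        for (String file : args) {
            try (InputStream in = Files.newInputStream(Path.of(file))) {
                cache.put((X509CRL) cf.generateCRL(in));
            }
        }
        System.out.println(cache.size() + " issuer(s) cached");
    }
}
```

Because entries are keyed by issuer and bounded by nextUpdate, the retained heap is at most one parsed CRL per issuer, instead of one per distinct encoding with unlimited lifetime.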