RFR: 8317431: Implement simpler Comparator when building certification paths

Weijun Wang weijun at openjdk.org
Wed Jan 10 14:40:23 UTC 2024


On Wed, 3 Jan 2024 16:55:39 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> This enhancement simplifies and improves the performance of the Comparator that the PKIX CertPathBuilder uses to sort candidate certificates.
> 
> [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1) requires that certificates include authority and subject key identifiers to facilitate cert path discovery. When the certificates comply with RFC 5280, the sorting algorithm is fast and efficient. However, there may be cases where certificates do not include the proper KIDs, for legacy or other reasons. This enhancement targets those cases and has shown an increase in performance of `CertPathBuilder.build` by up to 2x in tests involving certificates that do not contain KIDs. Specific changes include:
> 
> - Removed and simplified some of the steps in `PKIXCertComparator.compare` method. Some of these steps were not a good representation of common certificate hierarchies and were overly expensive to perform. 
> - Several methods in `X500Name` and `Builder` have been made obsolete and thus removed.
> - `X500Name` has been changed to use shared secrets instead of reflection to access non-public members of `X500Principal`, and vice-versa.
> - The `CertificateBuilder` test code has been enhanced to set reasonable defaults for serial number and validity fields of a certificate

src/java.base/share/classes/sun/security/provider/certpath/Builder.java line 36:

> 34: import sun.security.provider.certpath.PKIX.BuilderParams;
> 35: import sun.security.util.Debug;
> 36: import sun.security.x509.GeneralNameInterface;

`GeneralNameInterface` is useless now.

src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java line 556:

> 554:      * @return the common ancestor or null if none or an attribute of the
> 555:      *    last RDN of the common ancestor is geographical
> 556:      */

~Is it possible to return the common ancestors of all the 3 names: trusted, issuer1, issuer2?~ Also, it seems there is no need to return a list. Just a number is enough. Actually you care about the difference from the common part, so how about returning the distance directly?

Update: ignore the 1st part of this comment.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17248#discussion_r1447447541
PR Review Comment: https://git.openjdk.org/jdk/pull/17248#discussion_r1447468296
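The reviewer's suggestion of returning a single distance number instead of a list of common-ancestor RDNs, as an added standalone sketch; this is not the JDK's `PKIXCertComparator` or the PR's code, it assumes `javax.naming.ldap.LdapName` for splitting a DN into RDNs (the JDK code uses its own `X500Name`), and the sample names are constructed.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;

/** Sketch only: "distance from the common ancestor" as one int, not a list of RDNs. */
public final class AncestorDistance {

    /**
     * Number of RDNs in {@code name} that lie below its common ancestor with
     * {@code other}. LdapName indexes RDNs from the root (index 0 is the
     * rightmost RDN, e.g. C=US), so the common ancestor is the shared prefix.
     */
    static int distanceFromCommonAncestor(LdapName name, LdapName other) {
        List<Rdn> a = name.getRdns();
        List<Rdn> b = other.getRdns();
        int common = 0;
        while (common < a.size() && common < b.size()
                && a.get(common).equals(b.get(common))) {
            common++;
        }
        return a.size() - common;
    }

    /**
     * Orders candidate issuer names so the one closest to the trust anchor's
     * subject (fewest RDNs below their common ancestor) is tried first.
     */
    static Comparator<LdapName> closestToAnchor(LdapName anchorSubject) {
        return Comparator.comparingInt(n -> distanceFromCommonAncestor(n, anchorSubject));
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample names; no real PKI is implied.
        LdapName anchor  = new LdapName("CN=Root CA, O=Example Corp, C=US");
        LdapName nearCa  = new LdapName("CN=Intermediate CA, O=Example Corp, C=US"); // shares O and C
        LdapName farCa   = new LdapName("CN=Issuing CA, OU=Dept, O=Other Org, C=US"); // shares only C
        LdapName foreign = new LdapName("CN=Foreign CA, O=Elsewhere Ltd, C=GB");     // shares nothing
        List<LdapName> candidates = new ArrayList<>(List.of(farCa, foreign, nearCa));
        candidates.sort(closestToAnchor(anchor));
        for (LdapName n : candidates) {
            System.out.println(distanceFromCommonAncestor(n, anchor) + "  " + n);
        }
    }
}
```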



More information about the security-dev mailing list