RFR: 8317431: Implement simpler Comparator when building certification paths [v4]

Sean Mullan mullan at openjdk.org
Thu Mar 7 15:12:18 UTC 2024 

> This enhancement simplifies and improves the performance of the Comparator that the PKIX CertPathBuilder uses to sort candidate certificates.
> 
> [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1) requires that certificates include authority and subject key identifiers to facilitate cert path discovery. When the certificates comply with RFC 5280, the sorting algorithm is fast and efficient. However, there may be cases where certificates do not include the proper KIDs, for legacy or other reasons. This enhancement targets those cases and has shown an increase in performance of `CertPathBuilder.build` by up to 2x in tests involving certificates that do not contain KIDs. Specific changes include:
> 
> - Removed and simplified some of the steps in `PKIXCertComparator.compare` method. Some of these steps were not a good representation of common certificate hierarchies and were overly expensive to perform. 
> - Several methods in `X500Name` and `Builder` have been made obsolete and thus removed.
> - `X500Name` has been changed to use shared secrets instead of reflection to access non-public members of `X500Principal`, and vice-versa.
> - The `CertificateBuilder` test code has been enhanced to set reasonable defaults for serial number and validity fields of a certificate

Sean Mullan has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision:

 - Weijun's comments.
 - Merge
 - Fix whitespace error. Improve debugging. Change return value of distanceToCommonAncestor().
 - Add more comments. Remove unnecessary import.
 - Fix whitespace.
 - Update copyrights.
 - Merge
 - Simplify and improve performance of PKIXCertComparator.
 - Regression test.
 - Use shared secrets instead of reflection.
 - ... and 5 more: https://git.openjdk.org/jdk/compare/fdb17ad8...20b714dd

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/17248/files
  - new: https://git.openjdk.org/jdk/pull/17248/files/7a91821b..20b714dd

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=17248&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=17248&range=02-03

  Stats: 208166 lines in 4462 files changed: 72796 ins; 106611 del; 28759 mod
  Patch: https://git.openjdk.org/jdk/pull/17248.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/17248/head:pull/17248

PR: https://git.openjdk.org/jdk/pull/17248

More information about the security-dev mailing list