A DESCRIPTION OF THE REQUEST :
Attempting to parse the largest DoD CRL (From Email CA 11, downloadable from https://email-ca-11.c3pki.chamb.disa.mil/getInfo?template=toDisplayCRL, choose the option to "Download the latest CRL in binary form") results in an OutOfMemory exception under normal program execution. Adding heap space using the VM option -Xmx<max heap size> allows the CRL to be parsed.

The CRL contains 834,474 serial numbers and using a profiler shows roughly 835,000 instances of the following objects:

- LinkedHashMapEntry totaling 26MB
- byte[] totaling 69MB
- int[] totaling 13MB
- BigInteger totaling 33MB
- Date totaling 20MB
- sun.security.x509.SerialNumber totaling 13MB
- sun.security.x509.X509CRLImpl$X509IssuerSerial totaling 20MB
- sun.security.x509.X509CRLEntryImpl totaling 26MB

The generateCRL method of CertificateFactory allocated 221MB in 6,675,868 allocations.

JUSTIFICATION :
This seems like way too much overhead to load up just one CRL to check for a few serial numbers for revocation. It would be nice to populate a CertStore object with all DoD CRLs and let the CertPath API automatically do revocation checking but this needs an extremely large amount of memory and takes a very long time to load all the CRLs.

---------- BEGIN SOURCE ----------
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;

public class CrlTest {
    public static void main(String[] args)
            throws IOException, CRLException, CertificateException {
        String crlFileName = "C:/usr/tra/crls/DODEMAILCA_11.crl";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // try-with-resources closes the stream even if parsing fails
        try (FileInputStream in = new FileInputStream(crlFileName)) {
            // generateCRL materializes every revoked entry as objects on the heap
            X509CRL crl = (X509CRL) cf.generateCRL(in);
        }
    }
}
---------- END SOURCE ----------
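An added example, not part of the original report and not JDK code: a lookup that walks the DER encoding in place and retains nothing per entry, for the case described above of checking a few serial numbers against a very large CRL. The class name CrlSerialScan and the sample bytes are constructed for illustration, HexFormat needs Java 17, and the scan does not verify the CRL signature, so the file must be authenticated separately before its answers are trusted.

```java
import java.math.BigInteger;
import java.util.*;
public class CrlSerialScan {
    private final byte[] der;
    private int pos, len;                 // cursor; content length set by the last header()
    CrlSerialScan(byte[] der) { this.der = der; }
    // Read one tag and definite length at pos; leave pos on the first content byte.
    private int header() {
        int tag = der[pos++] & 0xff;
        len = der[pos++] & 0xff;
        if (len >= 0x80) {                // long form: low 7 bits give the number of length bytes
            int n = len & 0x7f;
            if (n == 0 || n > 4) throw new IllegalArgumentException("unsupported DER length");
            for (len = 0; n > 0; n--) len = (len << 8) | (der[pos++] & 0xff);
        }
        if (len < 0 || len > der.length - pos) throw new IllegalArgumentException("truncated DER");
        return tag;
    }
    private void skip() { header(); pos += len; }
    private int peek() { return der[pos] & 0xff; }
    // Members of 'wanted' listed in revokedCertificates (RFC 5280 TBSCertList field order).
    Set<BigInteger> revoked(Set<BigInteger> wanted) {
        Set<BigInteger> hits = new TreeSet<>();
        pos = 0; header(); header();      // CertificateList, then TBSCertList
        int tbsEnd = pos + len;
        if (peek() == 0x02) skip();       // version (OPTIONAL INTEGER)
        skip(); skip(); skip();           // signature algorithm, issuer, thisUpdate
        if (pos < tbsEnd && (peek() == 0x17 || peek() == 0x18)) skip();  // nextUpdate (OPTIONAL)
        if (pos >= tbsEnd || peek() != 0x30) return hits;                // no revoked entries
        header(); int listEnd = pos + len;
        while (pos < listEnd) {
            header();                     // one revoked-certificate entry
            int next = pos + len;
            if (header() != 0x02) throw new IllegalArgumentException("serial INTEGER expected");
            BigInteger serial = new BigInteger(der, pos, len);  // short-lived, never retained
            if (wanted.contains(serial)) hits.add(serial);
            pos = next;                   // skip revocationDate and any entry extensions
        }
        return hits;
    }
    public static void main(String[] args) {
        // Constructed sample CRL: serials 5 and 128, dummy signature bytes.
        String alg = "300d06092a864886f70d01010b0500", t = "170d3234303130313030303030305a";
        byte[] crl = HexFormat.of().parseHex("307e3069020101" + alg + "300c310a300806035504030c0154"
                + t + t + "30293012020105" + t + "301302020080" + t + alg + "03020000");
        Set<BigInteger> wanted = Set.of(BigInteger.valueOf(5), BigInteger.valueOf(128), BigInteger.valueOf(7));
        System.out.println(new CrlSerialScan(crl).revoked(wanted));
    }
}
```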