JDK-6440092 : X509Factory caching
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2006-06-17
  • Updated: 2010-04-02
  • Resolved: 2006-06-19
Related Reports
Duplicate :  
Description
Mr. Deviant writes at
http://mrdeviant.livejournal.com/76693.html

I'm profiling the online CA I wrote for work, and noticed some strange results for the X.509 CertificateFactory. So I took a look at sun.security.x509.provider.X509Factory and noticed that they have a static synchronized cache right in the critical path of engineGenerateCertificate(). Great. So even using a thread-local cert factory won't help.

It's great that they're caching previously decoded certs, but use the concurrent collection classes, will ya? They have a Cache class, which they claim "has properties that make it more suitable for caching than a Map", but it's based on a LinkedHashMap. So, really, it's just adding invocation overhead. Just use a ConcurrentHashMap with SoftReferences and be done with it.

There's also a bug in Sun's SSL implementation - it doesn't recognize certs with no Subject and a critical SubjectAltName extension, a configuration which is not only allowed, but in some cases, mandated, by RFC 3280.

Comments
EVALUATION

A ConcurrentHashMap alone does not cut it because the cache needs to have a maximum size and a reasonable replacement policy, not a random one that just plugging in ConcurrentHashMap would provide.
19-06-2006
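
One way to meet both points raised above, as an added example (not JDK code and not code from the report): a cache that keeps a maximum size and LRU replacement but splits the single lock across stripes. The class name `StripedCertCache`, the stripe count and the per-stripe bound are assumptions, and `CertificateFactory.generateCertificate` stands in for the provider's internal DER decode.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical bounded, lock-striped LRU cache of decoded certificates (not JDK code). */
public final class StripedCertCache {
    /** byte[] uses identity equals/hashCode, so wrap the DER bytes in a value key. */
    private static final class Key {
        final byte[] der; final int hash;
        Key(byte[] der) { this.der = der.clone(); this.hash = Arrays.hashCode(der); }
        @Override public int hashCode() { return hash; }
        @Override public boolean equals(Object o) {
            return o instanceof Key && Arrays.equals(der, ((Key) o).der);
        }
    }
    private final Map<Key, X509Certificate>[] stripes;

    @SuppressWarnings("unchecked")
    public StripedCertCache(int stripeCount, final int maxPerStripe) {
        stripes = new Map[stripeCount];
        for (int i = 0; i < stripeCount; i++) {
            // accessOrder=true keeps LRU order; removeEldestEntry enforces the size bound.
            stripes[i] = new LinkedHashMap<Key, X509Certificate>(16, 0.75f, true) {
                @Override protected boolean removeEldestEntry(Map.Entry<Key, X509Certificate> e) {
                    return size() > maxPerStripe;
                }
            };
        }
    }

    public X509Certificate decode(byte[] der) throws CertificateException {
        Key key = new Key(der);
        Map<Key, X509Certificate> stripe = stripes[(key.hash & 0x7fffffff) % stripes.length];
        synchronized (stripe) { // only threads hashing to this stripe contend
            X509Certificate hit = stripe.get(key);
            if (hit != null) return hit;
        }
        // Decode outside the lock; a duplicate decode by a racing thread is harmless.
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(key.der));
        synchronized (stripe) {
            X509Certificate prev = stripe.putIfAbsent(key, cert);
            return prev != null ? prev : cert;
        }
    }
}
```

Total capacity is `stripeCount * maxPerStripe`, and replacement is LRU within each stripe rather than globally.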