JDK-8038277 : Improve the bootstrap performance of cacerts keystore
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2014-03-24
  • Updated: 2020-11-25
Description
There are a lot of CA certs in JDK releases.  The bootstrap of the SunJSSE provider is pretty slow now.  It is reported that it takes 5 seconds to instantiate an SSLEngine or SSLSocket instance.  The number of certs in cacerts impacts the performance a lot.  It is only getting worse as more CAs are requesting us to add their root certs to the JRE. We may want to improve the loading and searching performance of the cert store.
Comments
If so (only one cert is needed), we should implement a CertStore type that supports select-by-IssuerSerial.
30-10-2014
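The comment above suggests a CertStore that can select a certificate by issuer and serial number. As an added illustration (not code from this bug or from the JDK), the following program loads the trusted certificates from a cacerts file into the standard Collection CertStore and queries it with an X509CertSelector keyed on issuer and serial, and then contrasts that with a hypothetical hash-indexed lookup (the IssuerSerialIndex class is an assumption of this example, not a JDK API). The cacerts path is taken from java.home by default; pass another path as the first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class IssuerSerialLookup {

    /** Reads every trusted certificate entry out of a cacerts keystore. */
    static List<X509Certificate> loadTrustedCerts(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            // A null password skips the integrity check; that is enough for reading public certs.
            ks.load(in, null);
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                certs.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return certs;
    }

    /** Standard JDK approach: the Collection CertStore scans linearly, testing the selector on each cert. */
    static X509Certificate selectViaCertStore(CertStore store, X500Principal issuer, BigInteger serial)
            throws CertStoreException {
        X509CertSelector sel = new X509CertSelector();
        sel.setIssuer(issuer);
        sel.setSerialNumber(serial);
        Collection<? extends Certificate> hits = store.getCertificates(sel);
        return hits.isEmpty() ? null : (X509Certificate) hits.iterator().next();
    }

    /** Hypothetical indexed store (example only): one map lookup instead of a scan over all certs. */
    static final class IssuerSerialIndex {
        private final Map<String, X509Certificate> index = new HashMap<>();

        IssuerSerialIndex(Collection<X509Certificate> certs) {
            for (X509Certificate c : certs) {
                index.put(key(c.getIssuerX500Principal(), c.getSerialNumber()), c);
            }
        }

        X509Certificate find(X500Principal issuer, BigInteger serial) {
            return index.get(key(issuer, serial));
        }

        // Canonical DN string plus serial gives a stable key for the map.
        private static String key(X500Principal issuer, BigInteger serial) {
            return issuer.getName(X500Principal.CANONICAL) + "|" + serial.toString(16);
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        List<X509Certificate> certs = loadTrustedCerts(path);
        CertStore store = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs));
        IssuerSerialIndex index = new IssuerSerialIndex(certs);

        // Use the first root as the lookup key; a root is self-signed, so issuer == subject.
        X509Certificate target = certs.get(0);
        X500Principal issuer = target.getIssuerX500Principal();
        BigInteger serial = target.getSerialNumber();

        long t0 = System.nanoTime();
        X509Certificate viaStore = selectViaCertStore(store, issuer, serial);
        long t1 = System.nanoTime();
        X509Certificate viaIndex = index.find(issuer, serial);
        long t2 = System.nanoTime();

        System.out.printf("%d certs loaded from %s%n", certs.size(), path);
        System.out.printf("CertStore scan:  %s in %d us%n", target.equals(viaStore), (t1 - t0) / 1000);
        System.out.printf("Indexed lookup:  %s in %d us%n", target.equals(viaIndex), (t2 - t1) / 1000);
    }
}
```

The X509CertSelector path shows the API shape a JSSE trust manager would use; the map-backed class is only there to make the cost difference between a scan and an indexed select visible on a real cacerts file.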

I did another round of benchmarking with 3 methods:
1. cacerts() loads the cacerts file into a KeyStore
2. sslcontext() calls SSLContext.getDefault()
3. sslengine() calls SSLContext.getDefault().createSSLEngine()

For all 3 methods, I've called cacerts() in a @Setup method, which means it's called before the benchmarking. The result is

Benchmark                  Mode  Samples    Score  Score error  Units
o.s.MyBenchmark.cacerts      ss       10    3.428        0.575     ms
o.s.MyBenchmark.sslcontext   ss       10   10.818        1.232     ms
o.s.MyBenchmark.sslengine    ss       10  151.478        9.157     ms

A rough interpretation would be:
1. if cacerts is loaded once, loading it again costs no time (due to the X509Factory cache)
2. creating an SSLContext also costs very little time
3. creating an SSLEngine costs a lot of time

Without the @Setup method, the result is

Benchmark                  Mode  Samples    Score  Score error  Units
o.s.MyBenchmark.cacerts      ss       10   89.946       26.308     ms
o.s.MyBenchmark.sslcontext   ss       10   92.649        3.355     ms
o.s.MyBenchmark.sslengine    ss       10  229.280       20.763     ms

So cold loading cacerts costs about 90 ms. I reduced the number of certs in cacerts to 4 (which still contains all 4 signature algorithms now used in cacerts). The result is

Benchmark                  Mode  Samples    Score  Score error  Units
o.s.MyBenchmark.cacerts      ss       10   54.334        4.409     ms
o.s.MyBenchmark.sslcontext   ss       10   60.821        8.757     ms
o.s.MyBenchmark.sslengine    ss       10  196.339        6.167     ms

So it seems loading the other 70 certs costs 35 ms. The 54 ms above is likely spent on loading the classes needed to parse the keystore.
21-08-2014
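The three benchmark methods in the comment above can be reproduced without JMH by timing the same calls in a fresh JVM. The program below is an added example (not the commenter's benchmark and not JDK code): it measures cacerts loading, SSLContext.getDefault() and createSSLEngine() with System.nanoTime(), and the optional --warm flag plays the role of the @Setup method by loading cacerts once before the measured run. The cacerts path from java.home and a null keystore password are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class BootstrapTiming {

    // Assumed location of the trust store shipped with the runtime.
    static final String CACERTS = System.getProperty("java.home") + "/lib/security/cacerts";

    interface Step { void run() throws Exception; }

    /** Runs one step and returns its wall-clock duration in milliseconds. */
    static long timeMillis(Step step) throws Exception {
        long t0 = System.nanoTime();
        step.run();
        return (System.nanoTime() - t0) / 1_000_000;
    }

    // Method 1: load the cacerts file into a KeyStore (parses every certificate).
    static void cacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(CACERTS)) {
            ks.load(in, null); // null password: no integrity check, certificates are still parsed
        }
    }

    // Method 2: obtain the default SSLContext (initialises the default trust manager).
    static void sslcontext() throws Exception {
        SSLContext.getDefault();
    }

    // Method 3: create an SSLEngine from the default context.
    static void sslengine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
    }

    public static void main(String[] args) throws Exception {
        boolean warm = false;
        String only = null;
        for (String a : args) {
            if (a.equals("--warm")) warm = true;       // pre-load cacerts, like a JMH @Setup method
            else only = a;                             // run a single method: cacerts, sslcontext or sslengine
        }
        if (warm) {
            cacerts();
        }
        // Each measurement below includes class loading and provider verification for a cold JVM,
        // so run one method per JVM (e.g. "java BootstrapTiming sslengine") to get a true cold number.
        if (only == null || only.equals("cacerts"))
            System.out.printf("cacerts    %d ms%n", timeMillis(BootstrapTiming::cacerts));
        if (only == null || only.equals("sslcontext"))
            System.out.printf("sslcontext %d ms%n", timeMillis(BootstrapTiming::sslcontext));
        if (only == null || only.equals("sslengine"))
            System.out.printf("sslengine  %d ms%n", timeMillis(BootstrapTiming::sslengine));
    }
}
```

Running all three in one JVM makes the later steps look cheap because the earlier ones already paid for class loading and JCE provider verification; the per-method argument exists so each step can be measured in a fresh process, which is what the single-shot (ss) JMH mode in the comment does. Swapping in a trimmed cacerts file, as the comment describes, is a matter of pointing CACERTS at it.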

I have seen problems using NetBeans with the SHA2 verification in the JCE providers, where verifications crawl to a snail's pace. If I set a breakpoint well beyond the verification, it went ok, but if I stepped over the line with the verification, it went very slow. Never had time to really dive into this. Is there any chance you can put this particular example under a profiler and see where the most time is spent? If this is a really a problem, then let's move this bug to the SHA2, and change the synopsis. Thanks.
18-08-2014

Standalone tests and jmh show loading of cacerts taking under 300 ms, with most of it spent on jar verification (of the JCE libs) and JCA getInstance() loading. This is a 2012 Mac Mini.
06-08-2014

I got 3 seconds to load SSLEngine on an old sparc (glisten.us.oracle.com). If you are working on a fast machine, 1.3 seconds is a pretty big fraction. See more possible causes in my comments in JDK-8022063.
02-04-2014

I chose a random alias and called "keytool -list -alias it"; the time is similar to listing all. That 0.6 seconds is the user field of the time command. I'm just saying that if an SSLEngine needs 5 seconds to initialize, loading cacerts looks like only a fraction. (Maybe the reporter's system is too slow.)
02-04-2014

0.6 seconds to list a single-element keystore is not good performance. Did it also include the keytool bootstrap cost? Can you make a test of the performance of searching for a cert in cacerts?
02-04-2014

How long will it take if cacerts is empty? On my desktop, keytool -list takes 0.6 seconds for a single-element keystore and 1.3 seconds for cacerts.
02-04-2014