On Tue, 12 Apr 2022 15:40:46 GMT, Claes Redestad <redes...@openjdk.org> wrote:
>> While this is technically true, `SSLAlgorithmConstraints` is an internal >> class, so it's very unlikely that we will ever get `SSLAlgorithmConstraints` >> other than `DEFAULT` here. > > Right, I see even `DEFAULT_SSL_ONLY` is only used statically in one place. > > So the patch is probably good enough. Out of scope here, but if these > permits-calls are (somewhat) performance-sensitive and the `DEFAULT` object > is likely the only instance of `SSLAlgorithmConstraints` we'll ever see then > perhaps it should be a specialized implementation that avoid the always-null > `userSpecifiedConstraints != null` and `peerSpecifiedConstraints != null` > checks. Thanks for reviewing! These permits calls are generally performing sufficiently well; the problem is that they in turn end up calling [AlgorithmDecomposer#decomposeImpl](https://github.com/openjdk/jdk/blob/36b59f3814fdaa44c9c04a0e8d63d0ba56929326/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#L53), which performs string splitting using a [pattern with negative look-behind](https://github.com/openjdk/jdk/blob/36b59f3814fdaa44c9c04a0e8d63d0ba56929326/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#L43), which is pretty slow. But that's another story. ------------- PR: https://git.openjdk.java.net/jdk/pull/8199
