On Wed, 3 Jan 2024 16:55:39 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> This enhancement simplifies and improves the performance of the Comparator 
> that the PKIX CertPathBuilder uses to sort candidate certificates.
> 
> [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1) requires 
> that certificates include authority and subject key identifiers to facilitate 
> cert path discovery. When the certificates comply with RFC 5280, the sorting 
> algorithm is fast and efficient. However, there may be cases where 
> certificates do not include the proper KIDs, for legacy or other reasons. 
> This enhancement targets those cases and has shown an increase in performance 
> of `CertPathBuilder.build` by up to 2x in tests involving certificates that 
> do not contain KIDs. Specific changes include:
> 
> - Removed and simplified some of the steps in `PKIXCertComparator.compare` 
> method. Some of these steps were not a good representation of common 
> certificate hierarchies and were overly expensive to perform. 
> - Several methods in `X500Name` and `Builder` have been made obsolete and 
> thus removed.
> - `X500Name` has been changed to use shared secrets instead of reflection to 
> access non-public members of `X500Principal`, and vice-versa.
> - The `CertificateBuilder` test code has been enhanced to set reasonable 
> defaults for serial number and validity fields of a certificate

src/java.base/share/classes/sun/security/provider/certpath/Builder.java line 36:

> 34: import sun.security.provider.certpath.PKIX.BuilderParams;
> 35: import sun.security.util.Debug;
> 36: import sun.security.x509.GeneralNameInterface;

`GeneralNameInterface` is useless now.

src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java 
line 556:

> 554:      * @return the common ancestor or null if none or an attribute of the
> 555:      *    last RDN of the common ancestor is geographical
> 556:      */

~Is it possible to return the common ancestors of all the 3 names: trusted, 
issuer1, issuer2?~ Also, it seems there is no need to return a list. Just a 
number is enough. Actually, you care about the difference from the common part, 
so how about returning the distance directly?

Update: ignore the 1st part of this comment.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17248#discussion_r1447447541
PR Review Comment: https://git.openjdk.org/jdk/pull/17248#discussion_r1447468296
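As an added illustration of the reviewer's suggestion (returning a distance rather than the common-ancestor list), the sketch below computes how many RDNs a candidate issuer name extends past its common ancestor with the trust anchor name, and follows the quoted javadoc's caveat that an ancestor whose last RDN is geographical is treated as no usable ancestor. This is not JDK code: it uses `javax.naming.ldap.LdapName` as a stand-in for `X500Name`, and the set of attribute types counted as geographical (C, ST, L) is an assumption the thread does not spell out.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.List;
import java.util.Set;

public class NameDistance {
    // Assumed set of geographical attribute types; a common ancestor that ends in
    // one of these says little about organizational proximity (see the javadoc caveat).
    private static final Set<String> GEOGRAPHIC = Set.of("C", "ST", "L");

    /**
     * Number of RDNs by which {@code name} extends past its common ancestor with
     * {@code anchor}, or -1 if there is no usable common ancestor (none at all,
     * or one whose last RDN is geographical). Smaller is "closer" to the anchor.
     */
    public static int distanceFromCommonAncestor(LdapName anchor, LdapName name) {
        // LdapName.getRdns() is ordered root-first: index 0 is the rightmost RDN.
        List<Rdn> a = anchor.getRdns();
        List<Rdn> n = name.getRdns();
        int common = 0;
        while (common < a.size() && common < n.size()
                && a.get(common).equals(n.get(common))) {
            common++;
        }
        if (common == 0) {
            return -1; // no shared prefix at all
        }
        if (GEOGRAPHIC.contains(n.get(common - 1).getType().toUpperCase())) {
            return -1; // shared prefix ends in a geographical RDN
        }
        return n.size() - common;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample names, not taken from any real hierarchy.
        LdapName anchor = new LdapName("CN=Root CA, O=Example, C=US");
        LdapName near   = new LdapName("CN=Sub CA 1, O=Example, C=US");
        LdapName far    = new LdapName("CN=Leaf CA, OU=Dept, O=Example, C=US");
        LdapName other  = new LdapName("CN=Other CA, O=Unrelated, C=US");
        System.out.println("near:  " + distanceFromCommonAncestor(anchor, near));
        System.out.println("far:   " + distanceFromCommonAncestor(anchor, far));
        System.out.println("other: " + distanceFromCommonAncestor(anchor, other));
    }
}
```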