On Wed, 3 Jan 2024 16:55:39 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This enhancement simplifies and improves the performance of the Comparator > that the PKIX CertPathBuilder uses to sort candidate certificates. > > [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1) requires > that certificates include authority and subject key identifiers to facilitate > cert path discovery. When the certificates comply with RFC 5280, the sorting > algorithm is fast and efficient. However, there may be cases where > certificates do not include the proper KIDs, for legacy or other reasons. > This enhancement targets those cases and has shown an increase in performance > of `CertPathBuilder.build` by up to 2x in tests involving certificates that > do not contain KIDs. Specific changes include: > > - Removed and simplified some of the steps in `PKIXCertComparator.compare` > method. Some of these steps were not a good representation of common > certificate hierarchies and were overly expensive to perform. > - Several methods in `X500Name` and `Builder` have been made obsolete and > thus removed. > - `X500Name` has been changed to use shared secrets instead of reflection to > access non-public members of `X500Principal`, and vice-versa. > - The `CertificateBuilder` test code has been enhanced to set reasonable > defaults for serial number and validity fields of a certificate src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java line 523: > 521: } > 522: if (tAo1 != null) { > 523: if (tAo2 != null) { Maybe it's unfamiliarity with this code, but I think we could use some comments here, especially since a similar condition is tested on line 534 (except tAo1 would be null in that case?). ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/17248#discussion_r1447668592
