> This enhancement simplifies and improves the performance of the Comparator > that the PKIX CertPathBuilder uses to sort candidate certificates. > > [RFC 5280](https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1) requires > that certificates include authority and subject key identifiers to facilitate > cert path discovery. When the certificates comply with RFC 5280, the sorting > algorithm is fast and efficient. However, there may be cases where > certificates do not include the proper KIDs, for legacy or other reasons. > This enhancement targets those cases and has shown an increase in performance > of `CertPathBuilder.build` by up to 2x in tests involving certificates that > do not contain KIDs. Specific changes include: > > - Removed and simplified some of the steps in `PKIXCertComparator.compare` > method. Some of these steps were not a good representation of common > certificate hierarchies and were overly expensive to perform. > - Several methods in `X500Name` and `Builder` have been made obsolete and > thus removed. > - `X500Name` has been changed to use shared secrets instead of reflection to > access non-public members of `X500Principal`, and vice-versa. > - The `CertificateBuilder` test code has been enhanced to set reasonable > defaults for serial number and validity fields of a certificate
Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Add more comments. Remove unnecessary import. ------------- Changes: - all: https://git.openjdk.org/jdk/pull/17248/files - new: https://git.openjdk.org/jdk/pull/17248/files/7098b73c..22444c6d Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=17248&range=01 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=17248&range=00-01 Stats: 59 lines in 2 files changed: 10 ins; 16 del; 33 mod Patch: https://git.openjdk.org/jdk/pull/17248.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/17248/head:pull/17248 PR: https://git.openjdk.org/jdk/pull/17248
