X509CertificateCache should support looking up by DER, not just OSCertHandle
Issue description

X509CertificateCache maintains a cache of OSCertHandles, which on all our platforms are ref-counted representations of the underlying platform handle. Because they're ref-counted, we can avoid the memory overhead of maintaining multiple independent representations, by ensuring any 'unique' OSCertHandles are replaced with their 'canonical' ref-counted version.

In Issue 655585, it was pointed out that Android is spending a non-trivial amount of time converting the raw DER data into an OSCertHandle, an OpenSSL X509*. That's because the X509* does non-trivial recursive parsing.

We should consider adding an additional API to the X509CertificateCache to allow lookups/parsing by the DER, and update X509Certificate::CreateFromDERCertChain / CreateFromBytes to use this short-circuit API. The effect of such an API change would allow avoiding the additional parsing for the throw-away OSCertHandle, allowing us to optimize for both memory and performance.
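
The lookup-by-DER idea from the issue description, sketched as an added example (not Chromium code and not part of the original report): a cache keyed on the raw DER bytes returns the canonical ref-counted handle on a hit, so no throw-away handle is parsed. `ParsedCert`, `DerKeyedCertCache` and `GetOrParse` are hypothetical names, and the parser is a stand-in that only counts calls and checks the outer SEQUENCE tag.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Stand-in for an OSCertHandle: the expensive-to-build parsed form of a cert.
struct ParsedCert {
  std::string der;  // the encoding this handle was parsed from
};

// Hypothetical cache keyed by the raw DER bytes instead of a parsed handle.
class DerKeyedCertCache {
 public:
  // Returns the canonical handle for |der|, parsing only on a cache miss.
  std::shared_ptr<ParsedCert> GetOrParse(const std::string& der) {
    auto it = entries_.find(der);
    if (it != entries_.end()) {
      if (auto live = it->second.lock())
        return live;       // hit: no throw-away handle is ever created
      entries_.erase(it);  // last reference went away; drop the stale entry
    }
    auto handle = Parse(der);
    if (!handle)
      return nullptr;  // malformed input is never cached
    entries_[der] = handle;  // weak reference: the cache does not keep it alive
    return handle;
  }

  std::size_t parse_count() const { return parse_count_; }
  std::size_t size() const { return entries_.size(); }  // may include stale entries

 private:
  // Simulated parser: counts calls and only checks for the DER SEQUENCE tag.
  std::shared_ptr<ParsedCert> Parse(const std::string& der) {
    ++parse_count_;
    if (der.size() < 2 || static_cast<unsigned char>(der[0]) != 0x30)
      return nullptr;
    return std::make_shared<ParsedCert>(ParsedCert{der});
  }

  std::map<std::string, std::weak_ptr<ParsedCert>> entries_;
  std::size_t parse_count_ = 0;
};
```
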
May 9 2017
Closing seems reasonable to me, unless there is some desire to track the fact that it's not fixed yet on some platforms. (Background just in case anyone reads this bug and wonders about the connection: X509CertificateCache is not used on use_byte_certs builds since CRYPTO_BUFFER_POOL already handles deduping.)
May 9 2017
Comment 1 by davidben@chromium.org, May 9 2017