(hopefully) improve mem consumption by default when comparing cert subjects

kares · kares · commit eb200e5341e8 · 2016-04-20T16:51:23.000+02:00
relates to #86
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/Certificate.java b/src/main/java/org/jruby/ext/openssl/x509store/Certificate.java
@@ -47,14 +47,14 @@ public int type() {
 
     @Override
     public boolean isName(final Name name) {
-        return name.equalTo( x509.getSubjectX500Principal() );
+        return name.equalToCertificateSubject(x509);
     }
 
     @Override
     public boolean matches(final X509Object other) {
         if (other instanceof Certificate) {
             final Certificate that = (Certificate) other;
-            return this.x509.getSubjectX500Principal().equals( that.x509.getSubjectX500Principal() );
+            return X509AuxCertificate.equalSubjects(this.x509, that.x509);
         }
         return false;
     }
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/Name.java b/src/main/java/org/jruby/ext/openssl/x509store/Name.java
@@ -30,10 +30,14 @@
 import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
 import javax.security.auth.x500.X500Principal;
 
 import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.jce.X509Principal;
+import org.bouncycastle.jce.provider.X509CertificateObject;
 
 import org.jruby.ext.openssl.SecurityHelper;
 
@@ -73,7 +77,7 @@ public static int hash(final X500Name name) throws IOException {
 
     private transient int hash = 0;
 
-    public int hash() {
+    public final int hash() {
         try {
             return hash == 0 ? hash = hash(name) : hash;
         }
@@ -106,6 +110,12 @@ public boolean equalTo(final X500Name name) {
         return this.name.equals(name);
     }
 
+    @SuppressWarnings("deprecation")
+    final boolean equalTo(final Principal principal) {
+        // assuming "legacy" non X500Principal impl (from BC)
+        return new X509Principal(this.name).equals(principal);
+    }
+
     public boolean equalTo(final X500Principal principal) {
         try {
             return new X500Principal(this.name.getEncoded(ASN1Encoding.DER)).equals(principal);
@@ -115,4 +125,17 @@ public boolean equalTo(final X500Principal principal) {
         }
     }
 
+    public final boolean equalToCertificateSubject(final X509AuxCertificate wrapper) {
+        // on Oracle/OpenJDK internal certificates: sun.security.x509.X509CertImpl
+        // BC: class org.bouncycastle.jcajce.provider.asymmetric.x509.X509CertificateObject
+        final X509Certificate cert = wrapper.cert;
+        if ( cert == null ) return equalTo( wrapper.getSubjectX500Principal() );
+
+        if ( cert instanceof X509CertificateObject ) {
+            return equalTo( cert.getSubjectDN() );
+        }
+        // otherwise need to take the 'expensive' path :
+        return equalTo( cert.getSubjectX500Principal() );
+    }
+
 }// X509_NAME
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/X509AuxCertificate.java b/src/main/java/org/jruby/ext/openssl/x509store/X509AuxCertificate.java
@@ -55,6 +55,7 @@
 import org.bouncycastle.asn1.DERBitString;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.x509.Certificate;
+import org.bouncycastle.jce.provider.X509CertificateObject;
 
 import org.jruby.ext.openssl.SecurityHelper;
 
@@ -68,7 +69,7 @@
 public class X509AuxCertificate extends X509Certificate implements Cloneable {
     private static final long serialVersionUID = -909543379295427515L;
 
-    private final X509Certificate cert;
+    final X509Certificate cert;
 
     final X509Aux aux;
 
@@ -235,7 +236,7 @@ public boolean equals(Object other) {
     }
 
     @Override
-    public int 	hashCode() {
+    public int hashCode() {
         int ret = cert.hashCode();
         ret += 3 * (aux == null ? 1 : aux.hashCode());
         return ret;
@@ -255,7 +256,7 @@ public void verify(PublicKey key, String sigProvider) throws CertificateExceptio
     }
 
     @Override
-    public  Set<String> getCriticalExtensionOIDs() {
+    public Set<String> getCriticalExtensionOIDs() {
         return cert.getCriticalExtensionOIDs();
     }
 
@@ -299,4 +300,14 @@ public Integer getNsCertType() throws CertificateException {
         }
     }
 
+    static boolean equalSubjects(final X509AuxCertificate cert1, final X509AuxCertificate cert2) {
+        if ( cert1.cert == cert2.cert ) return true;
+
+        if ( cert1.cert instanceof X509CertificateObject && cert2.cert instanceof X509CertificateObject ) {
+            return cert1.cert.getSubjectDN().equals( cert2.cert.getSubjectDN() ); // less expensive on mem
+        }
+        // otherwise need to take the 'expensive' path :
+        return cert1.getSubjectX500Principal().equals( cert2.getSubjectX500Principal() );
+    }
+
 }// X509AuxCertificate

Original file line number	Diff line number	Diff line change
`@@ -47,14 +47,14 @@ public int type() {`
`47`	`47`
`48`	`48`	`@Override`
`49`	`49`	`public boolean isName(final Name name) {`
`50`		`- return name.equalTo( x509.getSubjectX500Principal() );`
	`50`	`+ return name.equalToCertificateSubject(x509);`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`@Override`
`54`	`54`	`public boolean matches(final X509Object other) {`
`55`	`55`	`if (other instanceof Certificate) {`
`56`	`56`	`final Certificate that = (Certificate) other;`
`57`		`- return this.x509.getSubjectX500Principal().equals( that.x509.getSubjectX500Principal() );`
	`57`	`+ return X509AuxCertificate.equalSubjects(this.x509, that.x509);`
`58`	`58`	`}`
`59`	`59`	`return false;`
`60`	`60`	`}`