8268427: Improve AlgorithmConstraints:checkAlgorithm performance

[dongbohe]

Now AlgorithmConstraints:checkAlgorithm uses List to check if an algorithm has been disabled. It is less efficient when there are more disabled elements in the list, we can use Set instead of List to speed up the search.

Patch contains a benchmark that can be run with make test TEST="micro:java.security.AlgorithmConstraintsPermits".
Baseline results before patch:

Benchmark                            (algorithm)  Mode  Cnt    Score     Error  Units
AlgorithmConstraintsPermits.permits        SSLv3  avgt    5   21.687 ?   1.118  ns/op
AlgorithmConstraintsPermits.permits          DES  avgt    5  324.216 ?   6.233  ns/op
AlgorithmConstraintsPermits.permits         NULL  avgt    5  709.462 ?  51.259  ns/op
AlgorithmConstraintsPermits.permits       TLS1.3  avgt    5  687.497 ? 170.181  ns/op

Benchmark results after patch:

Benchmark                            (algorithm)  Mode  Cnt    Score    Error  Units
AlgorithmConstraintsPermits.permits        SSLv3  avgt    5   46.407 ?  1.057  ns/op
AlgorithmConstraintsPermits.permits          DES  avgt    5   65.722 ?  0.578  ns/op
AlgorithmConstraintsPermits.permits         NULL  avgt    5   43.988 ?  1.264  ns/op
AlgorithmConstraintsPermits.permits       TLS1.3  avgt    5  399.546 ? 11.194  ns/op

SSLv3, DES, NULL are the first, middle and last element in jdk.tls.disabledAlgorithms from conf/security/java.security.

Tomcat(maxKeepAliveRequests=1, which will disable HTTP/1.0 keep-alive)+Jmeter:
Before patch:

summary +  50349 in 00:00:30 = 1678.4/s Avg:   238 Min:   188 Max:   298 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 135183 in 00:01:22 = 1654.5/s Avg:   226 Min:    16 Max:  1281 Err:     0 (0.00%)
summary +  50240 in 00:00:30 = 1674.1/s Avg:   238 Min:   200 Max:   308 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 185423 in 00:01:52 = 1659.7/s Avg:   229 Min:    16 Max:  1281 Err:     0 (0.00%)
summary +  50351 in 00:00:30 = 1678.4/s Avg:   238 Min:   191 Max:   306 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 235774 in 00:02:22 = 1663.7/s Avg:   231 Min:    16 Max:  1281 Err:     0 (0.00%)
summary +  50461 in 00:00:30 = 1681.9/s Avg:   237 Min:   174 Max:   303 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0

After patch:

summary +  59003 in 00:00:30 = 1966.6/s Avg:   203 Min:   158 Max:   272 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 146675 in 00:01:18 = 1884.6/s Avg:   198 Min:    26 Max:   697 Err:     0 (0.00%)
summary +  58965 in 00:00:30 = 1965.9/s Avg:   203 Min:   166 Max:   257 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 205640 in 00:01:48 = 1907.2/s Avg:   199 Min:    26 Max:   697 Err:     0 (0.00%)
summary +  59104 in 00:00:30 = 1969.1/s Avg:   203 Min:   157 Max:   266 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 264744 in 00:02:18 = 1920.7/s Avg:   200 Min:    26 Max:   697 Err:     0 (0.00%)
summary +  59323 in 00:00:30 = 1977.6/s Avg:   202 Min:   158 Max:   256 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0

Testing: tier1, tier2

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance

Reviewers

• Xue-Lei Andrew Fan (@XueleiFan - Reviewer)
• Anthony Scarpino (@ascarpino - Reviewer) ⚠️ Review applies to 0253fdb

Contributors

• GaofengZhang <zhanggaofeng9@huawei.com>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/4424/head:pull/4424
$ git checkout pull/4424

Update a local copy of the PR:
$ git checkout pull/4424
$ git pull https://git.openjdk.java.net/jdk pull/4424/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 4424

View PR using the GUI difftool:
$ git pr show -t 4424

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/4424.diff

[bridgekeeper]

👋 Welcome back dongbohe! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@dongbohe The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 04: Full - Incremental (02b09719)
• 03: Full - Incremental (b863e2b3)
• 02: Full - Incremental (0253fdb2)
• 01: Full - Incremental (dde672f6)
• 00: Full (84706053)

[mlbridge]

Mailing list message from Sean Mullan on security-dev:

Nice, the benchmark results look impressive. I'll take a closer look at
the patch a little later.

--Sean

On 6/9/21 4:03 AM, Dongbo He wrote:

[mlbridge]

Mailing list message from Sean Mullan on security-dev:

Nice, the benchmark results look impressive. I'll take a closer look at
the patch a little later.

--Sean

On 6/9/21 4:03 AM, Dongbo He wrote:

[XueleiFan]

Is it doable to have the getAlgorithms() method return a Set?

[dongbohe]

The collection required when new Constraints() should retain the default case of the elements, because some code will depend on this, for example, .
entry.startsWith("keySize").
But the set required by the permits should unify the case of the elements, because algorithm may be uppercase or lowercase, but the Set:contains() cannot handle this situation.
So we need to create a new Set that ignores the default case of elements.

[XueleiFan]

For the entry.startsWith("keySize") example, I don't think keySize is an algorithm that could be listed individually in the list. The "keySize" may be just a part one algorithm, for example "RSA keySize < 1024".

It's a good point about the lowercase and upper case. Did you check how constraints like the "keySize" are expressed in the list or set?

[dongbohe]

Yes, you're right. The "keySize" is not an independent algorithm listed in list, it exists in a form like "EC keySize < 224". So when the elements in the collection returned by getAlgorithms are all uppercase or lowercase, an IllegalArgumentException will be thrown in throw new IllegalArgumentException.
In the case of "keySize", the object in the list stored in algorithmConstraints is KeySizeConstraint, then keysize will be checked in algorithmConstraints.permits(algorithm, parameters) by KeySizeConstraint:permits.

[seanjmullan]

I think it would be worthwhile to see if we can take this a step further, and leverage the Constraint objects that are already created and stored in the Constraints object in a HashMap<String, List<Constraint>>. The key is the algorithm String, and the value is a List of Constraint objects that apply to it. If the algorithm is completely disabled, the List would contain one entry Constraint.DisabledConstraint (which has a permits method that always returns false).

This way we could potentially eliminate the List/Set cache entirely and just use the HashMap to check if the algorithm is disabled.

[dongbohe]

I think it would be worthwhile to see if we can take this a step further, and leverage the Constraint objects that are already created and stored in the Constraints object in a HashMap<String, List<Constraint>>. The key is the algorithm String, and the value is a List of Constraint objects that apply to it. If the algorithm is completely disabled, the List would contain one entry Constraint.DisabledConstraint (which has a permits method that always returns false).

This way we could potentially eliminate the List/Set cache entirely and just use the HashMap to check if the algorithm is disabled.

Thanks for the suggestion, Constraints is a private inner class in DisabledAlgorithmConstraints.java and cannot be accessed in AbstractAlgorithmConstraints.java:checkAlgorithm.
Moreover, this method does not seem to be applicable to class LegacyAlgorithmConstraints.java, because there is no Constraints object in it.

[XueleiFan]

Is it possible to keep the current behavior that the property could be case sensitive? It may be not desired to allow "keysize" for "keySize" spec in the property.

[dongbohe]

If we keep property sensitive, we may need to use TreeSet. I have updated the PR with TreeSet. Fortunately, the performance hasn't changed much.

[XueleiFan]

I did not get the point to use TreeSet. Is it sufficient if the toLowerCase() is not added (and don't compare keywords like "keySize" by ignoring cases)?

- algorithmsInProperty[i] = algorithmsInProperty[i].trim().toLowerCase(...);
+ algorithmsInProperty[i] = algorithmsInProperty[i].trim();

[XueleiFan]

Sorry, I missed a "case" in the original comment (corrected). I meant to keep the property case sensitive in the hash set so that the keywords like "keySize" could be used correctly.

[dongbohe]

checkAlgorithm check whether the item is in the collection by ignoring case. If the item in the HashSet is case-sensitive, the method will lose its original algorithmic logic, but will retain it by using a new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

Can we use case sensitivity in checkAlgorithm to check an algorithm?

[XueleiFan]

The checkAlgorithm is using equalsIgnoreCase(), so it is safe for it. My concern is mainly about the keywords, like "keySize" used the property, not really the algorithm name. It is good to keep the current case sensitive checking behavior unchanged.

[dongbohe]

Hi, Xuelei, thank you for your comments. I may not express it clearly, let me clarify. My concern is that if we use the HashSet:contains method to check whether an item is in the hash set, we cannot use equalsIgnoreCase(), so I used new TreeSet<>(String.CASE_INSENSITIVE_ORDER) that can support equalsIgnoreCase().

According to my understanding, the current checkAlgorithm is not case sensitive, because it ignores the case of the item being checked. Looking forward to your suggestions。

[XueleiFan]

I see your point now. Thank you for the clarification. I need more time to think about if there is an improvement. I will be back.

[dongbohe]

The following is the Benchmark results for the new commit:

JMH:

Benchmark                            (algorithm)  Mode  Cnt    Score    Error  Units
AlgorithmConstraintsPermits.permits        SSLv3  avgt    5   47.353 ?  3.193  ns/op
AlgorithmConstraintsPermits.permits          DES  avgt    5   60.307 ?  1.351  ns/op
AlgorithmConstraintsPermits.permits         NULL  avgt    5   59.065 ?  0.728  ns/op
AlgorithmConstraintsPermits.permits       TLS1.3  avgt    5  428.311 ? 16.542  ns/op

Tomcat+Jmeter:

summary +  60455 in 00:00:30 = 2016.4/s Avg:   198 Min:   164 Max:   256 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 106982 in 00:00:55 = 1927.6/s Avg:   188 Min:    25 Max:  1194 Err:     0 (0.00%)
summary +  60430 in 00:00:30 = 2014.6/s Avg:   198 Min:   160 Max:   252 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 167412 in 00:01:25 = 1958.1/s Avg:   191 Min:    25 Max:  1194 Err:     0 (0.00%)
summary +  60480 in 00:00:30 = 2014.6/s Avg:   198 Min:   161 Max:   245 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0
summary = 227892 in 00:01:56 = 1972.8/s Avg:   193 Min:    25 Max:  1194 Err:     0 (0.00%)
summary +  60506 in 00:00:30 = 2016.6/s Avg:   198 Min:   161 Max:   255 Err:     0 (0.00%) Active: 400 Started: 400 Finished: 0

[ascarpino]

I will let Xuelei finish his review. From what I see in the code, the Comparator is used when the algorithm is fully disabled. The use of keywords later on in the Constraints constructor uses the ConstraintsEntry which I believe is stored with the upper and lower case. I think the code should be ok.

[XueleiFan]

This line could be placed and merged with line 96-98.

Set<String> elements = decomposer.decompose(algorithm);

[XueleiFan]

The check should be placed on the decomposed elements.

- if (algorithms.contains(algorithm)) 
+ if (algorithms.contains(element)) 

[XueleiFan]

Per the Java code conventions, the variable name could be "includePattern", rather than using capital all letters.

Please keep each line less than or equal to 80 bytes.

[XueleiFan]

I think the performance impact should be trivial if moving the "matcher" declaration into the for-loop block.

[XueleiFan]

I guess this line could be removed.

[XueleiFan]

I guess this line exceed 80 characters? Please keep it in 80 characters for each line.

[XueleiFan]

You may miss my previous comment. This variable is not static, hence all capital letters naming does not apply here.

As you are already here, it may be nice if you'd like to have this variable as a static final class field. Then, the compile() will be called one time at most for this class. As a static class field, you could use the capitalized name.

[dongbohe]

Sorry, I misunderstood what you meant before, I will fix it. Thank you!

[XueleiFan]

It may increase the readability a little bit if having the assignment in the declaration line:

-             Matcher matcher;
-             if ((matcher = INCLUDE_PATTERN.matcher(s)).matches()) {
+             Matcher matcher = INCLUDE_PATTERN.matcher(s);
+             if (matcher.matches()) {

[XueleiFan]

Looks good to me. Thank you!

[openjdk]

@dongbohe This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8268427: Improve AlgorithmConstraints:checkAlgorithm performance

Co-authored-by: GaofengZhang <zhanggaofeng9@huawei.com>
Reviewed-by: xuelei, ascarpino

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 236 new commits pushed to the master branch:

• 68ef21d: 4847239: (spec) File.createTempFile() should make it clear that it doesn't create the temporary directory
• 3fae4b3: 6633375: FileOutputStream_md.c should be merged into FileOutputStream.c
• 223759f: 8266901: Clarify the method description of Duration.toDaysPart()
• 35c4702: 8268967: Update java.security to use switch expressions
• b565459: 8267138: Stray suffix when starting gtests via GTestWrapper.java
• 1d16797: 8268469: Update java.time to use switch expressions
• ffa34ed: 8265919: RunThese30M fails "assert((!(((((JfrTraceIdBits::load(value)) & ((1 << 4) << 8)) != 0))))) failed: invariant"
• fdcae66: 8269092: Add OldObjectSampleEvent.allocationSize field
• fd43d9c: 8269225: JFR.stop misses the written info when the filename is only specified by JFR.start
• 3a8f3d6: 8269280: (bf) Replace StringBuffer in *Buffer.toString()
• ... and 226 more: https://git.openjdk.java.net/jdk/compare/4d1cf51b1d4a5e812c9f78b0104e40fbc4883a6c...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@XueleiFan, @ascarpino) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[dongbohe]

Thank you for your review, Xuelei.

Hi, mullan, ascarpino. Can I get some comments from you? @seanjmullan @ascarpino

[ascarpino]

I'm verifying if this copyright is ok or if it needs to be changed. Please don't integrate until I hear back from others.

[ascarpino]

This appears to be ok with the powers at be

[dongbohe]

/contributor add GaofengZhang zhanggaofeng9@huawei.com

[openjdk]

@dongbohe
Contributor GaofengZhang <zhanggaofeng9@huawei.com> successfully added.

[dongbohe]

/integrate

[openjdk]

@dongbohe
Your change (at version 02b0971) is now ready to be sponsored by a Committer.

[Hamlin-Li]

/sponsor

[openjdk]

Going to push as commit 3b83bc1.
Since your change was applied there have been 236 commits pushed to the master branch:

• 68ef21d: 4847239: (spec) File.createTempFile() should make it clear that it doesn't create the temporary directory
• 3fae4b3: 6633375: FileOutputStream_md.c should be merged into FileOutputStream.c
• 223759f: 8266901: Clarify the method description of Duration.toDaysPart()
• 35c4702: 8268967: Update java.security to use switch expressions
• b565459: 8267138: Stray suffix when starting gtests via GTestWrapper.java
• 1d16797: 8268469: Update java.time to use switch expressions
• ffa34ed: 8265919: RunThese30M fails "assert((!(((((JfrTraceIdBits::load(value)) & ((1 << 4) << 8)) != 0))))) failed: invariant"
• fdcae66: 8269092: Add OldObjectSampleEvent.allocationSize field
• fd43d9c: 8269225: JFR.stop misses the written info when the filename is only specified by JFR.start
• 3a8f3d6: 8269280: (bf) Replace StringBuffer in *Buffer.toString()
• ... and 226 more: https://git.openjdk.java.net/jdk/compare/4d1cf51b1d4a5e812c9f78b0104e40fbc4883a6c...master

Your commit was automatically rebased without conflicts.

[openjdk]

@Hamlin-Li @dongbohe Pushed as commit 3b83bc1.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.