Skip to content
This repository has been archived by the owner on Feb 2, 2023. It is now read-only.

Commit

Permalink
Browse files Browse the repository at this point in the history
8268427: Improve AlgorithmConstraints:checkAlgorithm performance 
Backport-of: 3b83bc1bc331d268987f56ea4f23124a7f6ee38b
  • Loading branch information
@eastig
eastig authored and Yuri Nesterenko committed Sep 13, 2021
1 parent 5c9dc7b commit 0bc58f9
Show file tree
Hide file tree
Showing 4 changed files with 95 additions and 40 deletions.
39 changes: 16 additions & 23 deletions src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
View file
Expand Up @@ -32,6 +32,7 @@
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.TreeSet;
import java.util.List;
import java.util.Set;

Expand All @@ -48,7 +49,7 @@ protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
}

// Get algorithm constraints from the specified security property.
static List<String> getAlgorithms(String propertyName) {
static Set<String> getAlgorithms(String propertyName) {
String property = AccessController.doPrivileged(
new PrivilegedAction<String>() {
@Override
Expand All @@ -72,38 +73,30 @@ public String run() {

// map the disabled algorithms
if (algorithmsInProperty == null) {
return Collections.emptyList();
return Collections.emptySet();
}
return new ArrayList<>(Arrays.asList(algorithmsInProperty));
Set<String> algorithmsInPropertySet = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
algorithmsInPropertySet.addAll(Arrays.asList(algorithmsInProperty));
return algorithmsInPropertySet;
}

static boolean checkAlgorithm(List<String> algorithms, String algorithm,
static boolean checkAlgorithm(Set<String> algorithms, String algorithm,
AlgorithmDecomposer decomposer) {
if (algorithm == null || algorithm.isEmpty()) {
throw new IllegalArgumentException("No algorithm name specified");
}

Set<String> elements = null;
for (String item : algorithms) {
if (item == null || item.isEmpty()) {
continue;
}

// check the full name
if (item.equalsIgnoreCase(algorithm)) {
return false;
}
if (algorithms.contains(algorithm)) {
return false;
}

// decompose the algorithm into sub-elements
if (elements == null) {
elements = decomposer.decompose(algorithm);
}
// decompose the algorithm into sub-elements
Set<String> elements = decomposer.decompose(algorithm);

// check the items of the algorithm
for (String element : elements) {
if (item.equalsIgnoreCase(element)) {
return false;
}
// check the element of the elements
for (String element : elements) {
if (algorithms.contains(element)) {
return false;
}
}

Expand Down
28 changes: 12 additions & 16 deletions src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
View file
Expand Up @@ -85,6 +85,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
private static final String PROPERTY_DISABLED_EC_CURVES =
"jdk.disabled.namedCurves";

private static final Pattern INCLUDE_PATTERN = Pattern.compile("include " +
PROPERTY_DISABLED_EC_CURVES, Pattern.CASE_INSENSITIVE);

private static class CertPathHolder {
static final DisabledAlgorithmConstraints CONSTRAINTS =
new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS);
Expand All @@ -95,7 +98,7 @@ private static class JarHolder {
new DisabledAlgorithmConstraints(PROPERTY_JAR_DISABLED_ALGS);
}

private final List<String> disabledAlgorithms;
private final Set<String> disabledAlgorithms;
private final Constraints algorithmConstraints;

public static DisabledAlgorithmConstraints certPathConstraints() {
Expand Down Expand Up @@ -130,21 +133,14 @@ public DisabledAlgorithmConstraints(String propertyName,
disabledAlgorithms = getAlgorithms(propertyName);

// Check for alias
int ecindex = -1, i = 0;
for (String s : disabledAlgorithms) {
if (s.regionMatches(true, 0,"include ", 0, 8)) {
if (s.regionMatches(true, 8, PROPERTY_DISABLED_EC_CURVES, 0,
PROPERTY_DISABLED_EC_CURVES.length())) {
ecindex = i;
break;
}
Matcher matcher = INCLUDE_PATTERN.matcher(s);
if (matcher.matches()) {
disabledAlgorithms.remove(matcher.group());
disabledAlgorithms.addAll(
getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
break;
}
i++;
}
if (ecindex > -1) {
disabledAlgorithms.remove(ecindex);
disabledAlgorithms.addAll(ecindex,
getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
}
algorithmConstraints = new Constraints(propertyName, disabledAlgorithms);
}
Expand Down Expand Up @@ -332,8 +328,8 @@ private static class Holder {
"denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
}

public Constraints(String propertyName, List<String> constraintArray) {
for (String constraintEntry : constraintArray) {
public Constraints(String propertyName, Set<String> constraintSet) {
for (String constraintEntry : constraintSet) {
if (constraintEntry == null || constraintEntry.isEmpty()) {
continue;
}
Expand Down
2 changes: 1 addition & 1 deletion src/java.base/share/classes/sun/security/util/LegacyAlgorithmConstraints.java
View file
Expand Up @@ -40,7 +40,7 @@ public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
public static final String PROPERTY_TLS_LEGACY_ALGS =
"jdk.tls.legacyAlgorithms";

private final List<String> legacyAlgorithms;
private final Set<String> legacyAlgorithms;

public LegacyAlgorithmConstraints(String propertyName,
AlgorithmDecomposer decomposer) {
Expand Down
66 changes: 66 additions & 0 deletions test/micro/org/openjdk/bench/java/security/AlgorithmConstraintsPermits.java
View file
@@ -0,0 +1,66 @@
/*
* Copyright (c) 2021, Huawei Technologies Co., Ltd. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package org.openjdk.bench.java.security;

import org.openjdk.jmh.annotations.Benchmark;
import org.openjdk.jmh.annotations.BenchmarkMode;
import org.openjdk.jmh.annotations.Fork;
import org.openjdk.jmh.annotations.Mode;
import org.openjdk.jmh.annotations.OutputTimeUnit;
import org.openjdk.jmh.annotations.Param;
import org.openjdk.jmh.annotations.Scope;
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import sun.security.util.DisabledAlgorithmConstraints;

import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.util.concurrent.TimeUnit;
import java.util.EnumSet;
import java.util.Set;

import static sun.security.util.DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS;

@BenchmarkMode(Mode.AverageTime)
@OutputTimeUnit(TimeUnit.NANOSECONDS)
@Fork(jvmArgsAppend = {"--add-exports", "java.base/sun.security.util=ALL-UNNAMED"})
@State(Scope.Thread)
public class AlgorithmConstraintsPermits {

AlgorithmConstraints tlsDisabledAlgConstraints;
Set<CryptoPrimitive> primitives = EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

@Param({"SSLv3", "DES", "NULL", "TLS1.3"})
String algorithm;

@Setup
public void setup() {
tlsDisabledAlgConstraints = new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS);
}

@Benchmark
public boolean permits() {
return tlsDisabledAlgConstraints.permits(primitives, algorithm, null);
}
}

1 comment on commit 0bc58f9

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

Issues

Please sign in to comment.