Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8268427: Improve AlgorithmConstraints:checkAlgorithm performance #10

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
@@ -32,6 +32,7 @@
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.TreeSet;
import java.util.List;
import java.util.Set;

@@ -48,7 +49,7 @@ protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
}

// Get algorithm constraints from the specified security property.
static List<String> getAlgorithms(String propertyName) {
static Set<String> getAlgorithms(String propertyName) {
@SuppressWarnings("removal")
String property = AccessController.doPrivileged(
new PrivilegedAction<String>() {
@@ -73,38 +74,30 @@ public String run() {

// map the disabled algorithms
if (algorithmsInProperty == null) {
return Collections.emptyList();
return Collections.emptySet();
}
return new ArrayList<>(Arrays.asList(algorithmsInProperty));
Set<String> algorithmsInPropertySet = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
algorithmsInPropertySet.addAll(Arrays.asList(algorithmsInProperty));
return algorithmsInPropertySet;
}

static boolean checkAlgorithm(List<String> algorithms, String algorithm,
static boolean checkAlgorithm(Set<String> algorithms, String algorithm,
AlgorithmDecomposer decomposer) {
if (algorithm == null || algorithm.isEmpty()) {
throw new IllegalArgumentException("No algorithm name specified");
}

Set<String> elements = null;
for (String item : algorithms) {
if (item == null || item.isEmpty()) {
continue;
}

// check the full name
if (item.equalsIgnoreCase(algorithm)) {
return false;
}
if (algorithms.contains(algorithm)) {
return false;
}

// decompose the algorithm into sub-elements
if (elements == null) {
elements = decomposer.decompose(algorithm);
}
// decompose the algorithm into sub-elements
Set<String> elements = decomposer.decompose(algorithm);

// check the items of the algorithm
for (String element : elements) {
if (item.equalsIgnoreCase(element)) {
return false;
}
// check the element of the elements
for (String element : elements) {
if (algorithms.contains(element)) {
return false;
}
}

@@ -85,6 +85,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
private static final String PROPERTY_DISABLED_EC_CURVES =
"jdk.disabled.namedCurves";

private static final Pattern INCLUDE_PATTERN = Pattern.compile("include " +
PROPERTY_DISABLED_EC_CURVES, Pattern.CASE_INSENSITIVE);

private static class CertPathHolder {
static final DisabledAlgorithmConstraints CONSTRAINTS =
new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS);
@@ -95,7 +98,7 @@ private static class JarHolder {
new DisabledAlgorithmConstraints(PROPERTY_JAR_DISABLED_ALGS);
}

private final List<String> disabledAlgorithms;
private final Set<String> disabledAlgorithms;
private final Constraints algorithmConstraints;

public static DisabledAlgorithmConstraints certPathConstraints() {
@@ -130,21 +133,14 @@ public DisabledAlgorithmConstraints(String propertyName,
disabledAlgorithms = getAlgorithms(propertyName);

// Check for alias
int ecindex = -1, i = 0;
for (String s : disabledAlgorithms) {
if (s.regionMatches(true, 0,"include ", 0, 8)) {
if (s.regionMatches(true, 8, PROPERTY_DISABLED_EC_CURVES, 0,
PROPERTY_DISABLED_EC_CURVES.length())) {
ecindex = i;
break;
}
Matcher matcher = INCLUDE_PATTERN.matcher(s);
if (matcher.matches()) {
disabledAlgorithms.remove(matcher.group());
disabledAlgorithms.addAll(
getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
break;
}
i++;
}
if (ecindex > -1) {
disabledAlgorithms.remove(ecindex);
disabledAlgorithms.addAll(ecindex,
getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
}
algorithmConstraints = new Constraints(propertyName, disabledAlgorithms);
}
@@ -332,8 +328,8 @@ private static class Holder {
"denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
}

public Constraints(String propertyName, List<String> constraintArray) {
for (String constraintEntry : constraintArray) {
public Constraints(String propertyName, Set<String> constraintSet) {
for (String constraintEntry : constraintSet) {
if (constraintEntry == null || constraintEntry.isEmpty()) {
continue;
}
@@ -40,7 +40,7 @@ public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
public static final String PROPERTY_TLS_LEGACY_ALGS =
"jdk.tls.legacyAlgorithms";

private final List<String> legacyAlgorithms;
private final Set<String> legacyAlgorithms;

public LegacyAlgorithmConstraints(String propertyName,
AlgorithmDecomposer decomposer) {
@@ -0,0 +1,66 @@
/*
* Copyright (c) 2021, Huawei Technologies Co., Ltd. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package org.openjdk.bench.java.security;

import org.openjdk.jmh.annotations.Benchmark;
import org.openjdk.jmh.annotations.BenchmarkMode;
import org.openjdk.jmh.annotations.Fork;
import org.openjdk.jmh.annotations.Mode;
import org.openjdk.jmh.annotations.OutputTimeUnit;
import org.openjdk.jmh.annotations.Param;
import org.openjdk.jmh.annotations.Scope;
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import sun.security.util.DisabledAlgorithmConstraints;

import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.util.concurrent.TimeUnit;
import java.util.EnumSet;
import java.util.Set;

import static sun.security.util.DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS;

@BenchmarkMode(Mode.AverageTime)
@OutputTimeUnit(TimeUnit.NANOSECONDS)
@Fork(jvmArgsAppend = {"--add-exports", "java.base/sun.security.util=ALL-UNNAMED"})
@State(Scope.Thread)
public class AlgorithmConstraintsPermits {

AlgorithmConstraints tlsDisabledAlgConstraints;
Set<CryptoPrimitive> primitives = EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

@Param({"SSLv3", "DES", "NULL", "TLS1.3"})
String algorithm;

@Setup
public void setup() {
tlsDisabledAlgConstraints = new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS);
}

@Benchmark
public boolean permits() {
return tlsDisabledAlgConstraints.permits(primitives, algorithm, null);
}
}