On Mon, Mar 31, 2003, Chris Jarshant wrote:

> I generated 1000 test self-signed CA certs, and wrote
> a small program to add them all to an X509_STORE in
> preparation for verifying a certificate. But this operation
> took a LONG, LONG time. Even adding 500 certs took
> approx. 30 seconds! It appeared to go real fast for
> the first 100 certs, then decelerate, so I suspect some kind
> of sorting or linear search algorithm that is slowing
> things down.
>
> Has anyone else experienced this? I am fearful of what is
> going to happen (or not happen) when I try my test
> 1000-cert deep chained cert verification.

Well X509_STORE et al is rather broken but it shouldn't be that broken!

Do all these certificates have distinct subject names or do they all match?

The addition algorithm should do an initial binary search for a matching subject name followed by a linear search for an identical certificate.

Aw heck I've just had a horrible suspicion about what might be happening. I suspect the STACK is having a new certificate appended: this stuffs up the order then the next binary search calls qsort to restore it. This would happen when *every* new certificate is added. Erk...

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
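The append-then-resort pattern suspected in the reply above, as an added toy model that is not part of the original thread and is not OpenSSL's code. It assumes integer keys standing in for certificate subject names; the function names are hypothetical. It counts comparator calls for 1000 adds under that pattern and under an insert that keeps the array sorted.

```c
/* Toy model, not OpenSSL source: ints stand in for subject names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static unsigned long cmps;                  /* comparator calls so far */

static int cmp_key(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b;
    cmps++;
    return (x > y) - (x < y);
}

/* Suspected pattern: each append leaves the stack unsorted, so the
 * next lookup runs a full qsort before its binary search. */
unsigned long add_append_then_resort(int *v, int n) {
    int len = 0, sorted = 1;
    cmps = 0;
    for (int i = 0; i < n; i++) {
        int key = (i * 7919) % 1009;        /* constructed distinct keys */
        if (!sorted) { qsort(v, len, sizeof *v, cmp_key); sorted = 1; }
        if (bsearch(&key, v, len, sizeof *v, cmp_key)) continue;
        v[len++] = key; sorted = 0;         /* append breaks the order */
    }
    unsigned long total = cmps;             /* cost of the adds alone */
    qsort(v, len, sizeof *v, cmp_key);      /* leave v sorted for callers */
    return total;
}

/* Alternative: binary-search the slot and insert there, keeping order. */
unsigned long add_sorted_insert(int *v, int n) {
    int len = 0;
    cmps = 0;
    for (int i = 0; i < n; i++) {
        int key = (i * 7919) % 1009, lo = 0, hi = len;
        while (lo < hi) {                   /* lower-bound search */
            int mid = lo + (hi - lo) / 2;
            if (cmp_key(&v[mid], &key) < 0) lo = mid + 1; else hi = mid;
        }
        if (lo < len && v[lo] == key) continue;   /* already present */
        memmove(&v[lo + 1], &v[lo], (size_t)(len - lo) * sizeof *v);
        v[lo] = key; len++;
    }
    return cmps;
}

int main(void) {
    static int a[1000], b[1000];
    printf("append+resort: %lu\n", add_append_then_resort(a, 1000));
    printf("sorted insert: %lu\n", add_sorted_insert(b, 1000));
}
```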
