----- Original Message -----
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 31, 2003 7:52 PM
Subject: Re: X509_STORE and X509_verify performance


> On Mon, Mar 31, 2003, Chris Jarshant wrote:
>
> > I generated 1000 test self-signed CA certs, and wrote
> > a small program to add them all to an X509_STORE in
> > preparation for verifying a certificate.. But this operation
> > took a LONG, LONG time.  Even adding 500 certs took
> > approx. 30 seconds!  It appeared to go real fast for
> > the first 100 certs, then decelerate, so I suspect some kind
> > of sorting or linear search algorithm that is slowing
> > things down.
> >
> > Has anyone else experienced this?  I am fearful of what is
> > going to happen (or not happen) when I try my test
> > 1000-cert deep chained cert verification.
> >
>
> Well X509_STORE et al is rather broken but it shouldn't be that broken!
>
> Do all these certificates have distinct subject names or do they all match?
> The addition algorithm should do an initial binary search for a matching
> subject name followed by a linear search for an identical certificate.
>

Yes they all have distinct subject names of the form "Test CA Certificate X"
where 0<=X<1000, and all of them have distinct private keys (of bit
length 384; making 1000 2048-bit keys takes much too much time).
I can send you the script I used to generate them if ya want, though
I have a feeling you probably already know how.

> Aw heck I've just had a horrible suspicion about what might be happening. I
> suspect the STACK is having a new certificate appended: this stuffs up the
> order then the next binary search calls qsort to restore it. This would happen
> when *every* new certificate is added. Erk...

Yeah, in one of the stack traces I saw under a debugger,
I saw a qsort in there somewhere.

Any workarounds you can think of?  Could there be a performance
feature added that allows you to delay the sorting until you're done,
or perhaps don't sort it at all until the STORE is used for the first
time during X509_verify()?  Any way to override qsort with a
NOP then when adding the last cert, change it back to qsort()?

cj

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
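The slowdown the thread suspects (append spoils the sort order, the next binary search calls qsort to restore it, so every X509_STORE_add_cert re-sorts the whole stack) can be reproduced with a small model. The code below is an added example, not OpenSSL's code: it is a hypothetical lazily sorted STACK with the behaviour Stephen describes, fed constructed subject names of the form "Test CA Certificate X". It counts how many qsort() calls and strcmp() comparisons it takes to add n certificates one at a time (lookup, then push, as the thread says the store does) versus pushing them all and sorting once on first use, which is the workaround Chris asks about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a lazily sorted STACK (not OpenSSL's implementation):
 * sk_push() appends and marks the stack unsorted; sk_find() re-sorts with
 * qsort() if needed and then binary-searches. */
typedef struct {
    const char **data;
    int num, cap;
    int sorted;
    long qsort_calls;   /* re-sorts forced by sk_find() */
    long compares;      /* strcmp() calls made inside qsort()/bsearch() */
} lazy_stack;

static lazy_stack *g_cur;   /* stack whose comparator is currently running */

static int cmp_name(const void *a, const void *b)
{
    g_cur->compares++;
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

static void sk_init(lazy_stack *sk)
{
    memset(sk, 0, sizeof *sk);
    sk->sorted = 1;             /* an empty stack is trivially sorted */
}

static void sk_push(lazy_stack *sk, const char *name)
{
    if (sk->num == sk->cap) {
        sk->cap = sk->cap ? sk->cap * 2 : 16;
        sk->data = realloc(sk->data, sk->cap * sizeof *sk->data);
    }
    sk->data[sk->num++] = name;
    sk->sorted = 0;             /* appending spoils the order */
}

/* Index of name, or -1. Re-sorts first if a push invalidated the order. */
static int sk_find(lazy_stack *sk, const char *name)
{
    const char **hit;
    g_cur = sk;
    if (!sk->sorted) {
        qsort(sk->data, sk->num, sizeof *sk->data, cmp_name);
        sk->sorted = 1;
        sk->qsort_calls++;
    }
    hit = bsearch(&name, sk->data, sk->num, sizeof *sk->data, cmp_name);
    return hit ? (int)(hit - sk->data) : -1;
}

/* Constructed input: n distinct subject names like those in the thread. */
static char **make_names(int n)
{
    char **names = malloc(n * sizeof *names);
    for (int i = 0; i < n; i++) {
        names[i] = malloc(32);
        snprintf(names[i], 32, "Test CA Certificate %d", i);
    }
    return names;
}

static void free_all(lazy_stack *sk, char **names, int n)
{
    for (int i = 0; i < n; i++)
        free(names[i]);
    free(names);
    free(sk->data);
}

/* Models add_cert as the thread describes it: binary-search for the subject,
 * then append. Every lookup after the first push forces a full qsort(). */
long qsorts_when_adding_one_by_one(int n, long *compares)
{
    lazy_stack sk;
    char **names = make_names(n);
    sk_init(&sk);
    for (int i = 0; i < n; i++)
        if (sk_find(&sk, names[i]) < 0)     /* duplicate check, always misses */
            sk_push(&sk, names[i]);
    long q = sk.qsort_calls;
    if (compares)
        *compares = sk.compares;
    free_all(&sk, names, n);
    return q;
}

/* The workaround asked about: push everything, sort once on first use. */
long qsorts_when_batching(int n, long *compares)
{
    lazy_stack sk;
    char **names = make_names(n);
    sk_init(&sk);
    for (int i = 0; i < n; i++)
        sk_push(&sk, names[i]);
    (void)sk_find(&sk, names[n / 2]);       /* first lookup triggers one qsort */
    long q = sk.qsort_calls;
    if (compares)
        *compares = sk.compares;
    free_all(&sk, names, n);
    return q;
}

/* Sanity check that the batched stack still finds (or rejects) a subject. */
int lookup_after_batching(int n, const char *key)
{
    lazy_stack sk;
    char **names = make_names(n);
    sk_init(&sk);
    for (int i = 0; i < n; i++)
        sk_push(&sk, names[i]);
    int found = sk_find(&sk, key) >= 0;
    free_all(&sk, names, n);
    return found;
}

int main(void)
{
    long c1 = 0, c2 = 0;
    long q1 = qsorts_when_adding_one_by_one(1000, &c1);
    long q2 = qsorts_when_batching(1000, &c2);
    printf("one at a time: %ld qsort() calls, %ld compares\n", q1, c1);
    printf("batched:       %ld qsort() calls, %ld compares\n", q2, c2);
    return 0;
}
```

With 1000 names the one-at-a-time path re-sorts 999 times (roughly n^2 log n comparisons in total), while the batched path sorts once; the difference in comparisons is the quadratic factor behind the "fast for the first 100, then decelerating" behaviour Chris saw. Whether a given OpenSSL release actually behaves like this model is exactly the question left open in the thread, so treat the numbers as an illustration of the suspected algorithm, not as a measurement of OpenSSL.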
