Can I optimize this on Android? #66
Comments
Hi @laiyi55, Thanks for the question. That's interesting. In general I think if you're proposing changes based on performance it would be helpful to know more about how you're profiling this code. Do you have any intuition as to why the builder step is expensive?
This doesn't look right to me. I don't think we want the leaf and intermediates from the Android platform verifier's built chain ( If the profiling justifies it perhaps there's a way to cache |
Thanks for your answer. So we can't use trust anchors to validate revocation information. My test: |
Yes, in general the revocation cost is going to be higher on Android because of the lack of caching and multiple layers of JVM overhead compared to a platform like macOS (for example). However, it seems like there is room for optimization.
IIUC correctly, one of the biggest reasons it's so expensive right now is that we are collecting all trust roots out of the system store, which involves reading from disk, parsing tons of X509, etc. Any networking that Android is doing shouldn't be contributing to the slowdown noticeably. We won't need 99% of those roots. I would need to do more research on this since I am not that familiar with how OCSP's signing/verification works. We definitely don't want to add the whole chain in there though. Instead, just passing in the intermediates and roots would provide a public key the client can use to verify the OCSP signature. Again, this is just a hypothesis and I would want to perform more research on what |
I found that HTTPS costs more time on Rust than on Java, and then I found that the function verifyCertificateChain costs the most time.
CertificateVerifier.kt
It costs 200ms every request.
If we change it, we can save time.
I have already tried it and it did work, so can we do this?