
FIPS Key Validation Performance Problem


Newton, Scott

Hi all,

Updating an application from the standard BC jars to the new BCFIPS jars, I have run into the following performance problem: There is a Trust Store that contains around 100 common CA certificates and the first time this Trust Store is handled, BouncyCastleFipsProvider does key validation on every single public key, which freezes the application for about 5 seconds. After this initial delay, there are no more problems because BC caches the public key on the X509CertificateObject that is created, but the 5 second delay is unacceptable as is.

Are there any workarounds or ideas for how to resolve this problem?

See the following stack trace for context:

main State: RUNNABLE CPU usage on sample: 998ms
java.math.BigInteger.mulAdd(int[], int[], int, int, int) BigInteger.java:2916
java.math.BigInteger.montReduce(int[], int[], int, int) BigInteger.java:2866
java.math.BigInteger.implMontgomerySquare(int[], int[], int, long, int[]) BigInteger.java:2613
java.math.BigInteger.montgomerySquare(int[], int[], int, long, int[]) BigInteger.java:2571
java.math.BigInteger.oddModPow(BigInteger, BigInteger) BigInteger.java:2839
java.math.BigInteger.modPow(BigInteger, BigInteger) BigInteger.java:2502
org.bouncycastle.math.internal.Primes.enhancedMRProbablePrimeTest(BigInteger, SecureRandom, int)
org.bouncycastle.crypto.asymmetric.KeyUtils.validatedModulus(BigInteger)
org.bouncycastle.crypto.asymmetric.KeyUtils.validated(BigInteger, BigInteger)
org.bouncycastle.crypto.asymmetric.AsymmetricRSAPublicKey.<init>(Algorithm, AlgorithmIdentifier, RSAPublicKey)
org.bouncycastle.crypto.asymmetric.AsymmetricRSAPublicKey.<init>(Algorithm, SubjectPublicKeyInfo)
org.bouncycastle.jcajce.provider.ProvRSA$RSAKeyFactory.generatePublic(SubjectPublicKeyInfo)
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider.getPublicKey(SubjectPublicKeyInfo)
org.bouncycastle.jcajce.provider.X509CertificateObject.getPublicKey()
sun.security.validator.PKIXValidator.<init>(String, PKIXBuilderParameters) PKIXValidator.java:148
sun.security.validator.Validator.getInstance(String, String, PKIXBuilderParameters) Validator.java:197
sun.security.ssl.X509TrustManagerImpl.getValidator(String) X509TrustManagerImpl.java:314
sun.security.ssl.X509TrustManagerImpl.<init>(String, PKIXBuilderParameters) X509TrustManagerImpl.java:90
sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory.getInstance(ManagerFactoryParameters) TrustManagerFactoryImpl.java:277
sun.security.ssl.TrustManagerFactoryImpl.engineInit(ManagerFactoryParameters) TrustManagerFactoryImpl.java:90
javax.net.ssl.TrustManagerFactory.init(ManagerFactoryParameters) TrustManagerFactory.java:273
my.code.TrustManagerBuilder.getTrustManagers() TrustManagerBuilder.java:97
my.code.CryptoWbClientSocketFactory.createSSLContext(String) CryptoWbClientSocketFactory.java:60
my.code.CryptoCoreClientSocketFactory.<init>(ISecurityInfoProvider, String) CryptoCoreClientSocketFactory.java:50

Thanks!

Scott Newton
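
A timing harness for the behaviour described in the post above. This is an added example, not part of the original message and not Bouncy Castle code. It loads a trust store through the BCFIPS provider and times the first and a repeated getPublicKey() call on each certificate, so the one-time validation cost and the effect of the cached key can be measured per certificate. The class name and the three command-line arguments (store file, store type, password) are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Usage (arguments are assumptions of this example):
//   java TrustStoreKeyTiming <store-file> <store-type> <password>
public class TrustStoreKeyTiming {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleFipsProvider());

        // Load the store through BCFIPS so the certificates are BC objects,
        // matching the X509CertificateObject.getPublicKey() frame in the trace.
        KeyStore store = KeyStore.getInstance(args[1], "BCFIPS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            store.load(in, args[2].toCharArray());
        }

        List<Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (c != null) {
                certs.add(c);
            }
        }

        long first = 0, repeat = 0;
        for (Certificate c : certs) {
            long t0 = System.nanoTime();
            c.getPublicKey();              // first call: key is built and validated
            long t1 = System.nanoTime();
            c.getPublicKey();              // repeated call on the same object
            long t2 = System.nanoTime();
            first += t1 - t0;
            repeat += t2 - t1;
            System.out.printf("%-6s first=%8.2f ms  repeat=%8.2f ms%n",
                    c.getPublicKey().getAlgorithm(), (t1 - t0) / 1e6, (t2 - t1) / 1e6);
        }
        System.out.printf("%d certificates: first pass %.1f ms, repeat pass %.1f ms%n",
                certs.size(), first / 1e6, repeat / 1e6);
    }
}
```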

 
