Skip to content

Add x509storeadd perf test#94

Open
npajkovsky wants to merge 1 commit into
openssl:mainfrom
npajkovsky:x509storeadd
Open

Add x509storeadd perf test#94
npajkovsky wants to merge 1 commit into
openssl:mainfrom
npajkovsky:x509storeadd

Conversation

@npajkovsky

Copy link
Copy Markdown

Measure X509_STORE_add_cert()/X509_STORE_add_crl() as the store grows. The store keys objects by their subject/issuer X509_NAME into a hash table, so the cost of an add depends on how the names distribute over the buckets. Two workloads are measured across a sweep of store sizes (default 128..32768, override with -n):

spread - every object carries a distinct name and lands in a bucket
of its own, with randomised insertion order; the O(1)
common case.

bucket - every object carries the same name, so all of them collide
into a single bucket whose growth dominates the add cost;
the pathological case (e.g. many cross-signed certs sharing
one subject).

Both workloads insert a mix of programmatically generated certificates and CRLs signed with a throwaway Ed25519 key. For each size N the test fills a fresh X509_STORE with N objects, timing only the add loop and repeating until enough time has accumulated for the ~1us clock resolution; the best ns/add of 5 trials is reported.

With -d the results are also written to a gnuplot data file (columns: N spread bucket, NaN for a mode not measured; use -m both to fill all columns) and -l records a build label in the header, so results from different builds can be plotted against each other with the included x509storeadd.gnuplot script.

The tool is single-threaded and not wired into the cmake run target; build it and run on demand. Requires OpenSSL 3.0+ (EVP_PKEY_Q_keygen), so it is not built for 1.1.1 or the OpenSSL forks.

Assisted-by: Claude:claude-fable-5

Measure X509_STORE_add_cert()/X509_STORE_add_crl() as the store grows.
The store keys objects by their subject/issuer X509_NAME into a hash
table, so the cost of an add depends on how the names distribute over
the buckets.  Two workloads are measured across a sweep of store sizes
(default 128..32768, override with -n):

  spread - every object carries a distinct name and lands in a bucket
           of its own, with randomised insertion order; the O(1)
           common case.

  bucket - every object carries the same name, so all of them collide
           into a single bucket whose growth dominates the add cost;
           the pathological case (e.g. many cross-signed certs sharing
           one subject).

Both workloads insert a mix of programmatically generated certificates
and CRLs signed with a throwaway Ed25519 key.  For each size N the test
fills a fresh X509_STORE with N objects, timing only the add loop and
repeating until enough time has accumulated for the ~1us clock
resolution; the best ns/add of 5 trials is reported.

With -d the results are also written to a gnuplot data file (columns:
N spread bucket, NaN for a mode not measured; use -m both to fill all
columns) and -l records a build label in the header, so results from
different builds can be plotted against each other with the included
x509storeadd.gnuplot script.

The tool is single-threaded and not wired into the cmake run target;
build it and run on demand.  Requires OpenSSL 3.0+ (EVP_PKEY_Q_keygen),
so it is not built for 1.1.1 or the OpenSSL forks.

Assisted-by: Claude:claude-fable-5
Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
@npajkovsky npajkovsky self-assigned this Jul 9, 2026
@npajkovsky npajkovsky added the approval: review pending This pull request needs review by a committer label Jul 9, 2026
@npajkovsky npajkovsky moved this to Waiting Review in Development Board Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approval: review pending This pull request needs review by a committer

Projects

Status: Waiting Review

Development

Successfully merging this pull request may close these issues.

2 participants