crypto/tls: cache Leaf certificate during BuildNameToCertificate
authorDarien Raymond <admin@v2ray.com>
Wed, 31 Oct 2018 14:37:26 +0000 (14:37 +0000)
committerFilippo Valsorda <filippo@golang.org>
Wed, 31 Oct 2018 14:39:11 +0000 (14:39 +0000)
I am working on a TLS server program, which issues new TLS certificates
on demand. The new certificates will be added into tls.Config.Certificates.
BuildNameToCertificate will be called to refresh the name table afterwards.
This change will reduce some workload on existing certificates.

Note that you can’t modify the Certificates field (or call BuildNameToCertificate)
on a Config in use by a Server. You can however modify an unused Config that gets
cloned in GetConfigForClient with appropriate locking.

Change-Id: I7bdb7d23fc5d68df83c73f3bfa3ba9181d38fbde
GitHub-Last-Rev: c3788f4116be47f2fdb777935c421e7dd694f5c8
GitHub-Pull-Request: golang/go#24920
Reviewed-on: https://go-review.googlesource.com/c/107627
Reviewed-by: Filippo Valsorda <filippo@golang.org>
src/crypto/tls/common.go

index ba47d565a08400f4ee4c12735184b0b3a0558a8b..9d9137bc687670d2a1b25429ab5aae58b2329df9 100644 (file)
@@ -765,10 +765,14 @@ func (c *Config) BuildNameToCertificate() {
        c.NameToCertificate = make(map[string]*Certificate)
        for i := range c.Certificates {
                cert := &c.Certificates[i]
-               x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-               if err != nil {
-                       continue
+               if cert.Leaf == nil {
+                       x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
+                       if err != nil {
+                               continue
+                       }
+                       cert.Leaf = x509Cert
                }
+               x509Cert := cert.Leaf
                if len(x509Cert.Subject.CommonName) > 0 {
                        c.NameToCertificate[x509Cert.Subject.CommonName] = cert
                }
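Review bot: The assignment `cert.Leaf = x509Cert` makes BuildNameToCertificate write into the elements of c.Certificates, where before this change it only read them. If that slice's backing array is shared with another Config (for example through a shallow copy), two goroutines building name tables could race on Leaf. The commit message states the locking caveat, but the function's doc comment should carry it too, e.g. `// BuildNameToCertificate also sets Leaf on each entry of c.Certificates that lacks one; it must not run on certificates shared with a Config in use.` A caller-supplied Leaf is also used without any check that it corresponds to `cert.Certificate[0]`, so a mismatched Leaf would register names for the wrong chain, and the comment should state that requirement. The function body starts before and continues past this hunk.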