x509/crl: replace serial number linear scan with O(1) HashMap lookup

get_revoked_certificate_by_serial_number previously iterated over every
revoked certificate on each call (O(n)). Build a HashMap<Vec<u8>,
OwnedRevokedCertificate> on first call using the existing iterator
infrastructure, then answer subsequent lookups in O(1).

Also removes the now-unused try_map_crl_to_revoked_cert unsafe helper.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Author: abbra

src/rust/src/x509/crl.rs

@@ -2,6 +2,8 @@
 // 2.0, and the BSD License. See the LICENSE file in the root of this repository
 // for complete details.
 
+use std::collections::HashMap;
+
 use cryptography_x509::certificate::SerialNumber;
 use cryptography_x509::common::{self, Asn1Read};
 use cryptography_x509::crl::{
@@ -46,6 +48,7 @@ pub(crate) fn load_der_x509_crl(
     Ok(CertificateRevocationList {
         owned,
         revoked_certs: pyo3::sync::PyOnceLock::new(),
+        serial_number_map: pyo3::sync::PyOnceLock::new(),
         cached_extensions: pyo3::sync::PyOnceLock::new(),
         cached_issuer: pyo3::sync::PyOnceLock::new(),
         cached_signature_algorithm_oid: pyo3::sync::PyOnceLock::new(),
@@ -87,6 +90,7 @@ pub(crate) struct CertificateRevocationList {
     owned: OwnedCertificateRevocationList,
 
     revoked_certs: pyo3::sync::PyOnceLock<Vec<OwnedRevokedCertificate>>,
+    serial_number_map: pyo3::sync::PyOnceLock<HashMap<Vec<u8>, OwnedRevokedCertificate>>,
     cached_extensions: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     cached_issuer: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     cached_signature_algorithm_oid: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
@@ -417,21 +421,43 @@ impl CertificateRevocationList {
     ) -> pyo3::PyResult<Option<RevokedCertificate>> {
         let serial_bytes = py_uint_to_big_endian_bytes(py, serial)?;
 
-        // Use try_map_crl_to_revoked_cert to soundly extract the certificate
-        let owned = try_map_crl_to_revoked_cert(&self.owned, py, |crl| {
-            let certs = crl.tbs_cert_list.revoked_certificates.as_ref()?;
-
-            // TODO: linear scan. Make a hash or bisect!
-            certs
-                .unwrap_read()
-                .clone()
-                .find(|cert| serial_bytes == cert.user_certificate.as_bytes())
+        let map = self.serial_number_map.get_or_init(py, || {
+            let mut map = HashMap::new();
+            let mut it_data = map_crl_to_iterator_data(&self.owned, py, |crl| {
+                crl.tbs_cert_list
+                    .revoked_certificates
+                    .as_ref()
+                    .map(|v| v.unwrap_read().clone())
+            });
+            loop {
+                let revoked = try_map_arc_data_mut_crl_iterator(py, &mut it_data, |v| match v {
+                    Some(v) => match v.next() {
+                        Some(revoked) => Ok(revoked),
+                        None => Err(()),
+                    },
+                    None => Err(()),
+                });
+                match revoked {
+                    Ok(owned) => {
+                        let key = owned
+                            .borrow_dependent()
+                            .user_certificate
+                            .as_bytes()
+                            .to_vec();
+                        map.insert(key, owned);
+                    }
+                    Err(()) => break,
+                }
+            }
+            map
         });
 
-        Ok(owned.map(|o| RevokedCertificate {
-            owned: o,
-            cached_extensions: pyo3::sync::PyOnceLock::new(),
-        }))
+        Ok(map
+            .get(serial_bytes.as_ref())
+            .map(|owned| RevokedCertificate {
+                owned: owned.clone_with_py(py),
+                cached_extensions: pyo3::sync::PyOnceLock::new(),
+            }))
     }
 
     fn is_signature_valid<'p>(
@@ -500,33 +526,6 @@ where
     })
 }
 
-// Open-coded implementation of the API discussed in
-// https://github.com/joshua-maros/ouroboros/issues/38
-fn try_map_crl_to_revoked_cert<F>(
-    source: &OwnedCertificateRevocationList,
-    py: pyo3::Python<'_>,
-    f: F,
-) -> Option<OwnedRevokedCertificate>
-where
-    F: for<'a> FnOnce(&'a RawCertificateRevocationList<'a>) -> Option<RawRevokedCertificate<'a>>,
-{
-    OwnedRevokedCertificate::try_new(source.borrow_owner().clone_ref(py), |_| {
-        // SAFETY: This is safe because cloning the PyBytes Py<> ensures the data is
-        // alive, but Rust doesn't understand the lifetime relationship it
-        // produces.
-        match f(unsafe {
-            std::mem::transmute::<
-                &RawCertificateRevocationList<'_>,
-                &RawCertificateRevocationList<'_>,
-            >(source.borrow_dependent())
-        }) {
-            Some(cert) => Ok(cert),
-            None => Err(()),
-        }
-    })
-    .ok()
-}
-
 // Open-coded implementation of the API discussed in
 // https://github.com/joshua-maros/ouroboros/issues/38
 fn map_revoked_cert<F>(