x509/certificate: cache public_key getter result (#14443)

abbra · claude · web-flow · commit 29cd7a887b07 · 2026-03-08T13:36:24.000Z
Store the public key object in a PyOnceLock so that repeated accesses
avoid re-parsing the SubjectPublicKeyInfo DER bytes.

Signed-off-by: Alexander Bokovoy &lt;abokovoy@redhat.com&gt;
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
@@ -770,6 +770,7 @@ where
                 cached_extensions: pyo3::sync::PyOnceLock::new(),
                 cached_issuer: pyo3::sync::PyOnceLock::new(),
                 cached_subject: pyo3::sync::PyOnceLock::new(),
+                cached_public_key: pyo3::sync::PyOnceLock::new(),
             },
         )?)?;
 
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
@@ -43,6 +43,7 @@ pub(crate) struct Certificate {
     pub(crate) cached_extensions: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     pub(crate) cached_issuer: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     pub(crate) cached_subject: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
+    pub(crate) cached_public_key: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
 }
 
 #[pyo3::pymethods]
@@ -80,10 +81,17 @@ impl Certificate {
         &self,
         py: pyo3::Python<'p>,
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::PyAny>> {
-        keys::load_der_public_key_bytes(
-            py,
-            self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(),
-        )
+        Ok(self
+            .cached_public_key
+            .get_or_try_init(py, || {
+                keys::load_der_public_key_bytes(
+                    py,
+                    self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(),
+                )
+                .map(|v| v.unbind())
+            })?
+            .bind(py)
+            .clone())
     }
 
     #[getter]
@@ -459,6 +467,7 @@ pub(crate) fn load_der_x509_certificate(
         cached_extensions: pyo3::sync::PyOnceLock::new(),
         cached_issuer: pyo3::sync::PyOnceLock::new(),
         cached_subject: pyo3::sync::PyOnceLock::new(),
+        cached_public_key: pyo3::sync::PyOnceLock::new(),
     })
 }
 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs
@@ -267,6 +267,7 @@ impl OCSPResponse {
                     cached_extensions: pyo3::sync::PyOnceLock::new(),
                     cached_issuer: pyo3::sync::PyOnceLock::new(),
                     cached_subject: pyo3::sync::PyOnceLock::new(),
+                    cached_public_key: pyo3::sync::PyOnceLock::new(),
                 },
             )?)?;
         }

Original file line number	Diff line number	Diff line change
`@@ -267,6 +267,7 @@ impl OCSPResponse {`
`267`	`267`	`cached_extensions: pyo3::sync::PyOnceLock::new(),`
`268`	`268`	`cached_issuer: pyo3::sync::PyOnceLock::new(),`
`269`	`269`	`cached_subject: pyo3::sync::PyOnceLock::new(),`
	`270`	`+ cached_public_key: pyo3::sync::PyOnceLock::new(),`
`270`	`271`	`},`
`271`	`272`	`)?)?;`
`272`	`273`	`}`