add caching for issuer and subject (#14442)

* x509/certificate: cache issuer getter result

Store the Python Name object in a PyOnceLock so that repeated accesses
avoid re-running parse_name, which allocates a full Python Name object
tree from ASN.1 on every call.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

* x509/certificate: cache subject getter result

Store the Python Name object in a PyOnceLock so that repeated accesses
avoid re-running parse_name, which allocates a full Python Name object
tree from ASN.1 on every call.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

* tests/x509: fix test_country_jurisdiction_country_too_long after subject caching

The test assumed cert.subject re-parses the Name on every call, so it
checked each too-long-country warning in its own pytest.warns block.
After subject caching, parse_name runs only once (on the first access)
and emits both COUNTRY_NAME and JURISDICTION_COUNTRY_NAME warnings in a
single call. Subsequent accesses return the cached Name object without
re-parsing, so the second block saw no warnings.

Merge both assertions into a single pytest.warns block, which correctly
captures all warnings emitted during the first (and only) parse.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

---------

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: abbra

src/rust/src/pkcs7.rs

@@ -768,6 +768,8 @@ where
             x509::certificate::Certificate {
                 raw: raw_cert,
                 cached_extensions: pyo3::sync::PyOnceLock::new(),
+                cached_issuer: pyo3::sync::PyOnceLock::new(),
+                cached_subject: pyo3::sync::PyOnceLock::new(),
             },
         )?)?;
 

src/rust/src/x509/certificate.rs

@@ -41,6 +41,8 @@ self_cell::self_cell!(
 pub(crate) struct Certificate {
     pub(crate) raw: OwnedCertificate,
     pub(crate) cached_extensions: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
+    pub(crate) cached_issuer: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
+    pub(crate) cached_subject: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
 }
 
 #[pyo3::pymethods]
@@ -138,14 +140,28 @@ impl Certificate {
 
     #[getter]
     fn issuer<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::PyAny>> {
-        Ok(x509::parse_name(py, self.raw.borrow_dependent().issuer())
-            .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))?)
+        Ok(self
+            .cached_issuer
+            .get_or_try_init(py, || {
+                x509::parse_name(py, self.raw.borrow_dependent().issuer())
+                    .map_err(|e| e.add_location(asn1::ParseLocation::Field("issuer")))
+                    .map(|v| v.unbind())
+            })?
+            .bind(py)
+            .clone())
     }
 
     #[getter]
     fn subject<'p>(&self, py: pyo3::Python<'p>) -> pyo3::PyResult<pyo3::Bound<'p, pyo3::PyAny>> {
-        Ok(x509::parse_name(py, self.raw.borrow_dependent().subject())
-            .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))?)
+        Ok(self
+            .cached_subject
+            .get_or_try_init(py, || {
+                x509::parse_name(py, self.raw.borrow_dependent().subject())
+                    .map_err(|e| e.add_location(asn1::ParseLocation::Field("subject")))
+                    .map(|v| v.unbind())
+            })?
+            .bind(py)
+            .clone())
     }
 
     #[getter]
@@ -441,6 +457,8 @@ pub(crate) fn load_der_x509_certificate(
     Ok(Certificate {
         raw,
         cached_extensions: pyo3::sync::PyOnceLock::new(),
+        cached_issuer: pyo3::sync::PyOnceLock::new(),
+        cached_subject: pyo3::sync::PyOnceLock::new(),
     })
 }
 

src/rust/src/x509/ocsp_resp.rs

@@ -265,6 +265,8 @@ impl OCSPResponse {
                 x509::certificate::Certificate {
                     raw: raw_cert,
                     cached_extensions: pyo3::sync::PyOnceLock::new(),
+                    cached_issuer: pyo3::sync::PyOnceLock::new(),
+                    cached_subject: pyo3::sync::PyOnceLock::new(),
                 },
             )?)?;
         }

tests/x509/test_x509.py

@@ -1028,15 +1028,17 @@ def test_country_jurisdiction_country_too_long(self, backend):
             os.path.join("x509", "custom", "bad_country.pem"),
             x509.load_pem_x509_certificate,
         )
+        # Both warnings are emitted during the first parse_name call (when
+        # cert.subject is first accessed); subsequent accesses return the
+        # cached Name object without re-parsing, so both checks must live
+        # inside a single pytest.warns block.
         with pytest.warns(UserWarning):
             assert (
                 cert.subject.get_attributes_for_oid(x509.NameOID.COUNTRY_NAME)[
                     0
                 ].value
                 == "too long"
             )
-
-        with pytest.warns(UserWarning):
             assert (
                 cert.subject.get_attributes_for_oid(
                     x509.NameOID.JURISDICTION_COUNTRY_NAME