From e9e0a97ccdb5feb78de43a5621862af1b18301ba Mon Sep 17 00:00:00 2001
From: ShenHongFei
Date: Wed, 18 Dec 2024 15:15:24 +0800
Subject: [PATCH] src: modify SecureContext::SetCACert to not use root_certs
---
 src/crypto/crypto_context.cc | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
index aa5fc61f19e435..53c9ef85c2606b 100644
--- a/src/crypto/crypto_context.cc
+++ b/src/crypto/crypto_context.cc
@@ -785,9 +785,17 @@ void SecureContext::SetCACert(const BIOPointer& bio) {
   if (!bio) return;
   while (X509Pointer x509 = X509Pointer(PEM_read_bio_X509_AUX(
              bio.get(), nullptr, NoPasswordCallback, nullptr))) {
-    CHECK_EQ(1,
-             X509_STORE_add_cert(GetCertStoreOwnedByThisSecureContext(),
-                                 x509.get()));
+    // Avoid calling GetCertStoreOwnedByThisSecureContext() in SetCACert method,
+    // because it will create X509_STORE based on root_certs (more than 150),
+    // which is very slow
+    X509_STORE* cert_store;
+    if (own_cert_store_cache_)
+      cert_store = own_cert_store_cache_;
+    else
+      SSL_CTX_set_cert_store(ctx_.get(), own_cert_store_cache_ = cert_store = X509_STORE_new());
+    // No need to call X509_STORE_free manually,
+    // SSL_CTX_set_cert_store will take over the ownership of X509_STORE
+    CHECK_EQ(1, X509_STORE_add_cert(cert_store, x509.get()));
     CHECK_EQ(1, SSL_CTX_add_client_CA(ctx_.get(), x509.get()));
   }
 }
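Review bot: The line `SSL_CTX_set_cert_store(ctx_.get(), own_cert_store_cache_ = cert_store = X509_STORE_new());` installs and caches the result of `X509_STORE_new()` without checking it, so on allocation failure a null store is written into `own_cert_store_cache_` and handed straight to `X509_STORE_add_cert` on the following line. The added comment also says the helper being bypassed builds the store from root_certs; if that is accurate, this hunk changes the trust anchors of any context that receives a `ca` (the bundled roots are no longer in the store), and because `own_cert_store_cache_` is set here, every later caller of `GetCertStoreOwnedByThisSecureContext()` on this context gets the same root-less store. That is a trust-behaviour change that the commit message should state explicitly and a test should cover, rather than presenting it only as a speed-up. The chained assignment inside the argument list additionally hides three side effects in one expression and runs past the file's line width; the rewrite below separates allocation, the null check and the install, and keeps the ownership comment next to `SSL_CTX_set_cert_store`. SetCACert's body is entirely inside this hunk.
```cpp
  while (X509Pointer x509 = X509Pointer(PEM_read_bio_X509_AUX(
             bio.get(), nullptr, NoPasswordCallback, nullptr))) {
    // … unchanged: comment on why GetCertStoreOwnedByThisSecureContext() is bypassed …
    X509_STORE* cert_store = own_cert_store_cache_;
    if (cert_store == nullptr) {
      cert_store = X509_STORE_new();
      CHECK_NOT_NULL(cert_store);
      // SSL_CTX_set_cert_store takes ownership of the store; no X509_STORE_free here.
      SSL_CTX_set_cert_store(ctx_.get(), cert_store);
      own_cert_store_cache_ = cert_store;
    }
    CHECK_EQ(1, X509_STORE_add_cert(cert_store, x509.get()));
    // … unchanged: SSL_CTX_add_client_CA call …
```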