PyCA x509 Rust backend — caching optimizations

I was working on my general purpose ASN.1 library and when creating Python bindings, I tested against PyCA code. Some operations in PyCA were slow compared to my code so I wanted to look into what could be improved. With the help of Claude Code I've got some repeatable patterns improved using the same approach PyCA already had in place for some properties.

Below is a report Claude created.

Background

The x509 Rust backend (src/rust/src/x509/) converts parsed ASN.1 data into Python objects on every property access. Operations like name parsing (parse_name), public-key loading, OID conversion, and serial-number iteration are not cheap: each one allocates Python objects, traverses ASN.1 sequences, and crosses the Rust/Python FFI boundary. In workloads that touch the same property more than once on the same object (chain building, path validation, CRL checking, OCSP processing) this cost is paid repeatedly and unnecessarily.

The existing mitigation is pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>: a thread-safe write-once cell that stores the Python object after the first computation. It was already used for extension lists everywhere. The work described here extends that pattern to the remaining uncached properties.

Caching pattern

Every cached getter follows the same idiom:

// struct field
cached_foo: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,

// getter
fn foo<'p>(&self, py: Python<'p>) -> PyResult<Bound<'p, PyAny>> {
    Ok(self.cached_foo
        .get_or_try_init(py, || expensive_computation(py).map(|v| v.unbind()))?
        .bind(py)
        .clone())
}

get_or_try_init is a no-op on every call after the first; the atomic check costs ~50 ns, the cached result is returned without any allocation.

What was implemented

Ten changes were made across five files, committed individually on the performance-improvements branch.

The OCSPResponse.certificates getter additionally had a documented O(n²) bug (each certificate extracted via clone().nth(i) restarted the iterator). It was replaced with a single linear pass using asn1::write_single to produce independent DER bytes for each certificate, eliminating the need for the map_arc_data_ocsp_response unsafe helper.

Benchmark results

Benchmarks measure repeated access on a single pre-loaded object — the workload that caching is designed to accelerate. Each benchmark creates the object once outside the timed loop, then calls the getter in a tight loop.

Comparison: main (baseline) vs abbra-p-f (PR), both built with maturin develop --release, Python 3.14, OpenSSL 3.5.

The subject/issuer/CRL-issuer gains are ~100× because parse_name is the most expensive operation — it constructs a full Python Name object tree from ASN.1 on every call. The cached path costs only an atomic load plus a Python reference clone (~50 ns regardless of name complexity).

crl_serial_number_lookup_hit is 34% faster rather than near-zero because get_revoked_certificate_by_serial_number must still construct a new RevokedCertificate Python object on each hit (the HashMap stores OwnedRevokedCertificate values that are cloned per call). The miss path (90% faster) avoids iterating the whole list and drops from O(n) to O(1).

ocsp_response_properties shows no meaningful change because the properties benchmarked there (issuer_key_hash, serial_number, signature_hash_algorithm on the response-level object) were already relatively cheap and the test exercises only a few iterations of the warm path.

Why the existing load benchmarks showed no improvement

test_load_der_certificate and test_load_pem_certificate each call x509.load_der_x509_certificate(bytes) per iteration, creating a fresh object with empty caches each time. The cache is always cold; caching adds zero benefit and a tiny overhead (extra PyOnceLock::new() fields). These benchmarks measure parsing throughput, not property-access throughput, so they are unaffected by this work.

Benchmark reproduction

uv venv /tmp/bench-venv --python python3.14
uv pip install --python /tmp/bench-venv/bin/python \
    maturin pytest pytest-benchmark certifi setuptools cffi
uv pip install --python /tmp/bench-venv/bin/python -e vectors/

# baseline (main branch)
git checkout main
cp tests/bench/test_x509.py /tmp/bench_test.py   # copy new benchmarks over
VIRTUAL_ENV=/tmp/bench-venv maturin develop --release
/tmp/bench-venv/bin/python -m pytest tests/bench/test_x509.py \
    -k "subject or issuer or public_key or signature or crl_serial or ocsp" \
    --benchmark-json=/tmp/bench_base.json --benchmark-enable \
    --benchmark-warmup=on --benchmark-min-rounds=200 -q

# PR branch
git checkout abbra-p-f
VIRTUAL_ENV=/tmp/bench-venv maturin develop --release
/tmp/bench-venv/bin/python -m pytest tests/bench/test_x509.py \
    -k "subject or issuer or public_key or signature or crl_serial or ocsp" \
    --benchmark-json=/tmp/bench_pr.json --benchmark-enable \
    --benchmark-warmup=on --benchmark-min-rounds=200 -q

python3 .github/bin/compare_benchmarks.py /tmp/bench_base.json /tmp/bench_pr.json