From 5ed804acea474f2e4d5114ac4d015158a5ab5722 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sun, 8 Mar 2026 14:53:26 +0200
Subject: [PATCH] x509/certificate: cache public_key getter result

Store the public key object in a PyOnceLock so that repeated accesses
avoid re-parsing the SubjectPublicKeyInfo DER bytes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
 src/rust/src/pkcs7.rs            |  1 +
 src/rust/src/x509/certificate.rs | 17 +++++++++++++----
 src/rust/src/x509/ocsp_resp.rs   |  1 +
 3 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index 05f3bec6565a..ae1d15d5ec78 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -770,6 +770,7 @@ where
                 cached_extensions: pyo3::sync::PyOnceLock::new(),
                 cached_issuer: pyo3::sync::PyOnceLock::new(),
                 cached_subject: pyo3::sync::PyOnceLock::new(),
+                cached_public_key: pyo3::sync::PyOnceLock::new(),
             },
         )?)?;
 
diff --git a/src/rust/src/x509/certificate.rs b/src/rust/src/x509/certificate.rs
index a63dcc9a970f..fe01e625f13c 100644
--- a/src/rust/src/x509/certificate.rs
+++ b/src/rust/src/x509/certificate.rs
@@ -43,6 +43,7 @@ pub(crate) struct Certificate {
     pub(crate) cached_extensions: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     pub(crate) cached_issuer: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
     pub(crate) cached_subject: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
+    pub(crate) cached_public_key: pyo3::sync::PyOnceLock<pyo3::Py<pyo3::PyAny>>,
 }
 
 #[pyo3::pymethods]
@@ -80,10 +81,17 @@ impl Certificate {
         &self,
         py: pyo3::Python<'p>,
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::PyAny>> {
-        keys::load_der_public_key_bytes(
-            py,
-            self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(),
-        )
+        Ok(self
+            .cached_public_key
+            .get_or_try_init(py, || {
+                keys::load_der_public_key_bytes(
+                    py,
+                    self.raw.borrow_dependent().tbs_cert.spki.tlv().full_data(),
+                )
+                .map(|v| v.unbind())
+            })?
+            .bind(py)
+            .clone())
     }
 
     #[getter]
@@ -459,6 +467,7 @@ pub(crate) fn load_der_x509_certificate(
         cached_extensions: pyo3::sync::PyOnceLock::new(),
         cached_issuer: pyo3::sync::PyOnceLock::new(),
         cached_subject: pyo3::sync::PyOnceLock::new(),
+        cached_public_key: pyo3::sync::PyOnceLock::new(),
     })
 }
 
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs
index 6acb0970f85b..bc1779e6ebc9 100644
--- a/src/rust/src/x509/ocsp_resp.rs
+++ b/src/rust/src/x509/ocsp_resp.rs
@@ -267,6 +267,7 @@ impl OCSPResponse {
                     cached_extensions: pyo3::sync::PyOnceLock::new(),
                     cached_issuer: pyo3::sync::PyOnceLock::new(),
                     cached_subject: pyo3::sync::PyOnceLock::new(),
+                    cached_public_key: pyo3::sync::PyOnceLock::new(),
                 },
             )?)?;
         }