When generating large CRLs we keep the entire list of RevokedCertInfo read from the database in memory.
We iterate over the list twice:
- Archival of certs that appear on the CRL for the last time
- Add the certs to the BouncyCastle CRL-generator
By using a compressed in-memory buffer we can significantly reduce the amount of non-garbage-collectable memory used at any time.
The suggested fix implements the important parts of java.util.Collection to make the impact on the core code as small as possible.
CompressedCollection.clear() should be used to ensure that no resource leakage occur.
Data from the database should be read paginated to further reduce the maximum heap usage.