Closed Bug 149834 Opened 22 years ago Closed 19 years ago

Enhance PSM speed by using new NSS API CERT_VerifyCertificateNow

Categories

(Core Graveyard :: Security: UI, defect, P3)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
psm2.4

People

(Reporter: julien.pierre, Assigned: jgmyers)

References

Details

(Keywords: fixed1.8.1, Whiteboard: [kerh-ehz])

Attachments

(1 file, 3 obsolete files)

Same patch as before, just updated to apply cleanly to the trunk
12.22 KB, patch
KaiE
: review+
KaiE
: approval-branch-1.8.1+
Details | Diff | Splinter Review 
PSM makes a lot of CERT_VerifyCert, multiple calls per certificate in order to 
check cert usage. When validation is enabled, this causes a huge performance 
problem.

For each certificate :
1) if a CRL is installed and matches the issuer, that CRL will be linearly 
searched (bug 149784 ) for each of the 12 calls to CERT_VerifyCert ( bug 149832 
)
2) if OCSP is enabled, there will be a new OCSP connection for each of the 12 
calls to CERT_VerifyCert (again, bug 149832)

As a test, I created a new profile with the Mozilla 1.0 release, and got myself 
a brand-new Thawte cert, on my home dual CPU 1.5 GHz Athlon machine on OS/2. 
Without validation, cert manager was fast, <1s delay to open cert manager or 
view the cert. 

I then installed the Thawte CRL. At that point, cert manager became basically 
unusable. It took 7s to view my certificate. Once I deleted the CRL, performance 
was back to normal.
Severity: normal → major
Depends on: 149784, 149832
No longer depends on: 149832
Blocks: 121916
Keywords: nsbeta1
This patch reduces the number of calls, but there is still room for
improvement, as separate verification calls are made for each of the column
fields in the certmanager. You should be able to optimize this down to one call
per cert (ie. per row) but I wasn't able to because I don't know the PSM GUI
code enough.

This patch divides the number of calls by 8.
Once you eliminate the redundant calls per column, you'll reduce it another
factor of 5.
PSM calls CERT_VerifyCertNow multiple times, because it is checking the validity
for multiple usages. It does so, because it wants to report a list of valid
usages in the UI.

If NSS is internally doing the verification each time within that function,
maybe we should create an optimized interface.

CERT_VerifyCert has separate logic for each usage, so we should probably
continue to call the function multiple times.

But maybe you could provide a stripped down version of the function, that allows
one to omit the revocation checks? PSM could do the revocation check separately,
by calling a Cert_VerifyCertRevocation and only if it succeeds calls a usage
verification check like Cert_VerifyCertIgnoreRevocationStatus.
Kai. Take a look at NSM which combines the verified and purposes columns into
one. This makes total sense since what's in verified can always be deduced from
what's in the purposes column (i.e., its redundant information which takes a
long time to compute.

Kai,

I am well aware that the CERT_VerifyCert API was inefficient in that it only
allowed one usage to be checked at a time. However, a new API has been created
in NSS 3.6, CERT_VerifyCertificate. See bug 149832.

The patch for PSM that I attached uses that new API so that all 8 usages can be
checked in one CERT_VerifyCertificate call instead of 8 CERT_VerifyCert calls.

However, the GetPurposes() method is getting called more than once per cert, in
fact, 5 times, once for each column in the cert manager. This seems to happen at
each repaint time (ie. when resizing the dialog). This can also be optimized
down to once per cert, but I didn't want to mess with the GUI code.
Depends on: 149832
Attached patch actual intended patch (obsolete) — Splinter Review 
I had uploaded the wrong file before.
This is the one that calls CERT_VerifyCertificate instead of CERT_VerifyCert .
Attachment #93389 - Attachment is obsolete: true
Oops. I have changed the very same source locations with my patch to bug 132589 :(

Since this patch is smaller, please delay this bug until 132589 has landed
(which will happen soon). Making this bug dependent. Julien, I will attach a
collision free version of your patch once that is done.
Depends on: 132589
Hmm, in addition I realize that your patch depends on NSS 3.6, so we need to
delay this bug, anyway.

Do you know when you want to land NSS 3.6 as the NSS_CLIENT_TAG?

Maybe we could file a bug for the proposed landing of NSS 3.6 and make it block
this bug? So we will get notified when we are ready to work on this bug again.

Kai. Can you open the following bugs:
- Move NSS_CLIENT_TAG (but check whether it should be an NSS bug in which case
work with the nss team and have a corresponding PSM tracking bug).
- Update the PSM version to 2.4 (when we start using 3.6 we should up the version).
- bug against bugzilla to have a PSM 2.4 version and target milestone.

Bugs filed. Adding dependency.

I assume the change suggested in this bug is something that depends on 3.6, but
it can be done after 3.6 (i.e. it is not required to make this change at the
same time).
Depends on: nssclienttag36
Correct. The old CERT_VerifyCert will still work, but no faster than before. You
will be able to call the new CERT_VerifyCertificate at any time after you move
to 3.6 .

FYI, there is now a CRL cache in NSS. So CRL checks that occur as part of the
cert verification will only be expensive the first time a cert of a given issure
is verified. Afterwards the CRL is cached and the CRL lookup will take less than
100 microseconds on even a slow machine.


Works for me. Even with 8 certs using OCSP, (out of a total of 20 personal certs
installed), and three CRLs installed, the Cert Manager opens very quickly.
Status: NEW → RESOLVED
Closed: 22 years ago
Priority: -- → P3
Resolution: --- → WORKSFORME
Target Milestone: --- → 2.4
Version: unspecified → 2.4
Kai,

Are you now using the new function CERT_VerifyCertificateNow ?

Reopening. Also changing summary that probbably caused confusion and motivated
John to close the bug.

I'll work on this right after bugs 168450 and 177260 have both been checked in.
Status: RESOLVED → REOPENED
Keywords: nsbeta1nsbeta1+
Resolution: WORKSFORME → ---
Summary: Cert manager is very slow with validation enabled → Enhance PSM speed by using new NSS API CERT_VerifyCertificateNow
Adding depends on bug 168450 and bug 177260
Depends on: 168450, 177260
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Status: REOPENED → NEW
Attached patch Revised fix (obsolete) — Splinter Review 
Assignee: nobody → jgmyers

        Attachment #93469 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

    
  

        Attachment #144417 -
        Flags: review?(ssaux)

    
  
Product: PSM → Core

    
    

    
  
Comment on attachment 144417 [details] [diff] [review]
Revised fix

ssaux is no longer at aol, removing review request

        Attachment #144417 -
        Flags: review?(ssaux)

    
    

    
  


  
r=kengert

        Attachment #144417 -
        Attachment is obsolete: true

        Attachment #202387 -
        Flags: review+

    
  

        Attachment #202387 -
        Flags: superreview?(dveditz)

    
  
Whiteboard: [kerh-ehz]

    
  

        Attachment #202387 -
        Flags: superreview?(dveditz)

    
    

    
  
Checked in to trunk.

Status: ASSIGNED → RESOLVED
Closed: 22 years ago19 years ago
Resolution: --- → FIXED

    
  

        Attachment #202387 -
        Flags: branch-1.8.1+

    
  
Keywords: fixed1.8.1

    
  
Blocks: 307144

    
    

    
  
This bug introduced regression bug 351873.


    
    

    
  
Kai,

OCSP checking should still be done in CERT_VerifyCertificateNow . It just will get done one time instead of x times for each usage if calling CERT_VerifyCertNow x times. Are you sure that's the cause of the regression ?

    
    

    
  
(In reply to comment #22)
> 
> OCSP checking should still be done in CERT_VerifyCertificateNow . It just will
> get done one time instead of x times for each usage if calling
> CERT_VerifyCertNow x times. Are you sure that's the cause of the regression ?


Yes, I feel confident this is the cause of the regression.

As soon as the application code asks to verify usage "status responder", NSS will suppress OCSP.

 if ( (! (requiredUsages & certificateUsageStatusResponder)) &&
    statusConfig != NULL) {
    if (statusConfig->statusChecker != NULL) {
       rv = (* statusConfig->statusChecker)(handle, cert,
                                                    t, wincx);

In the past, we had multiple calls, so only the check for the responder usage suppressed ocsp.

As a work around in the application, I propose that PSM makes two separate calls to CERT_VerifyCertNow. One asking for the responder usage, and another call for all the other usages.

I will attached such a woraround patch to bug 351871. In my tests that patch fixed the issue.


    
  
Blocks: 351873

    
    

    
  
Kai,

Actually, I think this may be considered an NSS bug in CERT_VerifyCertificate / CERT_VerifyCertificateNow . It should skip the OCSP check only if the status responder usage is the only usage requested to be checked.


    
  
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: