Open Bug 170836 Opened 22 years ago Updated 2 years ago

SEC_LookupCrls returns CERTSignedCrl* objects without a slot or object ID

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

People

(Reporter: julien.pierre, Unassigned)

Details

The CERTSignedCrl* objects returned by the function SEC_LookupCrls do not have a
slot pointer set or CK_OBJECT_HANDLE.

This means that if you want to do things like deleting one of them, you can't
just pass the pointer to SEC_DeletePermCRL. Instead, you need to look it up
again, by extracting the DER issuer out of the CERTSignedCrl*, then doing a
SEC_FindCrlByName on it to get a second CERTSignedCrl*.

This is done for example in PSM currently and I also had to do the same thing in
crlutil to implement the -E option that erases all CRLs from the cert database.

This double-lookup is very inefficient, particularly in the light of bug #170835
: in this enumeration codepath, the CRL cache is currently not used. So, when
you do the second lookup, the CRL ends up being decoded and allocated again.
This can be very bad for large CRLs.
Not returning valid slot pointers and object handles seems like a bug.
CRL issues seem like they're P2.
Priority: -- → P2
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.