The easiest fix would be to avoid decoding the certificates with NSS. This would actually be fairly easy:
- Return an array of arrays of bytes from
CSTrustDomain would take that array and blindly loop over it in
FindIssuer rather than trying to match issuer/subject names (mozilla::pkix makes this fast by doing that check itself)
CSTrustDomain::GetCertTrust would have to use
mozilla::pkix::BackCert to get a handle on the certificate's subject/issuer/serial/public key for revocation checking.
- To see if a given cert is the content signing root, we could modify
nsINSSComponent::IsCertContentSigningRoot to take either a precomputed hash or the bytes of the cert to be hashed and compared.
- Back in
BackCert can be used to again get the cert's public key.
Unfortunately this doesn't really solve the problem of doing a certificate verification on the main thread. To address that issue, we would have to put this logic on some background thread and either return a promise or notify via an xpcom callback type. Further unfortunately, this API is used both from js and
ContentVerifier, where it seems we don't have any kind of js context ( https://searchfox.org/mozilla-central/rev/201450283cddc9e409cec707acb65ba6cf6037b1/dom/security/ContentVerifier.cpp#46 ), so maybe promises wouldn't work here. Also,
ContentVerifier imposes some constraints on how
nsIContentSignatureVerifier is used because it expects that it will make a network request to fetch the certificate chain that signed the data. This request can only be started and consumed from the main thread, so we're looking at going back and forth between many different threads. To be blunt, I'd like to get rid of this aspect of the API since it's not even actually used yet, but I'm told that "we've talked about [using] it in a number of places". I'm a bit skeptical, though, since we landed this code almost 3 years ago and this part of it still isn't being used. It might be worth splitting this functionality into pieces that can be a bit more separate from each other and yet make use of common utility functions or something.