Closed
Bug 157220
Opened 23 years ago
Closed 23 years ago
CERT_FindCertIssuer inefficient in NSS 3.4+
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: nelson, Assigned: wtc)
Details
In NSS 3.4, CERT_FindCertIssuer was reimplemented. The new implementation
calls NSSCertificate_BuildChain to build an entire cert chain, and then
discards all but the second cert in the chain. As we verify a cert chain,
we end up constructing the chain n times, once for each cert in the chain.
This seems rather inefficient.
nssCertificate_BuildChain contains a loop that finds the issuer of each
cert and adds it to the chain. Seems like there ought to be an
NSSCertificate_FindIssuer that does the equivalent of a single pass
through the loop in nssCertificate_BuildChain, and CERT_FindCertIssuer
should use that non-looping function instead.
Comment 1•23 years ago
This may be part of the performance problem I found in bug #164512.
Blocks: 164512
Reporter
Comment 2•23 years ago
I must have needed more sleep the day I filed this invalid bug.
NSSCertificate_BuildChain takes an argument named rvLimit which controls
the number of certs it puts into the chain it builds.
CERT_FindCertIssuer calls it with a value of 2.
It always puts the cert it is passed in as the first chain in the cert.
So it only finds one cert each time it is called.
There are other issues with the new cert chain code, but this bug is invalid.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
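The effect of the chain-length limit described in comment 2, as an added toy model in C (not NSS code and not part of the original bug): it counts issuer searches over a verify-style walk when each chain-building call is capped at two certs versus uncapped. `Cert`, `find_issuer`, `build_chain` and `verify_walk` are hypothetical names, and the four-entry store is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not NSS code: a cert is only a subject/issuer name pair. */
typedef struct { const char *subject, *issuer; } Cert;

/* Constructed sample store: leaf -> two intermediates -> self-signed root. */
static const Cert store[] = {
    {"leaf", "ca2"}, {"ca2", "ca1"}, {"ca1", "root"}, {"root", "root"},
};
enum { STORE_LEN = sizeof store / sizeof store[0] };

static int lookups; /* issuer searches performed so far */
static int is_root(const Cert *c) { return strcmp(c->subject, c->issuer) == 0; }

/* Hypothetical helper: one issuer search by name. */
static const Cert *find_issuer(const Cert *c) {
    lookups++;
    for (int i = 0; i < STORE_LEN; i++)
        if (strcmp(store[i].subject, c->issuer) == 0) return &store[i];
    return NULL;
}

/* Build a chain from c. limit caps the chain length (0 = no cap), and
   chain[0] is always c itself, so limit 2 means a single issuer search. */
static int build_chain(const Cert *c, const Cert **chain, int limit) {
    int n = 0;
    chain[n++] = c;
    while (n < STORE_LEN && (limit == 0 || n < limit) && !is_root(c)) {
        if ((c = find_issuer(c)) == NULL) break;
        chain[n++] = c;
    }
    return n;
}

/* Verify-style walk: one build_chain call per cert, keeping only chain[1].
   Returns the total number of issuer searches for the whole walk. */
static int verify_walk(int limit) {
    const Cert *chain[STORE_LEN], *c = &store[0];
    lookups = 0;
    while (!is_root(c) && build_chain(c, chain, limit) >= 2)
        c = chain[1];
    return lookups;
}

int main(void) {
    printf("limit 2: %d, no limit: %d\n", verify_walk(2), verify_walk(0));
    return 0;
}
```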