In NSS 3.4, CERT_FindCertIssuer was reimplemented. The new implementation calls NSSCertificate_BuildChain to build an entire cert chain, and then discards all but the second cert in the chain. As we verify a cert chain, we end up constructing the chain n times, once for each cert in the chain. This seems rather inefficient. nssCertificate_BuildChain contains a loop that finds the issuer of each cert and adds it to the chain. Seems like there ought to be an NSSCertificate_FindIssuer that does the equivalent of a single pass through the loop in nssCertificate_BuildChain, and CERT_FindCertIssuer should use that non-looping function instead.
I must have needed more sleep the day I filed this invalid bug. NSSCertificate_BuildChain takes an argument named rvLimit which controls the number of certs it puts into the chain it builds. CERT_FindCertIssuer calls it with a value of 2. It always puts the cert it is passed in as the first chain in the cert. So it only finds one cert each time it is called. There are other issues with the new cert chain code, but this bug is invalid.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID