Closed Bug 1649633 Opened 1 year ago Closed 1 year ago

add and expose a function like PK11_FindCertInSlot that takes a SECItem instead of a CERTCertificate

Categories: NSS :: Libraries, enhancement, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: keeler, Assigned: keeler
Attachments: 2 files

PK11_FindCertInSlot is handy in that it's low-level, but it still takes a CERTCertificate. Firefox would find it useful to be able to call a function like this that takes a SECItem representing an encoded certificate instead of a decoded NSS one.
E.g. we could implement the "is this certificate a built-in root" [0] and "does this certificate come from this particular slot" [1] checks without ever actually decoding certificates.
Eventually our goal is to never use NSS to decode a certificate in either the main Firefox process or content processes (the socket process will still have to decode certificates, but it'll be sandboxed).

[0] https://searchfox.org/mozilla-central/rev/5a4aaccb28665807a6fd49cf48367d47fbb5a19a/security/certverifier/CertVerifier.cpp#208
[1] https://searchfox.org/mozilla-central/rev/5a4aaccb28665807a6fd49cf48367d47fbb5a19a/security/manager/ssl/RootCertificateTelemetryUtils.cpp#82

PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle
of an encoded certificate in a given slot. If the given certificate does not
exist in that slot, CK_INVALID_HANDLE is returned.
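As an added illustration, not code from this bug or from NSS, the following self-contained C program shows the semantics the attachment description gives: a slot is searched for an object whose stored encoding is byte-for-byte equal to the supplied DER, the object's handle comes back on a hit, and CK_INVALID_HANDLE comes back otherwise. The Slot and CertObject types, the slot names and the DER-looking byte strings are constructed stand-ins; the upstream function itself (to my recollection declared in pk11pub.h as taking a PK11SlotInfo*, a SECItem* holding the DER and a wincx) is not reproduced here, since that signature is not on this page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the NSS/PKCS#11 types involved. These are constructed for
 * this example; the real definitions live in NSS's pkcs11t.h, seccomon.h
 * and pk11pub.h. */
typedef unsigned long CK_OBJECT_HANDLE;
#define CK_INVALID_HANDLE 0UL

typedef struct {
    CK_OBJECT_HANDLE handle;     /* the token's handle for this object */
    const unsigned char *value;  /* CKA_VALUE: the certificate's DER bytes */
    unsigned int len;
} CertObject;

typedef struct {                 /* plays the role of a PK11SlotInfo */
    const char *name;
    const CertObject *objects;
    size_t count;
} Slot;

/* Look a certificate up by its exact encoding, the way a CKA_VALUE template
 * search does: length check first, then memcmp. DER routinely contains 0x00
 * bytes, so a strcmp-style comparison would be wrong. Nothing here parses
 * the certificate, which is the point of the request above. */
CK_OBJECT_HANDLE find_encoded_cert(const Slot *slot,
                                   const unsigned char *der, unsigned int len)
{
    if (slot == NULL || der == NULL || len == 0)
        return CK_INVALID_HANDLE;
    for (size_t i = 0; i < slot->count; i++) {
        const CertObject *obj = &slot->objects[i];
        if (obj->len == len && memcmp(obj->value, der, len) == 0)
            return obj->handle;
    }
    return CK_INVALID_HANDLE;
}

/* Both Firefox checks mentioned in the bug ("is this a built-in root",
 * "does this cert come from this slot") reduce to this predicate. */
int cert_is_in_slot(const Slot *slot, const unsigned char *der, unsigned int len)
{
    return find_encoded_cert(slot, der, len) != CK_INVALID_HANDLE;
}

/* Constructed sample data: DER-looking byte strings, NOT real certificates.
 * The embedded 0x00 bytes are deliberate. kTamperedRootDer differs from
 * kRootDer in its last byte only. */
static const unsigned char kRootDer[] =
    {0x30, 0x82, 0x01, 0x00, 0x30, 0x81, 0xAA, 0x00, 0x02, 0x01, 0x01};
static const unsigned char kUserDer[] =
    {0x30, 0x82, 0x02, 0x00, 0x30, 0x81, 0xBB, 0x00, 0x02, 0x01, 0x02};
static const unsigned char kTamperedRootDer[] =
    {0x30, 0x82, 0x01, 0x00, 0x30, 0x81, 0xAA, 0x00, 0x02, 0x01, 0x03};

static const CertObject kBuiltinObjects[] = {
    { 4097, kRootDer, sizeof kRootDer },
};
static const CertObject kUserDbObjects[] = {
    { 7, kUserDer, sizeof kUserDer },
};
/* Two constructed slots: a built-in root store and a user certificate DB. */
static const Slot kBuiltins = { "builtins", kBuiltinObjects, 1 };
static const Slot kUserDb   = { "userdb",   kUserDbObjects,  1 };

int main(void)
{
    printf("root in builtins:          handle %lu\n",
           find_encoded_cert(&kBuiltins, kRootDer, sizeof kRootDer));
    printf("root in userdb:            handle %lu\n",
           find_encoded_cert(&kUserDb, kRootDer, sizeof kRootDer));
    printf("tampered root in builtins: handle %lu\n",
           find_encoded_cert(&kBuiltins, kTamperedRootDer, sizeof kTamperedRootDer));
    printf("user cert is a built-in root? %d\n",
           cert_is_in_slot(&kBuiltins, kUserDer, sizeof kUserDer));
    return 0;
}
```

The tampered lookup is the case worth noticing: because the match is on the exact encoding, a copy of a root that has been re-encoded or altered by a single byte is simply not found, which is the behaviour the "is this a built-in root" check wants, and the process performing the check never has to run a DER parser over the input.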

Attachment #9160785 - Attachment description: Bug 1649633 - add PK11_FindEncodedCertInSlot r?kjacobs! j?jcj! → Bug 1649633 - add PK11_FindEncodedCertInSlot r?kjacobs!,jcj!
Status: NEW → ASSIGNED
Priority: -- → P1