1649633 - add and expose a function like PK11_FindCertInSlot that takes a SECItem instead of a CERTCertificate

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P1)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler]]

PK11_FindCertInSlot is handy in that it's low-level, but it still takes a CERTCertificate. Firefox would find it useful to be able to call a function like this that takes a SECItem representing an encoded certificate instead of a decoded NSS one.
e.g. we could implement the "is this certificate a built-in root" [0] and "does this certificate come from this particular slot" [1] checks without ever actually decoding certificates.
Eventually our goal is to never use NSS to decode a certificate in either the main Firefox process or content processes (the socket process will still have to decode certificates, but it'll be sandboxed).

[0] https://searchfox.org/mozilla-central/rev/5a4aaccb28665807a6fd49cf48367d47fbb5a19a/security/certverifier/CertVerifier.cpp#208
[1] https://searchfox.org/mozilla-central/rev/5a4aaccb28665807a6fd49cf48367d47fbb5a19a/security/manager/ssl/RootCertificateTelemetryUtils.cpp#82

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: Bug 1649633 - add PK11_FindEncodedCertInSlot r?kjacobs!,jcj!

PK11_FindEncodedCertInSlot can be used to determine the PKCS#11 object handle
of an encoded certificate in a given slot. If the given certificate does not
exist in that slot, CK_INVALID_HANDLE is returned.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: Bug 1649633 - follow-up to make test comparisons in pk11_find_certs_unittest.cc yoda comparisons r?kjacobs

Depends on D81924

Comment 3

[Kevin Jacobs [:kjacobs]]

https://hg.mozilla.org/projects/nss/rev/32fe710a942f240bca76ecbeda671aeb2cf1b8ee
https://hg.mozilla.org/projects/nss/rev/424dae31a1c1a068de5e1db29a95ac8b3baa06a0