Closed Bug 1653029 Opened 5 years ago Closed 5 years ago

avoid passing NSS types to RootCABinNumber

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla80
Tracking Status
firefox80 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

To avoid using NSS types unnecessarily in PSM, we should use Span<uint8_t> instead of SECItem and PK11_FindEncodedCertInSlot instead of passing a PK11SlotInfo (which would require having a CERTCertificate).

PSM internals are currently tightly coupled with NSS data types. In many cases
this is unnecessary, because PSM often needs only a sequence of bytes (in the
case of certificates, for example). This tight coupling can also have
performance and architectural impacts. For example, thread contention for NSS
resources has caused performance issues in the past. This patch starts the
process of avoiding using these types as much as possible in PSM.

More specifically, RootCABinNumber can take a Span<uint8_t> instead of a
SECItem. Instead of taking a PK11SlotInfo (which essentially requires having a
CERTCertificate), we can use PK11_FindEncodedCertInSlot to see if the
certificate exists on a small number of specific slots to achieve the same
effect as before. Doing this should eventually allow us to avoid creating a
CERTCertificate, which implicitly involves searching all slots on all modules.

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5ecde4077049
pass a span of bytes to RootCABinNumber instead of NSS types r=rmf,kjacobs
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Blocks: 1664048