SEC_LookupCrls returns CERTSignedCrl* objects without a slot or object ID

Status: NEW
Assignee: Unassigned
Product: NSS
Component: Libraries
Priority: P2
Severity: normal
Opened: 15 years ago
Updated: 7 years ago
Reporter: Julien Pierre
Description

15 years ago
The CERTSignedCrl* objects returned by the function SEC_LookupCrls do not have a
slot pointer set or CK_OBJECT_HANDLE.

This means that if you want to do things like deleting one of them, you can't
just pass the pointer to SEC_DeletePermCRL. Instead, you need to look it up
again, by extracting the DER issuer out of the CERTSignedCrl*, then doing a
SEC_FindCrlByName on it to get a second CERTSignedCrl*.

This is done for example in PSM currently and I also had to do the same thing in
crlutil to implement the -E option that erases all CRLs from the cert database.

This double-lookup is very inefficient, particularly in the light of bug #170835:
in this enumeration codepath, the CRL cache is currently not used. So, when
you do the second lookup, the CRL ends up being decoded and allocated again.
This can be very bad for large CRLs.

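
The double lookup and its cost, as a small self-contained C model added here (not NSS code and not part of the report): `ModelCrl` and the `model_*` functions are hypothetical stand-ins for CERTSignedCrl, SEC_LookupCrls, SEC_FindCrlByName and SEC_DeletePermCRL, and the three CRLs are constructed sample data.

```c
/* Added model, not NSS code: every name below is a hypothetical stand-in. */
#include <string.h>

#define MAX_CRLS 4
#define INVALID_HANDLE 0UL      /* plays the role of an unset CK_OBJECT_HANDLE */

typedef struct {
    const char *issuer;         /* stands in for the DER issuer name */
    unsigned long handle;       /* token object handle, 0 when unset */
    int has_slot;               /* 1 when the slot pointer is set */
} ModelCrl;

/* Constructed sample database: three CRLs stored on the token. */
static ModelCrl db[MAX_CRLS] = {
    { "CN=CA One", 11, 1 }, { "CN=CA Two", 12, 1 }, { "CN=CA Three", 13, 1 },
};
static int db_count = 3;
static int decode_count = 0;    /* how many times a CRL was decoded */

/* Enumeration path from the report: objects come back without slot or handle. */
static int model_lookup_crls(ModelCrl *out) {
    for (int i = 0; i < db_count; i++) {
        decode_count++;
        out[i] = (ModelCrl){ db[i].issuer, INVALID_HANDLE, 0 };
    }
    return db_count;
}

/* Lookup by issuer: decodes the CRL again, this time with slot and handle. */
static int model_find_by_name(const char *issuer, ModelCrl *out) {
    for (int i = 0; i < db_count; i++)
        if (strcmp(db[i].issuer, issuer) == 0) { decode_count++; *out = db[i]; return 0; }
    return -1;
}

/* Deletion needs the slot and handle to address the token object. */
static int model_delete_perm(const ModelCrl *crl) {
    if (!crl->has_slot || crl->handle == INVALID_HANDLE) return -1;
    for (int i = 0; i < db_count; i++)
        if (db[i].handle == crl->handle) { db[i] = db[--db_count]; return 0; }
    return -1;
}

/* The "erase all" workaround: enumerate, then look each CRL up a second time. */
static int model_erase_all(void) {
    ModelCrl listed[MAX_CRLS], found;
    int n = model_lookup_crls(listed), deleted = 0;
    for (int i = 0; i < n; i++)
        if (model_find_by_name(listed[i].issuer, &found) == 0 &&
            model_delete_perm(&found) == 0) deleted++;
    return deleted;
}
```

In the model, erasing three CRLs costs six decodes; returning the slot and handle from the enumeration would make the second lookup unnecessary.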
Not returning valid slot pointers and object handles seems like a bug.
CRL issues seem like they're P2.
Priority: -- → P2
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries