SEC_LookupCrls returns CERTSignedCrl* objects without a slot or object ID



15 years ago
7 years ago


(Reporter: Julien Pierre, Unassigned)






15 years ago
The CERTSignedCrl* objects returned by the function SEC_LookupCrls do not have a
slot pointer set or CK_OBJECT_HANDLE.

This means that if you want to do things like deleting one of them, you can't
just pass the pointer to SEC_DeletePermCRL. Instead, you need to look it up
again, by extracting the DER issuer out of the CERTSignedCrl*, then doing a
SEC_FindCrlByName on it to get a second CERTSignedCrl*.

This is done for example in PSM currently and I also had to do the same thing in
crlutil to implement the -E option that erases all CRLs from the cert database.

This double-lookup is very inefficient, particularly in the light of bug #170835:
in this enumeration codepath, the CRL cache is currently not used. So, when
you do the second lookup, the CRL ends up being decoded and allocated again.
This can be very bad for large CRLs.

Not returning valid slot pointers and object handles seems like a bug.
CRL issues seem like they're P2.

Priority: -- → P2
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries