Open Bug 1770921 Opened 2 years ago Updated 6 months ago

PK11_VerifyWithMechanism spends half the time just verifying the passed in signature

Categories

(NSS :: Libraries, enhancement, P3)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

People

(Reporter: emilio, Unassigned)

References

Details

And there doesn't seem to be any great way to tell it "I know my signature is ok".

Profile: https://share.firefox.dev/3NykzQo

(presumably signature was intended to be public key)

Looking at PK11_VerifyWithMechanism, if the key hasn't already been imported into softoken, it imports (and verifies) it. CryptoKey::PublicKeyValid imports (and verifies) the key, but then deletes the imported copy (if I understand correctly). Perhaps it shouldn't be destroying the key, since it's probably about to be used? (this would avoid double-verifying it)

Emilio, did Dana's suggestion help? We can look into this further if you think we're performing redundant public key validation steps.

Type: defect → enhancement
Flags: needinfo?(emilio)
Priority: -- → P3

So, re-using the generated key (https://phabricator.services.mozilla.com/D147648) does avoid verifying it over and over, though we leak it. I implemented Dana's suggestion in https://phabricator.services.mozilla.com/D147650, and yeah that should avoid all extra work for the most part.

Signature verification performance is still not amazing, but with that most of the overhead is gone.

Flags: needinfo?(emilio)
Severity: -- → S4
You need to log in before you can comment on or make changes to this bug.