Closed Bug 1774657 Opened 3 years ago Closed 2 years ago

Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

Attachments

(2 files)

When we update a dbm database to sqlite, dbm exports empty trust objects, which sqlite duplicates. In the sqlite db, trust objects are authenticated with an HMAC based on the password. This means if you are logged into the database, accessing these trust objects can be slow as we have to check for the HMAC on each entry.

To mitigate this, we should 1) skip the integrity check if the attribute value is the default attribute value (this is safe because if we fail the integrity check, the attribute will be treated as the default), and 2) fix dbm to not export trust objects if the underlying trust object just had the USER bit on (which means the cert has a corresponding private key).

Downstream patch is included for reference; a Phabricator patch will follow.

Assignee: nobody → rrelyea
Status: NEW → ASSIGNED
Severity: -- → S3
Priority: -- → P3
Target Milestone: --- → 3.81

This patch solves the problems in 3 ways:

  1. The initial underlying issue is solved by not generating a trust record for user certs if they have default trust values (lib/softoken/legacydb/pcertdb.c).
    This will cause new databases created from old dbm databases to function normally.

  2. Skip the integrity check if the record we are reading is already the default trust value (lib/softoken/sftkdb.c). This will improve the performance of reading sqlite databases that were created from the old dbm databases before patch 1, so that they perform reasonably.

  3. Increase the cache count (lib/softoken/lowpbe.c). This affects applications which do multiple private key operations on the same private keys. Usually high speed operations would copy the keys to a session key for better performance, but sometimes that's not possible. This allows up to 20 RSA keys to be referenced by the application without a performance hit from the PBE checking integrity and/or decrypting the key entry.
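
An added illustration, not NSS code and not part of the patch, of why change 2 is safe and what it saves: both readers return the same value for every record, tampered or not, while the second one only pays for the integrity check on non-default records. `toy_mac` is a non-cryptographic stand-in for the password-derived HMAC, and every name, the default value 0 and the records are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define TRUST_DEFAULT 0u            /* hypothetical "no trust set" value */
static unsigned long mac_calls;     /* counts the expensive integrity checks */
struct trust_rec { uint32_t id, value, mac; };

/* Stand-in for the password-derived HMAC: a keyed FNV-1a mix, NOT a real MAC. */
static uint32_t toy_mac(uint32_t key, uint32_t id, uint32_t value) {
    uint32_t in[2] = { id, value }, h = 2166136261u ^ key;
    mac_calls++;
    for (int i = 0; i < 2; i++)
        for (int b = 0; b < 32; b += 8)
            h = (h ^ ((in[i] >> b) & 0xffu)) * 16777619u;
    return h;
}

/* Before: every read is verified; a failed check yields the default value. */
static uint32_t read_always_verify(uint32_t key, const struct trust_rec *r) {
    return toy_mac(key, r->id, r->value) == r->mac ? r->value : TRUST_DEFAULT;
}

/* After: a stored default is returned as-is, since a failed check gives the same. */
static uint32_t read_skip_default(uint32_t key, const struct trust_rec *r) {
    return r->value == TRUST_DEFAULT ? TRUST_DEFAULT : read_always_verify(key, r);
}

/* Reads n constructed records both ways; returns how many results differ. */
static int compare_readers(uint32_t n, unsigned long *always, unsigned long *skip) {
    const uint32_t key = 0x5eedu;   /* constructed key, stands for the password */
    int differ = 0;
    *always = *skip = 0;
    for (uint32_t i = 0; i < n; i++) {
        struct trust_rec r = { i, i % 10 ? TRUST_DEFAULT : 0x10u + i, 0 };
        r.mac = toy_mac(key, r.id, r.value);
        if (i % 40 == 0) r.value = TRUST_DEFAULT;   /* tamper: reset to default */
        else if (i % 20 == 0) r.value ^= 4u;        /* tamper: flip a trust bit */
        if (i % 7 == 3) r.mac ^= 1u;                /* tamper: corrupt the MAC  */
        mac_calls = 0; uint32_t a = read_always_verify(key, &r); *always += mac_calls;
        mac_calls = 0; uint32_t b = read_skip_default(key, &r);  *skip += mac_calls;
        differ += (a != b);
    }
    return differ;
}

int main(void) {
    unsigned long always, skip;
    int differ = compare_readers(1000, &always, &skip);
    printf("differ=%d checks: always=%lu skip-default=%lu\n", differ, always, skip);
    return 0;
}
```

The equivalence holds only because the failure result of the check is the default value itself; a reader that reported an error on a failed check could not take this shortcut without changing behaviour.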

Blocks: 1821434
Duplicate of this bug: 1788739

Comment on attachment 9309270 [details]
Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.

Revision D165221 was moved to bug 1774659. Setting attachment 9309270 [details] to obsolete.

Attachment #9309270 - Attachment is obsolete: true
Attachment #9309270 - Attachment is obsolete: false
Attachment #9309270 - Attachment description: WIP: Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. → Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Regressions: 1835357