Closed Bug 1911354 Opened 6 months ago Closed 6 months ago

Remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber

Categories

(NSS :: Libraries, enhancement, P3)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jschanck, Assigned: jschanck)

Details

Attachments

(1 file)

Bug 1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber. r=rrelyea
48 bytes, text/x-phabricator-request
Details | Review

The nssToken_FindCertificateByIssuerAndSerialNumber function tries to find a certificate object on a token matching a particular issuer and serial number. Upon failing to find matching certificate, the function will remove the DER wrapper on the serial number and repeat the search. This was a workaround for a bug in early versions of NSS. As the affected versions are now over 22 years old, we can remove the mitigation.

https://hg.mozilla.org/projects/nss/rev/5f64228771f9aed094b58af789d6b22a0e0d1bb4

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED

So I need to be careful here. The search change wasn't just because of softoken, but also because of other PKCS #11 tokens. I think we are probably OK with this one, but some of these are really PKCS #11 compatibility issue... and some tokens have some pretty lone lifetimes (though even 22 years is pushing it). Upshot: I think this one is fine (well until we find the token that changed their code to handle our unwrapped serial numbers and never changed backed).

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: