Remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber
Categories
(NSS :: Libraries, enhancement, P3)
Tracking
(Not tracked)
People
(Reporter: jschanck, Assigned: jschanck)
Attachments
(1 file)
The nssToken_FindCertificateByIssuerAndSerialNumber function tries to find a certificate object on a token matching a particular issuer and serial number. Upon failing to find a matching certificate, the function will remove the DER wrapper on the serial number and repeat the search. This was a workaround for a bug in early versions of NSS. As the affected versions are now over 22 years old, we can remove the mitigation.
Comment 1 (Assignee)•1 year ago
Comment 2 (Assignee)•1 year ago
Comment 3•1 year ago
So I need to be careful here. The search change wasn't just because of softoken, but also because of other PKCS #11 tokens. I think we are probably OK with this one, but some of these are really PKCS #11 compatibility issues... and some tokens have some pretty long lifetimes (though even 22 years is pushing it). Upshot: I think this one is fine (well, until we find the token that changed their code to handle our unwrapped serial numbers and never changed back).
Comment 4•5 months ago
This change causes a regression in Thunderbird with smartcard decryption, bug 1982742.
(We also have other smartcard related bug reports in TB 140, but it isn't yet clear what causes them, for example bug 1979650.)
As I understand it, the intention was a cleanup, but now we have confirmation that the removed code is still required for proper functionality.
Could this get backed out and released with an NSS 3.104.1 bugfix release and uplifted to mozilla-esr140?
Comment 5•5 months ago
(In reply to Kai Engert [:KaiE:] from comment #4)
> Could this get backed out and released with an NSS 3.104.1 bugfix release and uplifted to mozilla-esr140?
Sorry, false version suggestion.
mozilla-esr140 uses 3.112, which means we'd need an NSS 3.112.1.
Comment 6•5 months ago
I wonder if it might be worth using the quick decoder here rather than a hand ASN.1 decode. It's more overhead, but less code review overhead, and the failing case is likely not too common. If you are looking up a cert by issuer/SN then the user has pretty high expectations that the cert he's looking for is there.
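The fallback discussed in this bug retries the lookup with the DER INTEGER header stripped from the serial number, which means hand-parsing a tag and length from caller-supplied bytes. The following is an added example, not NSS source and not the patch attached to this bug; the function name `der_unwrap_integer` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustration only (not NSS code). Strips the DER INTEGER header
 * (tag 0x02 plus length octets) and points *val at the content bytes
 * inside `der`. Returns 0 on success, -1 unless the input is exactly one
 * well-formed INTEGER. Does not enforce DER's minimal-length rule. */
int der_unwrap_integer(const unsigned char *der, size_t der_len,
                       const unsigned char **val, size_t *val_len)
{
    size_t len, hdr = 2;

    if (der == NULL || der_len < 3 || der[0] != 0x02)
        return -1;              /* need tag, length and >= 1 content byte */

    if (der[1] & 0x80) {        /* long form: low 7 bits count length octets */
        size_t n = der[1] & 0x7f, i;
        if (n == 0 || n > sizeof(size_t) || der_len < 2 + n)
            return -1;          /* 0x80 is indefinite length, invalid in DER */
        len = 0;
        for (i = 0; i < n; i++)
            len = (len << 8) | der[2 + i];
        hdr += n;
    } else {
        len = der[1];           /* short form: length 0..127 */
    }

    if (len == 0 || len != der_len - hdr)
        return -1;              /* empty, truncated, or trailing bytes */

    *val = der + hdr;
    *val_len = len;
    return 0;
}

/* Constructed samples: serial 0x010001 as a DER INTEGER, and a cut-off copy. */
static const unsigned char SAMPLE_WRAPPED[] = { 0x02, 0x03, 0x01, 0x00, 0x01 };
static const unsigned char SAMPLE_TRUNCATED[] = { 0x02, 0x03, 0x01, 0x00 };

int main(void)
{
    const unsigned char *v; size_t n, i;
    if (der_unwrap_integer(SAMPLE_WRAPPED, sizeof SAMPLE_WRAPPED, &v, &n) != 0)
        return 1;
    printf("unwrapped serial (%zu bytes):", n);
    for (i = 0; i < n; i++) printf(" %02x", v[i]);
    printf("\n");
    return 0;
}
```

A token that compares the serial attribute byte for byte treats the 5-byte wrapped form and the 3-byte unwrapped form as different values, which is why the second search could succeed where the first did not.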