Closed Bug 216944 Opened 21 years ago Closed 20 years ago

CERT_VerifyCertificate optimizations issues

Categories

(NSS :: Libraries, defect)


RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: julien.pierre)


Attachments

(1 file)

A year ago, I created this function to be able to check multiple usages at once. There were several purposes:

1) it simplified the application code, which no longer had to make several function calls when it needed to check more than one usage

2) performance optimizations. It was possible to only do a single OCSP revocation check, signature check, and CRL revocation check. The latter two were done by adding two parameters to __CERT_VerifyCertChain for checking the signature and the CRL respectively. They were only checked for the first usage.

However, it turns out that there are issues with this. When calling CERT_VerifyCertChain, the chain that is examined varies depending on the usage. Specifically, CERT_FindCertIssuer takes a usage argument, so that it can find the matching issuing certificate. So in fact, for each usage, we may end up verifying a different cert chain, which invalidates the optimizations for CRL checking and signature verification as implemented today.

This issue can be resolved in one of two ways:

1) eliminating the optimizations for CRL checking and signature verification. Eliminating the multiple CRL checking is OK, because if we go to the same CRL, the CRL cache will be in place already, and the second lookup will be nearly free. The signature check optimization is not as easy. If we rip it out, there will be a performance impact, even if the multiple chains are identical.

2) eliminating the optimization for CRL checking, and rewriting the signature verification optimization. This would involve modifying CERT_VerifyCertChain. It would basically need to save each cert chain after it verifies one usage, so that it's possible to compare that chain with the new one when verifying a different usage, and skip the signature verification for certs that appear in previously verified chains.

The only optimization that can remain safely from CERT_VerifyCertificate is the single OCSP check, since we only check OCSP on the leaf cert, at a higher level.
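The flaw described in the report above, as an added example that is not part of the bug report and is not NSS code: a simplified model in which the issuer of one intermediate depends on the usage, comparing "verify signatures for the first usage only" with a cache in the spirit of solution 2. The `Cert` struct, the function names, the sample chain, and the choice to key the cache on the (cert, issuer) link are all assumptions of this example.

```c
/* Simplified model of the issue; not NSS code. All names and data are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
enum { USAGES = 2, NCERTS = 5 };
typedef struct Cert {
    int id;
    bool sig_ok[USAGES];               /* signature verifies under issuer[u]? */
    const struct Cert *issuer[USAGES]; /* issuer picked per usage; NULL = trust anchor */
} Cert;
static const Cert root = { 0, { true, true },   { NULL, NULL } };
static const Cert ca_a = { 1, { true, true },   { &root, &root } };
static const Cert ca_b = { 2, { false, false }, { &root, &root } }; /* bad signature */
static const Cert sub  = { 3, { true, true },   { &ca_a, &ca_b } }; /* issuer differs by usage */
static const Cert leaf = { 4, { true, true },   { &sub, &sub } };
static int sig_checks; /* number of expensive signature verifications performed */
static bool check_sig(const Cert *c, int u) { sig_checks++; return c->sig_ok[u]; }

/* Original optimization: signatures are verified for the first usage only. */
static unsigned verify_first_usage_only(const Cert *c0) {
    unsigned ok = 0;
    for (int u = 0; u < USAGES; u++) {
        bool good = true;
        for (const Cert *c = c0; c->issuer[u] && good; c = c->issuer[u])
            if (u == 0) good = check_sig(c, u);
        if (good) ok |= 1u << u;
    }
    return ok; /* bitmask of usages reported valid */
}

/* Solution 2: skip only (cert, issuer) links already verified in an earlier chain. */
static unsigned verify_with_cache(const Cert *c0) {
    bool seen[NCERTS][NCERTS] = { { false } };
    unsigned ok = 0;
    for (int u = 0; u < USAGES; u++) {
        bool good = true;
        for (const Cert *c = c0; c->issuer[u] && good; c = c->issuer[u]) {
            if (seen[c->id][c->issuer[u]->id]) continue;
            good = check_sig(c, u);
            seen[c->id][c->issuer[u]->id] = good;
        }
        if (good) ok |= 1u << u;
    }
    return ok;
}

int main(void) {
    printf("first-usage-only 0x%x, link cache 0x%x\n", verify_first_usage_only(&leaf), verify_with_cache(&leaf));
    return 0;
}
```

In this constructed chain the first-usage-only variant reports both usages valid although the second chain contains a certificate with a bad signature, while the link cache rejects the second usage and still saves one of the six signature checks a fully unoptimized run would make.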
Attachment #130209 - Flags: review?(wtc)
Comment on attachment 130209: patch using solution 1 - remove both CRL and signature optimizations

r=wtc. The checkedChain local variable is now useless and should also be removed. Other than that, this patch is good. Remember to remove it before you check in the patch. Would be good to ask Bob, Nelson, or Ian what they think is the best solution.
Attachment #130209 - Flags: review?(wtc) → review+
This fix was checked in:

revision 1.34
date: 2003/08/22 18:47:07; author: jpierre%netscape.com; state: Exp; lines: +19 -25
Fix for bug 216944 - CERT_VerifyCertificate optimizations issues . r= wtc
Assignee: wtchang → julien.pierre.bugs
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
This fix is in NSS 3.9.
Target Milestone: --- → 3.9