Bug 216944: CERT_VerifyCertificate optimizations issues
Closed. Opened 21 years ago, closed 20 years ago.
Categories: NSS :: Libraries, defect
Tracking: Not tracked
Status: RESOLVED FIXED, 3.9
People: Reporter: julien.pierre, Assigned: julien.pierre
Attachments (1 file): patch, 3.12 KB; wtc: review+

Description
A year ago, I created this function to be able to check multiple usages at once.
There were several purposes:
1) it simplified the application code, which no longer had to make several
function calls when it needed to check more than one usage
2) performance optimizations.
It was possible to only do a single OCSP revocation check, signature check, and
CRL revocation check. The latter two were done by adding two parameters to
__CERT_VerifyCertChain for checking the signature and the CRL respectively. They
were only checked for the first usage.
However, it turns out that there are issues with this.
When calling CERT_VerifyCertChain, the chain that is examined varies depending
on the usage. Specifically, CERT_FindCertIssuer takes a usage argument, so that
it can find the matching issuing certificate.
So in fact, for each usage, we may end up verifying a different cert chain,
which invalidates the optimizations for CRL checking and signature verification
as implemented today.
This issue can be resolved in one of two ways:
1) eliminating the optimizations for CRL checking and signature verification.
Eliminating the multiple CRL checking is OK, because if we go to the same CRL,
the CRL cache will be in place already, and the second lookup will be nearly free.
The signature check optimization is not as easy. If we rip it out, there will be
performance impact, even if the multiple chains are identical.
2) eliminating the optimization for CRL checking, and rewriting the signature
verification optimization
This would involve modifying CERT_VerifyCertChain. It would basically need to
save each cert chain after it verifies one usage, so that it's possible to
compare that chain with the new one when verifying a different usage, and skip
the signature verification for certs that appear in previously verified chains.
The only optimization that can remain safely from CERT_VerifyCertificate is the
single OCSP check, since we only check OCSP on the leaf cert, at a higher level.
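
Added example, not code from NSS or from this bug's patch: a toy C model of the per-link signature cache that solution 2 describes, next to the first-usage-only shortcut that breaks when the chain differs per usage. The integer certificate ids, the `SigCache` type, every function name and the rule that one link fails to verify are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_LINKS 16
typedef struct { int cert, issuer; } Link;
typedef struct {
    Link seen[MAX_LINKS]; /* links whose signature has already been verified */
    size_t n;
    int sig_checks;       /* count of expensive signature checks performed */
} SigCache;

/* Stand-in for the real check. Constructed rule: cert 1 under issuer 30 fails. */
static bool check_sig(int cert, int issuer) { return !(cert == 1 && issuer == 30); }

static bool cached(const SigCache *c, int cert, int issuer) {
    for (size_t i = 0; i < c->n; i++)
        if (c->seen[i].cert == cert && c->seen[i].issuer == issuer) return true;
    return false;
}

/* Solution 2 sketch: verify one usage's chain (leaf first, root last), skipping
 * only the links that were verified in a previously checked chain. */
bool verify_chain_cached(SigCache *c, const int *chain, size_t len) {
    for (size_t i = 0; i + 1 < len; i++) {
        if (cached(c, chain[i], chain[i + 1])) continue;
        c->sig_checks++;
        if (!check_sig(chain[i], chain[i + 1])) return false;
        if (c->n < MAX_LINKS) c->seen[c->n++] = (Link){chain[i], chain[i + 1]};
    }
    return true;
}

/* The shortcut the report describes: signatures checked for the first usage only. */
bool verify_first_usage_only(const int *chain, size_t len, bool first_usage) {
    if (!first_usage) return true; /* assumes this is the chain already checked */
    for (size_t i = 0; i + 1 < len; i++)
        if (!check_sig(chain[i], chain[i + 1])) return false;
    return true;
}

/* Constructed chains for leaf 1 under different usages: issuer or root differs. */
static const int CHAIN_A[] = {1, 20, 100}, CHAIN_B[] = {1, 30, 100}, CHAIN_C[] = {1, 20, 200};

/* Verify CHAIN_A, then `second`; returns total signature checks, or -1 if rejected. */
int checks_for_two_usages(const int *second) {
    SigCache c = {0};
    if (!verify_chain_cached(&c, CHAIN_A, 3) || !verify_chain_cached(&c, second, 3)) return -1;
    return c.sig_checks;
}
```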

Comment 1 • 21 years ago (Assignee)

Updated • 21 years ago (Assignee)
Attachment #130209 - Flags: review?(wtc)

Comment 2 • 21 years ago
Comment on attachment 130209
patch using solution 1 - remove both CRL and signature optimizations
r=wtc.
The checkedChain local variable is now useless
and should also be removed. Other than that,
this patch is good. Remember to remove it before
you check in the patch.
Would be good to ask Bob, Nelson, or Ian what
they think is the best solution.
Attachment #130209 - Flags: review?(wtc) → review+

Comment 3 • 20 years ago (Assignee)
This fix was checked in:
revision 1.34
date: 2003/08/22 18:47:07; author: jpierre%netscape.com; state: Exp; lines: +19 -25
Fix for bug 216944 - CERT_VerifyCertificate optimizations issues . r= wtc
Assignee: wtchang → julien.pierre.bugs

Updated • 20 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED