Open Bug 391476 Opened 17 years ago Updated 2 years ago

propagate check signature flag within libpkix to avoid unnecessary certificate signature checks

Categories

(NSS :: Libraries, enhancement, P3)

enhancement

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: alvolkov.bgs, Assigned: rrelyea)

References

Details

(Whiteboard: PKIX)

One of the argument of CERT_VerifyCert is checkSign flag. The function will not check certificate signature if this flag is set to PR_FALSE.

This feature will probably be needed in libpkix code.
Whiteboard: PKIX
Alexei, in our conversation last friday, I thought you told me that libPKIX
caches the chains, including the information about the validity of the 
signatures, so that it would not re-verify the signatures on the same 
chain over and over, even if the same chain was evaluated repeatedly for 
different usages.  Did I misunderstand?
No, you are correct. I forgot the fact that libpkix has cert chain cache that means that this flag should not be used in libpkix interface function at all
since the library already provides such optimization.
So, is this bug invalid, then?
Well, no. I guess there is no way to tell libpkix not to check the signature currently. It's always checked, but it may be cached so it would be very efficient. Is the purpose of the caller is to save CPU cycles, then we could just ignore the argument. But if he really wants to validate chains with invalid signatures, then I guess libpkix needs to be changed to do that ...
Assignee: nobody → alexei.volkov.bugs
Version: 3.12 → trunk
Priority: -- → P3
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---

Need this to fix a problem in ocsp responses

Assignee: alvolkov.bgs → rrelyea
Blocks: 1672291
Status: NEW → ASSIGNED
QA Contact: jjones
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.