Open
Bug 391476
Opened 17 years ago
Updated 2 years ago
propagate check signature flag within libpkix to avoid unnecessary certificate signature checks
Categories
(NSS :: Libraries, enhancement, P3)
Tracking
(Not tracked)
ASSIGNED
People
(Reporter: alvolkov.bgs, Assigned: rrelyea)
References
Details
(Whiteboard: PKIX)
One of the arguments of CERT_VerifyCert is the checkSign flag. The function will not check the certificate signature if this flag is set to PR_FALSE. This feature will probably be needed in libpkix code.
Reporter
Updated•17 years ago
Whiteboard: PKIX
Comment 1•17 years ago
Alexei, in our conversation last Friday, I thought you told me that libPKIX caches the chains, including the information about the validity of the signatures, so that it would not re-verify the signatures on the same chain over and over, even if the same chain was evaluated repeatedly for different usages. Did I misunderstand?
Reporter
Comment 2•17 years ago
No, you are correct. I forgot the fact that libpkix has a cert chain cache, which means that this flag should not be used in the libpkix interface function at all, since the library already provides such an optimization.
Comment 3•17 years ago
So, is this bug invalid, then?
Comment 4•17 years ago
Well, no. I guess there is no way to tell libpkix not to check the signature currently. It's always checked, but it may be cached so it would be very efficient. If the purpose of the caller is to save CPU cycles, then we could just ignore the argument. But if he really wants to validate chains with invalid signatures, then I guess libpkix needs to be changed to do that ...
Updated•17 years ago
Assignee: nobody → alexei.volkov.bugs
Version: 3.12 → trunk
Updated•17 years ago
Priority: -- → P3
Comment 5•15 years ago
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---
Assignee
Comment 6•4 years ago
Need this to fix a problem in OCSP responses.
Updated•2 years ago
Severity: normal → S3