As part of path validation, PKIX_PL_Cert_IsCertTrusted fetches the desired certificate usage from the NSS global context pointer (plContext). plContext->certificateUsage is of type SECCertificateUsage. Instead of being in the global context, we should instead pass this in as a validation parameter. Since the validation parameters are at the PKIX_* level (not PKIX_PL_*), should we provide an abstraction layer so that the SECCertificate type is reflected as part of the PKIX_* namespace?
It seems to me that *plContext should never be "global". There should be one per thread. And as David Barron noted in Bug 391775, the way we use it now, the context's arena just grows boundlessly for the lifetime of the process. Creating one context per thread doesn't fix that, by itself, but with such a context, it is possible to "mark" and "release" the thread's arenapool between operations to avoid such boundless growth.
Yes, Alexei already has another bug on that - 391244.
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Summary: certificate usage is part of the NSS global state context → certificate usage is part of the libPKIX global state context
Target Milestone: --- → 3.12
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 387024