Closed
Bug 754365
Opened 13 years ago
Closed 7 years ago
Refactor SSL certificate verification logic in preparation for in-memory caching of cert chain verification results
Categories
(Core :: Security: PSM, defect)
RESOLVED
WONTFIX
People
(Reporter: briansmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [psm-backlog])
My plan for bug 679144 is to cache the cert verification results so that we can retrieve those results in HandshakeCallback for resumption handshakes, so that we do not need to access the DocShell at all, so we can remove the use of SyncRunnableBase.
This series of patches will make SSLServerCertVerificationResult an acceptable structure for use as an entry in the cache, by removing the reference to the infoObject and adding additional information.
This series of patches also addresses Honza's previous concern that there is too much duplication of logic between the async and synchronous cases of SSL server cert verification. At the end of this series, the two cases will behave identically, with the async version simply using the sync version on the background thread.
I am not done with the patches for bug 679144, but I would like to get these changes checked in in the interim to avoid bitrot.
Reporter • Updated 13 years ago
Blocks: CVE-2011-0082
Reporter • Updated 12 years ago
Assignee: nobody → bsmith
Reporter • Comment 1 • 12 years ago
devd: It is unlikely I will be able to work on this, but you may be able to use the unfinished work:
https://hg.mozilla.org/users/bsmith_mozilla.com/standalone-cert-validation
In particular, see:
https://hg.mozilla.org/users/bsmith_mozilla.com/standalone-cert-validation/file/b7af2b6e295e/security/manager/ssl/src/SSLServerCertVerification.h
and
https://hg.mozilla.org/users/bsmith_mozilla.com/standalone-cert-validation/file/b7af2b6e295e/security/manager/ssl/tests/RunSSLServerCertVerification.cpp
You can see which prefs control which behaviors by looking at nsNSSComponent::setValidationOptions. Any time you change the prefs, you need to get a new nsCERTValInParamWrapper by calling GetDefaultCertValOptions().
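The caching design described in this bug, sketched as an added example (not code from the bug's patches or from PSM): the cached result holds no reference to per-connection state, and a resumption handshake consults only the cache. All names here are hypothetical, and keying entries on a validation-options generation counter is an assumption drawn from the note above that changed prefs require a new options object.

```cpp
#include <map>
#include <mutex>
#include <string>
#include <tuple>

// Hypothetical result entry: no pointer back to the socket's info object, so it can outlive it.
struct VerificationResult {
  int errorCode;  // 0 = chain verified
  bool isEV;      // example of extra information carried in the entry
};

// Hypothetical key: (cert digest, hostname, validation-options generation; bumped on pref change).
using CacheKey = std::tuple<std::string, std::string, unsigned>;

class VerificationCache {
 public:
  void Put(const CacheKey& key, const VerificationResult& r) {
    std::lock_guard<std::mutex> lock(mMutex);
    mEntries[key] = r;
  }
  bool Get(const CacheKey& key, VerificationResult* out) const {
    std::lock_guard<std::mutex> lock(mMutex);
    auto it = mEntries.find(key);
    if (it == mEntries.end()) return false;
    *out = it->second;
    return true;
  }
 private:
  mutable std::mutex mMutex;  // handshakes may run on several threads
  std::map<CacheKey, VerificationResult> mEntries;
};

// Stand-in for real chain validation (constructed rule, not NSS behaviour).
VerificationResult VerifySync(const std::string& certDigest, const std::string& host) {
  bool ok = !certDigest.empty() && !host.empty();
  return VerificationResult{ok ? 0 : -1, false};
}

// Full handshake: verify once, then store the self-contained result.
VerificationResult VerifyAndCache(VerificationCache& cache, const CacheKey& key) {
  VerificationResult r = VerifySync(std::get<0>(key), std::get<1>(key));
  cache.Put(key, r);
  return r;
}

// Resumption handshake: cache lookup only; a miss or a cached failure is rejected.
bool AcceptResumption(const VerificationCache& cache, const CacheKey& key) {
  VerificationResult r{-1, false};
  return cache.Get(key, &r) && r.errorCode == 0;
}
```

Because the options generation is part of the key, results verified under old prefs are never reused after the prefs change, so a resumption then falls back to a miss and is rejected.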
Reporter • Updated 11 years ago
Assignee: brian → nobody
Updated 9 years ago
Whiteboard: [psm-backlog]
Updated 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX