From abdfd947996218f03afa2cca883592380c47c835 Mon Sep 17 00:00:00 2001 From: Dana Keeler Date: Wed, 20 Apr 2022 17:59:01 +0000 Subject: [PATCH] Bug 1763524 - handle the builtin roots module better when scanning for client certificates r=jschanck Scanning for client certificates involves looking through each slot in each PKCS#11 module. There may be many certificates that don't have corresponding private keys in the NSS softoken, so it's more efficient to search for private keys and then find any matching certificates. This reasoning also applies to the NSS builtin roots module, which is the change this patch makes. Differential Revision: https://phabricator.services.mozilla.com/D143859 --- security/manager/ssl/nsNSSComponent.cpp | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp index 58b5eb783991..53eef93d0940 100644 --- a/security/manager/ssl/nsNSSComponent.cpp +++ b/security/manager/ssl/nsNSSComponent.cpp @@ -2677,11 +2677,15 @@ UniqueCERTCertList FindClientCertificatesWithPrivateKeys() { PK11SlotInfo* slot = list->module->slots[i]; MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" slot '%s'", PK11_GetSlotName(slot))); - // If this is the internal certificate/key slot, there may be many more - // certificates than private keys, so search by private keys. - if (internalSlot.get() == slot) { + // If this is the internal certificate/key slot or the slot on the + // builtin roots module, there may be many more certificates than private + // keys, so search by private keys (PK11_HasRootCerts will be true if the + // slot contains an object with the vendor-specific CK_CLASS + // CKO_NSS_BUILTIN_ROOT_LIST, which should only be the case for the NSS + // builtin roots module). + if (internalSlot.get() == slot || PK11_HasRootCerts(slot)) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, - (" (looking at internal slot)")); + (" (looking at internal/builtin slot)")); if (PK11_Authenticate(slot, true, nullptr) != SECSuccess) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, (" (couldn't authenticate)")); continue;