gecko-dev

David Keeler af0ce9fbd6 bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj Calling VFY_VerifyDigestDirect causes the provided SECKEYPublicKey to be reimported to the softoken regardless of if it already exists on it. EC keys must be verified upon import (to see if the point is on the curve to avoid some small subgroup attacks), and so repeatedly doing this with a static key (say, for example, a key corresponding to a built-in certificate transparency log) is inefficient. This patch alters the certificate transparency implementation to import these keys each once and then use PK11_Verify for ECDSA signature verification, which doesn't have the same drawback. Since this change causes CertVerifier to hold an NSS resource (via its MultiLogCTVerifier having a list of CTLogVerifier, each of which now has a SECKEYPublicKey), nsNSSComponent has to make sure it goes away before shutting down NSS. This patch ensures this happens in nsNSSComponent::ShutdownNSS(). MozReview-Commit-ID: 6VSmz7S53y2 --HG-- extra : rebase_source : 4994db9de80a6c1aec3d7e322ff30d040140ce92	2017-04-11 14:11:28 -07:00
..
gtest	bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj	2017-04-11 14:11:28 -07:00

David Keeler af0ce9fbd6 bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj

Calling VFY_VerifyDigestDirect causes the provided SECKEYPublicKey to be
reimported to the softoken regardless of if it already exists on it. EC keys
must be verified upon import (to see if the point is on the curve to avoid some
small subgroup attacks), and so repeatedly doing this with a static key (say,
for example, a key corresponding to a built-in certificate transparency log) is
inefficient. This patch alters the certificate transparency implementation to
import these keys each once and then use PK11_Verify for ECDSA signature
verification, which doesn't have the same drawback.

Since this change causes CertVerifier to hold an NSS resource (via its
MultiLogCTVerifier having a list of CTLogVerifier, each of which now has a
SECKEYPublicKey), nsNSSComponent has to make sure it goes away before shutting
down NSS. This patch ensures this happens in nsNSSComponent::ShutdownNSS().

MozReview-Commit-ID: 6VSmz7S53y2

--HG--
extra : rebase_source : 4994db9de80a6c1aec3d7e322ff30d040140ce92

2017-04-11 14:11:28 -07:00

gtest

bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj

2017-04-11 14:11:28 -07:00