
Add a binary search for CRL

Open tmael opened this issue 3 years ago • 2 comments

Description

This PR improves the performance of CRLs containing revoked certs ordered by certificate serial number.

Initial parsing of the CRL and checking certificates against a parsed CRL are time-sensitive operations and must be designed for efficiency.

When checking a revoked cert against a parsed CRL, instead of using a linked list for revoked certs, you can configure static arrays and perform a binary search:

CFLAGS="-DCRL_STATIC_REVOKED_LIST -DCRL_MAX_REVOKED_CERTS=x"

CRL_STATIC_REVOKED_LIST enables static arrays instead of dynamic memory allocations. The default value of CRL_MAX_REVOKED_CERTS is 4, and it can be changed with CRL_MAX_REVOKED_CERTS=x, where x specifies the number of buffers for revoked certs in CRL_Entry, up to a maximum of 22000.

Fixes zd#

Testing

Tested by generating a CRL with many serial numbers.

./configure --enable-debug --disable-shared --enable-all --enable-crl CFLAGS="-DCRL_USE_CERT_BUFFERS -DCRL_MAX_REVOKED_CERTS=8" && make

Checklist

  • [ ] added tests
  • [ ] updated/added doxygen
  • [ ] updated appropriate READMEs
  • [ ] Updated manual and documentation

tmael avatar Sep 06 '22 17:09 tmael
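As an added illustration of the static-array approach the PR describes (this is not wolfSSL's own code; the RevokedCert and CRL_Entry layouts, the MAX_SERIAL_SZ bound, and the function names are assumptions), a fixed-capacity table of revoked serials kept sorted on insert and queried with a binary search:

```c
/* Added example, not wolfSSL's code: sorted static table of revoked serials
 * plus binary search, as the PR describes. Struct layouts are assumed. */
#include <string.h>
#define CRL_MAX_REVOKED_CERTS 8 /* table capacity, as in the PR's CFLAGS */
#define MAX_SERIAL_SZ 20        /* RFC 5280 caps serialNumber at 20 octets */
typedef struct { unsigned char serial[MAX_SERIAL_SZ]; int serialSz; } RevokedCert;
typedef struct {
    RevokedCert certs[CRL_MAX_REVOKED_CERTS]; /* static array, no malloc */
    int totalCerts;                           /* entries in use, kept sorted */
} CRL_Entry;

/* Length first, then bytewise: a minimal DER integer with fewer bytes is
 * numerically smaller, so this yields numeric serial order. */
static int SerialCmp(const unsigned char* a, int aSz, const unsigned char* b, int bSz)
{
    if (aSz != bSz) return (aSz < bSz) ? -1 : 1;
    return memcmp(a, b, (size_t)aSz);
}

/* Insert keeping the array sorted; -1 when full or the serial is too long. */
int AddRevoked(CRL_Entry* e, const unsigned char* serial, int serialSz)
{
    int i = e->totalCerts;
    if (i >= CRL_MAX_REVOKED_CERTS || serialSz < 1 || serialSz > MAX_SERIAL_SZ)
        return -1;
    for (; i > 0 && SerialCmp(e->certs[i-1].serial, e->certs[i-1].serialSz,
                              serial, serialSz) > 0; i--)
        e->certs[i] = e->certs[i-1]; /* shift larger entries right */
    memcpy(e->certs[i].serial, serial, (size_t)serialSz);
    e->certs[i].serialSz = serialSz;
    e->totalCerts++;
    return 0;
}

/* Binary search: O(log n) compares instead of a linked-list walk; 1 = revoked. */
int IsRevoked(const CRL_Entry* e, const unsigned char* serial, int serialSz)
{
    int lo = 0, hi = e->totalCerts - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        int c = SerialCmp(e->certs[mid].serial, e->certs[mid].serialSz, serial, serialSz);
        if (c == 0) return 1;
        if (c < 0) lo = mid + 1; else hi = mid - 1;
    }
    return 0;
}
```

Because the table is fixed at CRL_MAX_REVOKED_CERTS entries, a CRL with more revoked serials than the build allows must be rejected at parse time rather than silently truncated.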

@dgarske, Good catch! Fixed and verified wolfssl-multi-test.sh builds cleanly. CRL is typically used with TLS (not wolfCrypt). I couldn't think of a better solution than to access the WOLFSSL_CRL structure to store the unverified parsed CRL in CRL_Entry* oneEntry; temporarily and add it to the CRL_Entry* crlList after it has been processed and verified. Can you suggest a better solution?

tmael avatar Sep 21 '22 02:09 tmael

> @dgarske, Good catch! Fixed and verified wolfssl-multi-test.sh builds cleanly. CRL is typically used with TLS (not wolfCrypt). I couldn't think of a better solution than to access the WOLFSSL_CRL structure to store the unverified parsed CRL in CRL_Entry* oneEntry; temporarily and add it to the CRL_Entry* crlList after it has been processed and verified. Can you suggest a better solution?

Do not use WOLFSSL_CRL. Pass the members you need into the functions used by asn.c. For example, ParseCRL only needs oneEntry, so pass it directly.

dgarske avatar Sep 21 '22 17:09 dgarske

@dgarske, yes, forgot to push after restoring the WOLFSSL_CRL typedef. Sorry about that.

tmael avatar Sep 23 '22 00:09 tmael

jenkins retest this please

tmael avatar Oct 04 '22 16:10 tmael