Patrick,

POC wrote:

Does mozilla have a API I could use to parse through a CRL? I'm
currently using Sun's CertificateFactory and calling the generateCRL()
method but I find it very slow when dealing with large CRLs > 1
MB...Moreover if I build a list of such CRL objects, my JVM runs out
of memory!

I'm ready to try a C API..

I looked at the NSS command crlutil, but that tool is geared around
the CRL being first imported in the NSS cert DB.

-- POC

The recently-released NSS 3.6 contains improved CRL decoding.
The function you want to look at is called CERT_DecodeDERCRLWithFlags.

One of its current limitations is that it can only deal with full CRLs. Delta CRLs, or CRLs containing issuing distribution point extensions, or freshest CRL extensions, currently cannot be decoded with this API. It is likely that this extra functionality will only become available in NSS 4.0. The additional work is not scheduled for the next version of NSS, which is NSS 3.7.

If it is acceptable to you to decode only full CRLs, then the C API should meet your performance need. To give you an idea of how fast the NSS CRL decoding API has become in NSS 3.6, it is now capable of decoding a 26 MB CRL containing 1.2 million revoked certificate entries in under 8 seconds on a low-end 440 MHz UltraSPARC II machine. This is about 6 times as fast as in previous versions of NSS. It also needs about 1/4 as much RAM as before to do the decoding - which is still an additional 35 MB of memory, on top of the 26 MB DER source CRL. Both improvements are the result of a new ASN.1 DER decoder I wrote for NSS 3.6, called the "QuickDER" decoder (see SEC_QuickDERDecodeItem if you are interested). Documentation on that new decoder - as well as on the old, less efficient SEC_ASN1DecodeItem - will be written in upcoming months. But you don't need to use the ASN.1/DER decoder directly to decode a CRL. The cert.h header file should contain sufficient documentation on how to call CERT_DecodeDERCRLWithFlags.
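
[Editor's added example; it is not part of the thread and not NSS code.] To make concrete what a CRL decoder has to walk, and why a decoder that keeps pointers into the DER instead of building an object per entry needs so much less RAM than the Java CertificateFactory path the original poster hit, here is a self-contained C program that parses a DER CertificateList (RFC 5280) directly. It counts the revokedCertificates entries and, as the pre-check the two caveats above call for, flags the deltaCRLIndicator, issuingDistributionPoint and freshestCRL extensions that the NSS 3.6 API cannot decode. The sample CRL bytes are constructed for this example (dummy signature, not verified), and all function names are the example's own. In NSS itself the corresponding call is CERT_DecodeDERCrlWithFlags (the spelling used in cert.h) on a SECItem wrapping the DER; the CRL_DECODE_DONT_COPY_DER flag from certt.h asks for the same pointers-into-the-buffer behaviour shown here, with the matching obligation to keep the DER buffer alive for as long as the decoded CRL is used.

```c
/* Added example, not NSS code: a zero-copy walk over a DER CertificateList (RFC 5280) that
 * counts revokedCertificates entries and flags the three crlExtensions the NSS 3.6 decoder
 * cannot handle (deltaCRLIndicator, issuingDistributionPoint, freshestCRL). Every field is a
 * (pointer, length) pair into the caller's buffer; nothing is copied or allocated. NOT verified. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tlv { uint8_t tag; const uint8_t *val; size_t len; };

/* Parse one DER TLV at p; return the byte after it, or NULL if malformed or truncated. */
static const uint8_t *read_tlv(const uint8_t *p, const uint8_t *end, struct tlv *t)
{
    if (end - p < 2) return NULL;
    size_t len = p[1], n = len & 0x7f;
    t->tag = p[0]; p += 2;
    if (len & 0x80) {                                   /* long form: 0x8N, then N length bytes */
        if (n == 0 || n > 4 || (size_t)(end - p) < n) return NULL;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return NULL;
    t->val = p; t->len = len; return p + len;
}

struct crl_info {
    size_t entries, first_serial_len;   /* entry count; length of the first userCertificate INTEGER */
    const uint8_t *first_serial;        /* points into the caller's DER; nothing is copied */
    int delta, idp, freshest;           /* id-ce 27, 28, 46 seen in crlExtensions */
};
static int oid_is(const struct tlv *t, uint8_t last)    /* OID 2.5.29.<last> encodes as 55 1D <last> */
{ return t->tag == 0x06 && t->len == 3 && t->val[0] == 0x55 && t->val[1] == 0x1d && t->val[2] == last; }

/* Walk tbsCertList. Returns 0 on success, -1 if the bytes are not a well-formed CertificateList. */
int crl_scan(const uint8_t *der, size_t len, struct crl_info *out)
{
    struct tlv outer, tbs, t, e, s;
    const uint8_t *p, *end, *q, *qend;
    memset(out, 0, sizeof *out);
    if (!read_tlv(der, der + len, &outer) || outer.tag != 0x30) return -1;
    if (!read_tlv(outer.val, outer.val + outer.len, &tbs) || tbs.tag != 0x30) return -1;
    p = tbs.val; end = tbs.val + tbs.len;                /* signatureAlgorithm/Value not needed here */
    if (!(p = read_tlv(p, end, &t))) return -1;                          /* optional version INTEGER ... */
    if (t.tag == 0x02 && !(p = read_tlv(p, end, &t))) return -1;        /* ... then signature AlgorithmIdentifier */
    if (t.tag != 0x30 || !(p = read_tlv(p, end, &t)) || t.tag != 0x30) return -1;  /* issuer Name */
    if (!(p = read_tlv(p, end, &t)) || (t.tag != 0x17 && t.tag != 0x18)) return -1;  /* thisUpdate */
    while (p < end) {
        if (!(p = read_tlv(p, end, &t))) return -1;
        if (t.tag == 0x17 || t.tag == 0x18) continue;                    /* nextUpdate */
        if (t.tag == 0x30) {                                             /* revokedCertificates */
            for (q = t.val, qend = q + t.len; q < qend; out->entries++) {
                if (!(q = read_tlv(q, qend, &e)) || e.tag != 0x30) return -1;
                if (!read_tlv(e.val, e.val + e.len, &s) || s.tag != 0x02) return -1;   /* userCertificate */
                if (!out->entries) { out->first_serial = s.val; out->first_serial_len = s.len; }
            }
        } else if (t.tag == 0xa0) {                                      /* [0] EXPLICIT crlExtensions */
            if (!read_tlv(t.val, t.val + t.len, &e) || e.tag != 0x30) return -1;
            for (q = e.val, qend = q + e.len; q < qend;) {
                if (!(q = read_tlv(q, qend, &t)) || t.tag != 0x30) return -1;    /* Extension */
                if (!read_tlv(t.val, t.val + t.len, &s)) return -1;              /* extnID */
                if (oid_is(&s, 0x1b)) out->delta = 1;
                if (oid_is(&s, 0x1c)) out->idp = 1;
                if (oid_is(&s, 0x2e)) out->freshest = 1;
            }
        } else return -1;
    }
    return 0;
}

/* True when none of the extensions the full-CRL-only decoder rejects is present. */
int crl_is_full(const struct crl_info *i) { return !(i->delta || i->idp || i->freshest); }

/* Constructed sample, not a real CA's CRL: v2, issuer CN=CA, sha256WithRSAEncryption, two revoked
 * serials (0x1001, and 0x7F with a reasonCode entry extension), a cRLNumber, dummy 4-byte signature. */
const uint8_t SAMPLE_CRL[] = {
    0x30,0x81,0xa1,0x30,0x81,0x88,0x02,0x01,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
    0x01,0x0b,0x05,0x00,0x30,0x0d,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x03,0x0c,0x02,0x43,0x41,0x17,
    0x0d,0x32,0x34,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,0x32,0x34,0x30,0x32,
    0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x37,0x30,0x13,0x02,0x02,0x10,0x01,0x17,0x0d,0x32,
    0x34,0x30,0x31,0x30,0x35,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x20,0x02,0x01,0x7f,0x17,0x0d,0x32,
    0x34,0x30,0x31,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x0c,0x30,0x0a,0x06,0x03,0x55,0x1d,
    0x15,0x04,0x03,0x0a,0x01,0x01,0xa0,0x0e,0x30,0x0c,0x30,0x0a,0x06,0x03,0x55,0x1d,0x14,0x04,0x03,0x02,
    0x01,0x05,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x05,0x00,
    0xde,0xad,0xbe,0xef };

/* 1 if the sample scans as a full CRL, 0 if not, -1 if malformed. With as_delta, a copy's cRLNumber
 * OID (2.5.29.20) is rewritten to deltaCRLIndicator (2.5.29.27): the kind of CRL NSS 3.6 rejects. */
int sample_is_full(int as_delta)
{
    uint8_t buf[sizeof SAMPLE_CRL]; memcpy(buf, SAMPLE_CRL, sizeof buf);
    struct crl_info info;
    for (size_t i = 0; as_delta && i + 3 <= sizeof buf; i++)
        if (!memcmp(buf + i, "\x55\x1d\x14", 3)) buf[i + 2] = 0x1b;
    return crl_scan(buf, sizeof buf, &info) ? -1 : crl_is_full(&info);
}

int main(void)
{
    struct crl_info info;
    if (crl_scan(SAMPLE_CRL, sizeof SAMPLE_CRL, &info)) return 1;
    printf("%zu revoked entries; full CRL: %d; same bytes as a delta CRL: %d\n",
           info.entries, sample_is_full(0), sample_is_full(1));
}
```

Compiles with any C99 compiler; main reports 2 entries, a full CRL, and a rejection once the cRLNumber OID is swapped for deltaCRLIndicator. The walk touches each entry once and keeps no state beyond a counter and one pointer, so its extra memory does not grow with the 1.2 million entries the thread talks about; whatever decodes a CRL this way still has to verify the signatureValue against the issuer's key before any revocation result is trusted, and must reject (not skip) the delta, IDP and freshest-CRL cases rather than silently treating a partial list as complete.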

