authorRobert Relyea <rrelyea@redhat.com>2023-05-15 09:40:02 -0700
committerRobert Relyea <rrelyea@redhat.com>2023-05-15 09:40:02 -0700
commit5dd4021a38686b0b1d4f62aa727f908a267c0a51 (patch)
treeb11d161caa0f7d9eb49ca6a454c7c6e13d8d60c2 /tests
parent95ae9a34c1b69467827ce28451fc9564c14b96f2 (diff)
downloadnss-hg-5dd4021a38686b0b1d4f62aa727f908a267c0a51.tar.gz
Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access.
This patch solves the problems in 3 ways: 1) The initial underlying issue is solved by not generating a trust record for user certs if they have default trust values (lib/softoken/legacydb/pcertdb.c). This will cause new databases created from old dbm databases to function normally. 2) Skip the integrity check if the record we are reading is already the default trust value (lib/softoken/sftkdb.c). This will bring the performance of reading sqlite databases created from the old dbm databases before patch 1 to a reasonable level. 3) Increase the cache count (lib/softoken/lowpbe.c). This affects applications which do multiple private key operations on the same private keys. Usually high speed operations would copy the keys to a session key for better performance, but sometimes that's not possible. This allows up to 20 RSA keys to be referenced by the application without a performance hit from the PBE checking integrity and/or decrypting the key entry. Differential Revision: https://phabricator.services.mozilla.com/D165221
Diffstat (limited to 'tests')
-rw-r--r--tests/dbtests/bigdb/cert9.dbbin0 -> 282624 bytes
-rw-r--r--tests/dbtests/bigdb/key4.dbbin0 -> 811008 bytes
-rw-r--r--tests/dbtests/bigdb/pkcs11.txt5
-rwxr-xr-xtests/dbtests/dbtests.sh18
4 files changed, 23 insertions, 0 deletions
diff --git a/tests/dbtests/bigdb/cert9.db b/tests/dbtests/bigdb/cert9.db
new file mode 100644
index 000000000..461c26c41
--- /dev/null
+++ b/tests/dbtests/bigdb/cert9.db
Binary files differ
diff --git a/tests/dbtests/bigdb/key4.db b/tests/dbtests/bigdb/key4.db
new file mode 100644
index 000000000..b45918d7f
--- /dev/null
+++ b/tests/dbtests/bigdb/key4.db
Binary files differ
diff --git a/tests/dbtests/bigdb/pkcs11.txt b/tests/dbtests/bigdb/pkcs11.txt
new file mode 100644
index 000000000..adbb159ba
--- /dev/null
+++ b/tests/dbtests/bigdb/pkcs11.txt
@@ -0,0 +1,5 @@
+library=
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/tmp/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,ECC,RANDOM askpw=any timeout=30 ] } Flags=internal,critical
+
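Review bot: The `parameters=` line of this fixture carries `configdir='sql:/tmp/nssdb'`, an absolute path in a shared, world-writable directory that looks like a leftover from wherever the databases were generated. Whether NSS reads this value when certutil is pointed at the copied directory with `-d` is not visible here, so it may be inert. If it is, a comment beside the copy step in dbtests.sh would save the next reader the question, for example `# bigdb/pkcs11.txt still names sql:/tmp/nssdb from fixture generation; certutil opens ${BIG_DIR} via -d`. If it is not, the fixture should be regenerated from a directory the test owns so the run never depends on, or touches, a predictable /tmp location.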
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
index 00740d092..b0b195d4d 100755
--- a/tests/dbtests/dbtests.sh
+++ b/tests/dbtests/dbtests.sh
@@ -51,6 +51,7 @@ dbtest_init()
EMPTY_DIR=${HOSTDIR}/emptydir
CONFLICT_DIR=${HOSTDIR}/conflictdir
THREAD_DIR=${HOSTDIR}/threadir
+ BIG_DIR=${HOSTDIR}/bigdir
html_head "CERT and Key DB Tests"
@@ -351,6 +352,23 @@ dbtest_main()
*)
html_failed "sdbthreadtst failed with an unrecognized error code."
esac
+
+ # now verify that we can quickly dump a database that has explicit
+ # default trust values (generated by updating a dbm database with
+ # to a sql database with and older version of NSS).
+ mkdir -p ${BIG_DIR}
+ cp ${QADIR}/dbtests/bigdb/* ${BIG_DIR}/
+ echo "time certutil -K -d ${BIG_DIR} -f ${R_PWFILE}"
+ dtime=$(time -p (certutil -K -d ${BIG_DIR} -f ${R_PWFILE}) 2>&1 1>/dev/null)
+ echo "------------- time ----------------------"
+ echo $dtime
+ # now parse the real time to make sure it's subsecond
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+ test ${TIMEARRAY[0]} -lt 2
+ ret=$?
+ html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
fi
}
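Review bot: The new timing check never looks at certutil's exit status, so a `certutil -K` that fails quickly and silently still satisfies `test ${TIMEARRAY[0]} -lt 2` and is reported as a pass. Capture the status straight after the `dtime=` assignment with `certret=$?` and gate the result on it, `test "${certret}" -eq 0 && test "${TIMEARRAY[0]:-99}" -lt 2`. Because of the `2>&1`, anything certutil writes to stderr is captured in `dtime` alongside the `time -p` report, so `${RARRAY[1]}` may then not be the elapsed time; sending certutil's own stderr to a log file inside the parentheses keeps the parse stable. The comment says "subsecond" while the comparison accepts anything under two seconds, and the expansions of `${BIG_DIR}`, `${QADIR}` and `${R_PWFILE}` are unquoted. dbtest_main starts outside this hunk.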