On Wed, Jun 3, 2009 at 7:02 AM, David Stutzman <dstutz.m...@nospam.dstutz.com> wrote:
> I have a DB that has just shy of 7000 keys/certs in it. From the command
> line using certutil -L takes ~5 mins or so and then finally starts showing
> output all at once after the delay. It ends up using 80-90MB of ram
> (according to task manager). certutil -K, however, starts listing keys
> right away with no delay, all 6957 of them.
I inspected the code of ListCerts and ListKeys in certutil.c:

http://mxr.mozilla.org/security/ident?i=ListCerts
http://mxr.mozilla.org/security/ident?i=ListKeys

Both of them first get a list of all certs or keys, and then iterate through that list. So I can't really explain why ListKeys can start listing keys right away with no delay. Perhaps because keys are much smaller than certs?

Another difference I see is that PK11_ListPrivKeysInSlot goes right to PKCS #11 to find the private key objects in a "slot", whereas PK11_ListCerts or PK11_ListCertsInSlot needs to go through an intermediate layer (codename "Stan"). Perhaps that intermediate layer also adds overhead to listing certs.

It would be nice if you could file a bug report, and provide two call stacks of ListCerts and ListKeys. The need for the call stacks is that ListCerts and ListKeys (especially ListCerts) have several possible code paths, so we'd need to know exactly which code path is taken when you run certutil -L and certutil -K on your cert and key databases.

Wan-Teh

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto