Re: [Evolution] Automatically fetching public key for encrypted mail does not work



On Tue, 2016-03-01 at 10:03 +0100, Milan Crha wrote:

> There was a Google Summer of Code project providing fetch of X.509
> certificates (for S/MIME, which MS Exchange supports) from address
> books. It took the certificates from Global Address List (GAL), as
> advertised by the MS Exchange server. It's filed here:
> for LDAP: https://bugzilla.gnome.org/show_bug.cgi?id=203251
> for address books in general: https://bugzilla.gnome.org/show_bug.cgi?id=704246
>
> The work is currently blocked on NSS. Feel free to join the latter bug,
> the reporter has a better overview of the subject.

Actually the interesting bug is #736808. Specifically:
https://bugzilla.gnome.org/show_bug.cgi?id=736808#c2

The "making the certs available" part is solved by evolution-pkcs11.
Although that does want a little updating to make it build against the
latest Evolution.

As Milan says, the reason it's not merged into Evolution (or EDS) and
enabled by *default* is because of NSS.

The NSS PK11_ListCerts() function takes O(n²) time, because it iterates
over the certs, for each one calling back into a naïve 'collector'
function that checks it's unique and adds it to the list.

In my case it takes about ten minutes to process all the certs that
evolution-pkcs11 makes available.

When you bring up the prefs dialog (not even looking at certs),
Evolution calls that PK11_ListCerts() function.

Three times, in quick succession.

From the main thread, before it does any redrawing or anything else.

30 minutes later, you can finally see the prefs dialog :)

So... in comment #2 of the bug, as referenced above, it says what I
think needs doing — populate the dialog asynchronously instead of
making us wait, and instead of using PK11_ListCerts we use our *own*
code to iterate over the certs in the token, calling back to our own
*non-stupid* callback function which quickly inserts each one into a
GHashTable or something like that, instead of a linear list.

In the longer term, I'd love to just ditch NSS completely and use
something saner. But this should suffice for now to enable the GAL
certificate lookup.

-- 
David Woodhouse                            Open Source Technology Centre
David Woodhouse intel com                              Intel Corporation
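
The cost difference described in the message above, as an added example that is not NSS or Evolution code and does not call PK11_ListCerts(): a linear-list collector next to a hash-set collector, each counting its uniqueness comparisons. The `cert_id` type, the function names and the sample sizes are constructed for illustration, and the small open-addressing table stands in for the GHashTable the message suggests.

```c
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a cert: a non-zero 64-bit id (not an NSS type). */
typedef uint64_t cert_id;

/* Linear-list collector: every cert is compared against each cert already
 * kept before being appended, so n certs cost O(n^2) comparisons. */
size_t collect_linear(const cert_id *in, size_t n, cert_id *out, uint64_t *cmps) {
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < kept) { (*cmps)++; if (out[j] == in[i]) break; j++; }
        if (j == kept) out[kept++] = in[i];
    }
    return kept;
}

/* Hash-set collector (open addressing, at most half full): the uniqueness
 * check inspects an expected constant number of slots per cert. */
size_t collect_hashed(const cert_id *in, size_t n, uint64_t *cmps) {
    unsigned bits = 4;
    while (((size_t)1 << bits) < 2 * n) bits++;
    size_t cap = (size_t)1 << bits, kept = 0;
    cert_id *slot = calloc(cap, sizeof *slot);   /* 0 marks an empty slot */
    if (!slot) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t h = (size_t)((in[i] * 0x9E3779B97F4A7C15ULL) >> (64 - bits));
        while (slot[h] != 0) {
            (*cmps)++;
            if (slot[h] == in[i]) break;
            h = (h + 1) & (cap - 1);
        }
        if (slot[h] == 0) { slot[h] = in[i]; kept++; }
    }
    free(slot);
    return kept;
}

int main(void) {
    enum { N = 20000, UNIQUE = 15000 };   /* constructed sample sizes */
    static cert_id in[N], out[N];
    uint64_t lin = 0, hsh = 0;
    for (size_t i = 0; i < N; i++) in[i] = i % UNIQUE + 1;  /* with duplicates */
    size_t a = collect_linear(in, N, out, &lin), b = collect_hashed(in, N, &hsh);
    printf("kept %zu/%zu; comparisons linear=%" PRIu64 " hashed=%" PRIu64 "\n", a, b, lin, hsh);
    return 0;
}
```

Both collectors keep the same set of certs; only the number of comparisons spent on the uniqueness check differs.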
