Open Bug 1548360 Opened 5 years ago Updated 2 years ago

Add support for delegated credentials to selfserv

Tracking

(Not tracked)

Status:

NEW

People

(Reporter: chrispatton, Unassigned)

References

(Blocks 1 open bug)

Details

Christopher Patton

Reporter

Description

•

5 years ago

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

The test client tstclnt can enable support for delegated credentials (DCs, https://tools.ietf.org/html/draft-ietf-tls-subcerts-03) via the -E flag, but the test server selfserv does not currently support this extension. To demonstrate how DCs are used, we'd like to allow the test server to configure a DC and DC private key.

Right now, server-side support for DCs in NSS is quite limited. A single DC can be configured for a certificate via the SSLServerCertExtraData structure, but the DC will only be used in to authenticate the server if the server selects that certificate and the parameters of the handshake permit using it; otherwise the server will use the certificate private key. Hence, the server doesn't make its certificate selection based on whether or not a DC is configured.

This "minimally invasive" design is sufficient for testing purposes, but it's not all that useful in a real system. The typical use-case for DCs is a reverse proxy that has custody of one or more DC private keys, but not the end-entity certificate private key; in this case the server needs to fall back to another signing mechanism (e.g., Cloudflare's KeylessSSL) or else abort the handshake. We'd like to be able to support this configuration with selfverv.

A prerequisite for landing this feature is a rework of the semantics of certificate selection in order to account for this kind of scenario:
https://bugzilla.mozilla.org/show_bug.cgi?id=1547617

Note that this feature came up when implementing draft-03 of the extension:
https://bugzilla.mozilla.org/show_bug.cgi?id=1540403

Marco Castelluccio [:marco]