1552310 - fix deleting preloaded intermediates by using the right field

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Due to some confusion, currently the code that removes preloaded intermediates uses the wrong field. Right now it's pubKeyHash, but it should be derHash when bug 1552304 lands.

[Tracking Requested - why for this release]: this is for intermediate preloading, which we're trying to ship in 68 (it's currently set to be enabled for early beta and before)

Comment 1

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Attachment: bug 1552310 - use the correct field to delete preloaded certificates that have been removed from the preload list r?jcj r?KevinJacobs

The initial implementation made some incorrect assumptions about the data that
was in our data set and used the wrong field to identify the certificates to
delete when they are removed from our preload list. Now that the data set has
the expected field (the hash of the whole certificate), we can use it instead.

Comment 2

[Pulsebot]

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5ca3dedbdd6e
use the correct field to delete preloaded certificates that have been removed from the preload list r=jcj,KevinJacobs

Comment 3

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/5ca3dedbdd6e

Comment 4

[Julien Cristau [:jcristau]]

Please request beta uplift when you get a chance.

Comment 5

[Dana Keeler (she/her) (use needinfo) [:keeler]]

We're disabling cert_storage (and thus intermediate preloading) on non-nightly channels for now, so when bug 1555110 lands and is uplifted, we won't need this (I'll update the flags when the time comes).