1562773 - Add a Pref to Enable Delegated Credentials in NSS

Status: RESOLVED FIXED

(Core :: Security: PSM, enhancement, P2)

Description

[J.C. Jones [:jcj] (he/they)]

When certificate verification logic can handle Delegated Credentials and error cases are updated if or as necessary, we should enable support for Delegated Credentials.

Potentially this might be begin as an origin trial of some sort.

Comment 1

[J.C. Jones [:jcj] (he/they)]

Attachment: Bug 1562773 - Add a preference to enable Delegated Credentials in NSS

This patch adds a new pref, "security.tls.enable_delegated_credentials",
default false, which controls the NSS option SSL_ENABLE_DELEGATED_CREDENTIALS.

This patch does not add a test (yet). WIP.

Comment 2

[J.C. Jones [:jcj] (he/they)]

Attachment: Bug 1562773 - Add delegated credentials tests r?keeler

Depends on D37907

Comment 3

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b61d69854431
Add a preference to enable Delegated Credentials in NSS r=keeler

Comment 4

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/b61d69854431

Comment 5

[J.C. Jones [:jcj] (he/they)]

Attachment: Bug 1562773 - Propagate Delegated Credential flag to nsITransportSecurityInfo r?keeler

Comment 6

[J.C. Jones [:jcj] (he/they)]

Kevin - Please take over D39807 and D37918. The test still fails, probably due to a serialization issue (see Dana's comments in the patch), but the trivial fixes aren't themselves fixing it, either.

I'd recommend starting with a Wireshark session of the xpcshell test run, confirm that the data on the wire looks like DC is in use when it's suppose to be, and then debug the serialization routines.

Comment 7

[Pulsebot]

Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f32f7a644981
Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler
https://hg.mozilla.org/integration/autoland/rev/154b23d4a214
Add delegated credentials tests r=keeler,jcj

Comment 8

[Razvan Maries]

Backed out for build bustages.

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedJob=266032757&resultStatus=testfailed%2Cbusted%2Cexception&revision=154b23d4a214532d23e520fa86657304fd329ba9

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=266032757&repo=autoland&lineNumber=44039

Backout: https://hg.mozilla.org/integration/autoland/rev/8c56099404b587372a81a82b35afa256dcae5f75

Comment 9

[Kevin Jacobs [:kjacobs]]

Apparently there's a mirror class (netwerk/base/FuzzySecurityInfo.cpp) that's only compiled in fuzzing builds...

Will re-flag once the new try run succeeds. Sorry about that.

Comment 10

[Pulsebot]

Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8dcf26ff6310
Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler,jcj

Comment 11

[Cristian Brindusan [:cbrindusan]]

https://hg.mozilla.org/mozilla-central/rev/8dcf26ff6310

Comment 12

[Kevin Jacobs [:kjacobs]]

Looks like the last check-in didn't take the remaining test patch.

Can we get D37918 Bug 1562773 - Add delegated credentials tests r?keeler landed please? Thanks.

Comment 13

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f3cf877afac2
Add delegated credentials tests r=keeler,jcj

Comment 14

[Alexandru Michis [:malexandru]]

https://hg.mozilla.org/mozilla-central/rev/f3cf877afac2