Closed
Bug 1352436
Opened 7 years ago
Closed 7 years ago
Perform a security audit of autograph 2.0
Categories
(Cloud Services :: Security, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jvehent, Assigned: u581815)
References
Details
Both the autograph service and the pkcs7 library should go through a security audit / code review to make sure they handle key material securely.
Reporter
Comment 1•7 years ago
Assigning to Greg for first pass in Q3. Will likely hire a 3rd party for a more in-depth review of the Go code of autograph, pkcs7 and hawk packages.
Assignee: jvehent → gguthe
I haven't reviewed much Go or crypto. Are there specific attacks I should look for about handling key material securely?
Flags: needinfo?(jvehent)
Reporter
Comment 3•7 years ago
It's not so much the crypto I'm concerned about. Autograph implements access controls that grant users permissions to request signatures using specific keys. That access control is what, if broken, could put the entire service at risk.
Flags: needinfo?(jvehent)
Recommendations are in the GitHub issue https://github.com/mozilla-services/foxsec/issues/359 and I will open issues against the autograph repo.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED