Closed Bug 1352436 Opened 7 years ago Closed 7 years ago

Perform a security audit of autograph 2.0

Categories

(Cloud Services :: Security, enhancement)

Product:
Cloud Services
Component:
Security
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jvehent, Assigned: u581815)

References

Details

Both the autograph service and the pkcs7 library should go through a security audit / code review to make sure it handles key material securely.
Assigning to Greg for first pass in Q3. Will likely hire a 3rd party for a more in-depth review of the Go code of autograph, pkcs7 and hawk packages.
Assignee: jvehent → gguthe
I haven't reviewed much go or crypto. Are there specific attacks I should look for about handling key material securely?
Flags: needinfo?(jvehent)
it's not so much the crypto I'm concerned about. Autograph implements access controls that grant users permissions request signatures using specific keys. That access control is what, if broken, could put the entire service at risk.
Flags: needinfo?(jvehent)
Recommendations in the github issue: https://github.com/mozilla-services/foxsec/issues/359 and will open issues against the autograph repo.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.