Closed Bug 1014726 Opened 11 years ago Closed 10 years ago

[mig] Use a deterministic json signing/verification method

Categories

(Enterprise Information Security Graveyard :: MIG, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jvehent, Assigned: jvehent)

References

Details

Attachments

(1 file)

Camlistore has a nice package to handle the signing of JSON. https://camlistore.googlesource.com/camlistore/+/master/pkg/jsonsign/ It would most likely be cleaner than the current "stringified json" approach.
Assignee: nobody → jvehent
I've done some analysis and it doesn't seem like replacing the current signing method with camlistore's brings much value. Signing and verifying still rely on the ordering of the json parameters applied by the json package. For now, since we use the same json encoder/decoder provided by the Go standard lib everywhere, ordering is not an issue. It may be if we start using clients that use various json libs. Leaving open for future ref.
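
The ordering dependency described in the comment above, as an added Go example that is not MIG's code and not part of the original bug: a signature over raw JSON bytes fails once another client reorders the keys, while signing a canonical re-encoding (encoding/json writes map keys in sorted order) verifies for both. Ed25519 stands in for MIG's PGP signing, and the two sample documents and their field names are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// canonicalize decodes arbitrary JSON and re-encodes it with encoding/json,
// which emits map keys in sorted order and no insignificant whitespace.
func canonicalize(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep numbers as written instead of converting to float64
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	return json.Marshal(v)
}

// signCanonical signs the canonical form, not the bytes as received.
func signCanonical(priv ed25519.PrivateKey, raw []byte) ([]byte, error) {
	c, err := canonicalize(raw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, c), nil
}

// verifyCanonical re-canonicalizes before checking the signature.
func verifyCanonical(pub ed25519.PublicKey, raw, sig []byte) bool {
	c, err := canonicalize(raw)
	return err == nil && ed25519.Verify(pub, c, sig)
}

// Constructed samples: the same document as two hypothetical clients emit it.
var fromGoClient = []byte(`{"name":"scan","target":"linux","validfrom":"2014-05-22T00:00:00Z"}`)
var fromOtherClient = []byte(`{ "validfrom": "2014-05-22T00:00:00Z", "target": "linux", "name": "scan" }`)

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	rawSig := ed25519.Sign(priv, fromGoClient)
	fmt.Println("raw-bytes signature, reordered doc:", ed25519.Verify(pub, fromOtherClient, rawSig))
	sig, _ := signCanonical(priv, fromGoClient)
	fmt.Println("canonical signature, reordered doc:", verifyCanonical(pub, fromOtherClient, sig))
}
```

Re-encoding normalizes key order and whitespace only; two clients that write the same number differently (for example 1 and 1.0) still produce different canonical bytes.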
Summary: [mig pgp] replace json signing with camlistore's json signing package → [mig pgp] Use a deterministic json signing/verification method
Need to evaluate https://github.com/square/go-jose for this.
Component: Operations Security (OpSec): General → Operations Security (OpSec): MIG
Summary: [mig pgp] Use a deterministic json signing/verification method → [mig] Use a deterministic json signing/verification method
Group: mozilla-employee-confidential
Component: Operations Security (OpSec): MIG → MIG
Product: mozilla.org → Enterprise Information Security
Version: other → unspecified
Group: mozilla-employee-confidential
Migrated to github issues: https://github.com/mozilla/mig/issues
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Enterprise Information Security → Enterprise Information Security Graveyard