Closed
Bug 1096102
Opened 11 years ago
Closed 11 years ago
Migrate msisdn-gateway from jwcrypto to browserid-crypto, including cert format changes
Categories
(Cloud Services Graveyard :: MobileID, defect)
Cloud Services Graveyard
MobileID
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: rfkelly, Unassigned)
Details
Attachments
(1 file)
The upstream "jwcrypto" library has been renamed to "browserid-crypto" and trimmed down somewhat, in an attempt to increase maintainability of the code. Specifically, the idea is to make it less like a general-purpose JWT-handling library and more like a special-purpose library for doing BrowserID crypto.
We should migrate msisdn-gateway to use the latest upstream release of browserid-crypto, so that all our projects are working from a consistent version of a maintained codebase.
Unfortunately, one of the upstream simplifications was the removal of "new-style" browserid certificate formats, as described here:
https://github.com/mozilla/browserid-crypto/issues/97.
We thought that nobody was using this format in production, but the msisdn-gateway is, since it ships with jwcrypto==0.5.x which uses the new formats by default.
This can be confirmed by viewing the public key and noting that it contains a "kty" field:
https://msisdn.services.mozilla.com/.well-known/browserid
By contrast, the old-style format uses an "algorithm" field for this information (among other less-obvious differences):
https://api.accounts.firefox.com/.well-known/browserid
As far as I can tell, this is the *only* piece of production software that uses the new-style formats. Even the MobileID client code that talks to this server doesn't use them - it uses gecko's builtin jwcrypto routines that only support the old-style formats. (This strange mis-match only works because the client doesn't try to introspect the certificate it gets back from the server, and our hosted verifier supports both formats).
So I propose that we migrate production msisdn-gateway to use the old-style formats and upgrade it to use the latest release of browserid-crypto. This will put all of our production browserid-using services on a single consistent data format.
To do so, we will need to:
1. Confirm that all clients of msisdn-gateway are in fact using the old-style data formats, either because they're on jwcrypto < 0.5.0 or because they're using the native jwcrypto code in gecko.
2. Convert the production msisdn-gateway keypair from new-style to old-style format. We should be able to do this without deploying new code, since it's using a version of jwcrypto that supports both formats.
3. Update msisdn-gateway to use browserid-crypto == 0.7.0 and deploy it through to production. I will work on the PR for this.
4. Wait for any certs issued by previous versions of msisdn-gateway to expire.
5. At this point we are free to deploy a version of our hosted verifier using browserid-crypto ==0.7.0, which will not longer support the new-style format.
I don't think this will involve much actual code, but will need to be a carefully staged and managed process.
:natim :alexis :ferjm - thoughts?
|
Reporter | |
Comment 1•11 years ago
|
||
> 1. Confirm that all clients of msisdn-gateway are in fact using the old-style data formats, either
> because they're on jwcrypto < 0.5.0 or because they're using the native jwcrypto code in gecko.
This is almost certainly true, as I see the msisdn-gateway server contains a "validateJWCryptoKey" function which asserts that all submitted keys are in the old-style format. Whoever's idea it was to add this, THANK YOU :-)
|
|
Reporter | |
Comment 2•11 years ago
|
||
> 2. Convert the production msisdn-gateway keypair from new-style to old-style format. We should be
> able to do this without deploying new code, since it's using a version of jwcrypto that supports both
> formats.
By way of confirmation, the test keys found in "test.json" in the repo are old-style and evidently load fine. So I think this should be a simple matter of re-formatting the "BIDPublicKey" and "BIDSecretKey" fields in our various configs.
I can provide a script that will do this automatically, if that would be helpful.
|
|
Reporter | |
Comment 3•11 years ago
|
||
Given the above two comments, the PR against msisdn-gateway is a simple search-and-replace to change the module name.
Attachment #8519623 -
Flags: review?(rhubscher)
|
|
Reporter | |
Comment 4•11 years ago
|
||
> So I think this should be a simple matter of re-formatting the
> "BIDPublicKey" and "BIDSecretKey" fields in our various configs.
Actually, for DSA keys the required changes are pretty simple:
* "kty": "DSA" => "algorithm": "DS"
* base64-encoded fields => hex-encoded fields
|
||
Updated•11 years ago
|
Attachment #8519623 -
Flags: review?(rhubscher) → review+
|
|
||
Comment 5•11 years ago
|
||
|
|
||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 6•11 years ago
|
||
Thanks Rémy.
FWIW, I think we should keep this open until we confirm that prod keys are converted over to the other format where necessary.
|
|
||
Comment 7•11 years ago
|
||
I think they still are using the old format in stage and production. I am asking ops to verify this.
Dean or Bobm could you please make sure that the "BIDPublicKey" and "BIDSecretKey" configuration variables for MSISDN stage and MSISDN prod use {"algorithm": "DS"} and hex-encoded fields?
Flags: needinfo?(dwilson)
Flags: needinfo?(bobm)
|
|
||
Comment 8•11 years ago
|
||
"algorithm": "DS" is present for both keys in stage and prod. The values also appear to be hex.
Flags: needinfo?(bobm)
|
|
||
Updated•11 years ago
|
Flags: needinfo?(dwilson)
|
|
||
Comment 9•11 years ago
|
||
Ok great
|
|
Reporter | |
Comment 10•11 years ago
|
||
Great! It sounds like we can safely push out this change with no config change and no hassle:
> 3. Update msisdn-gateway to use browserid-crypto == 0.7.0 and deploy it through to production.
I'm not sure what the release schedule is for msisdn-gateway, but it would be great to get the change out fairly soon in order to fix Bug 1096106, and also since this:
> 4. Wait for any certs issued by previous versions of msisdn-gateway to expire.
Currently blocks new deployments of the verifier.
|
||
Updated•11 years ago
|
QA Contact: jbonacci → rpappalardo
|
|
||
Comment 11•11 years ago
|
||
I have tagged the 0.5.1 release and Dean deployed it to stage.
QA told me they are going to take care of it just after the Loop room release which should happens this week.
See Bug 1100296 to follow this.
|
|
Reporter | |
Comment 12•11 years ago
|
||
As of Bug 1108679, viewing the browserid public key at:
https://msisdn.services.mozilla.com/.well-known/browserid
Correctly shows the key in old-style format, with "algorithm":"DS" rather than "kty":"DSA". So I think we can mark this verified.
|
||
Updated•7 years ago
|
Product: Cloud Services → Cloud Services Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•