Request kB generation if needed

RESOLVED WONTFIX


People

(Reporter: mbdejong, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
The SyncManager should tell the Sync app if it needs to generate keys, and if so, upload kA, kB to the onepw server afterwards.
(Reporter)

Comment 1

3 years ago
In bug 1227084 I'm drafting the code to check if `generateKeys` is set in the IAC request options [1], and if so, return an IAC response [2] that looks like this:

{
  id: ...,
  error: ...,
  response: {
    kA: 'Base64String',
    kB: 'Base64String'
  }
}

So when an FxA account exists, but no kA, kB is available for it, the SyncManager should ask the Sync app to generate them in the first request. To do this:

* leave out `kB` in the request options
* add a `generateKeys: true` option
* get IACResponse.response.kA and IACResponse.response.kB and upload them to the onepw server


Do you think this could work?

[1] https://github.com/michielbdejong/gaia/blob/8abbe61b283ec584022d09eb4fd97a9b6644baba/apps/sync/js/bootstrap.js#L57-L58

[2] https://github.com/michielbdejong/gaia/blob/8abbe61b283ec584022d09eb4fd97a9b6644baba/apps/sync/js/bootstrap.js#L120
Flags: needinfo?(ferjmoreno)
(Reporter)

Updated

3 years ago
Blocks: 824026
Depends on: 1227084
Replied through IRC:

[18:08:55]  <~ferjm>	I believe kA and kB are already generated by the onepw server, so we don't need to generate and upload them again
[18:09:29]  <~ferjm>	in fact, there's no way to do that https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md
[18:09:47]  <@michielbdejong>	ah :)
[18:10:05]  <@michielbdejong>	It's weird though that they are generated server-side, right?
[18:10:58]  <@michielbdejong>	Although I guess the unwrapped kB only exists in memory for a short time, so it's probably pretty safe
[18:11:22]  <~ferjm>	you did the crypto part, but IIRC there were two sets of keys: kA/kB which are stored in FxA server, and the sync crypto keys, which are stored in the sync server (crypto/keys) encrypted with kB
[18:11:44]  <@michielbdejong>	yes
[18:11:48]  <~ferjm>	IIUC what we need to generate here are the sync crypto keys only
[18:11:57]  <~ferjm>	use kB to encrypt them
[18:12:06]  <~ferjm>	and upload them to crypto/keys
[18:12:06]  <@michielbdejong>	ok, so that simplifies things. Then we don't need to change the IAC call.
[18:12:28]  <~ferjm>	no, I think all can happen inside the Sync app :)
Flags: needinfo?(ferjmoreno)
(Reporter)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX