Closed
Bug 799734
Opened 12 years ago
Closed 11 years ago
Implement Java BrowserID crypto library for Android services projects
Categories
(Firefox for Android Graveyard :: Android Sync, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: nalexander, Assigned: nalexander)
References
()
Details
(Whiteboard: [qa-][fixed in elm][sec-review-needed] u= c= p=1 s=ready)
At least needs to generate keypairs, generate assertions, and parse/create JWT tokens. Could possibly generate certificates for testing.
|
Assignee | |
Updated•12 years ago
|
Priority: -- → P2
|
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → nalexander
|
||
Updated•12 years ago
|
Component: Android Sync → Android: Firefox Account
|
|
Assignee | |
Updated•12 years ago
|
Priority: P2 → P1
|
|
Assignee | |
Comment 1•12 years ago
|
||
See https://github.com/mozilla-services/android-sync/pull/271 for work in progress and outstanding review comments that have not been addressed.
|
|
Assignee | |
Updated•12 years ago
|
Summary: Implement BrowserID crypto library for Android → Implement Java BrowserID crypto library for Android services projects
|
|
Assignee | |
Comment 2•12 years ago
|
||
Bulk resolving Firefox Accounts bugs, since that project is dead. For those interested, similar ideas are being explored under the name PiCL (Profile-in-the-Cloud).
Assignee: nalexander → nobody
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
|
||
Updated•12 years ago
|
Component: Android: Firefox Account → Android Sync
Product: Mozilla Services → Android Background Services
|
||
Updated•11 years ago
|
Whiteboard: [qa-]
|
|
Assignee | |
Comment 3•11 years ago
|
||
Since token server is back in the game, generating BrowserID assertions is back in the game! As part of syncing against Sync 1.1 servers, but with new auth. See https://mail.mozilla.org/pipermail/sync-dev/2013-August/000392.html.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
|
|
||
Comment 4•11 years ago
|
||
Fun!
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → nalexander
|
|
||
Comment 6•11 years ago
|
||
First pass done on GitHub.
Curtis, who's the right person to sec-review a BrowserID impl?
Status: REOPENED → ASSIGNED
Flags: needinfo?(rnewman) → sec-review?(curtisk)
(In reply to Richard Newman [:rnewman] from comment #6)
> First pass done on GitHub.
>
> Curtis, who's the right person to sec-review a BrowserID impl?
I honestly don't know off the top of my head, we'll take it to triage and see who has bandwidth and skill set.
Flags: sec-review?(curtisk) → sec-review?
|
|
Assignee | |
Comment 8•11 years ago
|
||
(In reply to Curtis Koenig [:curtisk] from comment #7)
> (In reply to Richard Newman [:rnewman] from comment #6)
> > First pass done on GitHub.
> >
> > Curtis, who's the right person to sec-review a BrowserID impl?
>
> I honestly don't know off the top of my head, we'll take it to triage and
> see who has bandwidth and skill set.
To be clear: this is code that generates BrowserID certs and assertions, and *not* code that verifies BrowserID assertions. Still needs sec-review, but not quite as delicate to implement.
|
|
Assignee | |
Comment 9•11 years ago
|
||
Whiteboard: [qa-] → [qa-][fixed in elm][sec-review-needed]
mgoodwin plan for this to be in Sprint 2
Flags: sec-review? → sec-review?(mgoodwin)
|
||
Updated•11 years ago
|
Whiteboard: [qa-][fixed in elm][sec-review-needed] → [qa-][fixed in elm][sec-review-needed] u= c= p=1 s=ready
|
|
Assignee | |
Comment 11•11 years ago
|
||
To provide sec-review context: (see also https://bugzilla.mozilla.org/show_bug.cgi?id=799732#c10)
This code produces Browser ID certificates and assertions. We only generate certificates for test purposes: no Android device is a BID IdP so it shouldn't be issuing certificates. The tricky part here is making sure we generate keys and do the signing correctly, and making sure we format the JSON correctly.
In the Sync flow, we will use the FxAccount server client (Bug 892025) to fetch a BID certificate for the account being synced. Then we use this code to produce a short-lived BID assertion that is subsequently exchanged for a token server token (using the code in Bug 799732).
|
||
Comment 12•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago → 11 years ago
Resolution: --- → FIXED
|
|
||
Updated•8 years ago
|
Flags: sec-review?(mgoodwin)
|
||
Updated•7 years ago
|
Product: Android Background Services → Firefox for Android
|
|
||
Updated•4 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•