Closed Bug 799734 Opened 7 years ago Closed 6 years ago

Implement Java BrowserID crypto library for Android services projects

Categories

(Firefox for Android :: Android Sync, defect, P1)

All
Android
defect

Tracking

()

RESOLVED FIXED

People

(Reporter: nalexander, Assigned: nalexander)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [qa-][fixed in elm][sec-review-needed] u= c= p=1 s=ready)

At least needs to generate keypairs, generate assertions, and parse/create JWT tokens.  Could possibly generate certificates for testing.
Blocks: 799726
Priority: -- → P2
Assignee: nobody → nalexander
Component: Android Sync → Android: Firefox Account
Priority: P2 → P1
See https://github.com/mozilla-services/android-sync/pull/271 for work in progress and outstanding review comments that have not been addressed.
Summary: Implement BrowserID crypto library for Android → Implement Java BrowserID crypto library for Android services projects
Bulk resolving Firefox Accounts bugs, since that project is dead.  For those interested, similar ideas are being explored under the name PiCL (Profile-in-the-Cloud).
Assignee: nalexander → nobody
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Component: Android: Firefox Account → Android Sync
Product: Mozilla Services → Android Background Services
Whiteboard: [qa-]
Blocks: 918012
Since token server is back in the game, generating BrowserID assertions is back in the game!  As part of syncing against Sync 1.1 servers, but with new auth.  See https://mail.mozilla.org/pipermail/sync-dev/2013-August/000392.html.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Let's get the review fun started!
Flags: needinfo?(rnewman)
Assignee: nobody → nalexander
First pass done on GitHub.

Curtis, who's the right person to sec-review a BrowserID impl?
Status: REOPENED → ASSIGNED
Flags: needinfo?(rnewman) → sec-review?(curtisk)
(In reply to Richard Newman [:rnewman] from comment #6)
> First pass done on GitHub.
> 
> Curtis, who's the right person to sec-review a BrowserID impl?

I honestly don't know off the top of my head, we'll take it to triage and see who has bandwidth and skill set.
Flags: sec-review?(curtisk) → sec-review?
(In reply to Curtis Koenig [:curtisk] from comment #7)
> (In reply to Richard Newman [:rnewman] from comment #6)
> > First pass done on GitHub.
> > 
> > Curtis, who's the right person to sec-review a BrowserID impl?
> 
> I honestly don't know off the top of my head, we'll take it to triage and
> see who has bandwidth and skill set.

To be clear: this is code that generates BrowserID certs and assertions, and *not* code that verifies BrowserID assertions.  Still needs sec-review, but not quite as delicate to implement.
https://hg.mozilla.org/projects/elm/rev/aaf21c55c69d
Whiteboard: [qa-] → [qa-][fixed in elm][sec-review-needed]
mgoodwin plan for this to be in Sprint 2
Flags: sec-review? → sec-review?(mgoodwin)
Blocks: 929066
Whiteboard: [qa-][fixed in elm][sec-review-needed] → [qa-][fixed in elm][sec-review-needed] u= c= p=1 s=ready
Depends on: 935707
To provide sec-review context: (see also https://bugzilla.mozilla.org/show_bug.cgi?id=799732#c10)

This code produces Browser ID certificates and assertions.  We only generate certificates for test purposes: no Android device is a BID IdP so it shouldn't be issuing certificates.  The tricky part here is making sure we generate keys and do the signing correctly, and making sure we format the JSON correctly.

In the Sync flow, we will use the FxAccount server client (Bug 892025) to fetch a BID certificate for the account being synced.  Then we use this code to produce a short-lived BID assertion that is subsequently exchanged for a token server token (using the code in Bug 799732).
https://hg.mozilla.org/mozilla-central/rev/aaf21c55c69d
Status: ASSIGNED → RESOLVED
Closed: 7 years ago6 years ago
Resolution: --- → FIXED
Depends on: 960110
Flags: sec-review?(mgoodwin)
Product: Android Background Services → Firefox for Android
You need to log in before you can comment on or make changes to this bug.