Closed Bug 799734 Opened 7 years ago Closed 6 years ago
Implement Java BrowserID crypto library for Android services projects
At least needs to generate keypairs, generate assertions, and parse/create JWT tokens. Could possibly generate certificates for testing.
See https://github.com/mozilla-services/android-sync/pull/271 for work in progress and outstanding review comments that have not been addressed.
Summary: Implement BrowserID crypto library for Android → Implement Java BrowserID crypto library for Android services projects
Bulk resolving Firefox Accounts bugs, since that project is dead. For those interested, similar ideas are being explored under the name PiCL (Profile-in-the-Cloud).
Assignee: nalexander → nobody
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Component: Android: Firefox Account → Android Sync
Product: Mozilla Services → Android Background Services
Since token server is back in the game, generating BrowserID assertions is back in the game! As part of syncing against Sync 1.1 servers, but with new auth. See https://mail.mozilla.org/pipermail/sync-dev/2013-August/000392.html.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Let's get the review fun started!
First pass done on GitHub. Curtis, who's the right person to sec-review a BrowserID impl?
Status: REOPENED → ASSIGNED
Flags: needinfo?(rnewman) → sec-review?(curtisk)
(In reply to Richard Newman [:rnewman] from comment #6)
> First pass done on GitHub.
>
> Curtis, who's the right person to sec-review a BrowserID impl?

I honestly don't know off the top of my head; we'll take it to triage and see who has bandwidth and skill set.
Flags: sec-review?(curtisk) → sec-review?
(In reply to Curtis Koenig [:curtisk] from comment #7)
> (In reply to Richard Newman [:rnewman] from comment #6)
> > First pass done on GitHub.
> >
> > Curtis, who's the right person to sec-review a BrowserID impl?
>
> I honestly don't know off the top of my head, we'll take it to triage and
> see who has bandwidth and skill set.

To be clear: this is code that generates BrowserID certs and assertions, and *not* code that verifies BrowserID assertions. Still needs sec-review, but not quite as delicate to implement.
Whiteboard: [qa-] → [qa-][fixed in elm][sec-review-needed]
mgoodwin plans for this to be in Sprint 2
Flags: sec-review? → sec-review?(mgoodwin)
Whiteboard: [qa-][fixed in elm][sec-review-needed] → [qa-][fixed in elm][sec-review-needed] u= c= p=1 s=ready
To provide sec-review context (see also https://bugzilla.mozilla.org/show_bug.cgi?id=799732#c10):

This code produces BrowserID certificates and assertions. We only generate certificates for test purposes: no Android device is a BID IdP, so it shouldn't be issuing certificates. The tricky part here is making sure we generate keys and do the signing correctly, and making sure we format the JSON correctly.

In the Sync flow, we will use the FxAccount server client (Bug 892025) to fetch a BID certificate for the account being synced. Then we use this code to produce a short-lived BID assertion that is subsequently exchanged for a token server token (using the code in Bug 799732).
Status: ASSIGNED → RESOLVED
Closed: 7 years ago → 6 years ago
Resolution: --- → FIXED
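The jobs the bug description lists (generate keypairs, generate assertions, create JWT-style tokens, certificates for testing only) and the Sync flow from the sec-review context comment (a certificate obtained from the FxAccount server, then a short-lived assertion exchanged at the token server), as an added example. This is not code from the android-sync pull request or from the Mozilla Services projects; it is a plain-JDK sketch written for this page. Everything beyond the bug's own wording is an assumption: the `{"alg":"RS256"}` header, 2048-bit RSA with SHA-256, the public-key JSON layout with decimal `n`/`e` strings, the claim names (`aud`, `exp`, `iss`, `principal`, `public-key`), the `certificate~assertion` backed form, and every host name and email address, which are constructed placeholders. The local `verifyJwt` self-check is included because the comment singles out "do the signing correctly" and "format the JSON correctly" as the risky parts; re-verifying on the device catches an encoding or signing mistake before an assertion is sent anywhere.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;

/**
 * Added example, not the android-sync library's code. Token layout assumed:
 * base64url(header) "." base64url(payload) "." base64url(signature),
 * header {"alg":"RS256"}, signature = SHA-256/RSA over the first two segments.
 */
public final class BrowserIdAssertionExample {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String b64url(byte[] bytes) { return B64URL.encodeToString(bytes); }
    static String b64url(String s) { return b64url(s.getBytes(StandardCharsets.UTF_8)); }

    /** Minimal JSON string escaping so audiences and emails are emitted verbatim and unambiguously. */
    static String jsonString(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
            else sb.append(c);
        }
        return sb.append('"').toString();
    }

    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048); // assumed key size
        return g.generateKeyPair();
    }

    /** JSON form of an RSA public key as embedded in a certificate (assumed layout: decimal digit strings). */
    static String publicKeyJson(PublicKey key) {
        RSAPublicKey rsa = (RSAPublicKey) key;
        return "{\"algorithm\":\"RS\",\"n\":" + jsonString(rsa.getModulus().toString())
             + ",\"e\":" + jsonString(rsa.getPublicExponent().toString()) + "}";
    }

    /** Sign header.payload with SHA-256/RSA. The signature covers the base64url text, not the raw JSON. */
    static String signJwt(String payloadJson, PrivateKey key) throws Exception {
        String signingInput = b64url("{\"alg\":\"RS256\"}") + "." + b64url(payloadJson);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64url(sig.sign());
    }

    /** Test-only certificate: a pretend IdP binds an email to the user's public key. A device never issues these for real. */
    static String createTestCertificate(String issuer, String email, PublicKey userKey,
                                        long expMillis, PrivateKey idpKey) throws Exception {
        String payload = "{\"iss\":" + jsonString(issuer) + ",\"exp\":" + expMillis
                       + ",\"public-key\":" + publicKeyJson(userKey)
                       + ",\"principal\":{\"email\":" + jsonString(email) + "}}";
        return signJwt(payload, idpKey);
    }

    /** Short-lived assertion bound to one audience (the token server). */
    static String createAssertion(String audience, long expMillis, PrivateKey userKey) throws Exception {
        return signJwt("{\"aud\":" + jsonString(audience) + ",\"exp\":" + expMillis + "}", userKey);
    }

    /** Local self-check: re-verify before sending so a signing or encoding bug is caught on the device. */
    static boolean verifyJwt(String jwt, PublicKey key) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        return sig.verify(Base64.getUrlDecoder().decode(parts[2]));
    }

    public static void main(String[] args) throws Exception {
        KeyPair idp = generateKeyPair();  // stands in for the FxAccount server's certificate-signing key
        KeyPair user = generateKeyPair(); // the device's own keypair
        long now = System.currentTimeMillis();
        // Constructed placeholder issuer, email and audience; not real hosts.
        String cert = createTestCertificate("test-idp.example", "user@example.com",
                                            user.getPublic(), now + 24L * 3600 * 1000, idp.getPrivate());
        String assertion = createAssertion("https://tokenserver.example", now + 60_000L, user.getPrivate());
        String backed = cert + "~" + assertion; // what would be exchanged for a token server token
        System.out.println("cert verifies with IdP key:    " + verifyJwt(cert, idp.getPublic()));
        System.out.println("assertion verifies with user:  " + verifyJwt(assertion, user.getPublic()));
        System.out.println("backed assertion segments:     " + backed.split("~").length);
    }
}
```

Compile and run with `javac BrowserIdAssertionExample.java && java BrowserIdAssertionExample`; both verify lines should print `true`. The signature is computed over the base64url-encoded segments rather than the decoded JSON, and the payload strings are built through `jsonString` so that a stray quote or control character in an email or audience cannot change the JSON structure; those are the two places where the "format the JSON correctly" concern in the comment above actually bites.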