Closed
Bug 857815
Opened 12 years ago
Closed 12 years ago
Receipt verification should only use our own certificates
Categories
(Marketplace Graveyard :: Payments/Refunds, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
2013-04-04
People
(Reporter: andy+bugzilla, Assigned: andy+bugzilla)
References
Details
The receipt verification checks the signature using a certificate. That certificate is loaded from the JWK. So that means we'll verify using any certificate passed to us. We should whitelist that for Mozilla domains only (and check SSL certs on the way).
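One way to implement the allow-list the description asks for, as an added example that is not the marketplace's or the receipts project's own code: before any key material is fetched, the receipt's JWT header is parsed, the URL it names is required to be https with an exactly allow-listed host (no suffix matching, no userinfo, no odd port), and only then would the caller go and fetch the JWK over a verified TLS connection. The header field name `jku`, the host names in `ALLOWED_KEY_HOSTS`, and the receipts built by `make_receipt` are assumptions for illustration.

```python
"""Allow-list the key/certificate source named in a receipt before verifying it.

Added example, not the marketplace verifier. The "jku" header field and the
host list are assumptions for illustration.
"""
import base64
import json
from urllib.parse import urlsplit

# Assumption: only these hosts may serve keys/certificates used to check receipts.
ALLOWED_KEY_HOSTS = frozenset({
    "marketplace.firefox.com",
    "marketplace-dev.allizom.org",
})


class ReceiptError(Exception):
    """Raised when a receipt must be rejected before any signature check."""


def b64url_decode(data: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWTs."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data)


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def key_source_allowed(url: str, allowed_hosts=ALLOWED_KEY_HOSTS) -> bool:
    """True only for an https URL whose host is exactly in the allow-list.

    Exact host comparison, not a suffix match, so that
    "marketplace.firefox.com.evil.example" fails. Userinfo and non-default
    ports are rejected so "https://marketplace.firefox.com@evil.example/"
    cannot pass on a careless read of the string.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        if parts.port not in (None, 443):  # .port raises ValueError if malformed
            return False
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return False
    return host in allowed_hosts


def receipt_key_url(receipt: str) -> str:
    """Return the key URL from the receipt's JWT header (assumed field "jku")."""
    segments = receipt.split(".")
    if len(segments) != 3:
        raise ReceiptError("receipt is not a three-segment JWT")
    try:
        header = json.loads(b64url_decode(segments[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ReceiptError("unparseable receipt header")
    jku = header.get("jku") if isinstance(header, dict) else None
    if not isinstance(jku, str):
        raise ReceiptError("receipt header names no key URL")
    return jku


def check_receipt_key_source(receipt: str, allowed_hosts=ALLOWED_KEY_HOSTS) -> str:
    """Gate that runs before any fetch or signature check; returns the vetted URL."""
    url = receipt_key_url(receipt)
    if not key_source_allowed(url, allowed_hosts):
        raise ReceiptError(f"key source not allow-listed: {url}")
    return url


def receipt_key_source_ok(receipt: str, allowed_hosts=ALLOWED_KEY_HOSTS) -> bool:
    """Boolean form of check_receipt_key_source for callers that do not want exceptions."""
    try:
        check_receipt_key_source(receipt, allowed_hosts)
    except ReceiptError:
        return False
    return True


def make_receipt(header: dict, payload: dict, signature: bytes = b"placeholder") -> str:
    """Build a constructed receipt for exercising the gate; the signature is a dummy."""
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(signature),
    ])


if __name__ == "__main__":
    good = make_receipt({"alg": "RS256", "jku": "https://marketplace.firefox.com/public_keys/test.jwk"}, {"typ": "purchase-receipt"})
    print("accepted:", check_receipt_key_source(good))
    bad = make_receipt({"alg": "RS256", "jku": "https://marketplace.firefox.com.evil.example/k.jwk"}, {})
    try:
        check_receipt_key_source(bad)
    except ReceiptError as exc:
        print("rejected:", exc)
```

The allow-list check is deliberately independent of the signature code: a receipt whose header points anywhere else never reaches the fetch, so the verifier cannot be talked into trusting an attacker-supplied certificate. The fetch itself then has to be made with TLS certificate verification on, which is the "check SSL certs on the way" half of the request.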
Comment 1•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 2•12 years ago
Verified for me, basically receipts should still work.
Comment 3•12 years ago
Ryan, can you give us an example of how a receipt might have chained certs? What is the use case for chains? Would the marketplace cert always be at the root of the chain or could it be in other positions?
I am concerned that we are only whitelisting the cert at the root of the chain: https://github.com/andymckay/receipts/commit/c5555b39164f03a604c6dd9a677155c476dfcd1d#L1R167 This seems error prone.
Flags: needinfo?(rtilder)
Updated•5 years ago
Flags: needinfo?(rtilder)