If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

Receipt verification should only use our own certificates

RESOLVED FIXED in 2013-04-04

Status

Marketplace
Payments/Refunds
P1
normal
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: andym, Assigned: andym, NeedInfo)

Tracking

2013-04-04
x86
Mac OS X
Points:
---

Details

(Assignee)

Description

5 years ago
The receipt verification checks the signature using a certificate. That certificated is loaded from the JWK. So that means we'll verify using any certificate passed to us. We should whitelist that for mozilla domains only. (and check ssl certs on the way).
(Assignee)

Comment 1

5 years ago
https://github.com/mozilla/zamboni/commit/f1a4cb
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Comment 2

5 years ago
Verified for me, basically receipts should still work.
Ryan, can you give us an example of how a receipt might have chained certs? What is the use case for chains? Would the marketplace cert always be at the root of the chain or could it be in other positions?

I am concerned that we are only whitelisting the cert at the root of the chain: https://github.com/andymckay/receipts/commit/c5555b39164f03a604c6dd9a677155c476dfcd1d#L1R167 This seems error prone.
Flags: needinfo?(rtilder)
You need to log in before you can comment on or make changes to this bug.