Closed Bug 959919 Opened 9 years ago Closed 9 years ago

Adapt FxA token server client to include X-Client-State header

Categories

(Firefox :: Sync, defect)

Product:
Firefox
Component:
Sync
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29

People

(Reporter: rnewman, Assigned: jedp)

References

Details

(Whiteboard: [qa-])

Attachments

(1 file, 2 obsolete files)

Send X-Client-State header
11.25 KB, patch
rnewman
: review+
Details | Diff | Splinter Review 
Desktop equivalent of Android's Bug 959915.

This will allow us to receive a new node assignment when our generated key changes.

[qa-], because this will be tested implicitly.
linking the bug with the spec in it for completeness
Depends on: 959441
Assignee: nobody → jparsons
The conclusion of this sync-dev thread

  https://mail.mozilla.org/pipermail/sync-dev/2014-January/000764.html

leads me to believe that I should send this with every request to the token server:

  HKDF(BASE64URLSAFE(FIRST-16-BYTES(SHA256(kB))), salt=emailUTF8, context=KW("X-Client-State"), 16)

Is that correct?  Is there a more spec-like spec somewhere that I ought to refer to?
Thanks,
j
Flags: needinfo?(nalexander)
(In reply to Jed Parsons (use needinfo, please) [:jedp, :jparsons] from comment #2)
> The conclusion of this sync-dev thread
> 
>   https://mail.mozilla.org/pipermail/sync-dev/2014-January/000764.html
> 
> leads me to believe that I should send this with every request to the token
> server:
> 
>   HKDF(BASE64URLSAFE(FIRST-16-BYTES(SHA256(kB))), salt=emailUTF8,
> context=KW("X-Client-State"), 16)
> 
> Is that correct?  Is there a more spec-like spec somewhere that I ought to
> refer to?
> Thanks,
> j

No spec. Things are crazy!

Let's do Nick's proposal:

https://mail.mozilla.org/pipermail/sync-dev/2014-January/000772.html

BASE64URLSAFE(FIRST-16-BYTES(SHA256(kB)))
Flags: needinfo?(nalexander)
Confirmed with rfk on irc that the resulting header looks like what he'd like

Nick, how does this look as a way to compute the header?  Is this what you're doing on Android?
Attachment #8367031 - Flags: feedback?(nalexander)
Comment on attachment 8367031 [details] [diff] [review]
959919-x-client-state-header.patch

Review of attachment 8367031 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, looks fine.  I'll test with this vector on Android.
Attachment #8367031 - Flags: feedback?(nalexander) → feedback+
Comment on attachment 8367031 [details] [diff] [review]
959919-x-client-state-header.patch

Hi, Gregory, do you mind taking a look at this?

Summary:
- Adds an X-Client-State header
- removes unused conditionsAccepted arg (that's done by fxa now)
- provides way to add arbitrary headers to getToken request
- fixes bug in common utils encodeBase64URL
- adds tests for sha256 and header computation

thanks!
j
Attachment #8367031 - Flags: review?(gps)
Things changed!

LOWERCASE_HEX_ENCODE(FIRST-16-BYTES(SHA256(kB)))
Attached patch Send X-Client-State header (obsolete) — Splinter Review 
Small change in the encoding scheme (per comment 8)

Otherwise, same summary as in comment 7.

Leaving in the fix to encodeBase64Url.

Thanks!
j
Attachment #8367031 - Attachment is obsolete: true
Attachment #8367031 - Flags: review?(gps)
Attachment #8367045 - Flags: review?(gps)
Comment on attachment 8367045 [details] [diff] [review]
Send X-Client-State header

Review of attachment 8367045 [details] [diff] [review]:
-----------------------------------------------------------------

::: services/sync/modules/browserid_identity.js
@@ +67,5 @@
> +   * Compute the X-Client-State header given kB.
> +   * Return HEX(FIRST-16-BYTES(SHA256(kB)))
> +   */
> +  _computeXClientState: function(kB) {
> +    return CommonUtils.bytesAsHex(this._sha256(kB).slice(0, 16), false);

This function expects kB to be a byte array, because CryptoUtils.digestBytes does.

@@ +317,5 @@
>    _fetchTokenForUser: function(userData) {
>      let tokenServerURI = Svc.Prefs.get("tokenServerURI");
>      let log = this._log;
>      let client = this._tokenServerClient;
> +    let headers = {"X-Client-State": this._computeXClientState(userData.kB)};

If userData.kB is hex-encoded here, make sure you decode it.

::: services/sync/tests/unit/test_browserid_identity.js
@@ +137,5 @@
> +  let kB = "fd5c747806c07ce0b9d69dcfea144663e630b65ec4963596a22f24910d7dd15d";
> +  let bidUser = new BrowserIDManager();
> +  do_check_eq(kB.length, 64);
> +
> +  let header = bidUser._computeXClientState(kB);

But this test is passing in a 64-'byte' string. Which is wrong. You need to hex-decode the kB test string here.
Attachment #8367045 - Flags: review?(gps) → review-
(In reply to Richard Newman [:rnewman] from comment #10)
> @@ +317,5 @@
> >    _fetchTokenForUser: function(userData) {
> >      let tokenServerURI = Svc.Prefs.get("tokenServerURI");
> >      let log = this._log;
> >      let client = this._tokenServerClient;
> > +    let headers = {"X-Client-State": this._computeXClientState(userData.kB)};
> 
> If userData.kB is hex-encoded here, make sure you decode it.

Jed, do as _fetchSyncKeyBundle does it:

>      // both Jelly and FxAccounts give us kA/kB as hex.
>      let kB = Utils.hexToBytes(userData.kB);
Thank you both.  I got myself mixed up yesterday.  Fixing now.
This is the test I'm using on Android.

  @Test
  public void testClientState() throws Exception {
    final String hexKB = "fd5c747806c07ce0b9d69dcfea144663e630b65ec4963596a22f24910d7dd15d";
    final byte[] byteKB = Utils.hex2Byte(hexKB);
    final String clientState = FxAccountUtils.computeClientState(byteKB);
    final String expected = "6ae94683571c7a7c54dab4700aa3995f";
    Assert.assertEquals(expected, clientState);
  }

with

  public static String computeClientState(byte[] kB) throws NoSuchAlgorithmException {
    byte[] sha256 = Utils.sha256(kB);
    byte[] truncated = new byte[16];
    System.arraycopy(sha256, 0, truncated, 0, 16);
    return Utils.byte2Hex(truncated);    // Already lowercase.
  }
Excellent.  Thanks, Richard.
Comment on attachment 8367640 [details] [diff] [review]
Send X-Client-State header

Hi, Richard,

I think this straightens out the encoding snafu.  Is it looking better now?

Thanks for the test vectors and for your review,
j
Attachment #8367640 - Flags: review?(rnewman)
Comment on attachment 8367640 [details] [diff] [review]
Send X-Client-State header

Review of attachment 8367640 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good!
Attachment #8367640 - Flags: review?(rnewman) → review+
Sweet.  Thank you, Richard.
Keywords: checkin-needed
https://hg.mozilla.org/integration/fx-team/rev/9ff6690506a6
Flags: in-testsuite+
Keywords: checkin-needed
Whiteboard: [qa-] → [qa-][fixed-in-fx-team]
https://hg.mozilla.org/mozilla-central/rev/9ff6690506a6
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [qa-][fixed-in-fx-team] → [qa-]
Target Milestone: --- → mozilla29
Component: Firefox Sync: Backend → Sync
Product: Cloud Services → Firefox
You need to log in before you can comment on or make changes to this bug.