981827 - Make Android and Desktop FxAccounts client use same key parameters

Status: RESOLVED FIXED

(Firefox for Android Graveyard :: Android Sync, defect, P1)

Description

[Nick Alexander :nalexander [he/him]]

At the moment, Android uses 1024-bit RSA keys (the RS128 JWT algorithm):

http://mxr.mozilla.org/mozilla-central/source/mobile/android/base/fxa/sync/FxAccountSyncAdapter.java#481

Desktop uses 1024-bit DSA keys (the DS128/DS160 JWT algorithm):

http://mxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccounts.jsm#162

Note that RS128 fails on (some?) Android 2.2 devices (Bug 975625) so we should move Android to using DS160 ASAP.

I'll try to do some preliminary signature timings to understand what, if any, perf impact this change has.

Comment 2

[Nick Alexander :nalexander [he/him]]

Attachment: github PR

This is working well for me locally.  I'll push a try build so that we can tests on a 2.2 device.

Comment 3

[Nick Alexander :nalexander [he/him]]

https://tbpl.mozilla.org/?tree=Try&rev=2ab8f6889d48

Comment 4

[Nick Alexander :nalexander [he/him]]

edwong: this ticket tracks one way we might address Bug 975625, the issue tracking Android Sync generating bad signatures on (some?) 2.2 devices.

Could you kindly do the following on the 2.2 device you were seeing failures on:

1) Install a recent 31 Nightly on the device.
2) Configure an FxAccount.
3) Verify (via logs) that the device is still failing, with "invalid-signature" error messages from the token server.

4) Install the try build 31 Nightly from [1] (on top of the 31 Nightly from step 1). This should use the same FxAccount you created above.
5) Verify (via logs and a smoketest) that the device is no longer failing.

You should see a log message saying "Migrating V1 persisted State to V2...", if you are capturing the very first sync after upgrade.  Otherwise, you should just see success.

[1] https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/nalexander@mozilla.com-2ab8f6889d48/try-android-armv6/fennec-31.0a1.en-US.android-arm-armv6.apk

If your device is 2.2 but not armv6, then try

https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/nalexander@mozilla.com-2ab8f6889d48/try-android/fennec-31.0a1.en-US.android-arm.apk

Comment 5

[Nick Alexander :nalexander [he/him]]

edwong: further, could you smoke test the non-armv6 try build on a recent device, to make sure we haven't regressed the other 98% of our users running modern Android devices:

https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/nalexander@mozilla.com-2ab8f6889d48/try-android/fennec-31.0a1.en-US.android-arm.apk

I have tested this on a Samsung Transformer Prime, and on a Samsung Galaxy S4.

Comment 6

[Richard Newman [:rnewman]]

Comment on attachment 8393251 [details] [review]
github PR

Looks good, but correct the bug number!

Comment 7

[Edwin Wong [:edwong]]

I'm swamped, load balancing to Karl

Comment 8

[Nick Alexander :nalexander [he/him]]

AaronMT: do you have a 2.2 device?  Can you add this ticket (specifically, the steps in https://bugzilla.mozilla.org/show_bug.cgi?id=981827#c4) to your list of things to test?  If not, can you set flags and route appropriately?  Thanks!

Comment 9

[Aaron Train [:aaronmt]]

(In reply to Nick Alexander :nalexander from comment #4)

HTC Legend (hardly such) (ARMv6, Android 2.2)

> 1) Install a recent 31 Nightly on the device.

Nightly (03/26)

> 2) Configure an FxAccount.
> 3) Verify (via logs) that the device is still failing, with
> "invalid-signature" error messages from the token server.

Confirmed.

> You should see a log message saying "Migrating V1 persisted State to V2...",
> if you are capturing the very first sync after upgrade.  Otherwise, you
> should just see success.


Confirmed: 
* I/FxAccounts( 1065): fennec :: StateFactory :: Migrating V1 persisted State to V2; stateLabel: Cohabiting

.... and there we have it, Sync working on this 2.2 device now

Comment 10

[Karl Thiessen [:kthiessen, he/him]]

After a bit of user error in fiddling about this morning, I can belatedly confirm that this works for me on the Samsung Galaxy running Android 2.2 that Edwin lent me for the purpose.

Comment 11

[Nick Alexander :nalexander [he/him]]

QA to the rescue!  Thanks, AaronMT; thanks, kthiessen.

Comment 12

[Nick Alexander :nalexander [he/him]]

https://hg.mozilla.org/integration/fx-team/rev/0baee5959b90

Comment 13

[Nick Alexander :nalexander [he/him]]

Attachment: 0baee5959b90

[Approval Request Comment]
Bug caused by (feature/regressing bug #): initial FxA landing.

User impact if declined: FxAccounts + Sync will not work on Android 2.2 devices.  (Bug 975625).

Testing completed (on m-c, etc.): just landed on m-c.  We'll want to bake there for a few days before uplifting to Aurora and Beta.  Try builds have been QA tested on a range of devices.

Risk to taking this patch (and alternatives if risky): this is the punchline to Bug 988437 (discussed also in Bug 993673).  The patch does carry some risk, but it's not adding much more than we've already landed by uplifting Bug 988437 all the way to Beta.  And any risk here should be discovered on Nightly quickly.

String or IDL/UUID changes made by this patch: none.

Comment 14

[Sylvestre Ledru [:Sylvestre]]

This will have to land in beta 8 (gtb: next Monday)  maximum.

Comment 15

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/0baee5959b90

Comment 16

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8404346 [details] [diff] [review]
0baee5959b90

Approving now. Sunday aurora will have this patch and beta8 next Tuesday.

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/52674ce552fd
https://hg.mozilla.org/releases/mozilla-beta/rev/13a97e892449

Comment 18

[juan becerra [:juanb]]

Could someone try this out on Fx29b8 with the candidate builds that will be available tonight/tomorrow?