certificate/sign is fundamentally broken and cannot work as it is with existing sync.next plan

Nick Alexander nalexander at mozilla.com
Fri Nov 22 12:30:48 PST 2013


Hello team,

certificate/sign now returns a Browser ID certificate certifying a 
public email address [1].  Observe the {"email":"testtestk at ..."} below. 
The private key signing the certificate is not the same as the private 
key of the IdP hosting the email address.  (If there even is a
Persona-style IdP at the appropriate host.)

The existing token server rightly rejects such bullshit certificates 
(and assertions generated from them).  This completely breaks the 
proposed sync.next plan.

I am going on PTO for 2 weeks and can't escalate this any further.

Nick

[1] long example:

Assertion from server login was:


Corresponds to:

certificate header:    {"alg":"RS256"}
certificate payload: 
{"public-key":{"algorithm":"DS","y":"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","p":"d6c4e5045697756c7a312d02c2289c25d40f9954261f7b5876214b6df109c738b76226b199bb7e33f8fc7ac1dcc316e1e7c78973951bfc6ff2e00cc987cd76fcfb0b8c0096b0b460fffac960ca4136c28f4bfb580de47cf7e7934c3985e3b3d943b77f06ef2af3ac3494fc3c6fc49810a63853862a02bb1c824a01b7fc688e4028527a58ad58c9d512922660db5d505bc263af293bc93bcd6d885a157579d7f52952236dd9d06a4fc3bc2247d21f1a70f5848eb0176513537c983f5a36737f01f82b44546e8e7f0fabc457e3de1d9c5dba96965b10a2a0580b0ad0f88179e10066107fb74314a07e6745863bc797b7002ebec0b000a98eb697414709ac17b401","q":"b1e370f6472c8754ccd75e99666ec8ef1fd748b748bbbc08503d82ce8055ab3b","g":"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"},"principal":{"email":"testtestk at mockmyid.com","uid":"c5684a8c-ed0b-4213-be82-3f8594a46749"},"iat":1385150427283,"exp":1385181963283,"iss":"api-accounts.dev.lcip.org"}
certificate signature: 
assertion   header:    {"alg":"DS256"}
assertion   payload: 
{"exp":1416686427336,"aud":"http://auth.oldsync.dev.lcip.org"}
assertion   signature: 
3391007e9af762ac4eeaf1cbca81b0bc610db22f6c9657756695363cecba404f49d5f80f0a0b57637aff3f9c74fea1e377c22f42cbe1283f7667e7f3d3f6c064
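As an added illustration (not code from the mail, the token server or the accounts server), here is the issuer-vs-principal rule that makes a BrowserID verifier reject the certificate above: the certificate's "iss" must be the IdP for the email's domain, or a trusted fallback. The fallback allowlist, the placeholder signatures and the sample tokens are constructed assumptions; signature and audience checks are deliberately out of scope.

```python
import base64
import json

# Fallback issuers a verifier would trust for any domain (hypothetical allowlist).
TRUSTED_FALLBACK_ISSUERS = {"login.persona.org"}

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_jwt(header, payload):
    # Constructed token for structure only; the signature segment is a placeholder.
    return ".".join([b64url_encode(header), b64url_encode(payload), "PLACEHOLDER-SIG"])

def parse_backed_assertion(backed):
    # A backed assertion is "<certificate>~<assertion>", each a three-part JWT.
    cert_jwt, assertion_jwt = backed.split("~", 1)
    cert = b64url_decode_json(cert_jwt.split(".")[1])
    assertion = b64url_decode_json(assertion_jwt.split(".")[1])
    return cert, assertion

def check_issuer_authority(cert, now_ms):
    """Issuer-vs-principal rule only: the certificate's "iss" must be the IdP for the
    email's domain (or a trusted fallback). Signature and audience checks are separate."""
    email = cert["principal"]["email"]
    issuer = cert["iss"].lower()
    domain = email.rsplit("@", 1)[1].lower()
    if cert["exp"] <= now_ms:
        return False, "certificate expired"
    if issuer == domain or issuer in TRUSTED_FALLBACK_ISSUERS:
        return True, "issuer %s is authoritative for %s" % (issuer, domain)
    return False, "issuer %s is not the IdP for %s" % (issuer, domain)

def verify_backed(backed, now_ms):
    cert, _assertion = parse_backed_assertion(backed)
    return check_issuer_authority(cert, now_ms)

# Constructed samples with the same shape as the mail's footnote (not the real tokens).
PRINCIPAL = {"email": "testtestk@mockmyid.com", "uid": "c5684a8c-ed0b-4213-be82-3f8594a46749"}
ASSERTION = make_jwt({"alg": "DS256"},
                     {"exp": 1416686427336, "aud": "http://auth.oldsync.dev.lcip.org"})
# As in the mail: the accounts server certifies a mockmyid.com address it does not host.
BAD_BACKED = make_jwt({"alg": "RS256"}, {"principal": PRINCIPAL, "iat": 1385150427283,
                      "exp": 1385181963283, "iss": "api-accounts.dev.lcip.org"}) + "~" + ASSERTION
# What a verifier expects: the certificate comes from the email's own domain.
GOOD_BACKED = make_jwt({"alg": "RS256"}, {"principal": PRINCIPAL, "iat": 1385150427283,
                       "exp": 1385181963283, "iss": "mockmyid.com"}) + "~" + ASSERTION
```

Running `verify_backed(BAD_BACKED, 1385150427283)` reports the mismatch the token server objects to, while the same principal certified by `mockmyid.com` passes this check.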




More information about the Dev-fxacct mailing list