This repository has been archived by the owner on Apr 3, 2019. It is now read-only.

Backport ECDH key validation from private repo #1918

Merged 5 commits on May 29, 2017


@rfk rfk commented May 29, 2017

This backports the now-deployed-to-production code from https://github.com/mozilla/fxa-auth-server-private/pull/65 into the public repo. It validates incoming push public keys before writing them to the db, and does so in a way that works around a bug in node's handling of invalid keys:

nodejs/node#13275

@vladikoff r?

rfk and others added 5 commits May 26, 2017 09:21
We currently allow devices to submit invalid public keys with
their push registration, causing attempts to notify those devices
to fail in an ugly way.  This adds additional validation so that
only known-good keys get stored in the db.
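
One way to check a push public key before storing it, without depending on the runtime's own ECDH key parsing. This is an added example, not code from the pull request or the project; it assumes keys arrive as base64url-encoded uncompressed P-256 points (the Web Push format), and `isValidPushPublicKey` and `encodePoint` are hypothetical names.

```javascript
// Added example, not the project's code. Assumption: a push public key is a
// base64url-encoded uncompressed P-256 point (0x04 || X || Y, 65 bytes).

// NIST P-256 domain parameters for y^2 = x^3 + ax + b (mod p).
const P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn;
const A = P - 3n;
const B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn;
// Base point G, used here only to construct sample inputs.
const GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n;
const GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n;

const toBig = (buf) => BigInt('0x' + buf.toString('hex'));

function isValidPushPublicKey(b64url) {
  // Enforce the base64url alphabet up front; Buffer.from() would otherwise
  // silently skip characters it does not recognise.
  if (typeof b64url !== 'string' || !/^[A-Za-z0-9_-]+$/.test(b64url)) return false;
  const raw = Buffer.from(b64url, 'base64url');
  // Uncompressed point: one format byte plus two 32-byte coordinates.
  if (raw.length !== 65 || raw[0] !== 0x04) return false;
  const x = toBig(raw.subarray(1, 33));
  const y = toBig(raw.subarray(33, 65));
  // Coordinates must be reduced field elements.
  if (x >= P || y >= P) return false;
  // The point must satisfy the curve equation. P-256 has cofactor 1, so an
  // on-curve affine point is in the correct group.
  const lhs = (y * y) % P;
  const rhs = (((x * x + A) % P) * x + B) % P;
  return lhs === rhs;
}

// Hypothetical helper that builds constructed sample keys for the checks below.
function encodePoint(x, y) {
  const hex = (n) => n.toString(16).padStart(64, '0');
  return Buffer.from('04' + hex(x) + hex(y), 'hex').toString('base64url');
}

// Constructed samples: the base point is accepted, an off-curve point is not.
console.log(isValidPushPublicKey(encodePoint(GX, GY)));
console.log(isValidPushPublicKey(encodePoint(GX, GY + 1n)));
```

Running a check like this at registration time keeps a malformed key from reaching the code path that later encrypts a notification for that device.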

ghost commented May 29, 2017

Ouch. Have you seen real Firefox clients submit invalid keys?


rfk commented May 29, 2017

> Have you seen real Firefox clients submit invalid keys?

Fortunately no; we had some bogus keys in our tests that were causing strange failures.


ghost commented May 29, 2017

Whew. 😅 Still a hideous bug, but it's great to hear clients in the wild haven't been doing this.

@vladikoff vladikoff merged commit f2a3d15 into master May 29, 2017
@rfk rfk added this to the FxA-0: quality milestone Jun 1, 2017
@shane-tomlinson shane-tomlinson deleted the public-87.1-backport branch April 18, 2018 12:47