Comments (7)
I'm going to create a branch of v0.4.2.
There is one non-trivial change in master... which I don't think we want to QA. Or should we add that to the hotpatch?
from browserid-crypto.
Oh, actually, that change is in bin/check-assertion, which I don't think is used in production.
This bug is probably invalid. The APIs take a date as input. Clock skew can be adjusted for by the caller.
Our issue can be fixed by setting new Date() to 10 seconds into the future when we call jwcrypto.cert.verifyBundle right here.
Closing, will open bug in core.
via IRC
warner: so if you pass in now+5min, it'll assert that .iat<now+5min and .exp>now+5min, which lets you tolerate a fast IDP clock for .iat, but makes it worse for .exp (the IDP clock's slowness plus the RTT from IDP to verifier must be >5min)
I don't see in browserid or jwcrypto where we pad for any clock skew... actually. In IRC I heard there was an allowance baked in, but I'm guessing this is using cert expiration as the skew allowance.
In test/assertion-test.js we actually test that an assertion with an expiration of 1 second ago fails to verify.
I'll add 120 seconds of skew allowance in the past, as discussed on IRC.
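The two approaches discussed above (shifting the reference time forward, as warner describes from IRC, versus a separate skew allowance in the past) side by side, as an added example that is not part of this thread or of jwcrypto's code. The claim field names iat/exp and the 120 s figure come from the comments; the function names, the constructed clock scenarios and the 5 min lifetime are assumptions.

```javascript
// Added example, not jwcrypto's own code. The claim names iat/exp and the
// 120 s allowance come from the thread; everything else here is assumed.
const MIN = 60 * 1000;
const DEFAULT_SKEW_MS = 120 * 1000; // the 120 s allowance adopted in the thread

// The "pass in now+5min" approach from IRC: one shifted reference time.
// Loosens the iat check but tightens the exp check by the same amount.
function verifyTimesShifted(claims, nowMs, shiftMs) {
  const ref = nowMs + shiftMs;
  if (claims.iat > ref) return { ok: false, reason: 'iat in the future' };
  if (claims.exp <= ref) return { ok: false, reason: 'expired' };
  return { ok: true };
}

// Explicit allowance: relax each bound in the direction clock skew pushes it.
// iat may sit up to skewMs ahead of us (fast IdP clock); exp may sit up to
// skewMs behind us (slow IdP clock plus transit time).
function verifyTimesWithSkew(claims, nowMs, skewMs = DEFAULT_SKEW_MS) {
  if (!Number.isFinite(claims.iat) || !Number.isFinite(claims.exp)) {
    return { ok: false, reason: 'missing or non-numeric iat/exp' };
  }
  if (claims.iat > nowMs + skewMs) return { ok: false, reason: 'iat in the future' };
  if (claims.exp <= nowMs - skewMs) return { ok: false, reason: 'expired' };
  return { ok: true };
}

// Constructed scenarios, all judged against the verifier's clock NOW.
const NOW = Date.UTC(2013, 0, 1, 12, 0, 0);
const fastIdp = { iat: NOW + 3 * MIN, exp: NOW + 8 * MIN };   // IdP clock 3 min fast
const slowIdp = { iat: NOW - 9 * MIN, exp: NOW - 0.5 * MIN }; // slow clock + RTT: exp just passed
const stale   = { iat: NOW - 30 * MIN, exp: NOW - 10 * MIN }; // genuinely expired

function compare() {
  return {
    shifted: {
      fast: verifyTimesShifted(fastIdp, NOW, 5 * MIN).ok, // true
      slow: verifyTimesShifted(slowIdp, NOW, 5 * MIN).ok, // false: exp must now beat now+5min
    },
    withSkew: {
      fast: verifyTimesWithSkew(fastIdp, NOW, 5 * MIN).ok, // true
      slow: verifyTimesWithSkew(slowIdp, NOW, 5 * MIN).ok, // true
      stale: verifyTimesWithSkew(stale, NOW).ok,           // false with the 120 s default
    },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```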
PR #59
@warner would you be available to review?
See also mozilla/persona#2814 where this was encountered by external IdPs (my copy being https://github.com/mook/browseridp/blob/acec78ccb6/content/interceptor.js#L148 )
(Sorry for spamming jwcrypto, nobody actually mentioned the browserid issue number)