mozilla / pybrowserid Goto Github PK

Traceback (most recent call last):
  File "makecert.py", line 36, in <module>
    issuer_keypair=(None, MOCKMYID_PRIVATE_KEY),
  File "/home/djc/src/PyBrowserID/browserid/tests/support.py", line 144, in make_assertion
    certificate = jwt.generate(certificate, iss_priv)
  File "/home/djc/src/PyBrowserID/browserid/jwt.py", line 37, in generate
    signature = encode_bytes(key.sign(signed_data))
  File "/home/djc/src/PyBrowserID/browserid/crypto/fallback.py", line 92, in sign
    return unhexlify(hex(m)[2:].rstrip("L").encode("ascii"))
TypeError: Odd-length string

This happens when using the makecert script you posted to the dev-identity ml. It doesn't happen always, maybe some 15% of the times I've run the script so far.

Verifiers (ours included) should probably not accept an assertion signed by a fallback if the domain in question is a native Identity Provider.

This mitigates the security risk of browserid.org being compromised, as fraudulent assertions from browserid.org for users with a native Identity Provider would get rejected.

(From mozilla/persona#1501)

As far as I can tell, current version of this library doesn't verify the certificate of "https://verifier.login.persona.org/verify". This allows Man-in-the-Middle attacks.

There was some chatter on dev-identity about whether or not the lookup process for support documents is allowed to follow HTTP redirects. I recall the answer being "no" for some technical/security reasons but I don't have a link to the details. We need to find a definitive answer on this and potentially change to code to avoid following redirects.

When creating a DSKey, if the data does not have what it takes, it breaks without telling what's wrong

let's fix this. in the init I propose to add:

class DSKey(object):
    ...

    def __init__(self, data=None, obj=None):
        ...
        if obj:
            self.dsa = obj
        else:
            for key in ('p', 'q', 'g', 'y'):
                if key not in data:
                    raise ValueError('missing %s in data - %s' % (key, str(data.keys()) ))
            ....

Thoughts ?

Maybe replace M2Crypto with https://cryptography.io/ if it provides the necessary functions, this may prove to be easier to install and maintain than the M2Crypto bindings.

https://github.com/mozilla/PyBrowserID/blob/master/browserid/certificates.py#L150

this error needs to tell which url failed

I just want to announce that I made Python 2 & 3 compliant implementation. You will find it in my 'six' branch at:

https://github.com/return42/PyBrowserID

I am working on a bunch of forked mozilla repositories. They are all assembled as git-submodules at:

https://github.com/return42/moz-cloud

To follow the Python 3 movement of the whole set, I recommend to checkout master branch from moz-cloud. Comments are welcome.

I get an InvalidSignatureError(u'untrusted root issuer: gmail.login.persona.org',) when trying to verify a persona from a gmail user. Similar for yahoo users.

The support-document fetcher currently falls back to /pk if there is no support document. This is out of spec and was a hack to support diresworb.org. We should heck whether this is still necessary, and if not then remove the fallback code.

Could you please consider to use unittest.mock where possible?

Perhaps something like

Index: PyBrowserID-0.14.0/browserid/tests/test_supportdoc.py
===================================================================
--- PyBrowserID-0.14.0.orig/browserid/tests/test_supportdoc.py	2014-12-12 06:15:36.000000000 +0100
+++ PyBrowserID-0.14.0/browserid/tests/test_supportdoc.py	2021-05-27 11:15:09.807769893 +0200
@@ -1,7 +1,11 @@
 import json
 import socket
 
-from mock import Mock, patch
+try:
+    from unittest.mock import Mock, patch
+except ImportError:
+    from mock import Mock, patch
+
 from requests.exceptions import RequestException
 
 from browserid.supportdoc import fetch_support_document, SupportDocumentManager
Index: PyBrowserID-0.14.0/browserid/tests/test_verifiers.py
===================================================================
--- PyBrowserID-0.14.0.orig/browserid/tests/test_verifiers.py	2018-01-11 22:01:14.000000000 +0100
+++ PyBrowserID-0.14.0/browserid/tests/test_verifiers.py	2021-05-27 11:15:59.064034201 +0200
@@ -5,7 +5,11 @@
 import time
 import warnings
 
-from mock import Mock, patch
+try:
+    from unittest.mock import Mock, patch
+except ImportError:
+    from mock import Mock, patch
+
 
 import browserid
 from browserid.tests.support import (patched_supportdoc_fetching,

y = pow(g, x, p)

There's no need to error out if it's missing.

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

1. Required Text - All text under the headings Community Participation Guidelines and How to Report, are required, and should not be altered.
2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please reach out to [email protected].

(Message COC001)

This Mozilla repository has been identified as lacking a license. Consistent with Mozilla's Licensing Policy an open source license should be applied to the code in this repository.

Please add an appropriate LICENSE.md file to the root directory of the project. In general, Mozilla's licensing policies are as follows:

• Client-side products created by Mozilla employees or contributors should use the Mozilla Public License, Version 2.0 (MPL).

• Server-side products or utilities that support Mozilla products may use either the MPL or the Apache License 2.0 (Apache 2.0).

In special cases, another license might be appropriate. If the repository is a fork of another repository it must apply the license of the original. Similarly, another license might be appropriate to match that of a broader project (for example Rust crates that Firefox depends on are published under an Apache 2.0 / MIT dual license, as that is the dual license used by the Rust programming language and projects).

Please ensure that any license added to the LICENSE.md file matches other licensing information in the repository (for example, it should match any license indicated in a setup.py or package.json file).

Mozilla staff can access more information in our Software Licensing Runbook – search for “Licensing Runbook” in Confluence to find it.

If you have any questions you can contact Daniel Nazer who can be reached at dnazer on Mozilla email or Slack.

OPENLIC-2023-01

The bundle_certs_and_assertion() and unbundle_certs_and_assertion() functions include support for both "old-style" and "new-style" formatting of Backed Identity Assertions. The old-style formatting hasn't been in use for a long time, we can probably deprecate this feature and eventually remove it.

As described here, the verifier protocol is expanding to allow "unverified" email addresses, so that users can have access to some functionality before they have clicked through the verification email link:

https://bugzilla.mozilla.org/show_bug.cgi?id=794634

JR has a patch for django-browserid showing what this looks like from an API standpoint:

mozilla/django-browserid#96

Assuming the details don't change, we should expand our verifier API to support this as well.

@rfk Further to our investigations of Bug 975625, I fed an assertion that succeeded at the Persona verifier through the LocalVerifier and the signatures are different (due to what looks like padding). If you go back to our IRC log, you'll see that the two signatures look the same (modulo padding) but in fact are not the same -- a few high bits differ. I believe this is a legitimate Android platform bug (see discussion in Bug 975625), but there is also a problem with the PyBrowserID code.

I wrote pyramid_persona a few days ago : it uses PyBrowserID to provide a persona-based login on pyramid. Sadly, using this prevents me from using python 3 for my pyramid projects. With many web frameworks starting to support python3, a web-oriented library such as PyBrowserID should start considering supporting it.

The port might not be easy, as PyBrowserID manipulates lots of unicode and bytestrings. Someone who knows the internal of the project might be better suited, but if no one wants to do it, I can try and do the port.