mozilla / pybrowserid
DEPRECATED - python client library for the BrowserID protocol
Traceback (most recent call last):
File "makecert.py", line 36, in <module>
issuer_keypair=(None, MOCKMYID_PRIVATE_KEY),
File "/home/djc/src/PyBrowserID/browserid/tests/support.py", line 144, in make_assertion
certificate = jwt.generate(certificate, iss_priv)
File "/home/djc/src/PyBrowserID/browserid/jwt.py", line 37, in generate
signature = encode_bytes(key.sign(signed_data))
File "/home/djc/src/PyBrowserID/browserid/crypto/fallback.py", line 92, in sign
return unhexlify(hex(m)[2:].rstrip("L").encode("ascii"))
TypeError: Odd-length string
This happens when using the makecert script you posted to the dev-identity ml. It doesn't always happen, maybe some 15% of the times I've run the script so far.
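The traceback above fails inside the integer-to-bytes step of the fallback signer: hex() emits as few digits as it can, so whenever the signature integer happens to have an odd number of hex digits, unhexlify refuses it. The intermittent failure rate matches that: it depends on the value, not on the input. The following is an added example (not code from PyBrowserID) that reproduces the defect and shows the fixed-width encoding a signer should use instead; the function names and the modulus sizes are assumptions for illustration.

```python
import binascii


def naive_int_to_bytes(m):
    """Encoding as in the quoted traceback (shown only to reproduce the bug).

    hex() never zero-pads, so an odd digit count is possible and unhexlify
    then raises "Odd-length string" (binascii.Error on Python 3, TypeError
    on Python 2).
    """
    return binascii.unhexlify(hex(m)[2:].rstrip("L").encode("ascii"))


def naive_encoding_fails(m):
    """True if the original encoding raises for this particular value."""
    try:
        naive_int_to_bytes(m)
    except (binascii.Error, TypeError):
        return True
    return False


def signature_width_bytes(modulus_bits):
    """A signature is an integer mod n, so its octet width is ceil(bits / 8)."""
    return (modulus_bits + 7) // 8


def int_to_fixed_bytes(m, nbytes):
    """Big-endian, zero-padded encoding of m into exactly nbytes octets.

    This is the I2OSP step of PKCS#1: every value below 256**nbytes gets the
    same width, so the odd-length case cannot arise and the encoded signature
    length no longer varies with the value.
    """
    if m < 0 or m >= 1 << (8 * nbytes):
        raise ValueError("integer does not fit in %d bytes" % nbytes)
    return m.to_bytes(nbytes, "big")


def encode_signature(m, modulus_bits):
    """Encode a signature integer for a key of the given modulus size (assumed API)."""
    return int_to_fixed_bytes(m, signature_width_bytes(modulus_bits))


def decode_signature(data):
    """Inverse of encode_signature: leading zero bytes are harmless to int parsing."""
    return int.from_bytes(data, "big")
```

The value 0x123 (three hex digits) trips the naive encoder while 0x1234 does not; with the fixed-width encoder both produce signatures of the key's full width, and decoding round-trips the integer.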
Verifiers (ours included) should probably not accept an assertion signed by a fallback if the domain in question is a native Identity Provider.
This mitigates the security risk of browserid.org being compromised, as fraudulent assertions from browserid.org for users with a native Identity Provider would get rejected.
(From mozilla/persona#1501)
As far as I can tell, the current version of this library doesn't verify the certificate of "https://verifier.login.persona.org/verify". This allows Man-in-the-Middle attacks.
There was some chatter on dev-identity about whether or not the lookup process for support documents is allowed to follow HTTP redirects. I recall the answer being "no" for some technical/security reasons but I don't have a link to the details. We need to find a definitive answer on this and potentially change the code to avoid following redirects.
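The three issues above share one verifier-side rule set: fetch support documents only over verified TLS, refuse to follow redirects, and accept a fallback issuer only for domains that do not run their own Identity Provider. The block below is an added example written for this page, not PyBrowserID's own fetcher or verifier. It assumes the BrowserID well-known path (/.well-known/browserid), treats a support document with its own "public-key" (and no "authority" delegation) as a native IdP, and takes the transport as a parameter so it can run offline against the constructed stub responses; the function names are hypothetical.

```python
import json

WELL_KNOWN_PATH = "/.well-known/browserid"  # BrowserID support-document path


class SupportDocumentError(Exception):
    """Raised when a domain's support document cannot be fetched safely."""


def _requests_get(url, timeout):
    # Default transport (assumed): TLS verification on, redirects not followed.
    import requests
    resp = requests.get(url, timeout=timeout, verify=True, allow_redirects=False)
    return resp.status_code, dict(resp.headers), resp.content


def stub_transport(responses):
    """Offline transport for tests: maps url -> (status, headers, body)."""
    def get(url, timeout):
        return responses.get(url, (404, {}, b""))
    return get


def fetch_support_document(domain, get=_requests_get, timeout=10):
    """Fetch https://<domain>/.well-known/browserid without following redirects.

    A 3xx answer is an error naming the URL and the target, so a redirect to
    a different host can never silently become the source of trusted keys.
    """
    url = "https://%s%s" % (domain, WELL_KNOWN_PATH)
    status, headers, body = get(url, timeout)
    if 300 <= status < 400:
        raise SupportDocumentError(
            "%s answered %d redirect to %r; redirects are not followed"
            % (url, status, headers.get("location")))
    if status != 200:
        raise SupportDocumentError("%s returned HTTP %d" % (url, status))
    try:
        return json.loads(body)
    except ValueError as exc:
        raise SupportDocumentError("%s is not valid JSON: %s" % (url, exc))


def is_native_idp(domain, get=_requests_get):
    """True if the domain publishes its own key rather than delegating or nothing."""
    try:
        doc = fetch_support_document(domain, get=get)
    except SupportDocumentError:
        return False
    return "public-key" in doc and "authority" not in doc


def issuer_is_acceptable(email, issuer, trusted_fallbacks, get=_requests_get):
    """Issuer policy: the email's own domain always; a trusted fallback only when
    the domain is not a native IdP (so a compromised fallback cannot mint
    assertions for users of a domain that signs its own)."""
    if "@" not in email:
        raise ValueError("not an email address: %r" % email)
    domain = email.rsplit("@", 1)[1].lower()
    issuer = issuer.lower()
    if issuer == domain:
        return True
    if issuer in trusted_fallbacks and not is_native_idp(domain, get=get):
        return True
    return False
```

With a constructed stub, a domain serving its own support document rejects a fallback-issued certificate while a domain with no document accepts it, and a redirecting domain is reported by URL rather than followed.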
When creating a DSKey, if the data does not have what it takes, it breaks without telling what's wrong
Let's fix this. In the init I propose to add:
class DSKey(object):
    ...
    def __init__(self, data=None, obj=None):
        ...
        if obj:
            self.dsa = obj
        else:
            for key in ('p', 'q', 'g', 'y'):
                if key not in data:
                    raise ValueError('missing %s in data - %s' % (key, str(data.keys())))
        ....
Thoughts?
Maybe replace M2Crypto with https://cryptography.io/ if it provides the necessary functions, this may prove to be easier to install and maintain than the M2Crypto bindings.
https://github.com/mozilla/PyBrowserID/blob/master/browserid/certificates.py#L150
This error needs to say which URL failed.
I just want to announce that I made Python 2 & 3 compliant implementation. You will find it in my 'six' branch at:
https://github.com/return42/PyBrowserID
I am working on a bunch of forked mozilla repositories. They are all assembled as git-submodules at:
https://github.com/return42/moz-cloud
To follow the Python 3 movement of the whole set, I recommend checking out the master branch from moz-cloud. Comments are welcome.
I get an InvalidSignatureError(u'untrusted root issuer: gmail.login.persona.org',) when trying to verify a persona from a gmail user. Similar for yahoo users.
The support-document fetcher currently falls back to /pk if there is no support document. This is out of spec and was a hack to support diresworb.org. We should check whether this is still necessary, and if not then remove the fallback code.
Could you please consider to use unittest.mock where possible?
Perhaps something like
Index: PyBrowserID-0.14.0/browserid/tests/test_supportdoc.py
===================================================================
--- PyBrowserID-0.14.0.orig/browserid/tests/test_supportdoc.py 2014-12-12 06:15:36.000000000 +0100
+++ PyBrowserID-0.14.0/browserid/tests/test_supportdoc.py 2021-05-27 11:15:09.807769893 +0200
@@ -1,7 +1,11 @@
import json
import socket
-from mock import Mock, patch
+try:
+ from unittest.mock import Mock, patch
+except ImportError:
+ from mock import Mock, patch
+
from requests.exceptions import RequestException
from browserid.supportdoc import fetch_support_document, SupportDocumentManager
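Review bot: the `except ImportError` fallback in this hunk keeps a runtime dependency on the third-party `mock` package for Python 2 test runs, but nothing in the patch records that; the test requirements should change alongside it so that `mock` is only pulled in on interpreters that lack `unittest.mock` (an environment marker on the requirement line does this), otherwise Python 3 installs keep fetching a package the tests no longer use.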
Index: PyBrowserID-0.14.0/browserid/tests/test_verifiers.py
===================================================================
--- PyBrowserID-0.14.0.orig/browserid/tests/test_verifiers.py 2018-01-11 22:01:14.000000000 +0100
+++ PyBrowserID-0.14.0/browserid/tests/test_verifiers.py 2021-05-27 11:15:59.064034201 +0200
@@ -5,7 +5,11 @@
import time
import warnings
-from mock import Mock, patch
+try:
+ from unittest.mock import Mock, patch
+except ImportError:
+ from mock import Mock, patch
+
import browserid
from browserid.tests.support import (patched_supportdoc_fetching,
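Review bot: this hunk duplicates the same four-line try/except shim from test_supportdoc.py, and every further test module that uses `Mock` or `patch` will need a third copy. Define it once in browserid/tests/support.py (the shared test helper module already imported here) and have the test modules import `Mock, patch` from there, so the Python 2 fallback can later be dropped in a single place.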
y = pow(g, x, p)
There's no need to error out if it's missing.
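The DSKey init proposal above and this fragment point in the same direction: key parameters should be validated with a message that names what is wrong, and a private key that carries x but no y should not fail, since y = pow(g, x, p) can be derived. The following is an added example written for this page, not PyBrowserID's DSKey: a hypothetical DSKey class that accepts parameters as ints or hex strings (assumed format), derives y when only x is present, and checks the group relations so that a tampered or mismatched key is refused with a specific error. The toy parameters p=23, q=11, g=4, x=7 (so y=8) are constructed for the test and far too small for real use.

```python
class DSKeyError(ValueError):
    """Raised with a message naming the parameter that is missing or inconsistent."""


def _as_int(value):
    # Accept ints or hex strings (assumed to match how key data is stored).
    if isinstance(value, int):
        return value
    return int(value, 16)


class DSKey(object):
    """DSA key material from a parameter dict (hypothetical class for this example)."""

    def __init__(self, data):
        if data is None:
            raise DSKeyError("no key data supplied")
        missing = [k for k in ("p", "q", "g") if k not in data]
        if missing:
            raise DSKeyError("missing %s in data - have %s"
                             % (", ".join(missing), sorted(data)))
        self.p, self.q, self.g = (_as_int(data[k]) for k in ("p", "q", "g"))
        self.x = _as_int(data["x"]) if "x" in data else None
        if "y" in data:
            self.y = _as_int(data["y"])
        elif self.x is not None:
            # y is a function of x, so a private key without y is fine.
            self.y = pow(self.g, self.x, self.p)
        else:
            raise DSKeyError("need y (public key) or x (private key) in data")
        self._check_consistency()

    def _check_consistency(self):
        """Reject parameters that do not form a valid DSA key."""
        if (self.p - 1) % self.q != 0:
            raise DSKeyError("q does not divide p-1")
        if not 1 < self.g < self.p or pow(self.g, self.q, self.p) != 1:
            raise DSKeyError("g is not a generator of the order-q subgroup")
        if not 1 < self.y < self.p or pow(self.y, self.q, self.p) != 1:
            raise DSKeyError("y is not in the subgroup generated by g")
        if self.x is not None:
            if not 0 < self.x < self.q:
                raise DSKeyError("x is not in the range 1..q-1")
            if pow(self.g, self.x, self.p) != self.y:
                raise DSKeyError("y does not match g^x mod p")

    def is_private(self):
        return self.x is not None

    def public_params(self):
        """Public half as ints, always including the (possibly derived) y."""
        return {"p": self.p, "q": self.q, "g": self.g, "y": self.y}
```

Note that the consistency check runs whether y was supplied or derived, so a private key whose stored y disagrees with its x is refused rather than silently producing signatures that no verifier will accept.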
As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:
If you have any questions about this file, or Code of Conduct policies and procedures, please reach out to [email protected].
(Message COC001)
This Mozilla repository has been identified as lacking a license. Consistent with Mozilla's Licensing Policy an open source license should be applied to the code in this repository.
Please add an appropriate LICENSE.md file to the root directory of the project. In general, Mozilla's licensing policies are as follows:
Client-side products created by Mozilla employees or contributors should use the Mozilla Public License, Version 2.0 (MPL).
Server-side products or utilities that support Mozilla products may use either the MPL or the Apache License 2.0 (Apache 2.0).
In special cases, another license might be appropriate. If the repository is a fork of another repository it must apply the license of the original. Similarly, another license might be appropriate to match that of a broader project (for example Rust crates that Firefox depends on are published under an Apache 2.0 / MIT dual license, as that is the dual license used by the Rust programming language and projects).
Please ensure that any license added to the LICENSE.md file matches other licensing information in the repository (for example, it should match any license indicated in a setup.py or package.json file).
Mozilla staff can access more information in our Software Licensing Runbook – search for “Licensing Runbook” in Confluence to find it.
If you have any questions you can contact Daniel Nazer who can be reached at dnazer on Mozilla email or Slack.
OPENLIC-2023-01
The bundle_certs_and_assertion() and unbundle_certs_and_assertion() functions include support for both "old-style" and "new-style" formatting of Backed Identity Assertions. The old-style formatting hasn't been in use for a long time, we can probably deprecate this feature and eventually remove it.
As described here, the verifier protocol is expanding to allow "unverified" email addresses, so that users can have access to some functionality before they have clicked through the verification email link:
https://bugzilla.mozilla.org/show_bug.cgi?id=794634
JR has a patch for django-browserid showing what this looks like from an API standpoint:
Assuming the details don't change, we should expand our verifier API to support this as well.
@rfk Further to our investigations of Bug 975625, I fed an assertion that succeeded at the Persona verifier through the LocalVerifier and the signatures are different (due to what looks like padding). If you go back to our IRC log, you'll see that the two signatures look the same (modulo padding) but in fact are not the same -- a few high bits differ. I believe this is a legitimate Android platform bug (see discussion in Bug 975625), but there is also a problem with the PyBrowserID code.
I wrote pyramid_persona a few days ago: it uses PyBrowserID to provide a persona-based login on pyramid. Sadly, using this prevents me from using python 3 for my pyramid projects. With many web frameworks starting to support python3, a web-oriented library such as PyBrowserID should start considering supporting it.
The port might not be easy, as PyBrowserID manipulates lots of unicode and bytestrings. Someone who knows the internals of the project might be better suited, but if no one wants to do it, I can try and do the port.