Bug 962668 - Use skew from token server to generate better assertions. r=rnewman

2024-09-13 09:24:08 -07:00 · 2014-01-22 11:38:29 -08:00 · 2014-01-22 11:38:29 -08:00 · aa89c14bff
commit aa89c14bff
parent 9bf0da9087
2 changed files with 10 additions and 3 deletions
--- a/mobile/android/base/fxa/authenticator/FxAccountLoginPolicy.java
+++ b/mobile/android/base/fxa/authenticator/FxAccountLoginPolicy.java
@ -535,6 +535,7 @@ public class FxAccountLoginPolicy {
  public class EnsureAssertionStage implements LoginStage {
    @Override
    public void execute(final LoginStageDelegate delegate) throws Exception {
+      final long now = System.currentTimeMillis();
      BrowserIDKeyPair keyPair = fxAccount.getAssertionKeyPair();
      if (keyPair == null) {
        throw new IllegalStateException("keyPair must not be null");
@ -545,9 +546,12 @@ public class FxAccountLoginPolicy {
      }
      String assertion;
      try {
-        long now = System.currentTimeMillis();
+        // Hurrah for global state. We want to make the timestamp in the
+        // generated assertion as close to the timestamp on the consuming server
+        // as possible. In this case, the audience is the consuming server.
+        SkewHandler skewHandler = SkewHandler.getSkewHandlerFromEndpointString(delegate.audience);
        assertion = JSONWebTokenUtils.createAssertion(keyPair.getPrivate(), certificate, delegate.audience,
-            JSONWebTokenUtils.DEFAULT_ASSERTION_ISSUER, now, getAssertionDurationInMilliseconds());
+            JSONWebTokenUtils.DEFAULT_ASSERTION_ISSUER, now + skewHandler.getSkewInMillis(), getAssertionDurationInMilliseconds());
      } catch (Exception e) {
        // If we can't sign an assertion, we probably have some crypto
        // configuration error on device, which we are never going to recover
--- a/mobile/android/base/tokenserver/TokenServerClient.java
+++ b/mobile/android/base/tokenserver/TokenServerClient.java
@ -13,6 +13,7 @@ import java.util.concurrent.Executor;

 import org.json.simple.JSONObject;
 import org.mozilla.gecko.background.common.log.Logger;
+import org.mozilla.gecko.background.fxa.SkewHandler;
 import org.mozilla.gecko.sync.ExtendedJSONObject;
 import org.mozilla.gecko.sync.NonArrayJSONException;
 import org.mozilla.gecko.sync.NonObjectJSONException;
@ -203,11 +204,13 @@ public class TokenServerClient {

  public void getTokenFromBrowserIDAssertion(final String assertion, final boolean conditionsAccepted,
      final TokenServerClientDelegate delegate) {
-    BaseResource r = new BaseResource(uri);
+    final BaseResource r = new BaseResource(uri);

    r.delegate = new BaseResourceDelegate(r) {
      @Override
      public void handleHttpResponse(HttpResponse response) {
+        SkewHandler skewHandler = SkewHandler.getSkewHandlerForResource(r);
+        skewHandler.updateSkew(response, System.currentTimeMillis());
        try {
          TokenServerToken token = processResponse(response);
          invokeHandleSuccess(delegate, token);