Hello!

I'm studying the auth/sync flow and I have a problem with getting
correct x-keyid value to make a GET request to
https://token.services.mozilla.com/1.0/sync/1.5.
During the authentication flow via api.accounts.firefox.com I got kB,
keyRotationSecret(b'0x00'*32), keyRotationTimestamp,
identifier(b"https://identity.mozilla.com/apps/oldsync") and user uid
(from https://api.accounts.firefox.com/v1/account/login?keys=true).
Then I'm trying to get the kid:
tmp = derive_key(kB + keyRotationSecret,
                 b"identity.mozilla.com/picl/v1/scoped_key\n" + identifier, 48,
                 unhexlify(uid))
kid = (str(keyRotationTimestamp) + '-' +
       base64.urlsafe_b64encode(tmp[:16]).decode('utf-8').rstrip("="))

where derive_key is the following function:
import base64
from binascii import unhexlify
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def derive_key(secret, info, size, salt):
    # HKDF-SHA256 from the `cryptography` package: extract with `salt`,
    # then expand with `info` to `size` bytes
    kdf = HKDF(
        algorithm=hashes.SHA256(),
        length=size,
        salt=salt,
        info=info
    )
    return kdf.derive(secret)

So, I'm getting a value of kid, but a GET request to
https://token.services.mozilla.com/1.0/sync/1.5 gives me an error
message for wrong x-keyid. I also looked at the traffic in Fiddler,
and the x-keyid of the original flow (from the browser with the same
credentials) differs from the kid I had generated. I also had a look
at the source code of Firefox 85.0 (FXAccountsKeys.jsm) and noticed
that the first part of the kid there (before the first '-') has length
10, while in the original traffic from Firefox I see in Fiddler
that the first part has length 13.

Can you explain to me what's wrong with my kid generation? And how many
characters should there be before the first '-' symbol in the kid?
_______________________________________________
Sync-dev mailing list
Sync-dev@mozilla.org
https://mail.mozilla.org/listinfo/sync-dev
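The following is an added example, not code from the post above or from Mozilla. It re-implements the post's kid construction (HKDF-SHA256 over kB || keyRotationSecret, salt = raw uid bytes, info = "identity.mozilla.com/picl/v1/scoped_key\n" + identifier, first 16 bytes base64url-encoded) in pure Python so it runs without the `cryptography` package, and adds a small parser that reports the length of the part before the first '-', which is the discrepancy (10 vs 13 characters) the post describes. The inputs in the usage block (kB, uid, timestamp) are constructed sample values, not real account material. It does not claim that this construction is the one the token server expects; the post reports that it is rejected, and the example only makes the construction reproducible and inspectable.

```python
# Added example (not from the post): RFC 5869 HKDF-SHA256 in pure Python,
# the kid construction as the post describes it, and a kid inspector.
import base64
import hashlib
import hmac
from binascii import unhexlify

# Values quoted in the post
SCOPED_KEY_INFO_PREFIX = b"identity.mozilla.com/picl/v1/scoped_key\n"
OLDSYNC_IDENTIFIER = b"https://identity.mozilla.com/apps/oldsync"


def hkdf_sha256(secret: bytes, info: bytes, size: int, salt: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869) extract-then-expand, same argument order as the
    post's derive_key(secret, info, size, salt)."""
    if size > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 255 * 32 bytes")
    prk = hmac.new(salt, secret, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < size:  # expand: T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:size]


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def kid_as_in_post(kB: bytes, key_rotation_secret: bytes, key_rotation_timestamp: int,
                   uid_hex: str, identifier: bytes = OLDSYNC_IDENTIFIER) -> str:
    """The post's construction, reproduced unchanged: HKDF over
    kB || keyRotationSecret, salt = unhexlify(uid), 48 output bytes,
    kid = '<timestamp>-<base64url(first 16 bytes)>'."""
    tmp = hkdf_sha256(kB + key_rotation_secret,
                      SCOPED_KEY_INFO_PREFIX + identifier, 48, unhexlify(uid_hex))
    return f"{key_rotation_timestamp}-{b64url_nopad(tmp[:16])}"


def inspect_kid(kid: str) -> dict:
    """Split a kid into its numeric prefix and its key-hash part and report
    the prefix length the post asks about. A 10-digit prefix is consistent
    with a Unix time in seconds, a 13-digit one with milliseconds."""
    prefix, sep, rest = kid.partition("-")
    if not sep or not prefix.isdigit():
        raise ValueError("kid must look like <digits>-<base64url>")
    # base64url of 16 bytes is 24 chars, 22 once the '==' padding is stripped
    decoded = base64.urlsafe_b64decode(rest + "=" * (-len(rest) % 4))
    return {
        "timestamp_digits": len(prefix),
        "timestamp_unit": {10: "seconds", 13: "milliseconds"}.get(len(prefix), "unknown"),
        "hash_bytes": len(decoded),
        "hash_chars": len(rest),
    }


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical, not a real account)
    sample_kB = bytes(range(32))
    sample_secret = b"\x00" * 32
    sample_uid = "0123456789abcdef0123456789abcdef"
    for ts in (1612345678, 1612345678000):  # seconds vs milliseconds
        kid = kid_as_in_post(sample_kB, sample_secret, ts, sample_uid)
        print(kid, inspect_kid(kid))
```

Running the block prints one kid built with a seconds-resolution timestamp and one with a milliseconds-resolution timestamp, and the inspector shows that only the prefix differs in length; the 22-character hash part stays the same, so the prefix length is a property of the timestamp fed in, not of the HKDF step.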