Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce version 0x81, including microsecond timestamps #13

Closed
wants to merge 13 commits into from
Closed

Introduce version 0x81, including microsecond timestamps #13

wants to merge 13 commits into from

Commits on Oct 12, 2015

  1. Spelling corrections (deterministically)

    @dolph
    dolph committed Oct 12, 2015
    Configuration menu
    Copy the full SHA
    bf8ca33 View commit details
    Browse the repository at this point in the history

  2. Adjust line wrapping to 79 chars

    @dolph
    dolph committed Oct 12, 2015
    Configuration menu
    Copy the full SHA
    23422cf View commit details
    Browse the repository at this point in the history

  3. Introduce a second version to the specification

    @dolph
    dolph committed Oct 12, 2015
    Configuration menu
    Copy the full SHA
    0a218da View commit details
    Browse the repository at this point in the history

  4. Introduce microsecond timestamps to the specification 

    Given that the timestamp is already a 64-bit unsigned big-endian
integer, the spec will remain viable for over 500,000 years.

This allows us to more precisely compare token creation timestamps
against revocation event timestamps (which already have microsecond
precision). This helps us avoid a race condition wherein a token can be
created *after* a revocation event, but appear to be created *before*
it, thus matching the revocation event and being considered invalid.
After this change, the specification is still vulnerable to this race
condition, but the time window to reproduce it is narrowed to a single
microsecond, instead of a single second.

Closes fernet#12
    @dolph
    dolph committed Oct 12, 2015
    Configuration menu
    Copy the full SHA
    75b357c View commit details
    Browse the repository at this point in the history

Commits on Oct 14, 2015

  1. Include mentions of version 0x81 where applicable

    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    622a36a View commit details
    Browse the repository at this point in the history

  2. Specify URL safe b64 variant in readme 

    Closes fernet#3
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    29c0a1e View commit details
    Browse the repository at this point in the history

  3. Explain how to revert to old timestamp values 

    This is mostly intended to further explain the change in version 0x81.
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    80b4ffa View commit details
    Browse the repository at this point in the history

  4. Move the acceptance test documentation in Spec.md

    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    4d53223 View commit details
    Browse the repository at this point in the history

  5. Rename Spec.md to README.md 

    This will ensure that Github will render the spec on the repository's
homepage (the repo is already called "spec", after all!).
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    4d993a8 View commit details
    Browse the repository at this point in the history

  6. Grammar fix 

    I think I wrote this thinking there was only one difference between the
two versions, my grammar followed suit, but the statement should be more
generic to handle more than just two versions and more than just one
difference between the existing two versions.
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    cff53e1 View commit details
    Browse the repository at this point in the history

  7. Add acceptance tests for 0x81 tokens with TODOs 

    TODOs are serving as placeholders for actual 0x81 tokens, which I've
neither created by hand nor written an implementation to produce, yet.
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    5b702c4 View commit details
    Browse the repository at this point in the history

  8. Correct microsecond placement in "now" timestamps 

    I accidentally put them in the TZ, whoops!
    @dolph
    dolph committed Oct 14, 2015
    Configuration menu
    Copy the full SHA
    1f13494 View commit details
    Browse the repository at this point in the history

Commits on Oct 15, 2015

  1. Add valid 0x81 tokens to acceptance tests 

    I rebuilt the valid 0x80 tokens in the acceptance tests manually using
the following function to convert them. This explicitly illustrates the
differences between 0x80 and 0x81.

import base64
import hashlib
import hmac
import struct

def upgrade_to_81(x80_token, secret):
    """Upgrade an 0x80 token to 0x81 given a new timestamp and secret."""
    # Decode the 0x80 version token.
    x80_bytes = base64.urlsafe_b64decode(x80_token)

    # Unpack the timestamp so we can manipulate it.
    seconds = struct.unpack('>Q', x80_bytes[1:9])

    # Convert seconds to microseconds, and add some microseconds.
    microseconds = int(seconds * 1e6) + 123456

    x81_bytes = '\x81'  # New version identifier.
    x81_bytes += struct.pack(">Q", microseconds)
    x81_bytes += x80_bytes[9:-32]
    x81_bytes += hmac.new(
        base64.b64decode(secret)[16:],
        x81_bytes,
        hashlib.sha256).digest()

    return base64.urlsafe_b64encode(x81_bytes)
    @dolph
    dolph committed Oct 15, 2015
    Configuration menu
    Copy the full SHA
    2688de4 View commit details
    Browse the repository at this point in the history