Comments (5)
Yeah, I think right now we probably just close the connection with proper session termination on all error paths. Would be nice to fix this... that said... in general an mdoc reader needs to handle the case where the mdoc just closes the connection w/o proper session termination... so I don't think this is very urgent to fix.
from identity-credential.
#194 fixes this issue
from identity-credential.
While testing this bug we observed that the app is crashing. Debugging it, we found that the UL suite sends a tampered request by changing the Y point in the public key. While the IC API evaluates this request, a crash happens as the point is not on the curve. This crash occurs in ensureSessionEncryption -> Util.coseKeyDecode(). As the method ensureSessionEncryption is not called within a try block, the exception propagates to the app, which crashes it. Moving this call inside a try/catch will fix the crash and will send a response with status 10.
Tampered request
from identity-credential.
Also the library needs to send status code 11 if there are any CBOR encoding issues. As of now only status code 10 is sent (which is also not working).
from identity-credential.
```java
try {
    ensureSessionEncryption(data);
} catch (IllegalStateException e) {
    // Error path: tell the reader session encryption failed (status 10), then close.
    mTransport.sendMessage(SessionEncryptionDevice.encodeStatusToReader(
            Constants.SESSION_DATA_STATUS_ERROR_SESSION_ENCRYPTION));
    mTransport.close();
    reportError(new Error("Error decoding EReaderKey in SessionEstablishment", e));
    return;
}
```
The above code is not capturing all the exceptions the method throws. The internal logic of the method "ensureSessionEncryption()" throws "IllegalArgumentException" as well, which is however not caught in the catch block. This causes the app to still crash.
from identity-credential.
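The failure mode discussed in this thread (a reader key whose Y coordinate has been tampered so the point is no longer on the curve, an exception escaping `ensureSessionEncryption`, and the distinction between status 10 and status 11) is shown below as an added, stand-alone Python example. It is not identity-credential code: the status constant names, the exception classes and the `handle_session_establishment` wrapper are assumptions chosen for illustration, and the COSE_Key is handed in as an already-decoded map rather than raw CBOR. The P-256 parameters and generator point are the standard NIST values; the "tampered request" is constructed here by flipping one bit of the generator's Y coordinate, which is not the UL test vector from the thread.

```python
"""Added example (not identity-credential code): validate the EReaderKey point
before using it for session encryption, and make sure every failure class is
caught and mapped to an mdoc session status instead of crashing the holder."""

# NIST P-256 (secp256r1): y^2 = x^3 + a*x + b (mod p), with a = p - 3.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

# Status values as used in the thread (10 and 11); the constant names are assumed.
STATUS_ERROR_SESSION_ENCRYPTION = 10
STATUS_ERROR_CBOR_DECODING = 11

# COSE_Key labels for an EC2 key (RFC 9052 / RFC 9053): kty=1, crv=-1, x=-2, y=-3.
COSE_KTY, COSE_CRV, COSE_X, COSE_Y = 1, -1, -2, -3
KTY_EC2, CRV_P256 = 2, 1


class CborDecodingError(Exception):
    """Assumed name: the decoded structure is not a usable COSE_Key (status 11)."""


class SessionEncryptionError(Exception):
    """Assumed name: the key is well-formed but cryptographically unusable (status 10)."""


def cose_key_to_point(cose_key):
    """Extract (x, y) from a decoded COSE_Key map, rejecting malformed structure."""
    if not isinstance(cose_key, dict):
        raise CborDecodingError("COSE_Key is not a map")
    if cose_key.get(COSE_KTY) != KTY_EC2 or cose_key.get(COSE_CRV) != CRV_P256:
        raise SessionEncryptionError("unsupported key type or curve")
    x, y = cose_key.get(COSE_X), cose_key.get(COSE_Y)
    if not (isinstance(x, bytes) and isinstance(y, bytes) and len(x) == 32 and len(y) == 32):
        raise CborDecodingError("x and y must be 32-byte strings")
    return int.from_bytes(x, "big"), int.from_bytes(y, "big")


def is_on_p256(x, y):
    """Curve-membership check: coordinates in range and satisfying the curve equation."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def ensure_session_encryption(cose_key):
    """Counterpart of the guarded call in the thread: validate the reader key or raise."""
    x, y = cose_key_to_point(cose_key)
    if not is_on_p256(x, y):
        raise SessionEncryptionError("EReaderKey point is not on P-256")
    return x, y


def handle_session_establishment(cose_key):
    """Return (status, point); status None means success.

    Every failure class the validation can raise is caught here, so nothing
    propagates to the caller. An uncaught exception on this path is exactly
    what crashed the app in the thread."""
    try:
        return None, ensure_session_encryption(cose_key)
    except CborDecodingError:
        return STATUS_ERROR_CBOR_DECODING, None
    except (SessionEncryptionError, ValueError, TypeError):
        return STATUS_ERROR_SESSION_ENCRYPTION, None


# Constructed sample input: the P-256 generator as a COSE_Key map.
GOOD_KEY = {
    COSE_KTY: KTY_EC2,
    COSE_CRV: CRV_P256,
    COSE_X: P256_GX.to_bytes(32, "big"),
    COSE_Y: P256_GY.to_bytes(32, "big"),
}


def tamper_y(cose_key):
    """Constructed tampering: flip the low bit of Y so the point leaves the curve."""
    y = bytearray(cose_key[COSE_Y])
    y[-1] ^= 0x01
    return {**cose_key, COSE_Y: bytes(y)}


if __name__ == "__main__":
    print("valid key     ->", handle_session_establishment(GOOD_KEY)[0])
    print("tampered Y    ->", handle_session_establishment(tamper_y(GOOD_KEY))[0])
    print("truncated x/y ->", handle_session_establishment(
        {COSE_KTY: KTY_EC2, COSE_CRV: CRV_P256, COSE_X: b"\x01", COSE_Y: b"\x02"})[0])
```

The design point is the one the thread makes: whichever library performs the point decoding, the check that a received public key lies on the curve must run before the key is used for any ECDH or session-key derivation, and whatever exception type that check raises (the thread reports both IllegalStateException and IllegalArgumentException) must be caught on the session-establishment path and turned into a status message plus connection close. Structural problems with the decoded key are kept separate from cryptographic ones so the two status codes from the thread (11 for decoding failures, 10 for session-encryption failures) can be reported distinctly.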