From b67cd4ddd2ddb05ff6a288d59a82212b485f500b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Damir=20Jeli=C4=87?= <poljar@termina.org.uk>
Date: Fri, 30 Oct 2020 13:21:14 +0100
Subject: [PATCH] crypto: Create a trusted public cross signing identity when
 we create a private one.

---
 matrix_sdk/src/client.rs                 |  2 --
 matrix_sdk_crypto/src/identities/user.rs | 36 +++++++++++++++++++
 matrix_sdk_crypto/src/machine.rs         | 13 +++++++
 matrix_sdk_crypto/src/olm/signing/mod.rs | 45 ++++++++++++++++++++----
 4 files changed, 87 insertions(+), 9 deletions(-)

diff --git a/matrix_sdk/src/client.rs b/matrix_sdk/src/client.rs
index 274ee528..14237e4d 100644
--- a/matrix_sdk/src/client.rs
+++ b/matrix_sdk/src/client.rs
@@ -1844,8 +1844,6 @@ impl Client {
 
         let (request, signature_request) = olm.bootstrap_cross_signing(false).await?;
 
-        println!("HELLOOO MAKING REQUEST {:#?}", request);
-
         let request = UploadSigningKeysRequest {
             auth: auth_data,
             master_key: request.master_key,
diff --git a/matrix_sdk_crypto/src/identities/user.rs b/matrix_sdk_crypto/src/identities/user.rs
index 02d80297..ea35e5a0 100644
--- a/matrix_sdk_crypto/src/identities/user.rs
+++ b/matrix_sdk_crypto/src/identities/user.rs
@@ -723,6 +723,7 @@ pub(crate) mod test {
     use matrix_sdk_common::{
         api::r0::keys::get_keys::Response as KeyQueryResponse, identifiers::user_id, locks::Mutex,
     };
+    use matrix_sdk_test::async_test;
 
     use super::{OwnUserIdentity, UserIdentities, UserIdentity};
 
@@ -818,4 +819,39 @@ pub(crate) mod test {
         assert!(second.trust_state());
         assert!(!first.trust_state());
     }
+
+    #[async_test]
+    async fn own_device_with_private_identity() {
+        let response = own_key_query();
+        let (_, device) = device(&response);
+
+        let account = ReadOnlyAccount::new(device.user_id(), device.device_id());
+        let (identity, _, _) = PrivateCrossSigningIdentity::new_with_account(&account).await;
+
+        let id = Arc::new(Mutex::new(identity.clone()));
+
+        let verification_machine = VerificationMachine::new(
+            ReadOnlyAccount::new(device.user_id(), device.device_id()),
+            id.clone(),
+            Arc::new(Box::new(MemoryStore::new())),
+        );
+
+        let public_identity = identity.as_public_identity().await.unwrap();
+
+        let mut device = Device {
+            inner: device,
+            verification_machine: verification_machine.clone(),
+            private_identity: id.clone(),
+            own_identity: Some(public_identity.clone()),
+            device_owner_identity: Some(public_identity.clone().into()),
+        };
+
+        assert!(!device.trust_state());
+
+        let mut device_keys = device.as_device_keys();
+
+        identity.sign_device_keys(&mut device_keys).await.unwrap();
+        device.inner.signatures = Arc::new(device_keys.signatures);
+        assert!(device.trust_state());
+    }
 }
diff --git a/matrix_sdk_crypto/src/machine.rs b/matrix_sdk_crypto/src/machine.rs
index 28eca41c..16821b18 100644
--- a/matrix_sdk_crypto/src/machine.rs
+++ b/matrix_sdk_crypto/src/machine.rs
@@ -392,6 +392,19 @@ impl OlmMachine {
 
             *identity = id;
 
+            let public = identity.as_public_identity().await.expect(
+                "Couldn't create a public version of the identity from a new private identity",
+            );
+
+            let changes = Changes {
+                identities: IdentityChanges {
+                    new: vec![public.into()],
+                    ..Default::default()
+                },
+                ..Default::default()
+            };
+
+            self.store.save_changes(changes).await?;
             self.store.save_identity(identity.clone()).await?;
             Ok((request, signature_request))
         } else {
diff --git a/matrix_sdk_crypto/src/olm/signing/mod.rs b/matrix_sdk_crypto/src/olm/signing/mod.rs
index a387768c..3cc9e3c0 100644
--- a/matrix_sdk_crypto/src/olm/signing/mod.rs
+++ b/matrix_sdk_crypto/src/olm/signing/mod.rs
@@ -32,8 +32,8 @@ use matrix_sdk_common::{
 };
 
 use crate::{
-    error::SignatureError, requests::UploadSigningKeysRequest, ReadOnlyAccount, ReadOnlyDevice,
-    UserIdentity,
+    error::SignatureError, requests::UploadSigningKeysRequest, OwnUserIdentity, ReadOnlyAccount,
+    ReadOnlyDevice, UserIdentity,
 };
 
 use pk_signing::{MasterSigning, PickledSignings, SelfSigning, Signing, SigningError, UserSigning};
@@ -103,6 +103,37 @@ impl PrivateCrossSigningIdentity {
         }
     }
 
+    pub(crate) async fn as_public_identity(&self) -> Result<OwnUserIdentity, SignatureError> {
+        let master = self
+            .master_key
+            .lock()
+            .await
+            .as_ref()
+            .ok_or(SignatureError::MissingSigningKey)?
+            .public_key
+            .clone();
+        let self_signing = self
+            .self_signing_key
+            .lock()
+            .await
+            .as_ref()
+            .ok_or(SignatureError::MissingSigningKey)?
+            .public_key
+            .clone();
+        let user_signing = self
+            .user_signing_key
+            .lock()
+            .await
+            .as_ref()
+            .ok_or(SignatureError::MissingSigningKey)?
+            .public_key
+            .clone();
+        let identity = OwnUserIdentity::new(master, self_signing, user_signing)?;
+        identity.mark_as_verified();
+
+        Ok(identity)
+    }
+
     /// Sign the given public user identity with this private identity.
     #[allow(dead_code)]
     pub(crate) async fn sign_user(
@@ -128,7 +159,7 @@ impl PrivateCrossSigningIdentity {
     ) -> Result<SignatureUploadRequest, SignatureError> {
         let mut device_keys = device.as_device_keys();
         device_keys.signatures.clear();
-        self.sign_device_keys(device_keys).await
+        self.sign_device_keys(&mut device_keys).await
     }
 
     /// Sign an Olm account with this private identity.
@@ -136,13 +167,13 @@ impl PrivateCrossSigningIdentity {
         &self,
         account: &ReadOnlyAccount,
     ) -> Result<SignatureUploadRequest, SignatureError> {
-        let device_keys = account.unsigned_device_keys();
-        self.sign_device_keys(device_keys).await
+        let mut device_keys = account.unsigned_device_keys();
+        self.sign_device_keys(&mut device_keys).await
     }
 
-    async fn sign_device_keys(
+    pub(crate) async fn sign_device_keys(
         &self,
-        mut device_keys: DeviceKeys,
+        mut device_keys: &mut DeviceKeys,
     ) -> Result<SignatureUploadRequest, SignatureError> {
         self.self_signing_key
             .lock()