crypto: Verify one-time keys using the device.

This commit is contained in:
Damir Jelić 2020-07-14 12:49:40 +02:00
parent 68125f5de6
commit c25f4c0642
3 changed files with 36 additions and 54 deletions

View file

@ -22,7 +22,7 @@ use serde_json::{json, Value};
#[cfg(test)]
use super::OlmMachine;
use matrix_sdk_common::api::r0::keys::{AlgorithmAndDeviceId, DeviceKeys, KeyAlgorithm};
use matrix_sdk_common::api::r0::keys::{AlgorithmAndDeviceId, DeviceKeys, KeyAlgorithm, SignedKey};
use matrix_sdk_common::events::Algorithm;
use matrix_sdk_common::identifiers::{DeviceId, UserId};
@ -162,6 +162,13 @@ impl Device {
self.is_signed_by_device(&mut json!(&device_keys))
}
pub(crate) fn verify_one_time_key(
&self,
one_time_key: &SignedKey,
) -> Result<(), SignatureError> {
self.is_signed_by_device(&mut json!(&one_time_key))
}
/// Mark the device as deleted.
pub(crate) fn mark_as_deleted(&self) {
self.deleted.store(true, Ordering::Relaxed);

View file

@ -48,6 +48,24 @@ use matrix_sdk_common::identifiers::UserId;
use olm_rs::utility::OlmUtility;
use serde_json::Value;
/// Verify a signed JSON object.
///
/// The object must have a signatures key associated with an object of the
/// form `user_id: {key_id: signature}`.
///
/// Returns Ok if the signature was successfully verified, otherwise an
/// SignatureError.
///
/// # Arguments
///
/// * `user_id` - The user who signed the JSON object.
///
/// * `key_id` - The id of the key that signed the JSON object.
///
/// * `signing_key` - The public ed25519 key which was used to sign the JSON
/// object.
///
/// * `json` - The JSON object that should be verified.
pub(crate) fn verify_json(
user_id: &UserId,
key_id: &str,

View file

@ -20,7 +20,7 @@ use std::mem;
use std::path::Path;
use std::result::Result as StdResult;
use super::error::{EventError, MegolmError, MegolmResult, OlmError, OlmResult, SignatureError};
use super::error::{EventError, MegolmError, MegolmResult, OlmError, OlmResult};
use super::olm::{
Account, GroupSessionKey, IdentityKeys, InboundGroupSession, OlmMessage, OutboundGroupSession,
Session,
@ -29,7 +29,6 @@ use super::store::memorystore::MemoryStore;
#[cfg(feature = "sqlite-cryptostore")]
use super::store::sqlite::SqliteStore;
use super::{device::Device, store::Result as StoreError, CryptoStore};
use crate::verify_json;
use matrix_sdk_common::api;
use matrix_sdk_common::events::{
@ -343,24 +342,10 @@ impl OlmMachine {
continue;
};
let signing_key = if let Some(k) = device.get_key(KeyAlgorithm::Ed25519) {
k
} else {
if let Err(e) = device.verify_one_time_key(&one_time_key) {
warn!(
"Tried to create an Olm session for {} {}, but the
device is missing the signing key",
user_id, device_id
);
continue;
};
if self
.verify_json(user_id, device_id, signing_key, &mut json!(&one_time_key))
.is_err()
{
warn!(
"Failed to verify the one-time key signatures for {} {}",
user_id, device_id
"Failed to verify the one-time key signatures for {} {}: {:?}",
user_id, device_id, e
);
continue;
}
@ -487,34 +472,6 @@ impl OlmMachine {
Ok(changed_devices)
}
/// Verify a signed JSON object.
///
/// The object must have a signatures key associated with an object of the
/// form `user_id: {key_id: signature}`.
///
/// Returns Ok if the signature was successfully verified, otherwise an
/// SignatureError.
///
/// # Arguments
///
/// * `user_id` - The user who signed the JSON object.
///
/// * `device_id` - The device that signed the JSON object.
///
/// * `user_key` - The public ed25519 key which was used to sign the JSON
/// object.
///
/// * `json` - The JSON object that should be verified.
fn verify_json(
&self,
user_id: &UserId,
device_id: &str,
user_key: &str,
json: &mut Value,
) -> Result<(), SignatureError> {
verify_json(user_id, device_id, user_key, json)
}
/// Get a tuple of device and one-time keys that need to be uploaded.
///
/// Returns an empty error if no keys need to be uploaded.
@ -1307,7 +1264,7 @@ mod test {
use serde_json::json;
use crate::machine::{OlmMachine, OneTimeKeys};
use crate::Device;
use crate::{verify_json, Device};
use matrix_sdk_common::api::r0::{
keys, to_device::send_event_to_device::Request as ToDeviceRequest,
@ -1545,7 +1502,7 @@ mod test {
let identity_keys = machine.account.identity_keys();
let ed25519_key = identity_keys.ed25519();
let ret = machine.verify_json(
let ret = verify_json(
&machine.user_id,
&machine.device_id,
ed25519_key,
@ -1576,7 +1533,7 @@ mod test {
let mut device_keys = machine.account.device_keys().await;
let ret = machine.verify_json(
let ret = verify_json(
&machine.user_id,
&machine.device_id,
"fake_key",
@ -1596,7 +1553,7 @@ mod test {
let mut one_time_key = one_time_keys.values_mut().next().unwrap();
let ret = machine.verify_json(
let ret = verify_json(
&machine.user_id,
&machine.device_id,
ed25519_key,
@ -1618,7 +1575,7 @@ mod test {
.await
.expect("Can't prepare initial key upload");
let ret = machine.verify_json(
let ret = verify_json(
&machine.user_id,
&machine.device_id,
ed25519_key,
@ -1626,7 +1583,7 @@ mod test {
);
assert!(ret.is_ok());
let ret = machine.verify_json(
let ret = verify_json(
&machine.user_id,
&machine.device_id,
ed25519_key,