Make UUID in sealed sender certificate optional for buggy clients
This commit is contained in:
Moxie Marlinspike
parent
07822b371f
commit
79f2efdfd9
|
|
@ -28,18 +28,20 @@ public class CertificateGenerator {
|
||||||
this.serverCertificate = ServerCertificate.parseFrom(serverCertificate);
|
this.serverCertificate = ServerCertificate.parseFrom(serverCertificate);
|
||||||
}
|
}
|
||||||
|
|
||||||
public byte[] createFor(Account account, Device device) throws IOException, InvalidKeyException {
|
public byte[] createFor(Account account, Device device, boolean includeUuid) throws IOException, InvalidKeyException {
|
||||||
byte[] certificate = SenderCertificate.Certificate.newBuilder()
|
SenderCertificate.Certificate.Builder builder = SenderCertificate.Certificate.newBuilder()
|
||||||
.setSender(account.getNumber())
|
.setSender(account.getNumber())
|
||||||
.setSenderUuid(account.getUuid().toString())
|
.setSenderDevice(Math.toIntExact(device.getId()))
|
||||||
.setSenderDevice(Math.toIntExact(device.getId()))
|
.setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
|
||||||
.setExpires(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(expiresDays))
|
.setIdentityKey(ByteString.copyFrom(Base64.decode(account.getIdentityKey())))
|
||||||
.setIdentityKey(ByteString.copyFrom(Base64.decode(account.getIdentityKey())))
|
.setSigner(serverCertificate);
|
||||||
.setSigner(serverCertificate)
|
|
||||||
.build()
|
|
||||||
.toByteArray();
|
|
||||||
|
|
||||||
byte[] signature = Curve.calculateSignature(privateKey, certificate);
|
if (includeUuid) {
|
||||||
|
builder.setSenderUuid(account.getUuid().toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] certificate = builder.build().toByteArray();
|
||||||
|
byte[] signature = Curve.calculateSignature(privateKey, certificate);
|
||||||
|
|
||||||
return SenderCertificate.newBuilder()
|
return SenderCertificate.newBuilder()
|
||||||
.setCertificate(ByteString.copyFrom(certificate))
|
.setCertificate(ByteString.copyFrom(certificate))
|
||||||
|
|
|
||||||
|
|
@ -11,14 +11,17 @@ import org.whispersystems.textsecuregcm.util.Util;
|
||||||
import javax.ws.rs.GET;
|
import javax.ws.rs.GET;
|
||||||
import javax.ws.rs.Path;
|
import javax.ws.rs.Path;
|
||||||
import javax.ws.rs.Produces;
|
import javax.ws.rs.Produces;
|
||||||
|
import javax.ws.rs.QueryParam;
|
||||||
import javax.ws.rs.WebApplicationException;
|
import javax.ws.rs.WebApplicationException;
|
||||||
import javax.ws.rs.core.MediaType;
|
import javax.ws.rs.core.MediaType;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.security.InvalidKeyException;
|
import java.security.InvalidKeyException;
|
||||||
|
import java.util.Optional;
|
||||||
|
|
||||||
import io.dropwizard.auth.Auth;
|
import io.dropwizard.auth.Auth;
|
||||||
|
|
||||||
|
@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
|
||||||
@Path("/v1/certificate")
|
@Path("/v1/certificate")
|
||||||
public class CertificateController {
|
public class CertificateController {
|
||||||
|
|
||||||
|
|
@ -34,14 +37,17 @@ public class CertificateController {
|
||||||
@GET
|
@GET
|
||||||
@Produces(MediaType.APPLICATION_JSON)
|
@Produces(MediaType.APPLICATION_JSON)
|
||||||
@Path("/delivery")
|
@Path("/delivery")
|
||||||
public DeliveryCertificate getDeliveryCertificate(@Auth Account account) throws IOException, InvalidKeyException {
|
public DeliveryCertificate getDeliveryCertificate(@Auth Account account,
|
||||||
|
@QueryParam("includeUuid") Optional<Boolean> includeUuid)
|
||||||
|
throws IOException, InvalidKeyException
|
||||||
|
{
|
||||||
if (!account.getAuthenticatedDevice().isPresent()) throw new AssertionError();
|
if (!account.getAuthenticatedDevice().isPresent()) throw new AssertionError();
|
||||||
|
|
||||||
if (Util.isEmpty(account.getIdentityKey())) {
|
if (Util.isEmpty(account.getIdentityKey())) {
|
||||||
throw new WebApplicationException(Response.Status.BAD_REQUEST);
|
throw new WebApplicationException(Response.Status.BAD_REQUEST);
|
||||||
}
|
}
|
||||||
|
|
||||||
return new DeliveryCertificate(certificateGenerator.createFor(account, account.getAuthenticatedDevice().get()));
|
return new DeliveryCertificate(certificateGenerator.createFor(account, account.getAuthenticatedDevice().get(), includeUuid.orElse(false)));
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -25,6 +25,7 @@ import io.dropwizard.auth.PolymorphicAuthValueFactoryProvider;
|
||||||
import io.dropwizard.testing.junit.ResourceTestRule;
|
import io.dropwizard.testing.junit.ResourceTestRule;
|
||||||
import static junit.framework.TestCase.assertTrue;
|
import static junit.framework.TestCase.assertTrue;
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
import static org.junit.Assert.assertFalse;
|
||||||
|
|
||||||
public class CertificateControllerTest {
|
public class CertificateControllerTest {
|
||||||
|
|
||||||
|
|
@ -64,6 +65,31 @@ public class CertificateControllerTest {
|
||||||
.get(DeliveryCertificate.class);
|
.get(DeliveryCertificate.class);
|
||||||
|
|
||||||
|
|
||||||
|
SenderCertificate certificateHolder = SenderCertificate.parseFrom(certificateObject.getCertificate());
|
||||||
|
SenderCertificate.Certificate certificate = SenderCertificate.Certificate.parseFrom(certificateHolder.getCertificate());
|
||||||
|
|
||||||
|
ServerCertificate serverCertificateHolder = certificate.getSigner();
|
||||||
|
ServerCertificate.Certificate serverCertificate = ServerCertificate.Certificate.parseFrom(serverCertificateHolder.getCertificate());
|
||||||
|
|
||||||
|
assertTrue(Curve.verifySignature(Curve.decodePoint(serverCertificate.getKey().toByteArray(), 0), certificateHolder.getCertificate().toByteArray(), certificateHolder.getSignature().toByteArray()));
|
||||||
|
assertTrue(Curve.verifySignature(Curve.decodePoint(Base64.decode(caPublicKey), 0), serverCertificateHolder.getCertificate().toByteArray(), serverCertificateHolder.getSignature().toByteArray()));
|
||||||
|
|
||||||
|
assertEquals(certificate.getSender(), AuthHelper.VALID_NUMBER);
|
||||||
|
assertEquals(certificate.getSenderDevice(), 1L);
|
||||||
|
assertFalse(certificate.hasSenderUuid());
|
||||||
|
assertTrue(Arrays.equals(certificate.getIdentityKey().toByteArray(), Base64.decode(AuthHelper.VALID_IDENTITY)));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testValidCertificateWithUuid() throws Exception {
|
||||||
|
DeliveryCertificate certificateObject = resources.getJerseyTest()
|
||||||
|
.target("/v1/certificate/delivery")
|
||||||
|
.queryParam("includeUuid", "true")
|
||||||
|
.request()
|
||||||
|
.header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
|
||||||
|
.get(DeliveryCertificate.class);
|
||||||
|
|
||||||
|
|
||||||
SenderCertificate certificateHolder = SenderCertificate.parseFrom(certificateObject.getCertificate());
|
SenderCertificate certificateHolder = SenderCertificate.parseFrom(certificateObject.getCertificate());
|
||||||
SenderCertificate.Certificate certificate = SenderCertificate.Certificate.parseFrom(certificateHolder.getCertificate());
|
SenderCertificate.Certificate certificate = SenderCertificate.Certificate.parseFrom(certificateHolder.getCertificate());
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue