From 92ee0a52271fdde67371fed6613902bf585f475c Mon Sep 17 00:00:00 2001
From: Moxie Marlinspike
Date: Thu, 10 Jan 2019 10:27:27 -0800
Subject: [PATCH] Validate client requesting certificate has identity key
---
 .../controllers/CertificateController.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java b/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
index 53ee52066..339a7ed50 100644
--- a/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
+++ b/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
@@ -1,14 +1,19 @@
 package org.whispersystems.textsecuregcm.controllers;
 import com.codahale.metrics.annotation.Timed;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.whispersystems.textsecuregcm.auth.CertificateGenerator;
 import org.whispersystems.textsecuregcm.entities.DeliveryCertificate;
 import org.whispersystems.textsecuregcm.storage.Account;
+import org.whispersystems.textsecuregcm.util.Util;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
 import java.io.IOException;
 import java.security.InvalidKeyException;
@@ -18,6 +23,8 @@ import io.dropwizard.auth.Auth;
 @Path("/v1/certificate")
 public class CertificateController {
+ private final Logger logger = LoggerFactory.getLogger(CertificateController.class);
+
 private final CertificateGenerator certificateGenerator;
 public CertificateController(CertificateGenerator certificateGenerator) {
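Review bot: The new `logger` field in the second hunk is declared per instance, where the usual SLF4J convention is a class-level constant: `private static final Logger logger = LoggerFactory.getLogger(CertificateController.class);`. Making it static also signals that the logger holds no per-request or per-controller state. The class body continues outside this hunk.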
@@ -30,6 +37,12 @@ public class CertificateController {
 @Path("/delivery")
 public DeliveryCertificate getDeliveryCertificate(@Auth Account account) throws IOException, InvalidKeyException {
 if (!account.getAuthenticatedDevice().isPresent()) throw new AssertionError();
+
+ if (Util.isEmpty(account.getIdentityKey())) {
+ logger.info("Requested certificate without identity key: " + account.getNumber());
+ throw new WebApplicationException(Response.Status.BAD_REQUEST);
+ }
+
 return new DeliveryCertificate(certificateGenerator.createFor(account, account.getAuthenticatedDevice().get()));
 }
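Review bot: The added `logger.info(...)` call writes `account.getNumber()` to the server log at INFO level, and that value looks like the account's phone number, so a user identifier lands in logs on a path any authenticated client without an identity key can hit repeatedly. I would drop the identifier or log a redacted form, and use a constant or parameterized message rather than string concatenation, e.g. `logger.info("Requested certificate without identity key");`. Separately, `Util.isEmpty` presumably only rejects null or empty values, so a present but malformed identity key would still reach `certificateGenerator.createFor(...)`; it is worth confirming that this path fails cleanly rather than issuing a certificate over bad key material. The method's annotations and the rest of the class are outside this hunk.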