MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Disallow generation of certificates with key IDs reserved for testing.

This commit is contained in:
Jon Chambers 2021-03-26 16:14:26 -04:00 committed by Jon Chambers
parent 681cdf8eff
commit 9589b7758c
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
service/src/main/java/org/whispersystems/textsecuregcm/workers/CertificateCommand.java
View File

@ -20,12 +20,17 @@ import org.whispersystems.textsecuregcm.util.Base64;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.util.Set;
import io.dropwizard.cli.Command;
import io.dropwizard.setup.Bootstrap;
public class CertificateCommand extends Command {
private static final Set<Integer> RESERVED_CERTIFICATE_IDS = Set.of(
0xdeadc357 // Reserved for testing; see https://github.com/signalapp/libsignal-client/pull/118
);
public CertificateCommand() {
super("certificate", "Generates server certificates for unidentified delivery");
}
@ -75,6 +80,11 @@ public class CertificateCommand extends Command {
ECPrivateKey key = Curve.decodePrivatePoint(Base64.decode(namespace.getString("key")));
int keyId = namespace.getInt("keyId");
if (RESERVED_CERTIFICATE_IDS.contains(keyId)) {
throw new IllegalArgumentException(
String.format("Key ID %08x has been reserved or revoked and may not be used in new certificates.", keyId));
}
ECKeyPair keyPair = Curve.generateKeyPair();
byte[] certificate = MessageProtos.ServerCertificate.Certificate.newBuilder()