Require that unidentified access keys be exactly 16 bytes

2021-10-25 17:31:20 -04:00 · 2021-10-25 17:31:20 -04:00 · e6237480f8
parent 966d4e29d4
commit e6237480f8
3 changed files with 23 additions and 0 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@ -544,6 +544,7 @@ public class AccountController {
  @PUT
  @Path("/attributes/")
  @Consumes(MediaType.APPLICATION_JSON)
+  @Produces(MediaType.APPLICATION_JSON)
  @ChangesDeviceEnabledState
  public void setAccountAttributes(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
      @HeaderParam("X-Signal-Agent") String userAgent,
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
@ -8,6 +8,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.annotations.VisibleForTesting;
 import javax.validation.constraints.Size;
 import org.whispersystems.textsecuregcm.storage.Device.DeviceCapabilities;
+import org.whispersystems.textsecuregcm.util.ExactlySize;

 public class AccountAttributes {

@ -25,6 +26,7 @@ public class AccountAttributes {
  private String registrationLock;

  @JsonProperty
+  @ExactlySize({0, 16})
  private byte[] unidentifiedAccessKey;

  @JsonProperty
@ -80,4 +82,9 @@ public class AccountAttributes {
  public boolean isDiscoverableByPhoneNumber() {
    return discoverableByPhoneNumber;
  }
+
+  @VisibleForTesting
+  public void setUnidentifiedAccessKey(final byte[] unidentifiedAccessKey) {
+    this.unidentifiedAccessKey = unidentifiedAccessKey;
+  }
 }
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@ -1673,6 +1673,21 @@ class AccountControllerTest {
    assertThat(response.getStatus()).isEqualTo(204);
  }

+  @Test
+  void testSetAccountAttributesBadUnidentifiedKeyLength() {
+    final AccountAttributes attributes = new AccountAttributes(false, 2222, null, null, false, null);
+    attributes.setUnidentifiedAccessKey(new byte[7]);
+
+    Response response =
+        resources.getJerseyTest()
+            .target("/v1/accounts/attributes/")
+            .request()
+            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+            .put(Entity.json(attributes));
+
+    assertThat(response.getStatus()).isEqualTo(422);
+  }
+
  @Test
  void testDeleteAccount() throws InterruptedException {
    Response response =