Require that unidentified access keys be exactly 16 bytes

2021-10-25 17:31:20 -04:00 · 2021-10-25 17:31:20 -04:00 · e6237480f8
parent 966d4e29d4
commit e6237480f8
3 changed files with 23 additions and 0 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@ -544,6 +544,7 @@ public class AccountController {
  @PUT
  @Path("/attributes/")
  @Consumes(MediaType.APPLICATION_JSON)
  @Produces(MediaType.APPLICATION_JSON)
  @ChangesDeviceEnabledState
  public void setAccountAttributes(@Auth DisabledPermittedAuthenticatedAccount disabledPermittedAuth,
      @HeaderParam("X-Signal-Agent") String userAgent,
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/AccountAttributes.java
@ -8,6 +8,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.google.common.annotations.VisibleForTesting;
 import javax.validation.constraints.Size;
 import org.whispersystems.textsecuregcm.storage.Device.DeviceCapabilities;
 import org.whispersystems.textsecuregcm.util.ExactlySize;
 public class AccountAttributes {
@ -25,6 +26,7 @@ public class AccountAttributes {
  private String registrationLock;
  @JsonProperty
  @ExactlySize({0, 16})
  private byte[] unidentifiedAccessKey;
  @JsonProperty
@ -80,4 +82,9 @@ public class AccountAttributes {
  public boolean isDiscoverableByPhoneNumber() {
    return discoverableByPhoneNumber;
  }
  @VisibleForTesting
  public void setUnidentifiedAccessKey(final byte[] unidentifiedAccessKey) {
    this.unidentifiedAccessKey = unidentifiedAccessKey;
  }
 }
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@ -1673,6 +1673,21 @@ class AccountControllerTest {
    assertThat(response.getStatus()).isEqualTo(204);
  }
  @Test
  void testSetAccountAttributesBadUnidentifiedKeyLength() {
    final AccountAttributes attributes = new AccountAttributes(false, 2222, null, null, false, null);
    attributes.setUnidentifiedAccessKey(new byte[7]);
    Response response =
        resources.getJerseyTest()
            .target("/v1/accounts/attributes/")
            .request()
            .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
            .put(Entity.json(attributes));
    assertThat(response.getStatus()).isEqualTo(422);
  }
  @Test
  void testDeleteAccount() throws InterruptedException {
    Response response =