Pairing authorisations: refactor proto, change sql table, add getters

6 years ago · a4411007b0
parent 33d789b688
commit a4411007b0
6 changed files with 202 additions and 95 deletions
--- a/app/sql.js
+++ b/app/sql.js
@ -73,6 +73,8 @@ module.exports = {
  removeAllContactSignedPreKeys,

  createOrUpdatePairingAuthorisation,
+  getAuthorisationForPubKey,
+  getSecondaryDevicesFor,

  createOrUpdateItem,
  getItemById,
@ -787,13 +789,17 @@ async function updateToLokiSchemaVersion2(currentVersion, instance) {
  await instance.run(
    `CREATE TABLE pairingAuthorisations(
      id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
-      issuerPubKey VARCHAR(255),
+      primaryDevicePubKey VARCHAR(255),
      secondaryDevicePubKey VARCHAR(255),
-      signature VARCHAR(255),
+      isGranted BOOLEAN,
      json TEXT
    );`
  );

+  await instance.run(`CREATE UNIQUE INDEX pairing_authorisations_secondary_device_pubkey ON pairingAuthorisations (
+    secondaryDevicePubKey
+  );`);
+
  await instance.run(
    `INSERT INTO loki_schema (
        version
@ -1223,14 +1229,16 @@ async function removeAllSignedPreKeys() {
 }

 const PAIRING_AUTHORISATIONS_TABLE = 'pairingAuthorisations';
-async function getPairingAuthorisation(issuerPubKey, secondaryDevicePubKey) {
+async function getAuthorisationForPubKey(pubKey, options) {
+  const granted = options && options.granted;
+  let filter = '';
+  if (granted) {
+    filter = 'AND isGranted = 1';
+  }
  const row = await db.get(
-    `SELECT * FROM ${PAIRING_AUTHORISATIONS_TABLE} WHERE
-      issuerPubKey = $issuerPubKey AND secondaryDevicePubKey = $secondaryDevicePubKey
-      LIMIT 1;`,
+    `SELECT json FROM ${PAIRING_AUTHORISATIONS_TABLE} WHERE secondaryDevicePubKey = $secondaryDevicePubKey ${filter};`,
    {
-      $issuerPubKey: issuerPubKey,
-      $secondaryDevicePubKey: secondaryDevicePubKey,
+      $secondaryDevicePubKey: pubKey,
    }
  );

@ -1240,39 +1248,41 @@ async function getPairingAuthorisation(issuerPubKey, secondaryDevicePubKey) {

  return jsonToObject(row.json);
 }
-async function createOrUpdatePairingAuthorisation(data) {
-  const { issuerPubKey, secondaryDevicePubKey, signature } = data;

-  const existing = await getPairingAuthorisation(
-    issuerPubKey,
-    secondaryDevicePubKey
-  );
-  // prevent adding duplicate entries
-  if (existing) {
-    return;
-  }
+async function createOrUpdatePairingAuthorisation(data) {
+  const { primaryDevicePubKey, secondaryDevicePubKey, grantSignature } = data;

  await db.run(
-    `INSERT INTO ${PAIRING_AUTHORISATIONS_TABLE} (
-      issuerPubKey,
+    `INSERT OR REPLACE INTO ${PAIRING_AUTHORISATIONS_TABLE} (
+      primaryDevicePubKey,
      secondaryDevicePubKey,
-      signature,
+      isGranted,
      json
    ) values (
-      $issuerPubKey,
+      $primaryDevicePubKey,
      $secondaryDevicePubKey,
-      $signature,
+      $isGranted,
      $json
    )`,
    {
-      $issuerPubKey: issuerPubKey,
+      $primaryDevicePubKey: primaryDevicePubKey,
      $secondaryDevicePubKey: secondaryDevicePubKey,
-      $signature: signature,
+      $isGranted: Boolean(grantSignature),
      $json: objectToJSON(data),
    }
  );
 }

+async function getSecondaryDevicesFor(primaryDevicePubKey) {
+  const rows = await db.all(
+    `SELECT secondaryDevicePubKey FROM ${PAIRING_AUTHORISATIONS_TABLE} WHERE primaryDevicePubKey = $primaryDevicePubKey AND isGranted = 1 ORDER BY secondaryDevicePubKey ASC;`,
+    {
+      $primaryDevicePubKey: primaryDevicePubKey,
+    }
+  );
+  return map(rows, row => row.secondaryDevicePubKey);
+}
+
 const ITEMS_TABLE = 'items';
 async function createOrUpdateItem(data) {
  return createOrUpdate(ITEMS_TABLE, data);
--- a/js/modules/data.js
+++ b/js/modules/data.js
@ -1,4 +1,4 @@
-/* global window, setTimeout, IDBKeyRange */
+/* global window, setTimeout, IDBKeyRange, dcodeIO */

 const electron = require('electron');

@ -90,6 +90,9 @@ module.exports = {
  removeAllContactSignedPreKeys,

  createOrUpdatePairingAuthorisation,
+  getGrantAuthorisationForPubKey,
+  getAuthorisationForPubKey,
+  getSecondaryDevicesFor,

  createOrUpdateItem,
  getItemById,
@ -573,21 +576,57 @@ async function removeAllContactSignedPreKeys() {
  await channels.removeAllContactSignedPreKeys();
 }

-async function createOrUpdatePairingAuthorisation(data) {
-  let sig;
-  if (isArrayBuffer(data.signature)) {
-    sig = arrayBufferToBase64(data.signature);
-  } else if (typeof signature === 'string') {
-    sig = data.signature;
-  } else {
-    throw new Error(
-      'Invalid signature provided in createOrUpdatePairingAuthorisation. Needs to be either ArrayBuffer or string.'
-    );
+function signatureToBase64(signature) {
+  if (signature.constructor === dcodeIO.ByteBuffer) {
+    return dcodeIO.ByteBuffer.wrap(signature).toString('base64');
+  } else if (isArrayBuffer(signature)) {
+    return arrayBufferToBase64(signature);
  }
+  throw new Error(
+    'Invalid signature provided in createOrUpdatePairingAuthorisation. Needs to be either ArrayBuffer or ByteBuffer.'
+  );
+}
+
+async function createOrUpdatePairingAuthorisation(data) {
+  const { requestSignature, grantSignature } = data;
+
  return channels.createOrUpdatePairingAuthorisation({
    ...data,
-    signature: sig,
+    requestSignature: signatureToBase64(requestSignature),
+    grantSignature: grantSignature ? signatureToBase64(grantSignature) : null,
+  });
+}
+
+async function getGrantAuthorisationForPubKey(pubKey) {
+  const authorisation = await channels.getAuthorisationForPubKey(pubKey, {
+    granted: true,
  });
+  if (!authorisation) {
+    return null;
+  }
+  return {
+    ...authorisation,
+    requestSignature: base64ToArrayBuffer(authorisation.requestSignature),
+    grantSignature: base64ToArrayBuffer(authorisation.grantSignature),
+  };
+}
+
+async function getAuthorisationForPubKey(pubKey) {
+  const authorisation = await channels.getAuthorisationForPubKey(pubKey);
+  if (!authorisation) {
+    return null;
+  }
+  return {
+    ...authorisation,
+    requestSignature: base64ToArrayBuffer(authorisation.requestSignature),
+    grantSignature: authorisation.grantSignature
+      ? base64ToArrayBuffer(authorisation.grantSignature)
+      : null,
+  };
+}
+
+function getSecondaryDevicesFor(primareyDevicePubKey) {
+  return channels.getSecondaryDevicesFor(primareyDevicePubKey);
 }

 // Items
--- a/libloki/api.js
+++ b/libloki/api.js
@ -63,30 +63,70 @@
    await outgoingMessage.sendToNumber(pubKey);
  }

-  async function sendPairingAuthorisation(secondaryDevicePubKey, signature) {
-    const pairingAuthorisation = new textsecure.protobuf.PairingAuthorisationMessage(
-      {
-        signature,
-        primaryDevicePubKey: textsecure.storage.user.getNumber(),
-        secondaryDevicePubKey,
-        type:
-          textsecure.protobuf.PairingAuthorisationMessage.Type.PAIRING_REQUEST,
-      }
+  function createPairingAuthorisationProtoMessage({
+    primaryDevicePubKey,
+    secondaryDevicePubKey,
+    requestSignature,
+    grantSignature,
+    type,
+  }) {
+    if (
+      !primaryDevicePubKey ||
+      !secondaryDevicePubKey ||
+      type === undefined ||
+      type === null
+    ) {
+      throw new Error(
+        'createPairingAuthorisationProtoMessage: pubkeys or type is not set'
+      );
+    }
+    if (requestSignature.constructor !== ArrayBuffer) {
+      throw new Error(
+        'createPairingAuthorisationProtoMessage expects a signature as ArrayBuffer'
+      );
+    }
+    if (grantSignature && grantSignature.constructor !== ArrayBuffer) {
+      throw new Error(
+        'createPairingAuthorisationProtoMessage expects a signature as ArrayBuffer'
+      );
+    }
+    return new textsecure.protobuf.PairingAuthorisationMessage({
+      requestSignature: new Uint8Array(requestSignature),
+      grantSignature: grantSignature ? new Uint8Array(grantSignature) : null,
+      primaryDevicePubKey,
+      secondaryDevicePubKey,
+      type,
+    });
+  }
+
+  async function sendPairingAuthorisation(authorisation, recipientPubKey) {
+    const pairingAuthorisation = createPairingAuthorisationProtoMessage(
+      authorisation
    );
    const content = new textsecure.protobuf.Content({
      pairingAuthorisation,
    });
    const options = {};
-    const outgoingMessage = new textsecure.OutgoingMessage(
-      null, // server
-      Date.now(), // timestamp,
-      [secondaryDevicePubKey], // numbers
-      content, // message
-      true, // silent
-      () => null, // callback
-      options
-    );
-    await outgoingMessage.sendToNumber(secondaryDevicePubKey);
+    const p = new Promise((resolve, reject) => {
+      const outgoingMessage = new textsecure.OutgoingMessage(
+        null, // server
+        Date.now(), // timestamp,
+        [recipientPubKey], // numbers
+        content, // message
+        true, // silent
+        result => {
+          // callback
+          if (result.errors.length > 0) {
+            reject(result.errors[0]);
+          } else {
+            resolve();
+          }
+        },
+        options
+      );
+      outgoingMessage.sendToNumber(recipientPubKey);
+    });
+    return p;
  }

  window.libloki.api = {
@ -94,5 +134,6 @@
    sendOnlineBroadcastMessage,
    broadcastOnlineStatus,
    sendPairingAuthorisation,
+    createPairingAuthorisationProtoMessage,
  };
 })();
--- a/libloki/crypto.js
+++ b/libloki/crypto.js
@ -171,32 +171,38 @@
      myKeyPair.privKey,
      data.buffer
    );
-    return new Uint8Array(signature);
+    return signature;
  }

  async function verifyPairingAuthorisation(
-    issuerPubKey,
+    primaryDevicePubKey,
    secondaryPubKey,
    signature,
    type
  ) {
-    const myKeyPair = await textsecure.storage.protocol.getIdentityKeyPair();
-    if (StringView.arrayBufferToHex(myKeyPair.pubKey) !== secondaryPubKey) {
-      throw new Error(
-        'Invalid pairing authorisation: we are not the recipient of the authorisation!'
-      );
-    }
-    const len = myKeyPair.pubKey.byteLength;
+    const secondaryPubKeyArrayBuffer = StringView.hexToArrayBuffer(
+      secondaryPubKey
+    );
+    const primaryDevicePubKeyArrayBuffer = StringView.hexToArrayBuffer(
+      primaryDevicePubKey
+    );
+    const len = secondaryPubKeyArrayBuffer.byteLength;
    const data = new Uint8Array(len + 1);
-    data.set(new Uint8Array(myKeyPair.pubKey), 0);
+    // For REQUEST type message, the secondary device signs the primary device pubkey
+    // For GRANT type message, the primary device signs the secondary device pubkey
+    let issuer;
+    if (type === textsecure.protobuf.PairingAuthorisationMessage.Type.GRANT) {
+      data.set(new Uint8Array(secondaryPubKeyArrayBuffer));
+      issuer = primaryDevicePubKeyArrayBuffer;
+    } else if (
+      type === textsecure.protobuf.PairingAuthorisationMessage.Type.REQUEST
+    ) {
+      data.set(new Uint8Array(primaryDevicePubKeyArrayBuffer));
+      issuer = secondaryPubKeyArrayBuffer;
+    }
    data[len] = type;
-    const issuerPubKeyArrayBuffer = StringView.hexToArrayBuffer(issuerPubKey);
    // Throws for invalid signature
-    await libsignal.Curve.async.verifySignature(
-      issuerPubKeyArrayBuffer,
-      data.buffer,
-      signature
-    );
+    await libsignal.Curve.async.verifySignature(issuer, data.buffer, signature);
  }

  const snodeCipher = new LokiSnodeChannel();
--- a/libloki/storage.js
+++ b/libloki/storage.js
@ -113,16 +113,33 @@
    }
  }

-  async function savePairingAuthorisation(
-    issuerPubKey,
+  function savePairingAuthorisation({
+    primaryDevicePubKey,
    secondaryDevicePubKey,
-    signature
-  ) {
-    return textsecure.storage.protocol.storePairingAuthorisation(
-      issuerPubKey,
+    requestSignature,
+    grantSignature,
+  }) {
+    return window.Signal.Data.createOrUpdatePairingAuthorisation({
+      primaryDevicePubKey,
      secondaryDevicePubKey,
-      signature
-    );
+      requestSignature,
+      grantSignature,
+    });
+  }
+
+  function getGrantAuthorisationForSecondaryPubKey(secondaryPubKey) {
+    return window.Signal.Data.getGrantAuthorisationForPubKey(secondaryPubKey);
+  }
+
+  function getAuthorisationForSecondaryPubKey(secondaryPubKey) {
+    return window.Signal.Data.getAuthorisationForPubKey(secondaryPubKey);
+  }
+
+  async function getAllDevicePubKeysForPrimaryPubKey(primaryDevicePubKey) {
+    const secondaryPubKeys =
+      (await window.Signal.Data.getSecondaryDevicesFor(primaryDevicePubKey)) ||
+      [];
+    return secondaryPubKeys.concat(primaryDevicePubKey);
  }

  window.libloki.storage = {
@ -131,6 +148,9 @@
    removeContactPreKeyBundle,
    verifyFriendRequestAcceptPreKey,
    savePairingAuthorisation,
+    getGrantAuthorisationForSecondaryPubKey,
+    getAuthorisationForSecondaryPubKey,
+    getAllDevicePubKeysForPrimaryPubKey,
  };

  // Libloki protocol store
@ -256,15 +276,4 @@
  store.clearContactSignedPreKeysStore = async () => {
    await window.Signal.Data.removeAllContactSignedPreKeys();
  };
-
-  store.storePairingAuthorisation = (
-    issuerPubKey,
-    secondaryDevicePubKey,
-    signature
-  ) =>
-    window.Signal.Data.createOrUpdatePairingAuthorisation({
-      issuerPubKey,
-      secondaryDevicePubKey,
-      signature,
-    });
 })();
--- a/protos/SignalService.proto
+++ b/protos/SignalService.proto
@ -51,13 +51,15 @@ message LokiAddressMessage {

 message PairingAuthorisationMessage {
  enum Type {
-    PAIRING_REQUEST = 1;
-    UNPAIRING_REQUEST = 2;
+    REQUEST = 1;
+    GRANT = 2;
+    REVOKE = 3;
  }
  optional string primaryDevicePubKey   = 1;
  optional string secondaryDevicePubKey = 2;
-  optional bytes  signature             = 3;
-  optional Type   type                  = 4;
+  optional bytes  requestSignature      = 3;
+  optional bytes  grantSignature        = 4;
+  optional Type   type                  = 5;
 }

 message PreKeyBundleMessage {