Sealed sender support

js/modules/metadata/SecretSessionCipher.js

@@ -102,37 +102,17 @@ function _createServerCertificateFromBuffer(serialized) {
 
 // public SenderCertificate(byte[] serialized)
 function _createSenderCertificateFromBuffer(serialized) {
-  const wrapper = textsecure.protobuf.SenderCertificate.decode(serialized);
+  const cert = textsecure.protobuf.SenderCertificate.decode(serialized);
 
-  if (!wrapper.signature || !wrapper.certificate) {
-    throw new Error('Missing fields');
-  }
-
-  const certificate = textsecure.protobuf.SenderCertificate.Certificate.decode(
-    wrapper.certificate.toArrayBuffer()
-  );
-
-  if (
-    !certificate.signer ||
-    !certificate.identityKey ||
-    !certificate.senderDevice ||
-    !certificate.expires ||
-    !certificate.sender
-  ) {
+  if (!cert.senderDevice || !cert.sender) {
     throw new Error('Missing fields');
   }
 
   return {
-    sender: certificate.sender,
-    senderDevice: certificate.senderDevice,
-    expires: certificate.expires.toNumber(),
-    identityKey: certificate.identityKey.toArrayBuffer(),
-    signer: _createServerCertificateFromBuffer(
-      certificate.signer.toArrayBuffer()
-    ),
+    sender: cert.sender,
+    senderDevice: cert.senderDevice,
 
-    certificate: wrapper.certificate.toArrayBuffer(),
-    signature: wrapper.signature.toArrayBuffer(),
+    certificate: cert.toArrayBuffer(),
 
     serialized,
   };
@@ -257,9 +237,7 @@ function _createUnidentifiedSenderMessageContent(
 ) {
   const innerMessage = new textsecure.protobuf.UnidentifiedSenderMessage.Message();
   innerMessage.type = _getProtoMessageType(type);
-  innerMessage.senderCertificate = textsecure.protobuf.SenderCertificate.decode(
-    senderCertificate.serialized
-  );
+  innerMessage.senderCertificate = senderCertificate;
   innerMessage.content = content;
 
   return {
@@ -392,15 +370,6 @@ SecretSessionCipher.prototype = {
       messageBytes
     );
 
-    await validator.validate(content.senderCertificate, timestamp);
-    if (
-      !constantTimeEqual(content.senderCertificate.identityKey, staticKeyBytes)
-    ) {
-      throw new Error(
-        "Sender's certificate key does not match key used in message"
-      );
-    }
-
     const { sender, senderDevice } = content.senderCertificate;
     const { number, deviceId } = me || {};
     if (sender === number && senderDevice === deviceId) {

libtextsecure/outgoing_message.js

@@ -429,16 +429,47 @@ OutgoingMessage.prototype = {
           options.messageKeysLimit = false;
         }
 
-        ciphers[address.getDeviceId()] = sessionCipher;
+        let content;
+        let type;
+        let destinationRegistrationId;
 
-        // Encrypt our plain text
-        const ciphertext = await sessionCipher.encrypt(plaintext);
-        if (!enableFallBackEncryption) {
-          // eslint-disable-next-line no-param-reassign
-          ciphertext.body = new Uint8Array(
-            dcodeIO.ByteBuffer.wrap(ciphertext.body, 'binary').toArrayBuffer()
+        if (window.lokiFeatureFlags.useSealedSender) {
+          const secretSessionCipher = new window.Signal.Metadata.SecretSessionCipher(
+            textsecure.storage.protocol
           );
+          ciphers[address.getDeviceId()] = secretSessionCipher;
+
+          var senderCert = new textsecure.protobuf.SenderCertificate();
+
+          senderCert.sender = ourKey;
+          senderCert.senderDevice = deviceId;
+
+          const ciphertext = await secretSessionCipher.encrypt(
+            address,
+            senderCert,
+            plaintext
+          );
+
+          type = textsecure.protobuf.Envelope.Type.UNIDENTIFIED_SENDER;
+          content = window.Signal.Crypto.arrayBufferToBase64(ciphertext);
+
+          destinationRegistrationId = null;
+        } else {
+          ciphers[address.getDeviceId()] = sessionCipher;
+
+          const ciphertext = await sessionCipher.encrypt(plaintext);
+          if (!enableFallBackEncryption) {
+            // eslint-disable-next-line no-param-reassign
+            ciphertext.body = new Uint8Array(
+              dcodeIO.ByteBuffer.wrap(ciphertext.body, 'binary').toArrayBuffer()
+            );
+          }
+
+          type = ciphertext.type;
+          content = ciphertext.body;
+          destinationRegistrationId = ciphertext.registrationId;
         }
+
         const getTTL = type => {
           switch (type) {
             case 'friend-request':
@@ -458,12 +489,12 @@ OutgoingMessage.prototype = {
         const ttl = getTTL(thisDeviceMessageType);
 
         return {
-          type: ciphertext.type, // FallBackSessionCipher sets this to FRIEND_REQUEST
+          type, // FallBackSessionCipher sets this to FRIEND_REQUEST
           ttl,
           ourKey,
           sourceDevice: 1,
-          destinationRegistrationId: ciphertext.registrationId,
-          content: ciphertext.body,
+          destinationRegistrationId,
+          content,
           pubKey: devicePubKey,
         };
       })

preload.js

@@ -495,10 +495,12 @@ window.pubkeyPattern = /@[a-fA-F0-9]{64,66}\b/g;
 // Limited due to the proof-of-work requirement
 window.SMALL_GROUP_SIZE_LIMIT = 10;
 
+// TODO: activate SealedSender once it is ready on all platforms
 window.lokiFeatureFlags = {
   multiDeviceUnpairing: true,
   privateGroupChats: false,
   useSnodeProxy: false,
+  useSealedSender: false,
 };
 
 // eslint-disable-next-line no-extend-native,func-names

protos/UnidentifiedDelivery.proto

@@ -13,17 +13,10 @@ message ServerCertificate {
     optional bytes signature   = 2;
 }
 
+// This should perhaps be renamed to something like `SenderInfo`
 message SenderCertificate {
-    message Certificate {
-        optional string            sender        = 1;
-        optional uint32            senderDevice  = 2;
-        optional fixed64           expires       = 3;
-        optional bytes             identityKey   = 4;
-        optional ServerCertificate signer        = 5;
-    }
-
-    optional bytes certificate = 1;
-    optional bytes signature   = 2;
+    optional string sender       = 1;
+    optional uint32 senderDevice = 2;
 }
 
 message UnidentifiedSenderMessage {