keejef
/
session-ios
mirror of https://github.com/oxen-io/session-ios
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dev
voice-calls-2
voice-calls
authentication
2.5.0
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.2
2.3.1
2.3.0
2.2.14
2.2.13
2.2.12
2.2.11
2.2.10
2.2.9
2.2.6
2.2.4
2.2.2
2.2.1
2.2.0
2.1.1
2.0.3
2.0.2
2.0.1
2.0.0
1.0.0-alpha.1
audit-2
audit
2.8.0
2.7.4
2.7.3
2.7.2
2.7.1
2.7.0
2.6.3
2.6.2
2.6.1
2.6.0
2.2.8
2.2.7
2.2.5
2.2.3
2.1.0
1.9.7
1.9.6
1.9.5
1.9.4
1.9.3
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.8
1.7.7
1.7.6
1.7.5
1.7.4
1.7.3
1.7.2
1.7.0
1.6.5
1.6.4
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1-beta
1.5.0-beta
1.5.0
1.4.7
1.4.6
1.4.5
1.4.4
1.4.3
1.4.2
1.4.0-beta
1.4.0
1.3.0-alpha.1
1.3.0
1.2.6
1.2.5
1.2.4
1.2.3
1.2.1
1.2.0-alpha.2
1.2.0-alpha.1
1.2.0
1.13.0
1.12.9
1.12.8
1.12.7
1.12.6
1.12.5
1.12.4
1.12.2
1.12.1
1.11.9
1.11.8
1.11.7
1.11.6
1.11.5
1.11.4
1.11.3
1.11.24
1.11.23
1.11.22
1.11.21
1.11.20
1.11.2
1.11.19
1.11.18
1.11.17
1.11.16
1.11.15
1.11.14
1.11.13
1.11.12
1.11.11
1.11.10
1.11.1
1.11.0
1.10.2
1.10.1
1.10.0
1.1.0-alpha.4
1.1.0-alpha.3
1.1.0-alpha.2
1.1.0-alpha.1
1.1.0
1.0.8
1.0.7
1.0.6
1.0.5
1.0.4
1.0.3
1.0.2
1.0.1
1.0.0-alpha.3
1.0.0-alpha.2
1.0.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '32cf68bece'
${ noResults }
session-ios/SignalServiceKit/src/Messages/UD/OWSUDManager.swift

335 lines
11 KiB
Swift
Raw Blame History

//
// Copyright (c) 2018 Open Whisper Systems. All rights reserved.
//
import Foundation
import PromiseKit
import SignalMetadataKit
import SignalCoreKit
public enum OWSUDError: Error {
case assertionError(description: String)
case invalidData(description: String)
}
@objc
public enum UnidentifiedAccessMode: Int {
case unknown
case enabled
case disabled
case unrestricted
}
@objc public protocol OWSUDManager: class {
@objc func setup()
@objc func trustRoot() -> ECPublicKey
@objc func isUDEnabled() -> Bool
// MARK: - Recipient State
@objc
func setUnidentifiedAccessMode(_ mode: UnidentifiedAccessMode, recipientId: String)
@objc
func getAccess(forRecipientId recipientId: RecipientIdentifier) -> SSKUnidentifiedAccessPair?
// Returns the UD access key for a given recipient if they are
// a UD recipient and we have a valid profile key for them.
@objc func udAccessKeyForRecipient(_ recipientId: RecipientIdentifier) -> SMKUDAccessKey?
// MARK: - Local State
// MARK: Sender Certificate
// We use completion handlers instead of a promise so that message sending
// logic can access the strongly typed certificate data.
@objc func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,
failure:@escaping (Error) -> Void)
// MARK: Unrestricted Access
@objc func shouldAllowUnrestrictedAccessLocal() -> Bool
@objc func setShouldAllowUnrestrictedAccessLocal(_ value: Bool)
}
// MARK: -
@objc
public class OWSUDManagerImpl: NSObject, OWSUDManager {
private let dbConnection: YapDatabaseConnection
// MARK: Local Configuration State
private let kUDCollection = "kUDCollection"
private let kUDCurrentSenderCertificateKey = "kUDCurrentSenderCertificateKey"
private let kUDUnrestrictedAccessKey = "kUDUnrestrictedAccessKey"
// MARK: Recipient State
private let kUnidentifiedAccessCollection = "kUnidentifiedAccessCollection"
var certificateValidator: SMKCertificateValidator
@objc
public required init(primaryStorage: OWSPrimaryStorage) {
self.dbConnection = primaryStorage.newDatabaseConnection()
self.certificateValidator = SMKCertificateDefaultValidator(trustRoot: OWSUDManagerImpl.trustRoot())
super.init()
SwiftSingletons.register(self)
}
@objc public func setup() {
AppReadiness.runNowOrWhenAppIsReady {
guard TSAccountManager.isRegistered() else {
return
}
self.ensureSenderCertificate().retainUntilComplete()
}
NotificationCenter.default.addObserver(self,
selector: #selector(registrationStateDidChange),
name: .RegistrationStateDidChange,
object: nil)
}
@objc
func registrationStateDidChange() {
AssertIsOnMainThread()
ensureSenderCertificate().retainUntilComplete()
}
// MARK: - Dependencies
private var profileManager: ProfileManagerProtocol {
return SSKEnvironment.shared.profileManager
}
private var tsAccountManager: TSAccountManager {
return TSAccountManager.sharedInstance()
}
// MARK: - Recipient state
@objc
public func getAccess(forRecipientId recipientId: RecipientIdentifier) -> SSKUnidentifiedAccessPair? {
let theirAccessMode = unidentifiedAccessMode(recipientId: recipientId)
guard theirAccessMode == .enabled || theirAccessMode == .unrestricted else {
return nil
}
guard let theirAccessKey = self.udAccessKeyForRecipient(recipientId) else {
return nil
}
guard let ourSenderCertificate = self.senderCertificate() else {
return nil
}
guard let ourAccessKey: SMKUDAccessKey = {
if self.shouldAllowUnrestrictedAccessLocal() {
return SMKUDAccessKey(randomKeyData: ())
} else {
guard let localNumber = self.tsAccountManager.localNumber() else {
owsFailDebug("localNumber was unexpectedly nil")
return nil
}
return self.udAccessKeyForRecipient(localNumber)
}
}() else {
return nil
}
let targetUnidentifiedAccess = SSKUnidentifiedAccess(accessKey: theirAccessKey, senderCertificate: ourSenderCertificate)
let selfUnidentifiedAccess = SSKUnidentifiedAccess(accessKey: ourAccessKey, senderCertificate: ourSenderCertificate)
return SSKUnidentifiedAccessPair(targetUnidentifiedAccess: targetUnidentifiedAccess,
selfUnidentifiedAccess: selfUnidentifiedAccess)
}
@objc
func unidentifiedAccessMode(recipientId: RecipientIdentifier) -> UnidentifiedAccessMode {
if tsAccountManager.localNumber() == recipientId {
if shouldAllowUnrestrictedAccessLocal() {
return .unrestricted
} else {
return .enabled
}
}
guard let existingRawValue = dbConnection.object(forKey: recipientId, inCollection: kUnidentifiedAccessCollection) as? Int else {
return .unknown
}
guard let existingValue = UnidentifiedAccessMode(rawValue: existingRawValue) else {
return .unknown
}
return existingValue
}
@objc
public func setUnidentifiedAccessMode(_ mode: UnidentifiedAccessMode, recipientId: String) {
dbConnection.setObject(mode.rawValue as Int, forKey: recipientId, inCollection: kUnidentifiedAccessCollection)
}
// Returns the UD access key for a given recipient
// if we have a valid profile key for them.
@objc
public func udAccessKeyForRecipient(_ recipientId: RecipientIdentifier) -> SMKUDAccessKey? {
guard isUDEnabled() else {
return nil
}
let theirAccessMode = unidentifiedAccessMode(recipientId: recipientId)
if theirAccessMode == .unrestricted {
return SMKUDAccessKey(randomKeyData: ())
}
guard let profileKey = profileManager.profileKeyData(forRecipientId: recipientId) else {
// Mark as "not a UD recipient".
return nil
}
do {
let udAccessKey = try SMKUDAccessKey(profileKey: profileKey)
return udAccessKey
} catch {
Logger.error("Could not determine udAccessKey: \(error)")
return nil
}
}
// MARK: - Sender Certificate
#if DEBUG
@objc
public func hasSenderCertificate() -> Bool {
return senderCertificate() != nil
}
#endif
private func senderCertificate() -> SMKSenderCertificate? {
guard let certificateData = dbConnection.object(forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection) as? Data else {
return nil
}
do {
let certificate = try SMKSenderCertificate.parse(data: certificateData)
guard isValidCertificate(certificate) else {
Logger.warn("Current sender certificate is not valid.")
return nil
}
return certificate
} catch {
owsFailDebug("Certificate could not be parsed: \(error)")
return nil
}
}
func setSenderCertificate(_ certificateData: Data) {
dbConnection.setObject(certificateData, forKey: kUDCurrentSenderCertificateKey, inCollection: kUDCollection)
}
@objc
public func ensureSenderCertificateObjC(success:@escaping (SMKSenderCertificate) -> Void,
failure:@escaping (Error) -> Void) {
firstly {
ensureSenderCertificate()
}.map { certificate in
success(certificate)
}.catch { error in
failure(error)
}.retainUntilComplete()
}
public func ensureSenderCertificate() -> Promise<SMKSenderCertificate> {
// If there is a valid cached sender certificate, use that.
if let certificate = senderCertificate() {
return Promise.value(certificate)
}
// Try to obtain a new sender certificate.
return firstly {
requestSenderCertificate()
}.map { (certificateData: Data, certificate: SMKSenderCertificate) in
// Cache the current sender certificate.
self.setSenderCertificate(certificateData)
return certificate
}
}
private func requestSenderCertificate() -> Promise<(certificateData: Data, certificate: SMKSenderCertificate)> {
return firstly {
SignalServiceRestClient().requestUDSenderCertificate()
}.map { certificateData -> (certificateData: Data, certificate: SMKSenderCertificate) in
let certificate = try SMKSenderCertificate.parse(data: certificateData)
guard self.isValidCertificate(certificate) else {
throw OWSUDError.invalidData(description: "Invalid sender certificate returned by server")
}
return (certificateData: certificateData, certificate: certificate)
}
}
private func isValidCertificate(_ certificate: SMKSenderCertificate) -> Bool {
// Ensure that the certificate will not expire in the next hour.
// We want a threshold long enough to ensure that any outgoing message
// sends will complete before the expiration.
let nowMs = NSDate.ows_millisecondTimeStamp()
let anHourFromNowMs = nowMs + kHourInMs
do {
try certificateValidator.validate(senderCertificate: certificate, validationTime: anHourFromNowMs)
return true
} catch {
OWSLogger.error("Invalid certificate")
return false
}
}
@objc
public func isUDEnabled() -> Bool {
return !IsUsingProductionService()
}
@objc
public func trustRoot() -> ECPublicKey {
return OWSUDManagerImpl.trustRoot()
}
@objc
public class func trustRoot() -> ECPublicKey {
guard let trustRootData = NSData(fromBase64String: kUDTrustRoot) else {
// This exits.
owsFail("Invalid trust root data.")
}
do {
return try ECPublicKey(serializedKeyData: trustRootData as Data)
} catch {
// This exits.
owsFail("Invalid trust root.")
}
}
// MARK: - Unrestricted Access
@objc
public func shouldAllowUnrestrictedAccessLocal() -> Bool {
return dbConnection.bool(forKey: kUDUnrestrictedAccessKey, inCollection: kUDCollection, defaultValue: false)
}
@objc
public func setShouldAllowUnrestrictedAccessLocal(_ value: Bool) {
dbConnection.setBool(value, forKey: kUDUnrestrictedAccessKey, inCollection: kUDCollection)
// Try to update the account attributes to reflect this change.
tsAccountManager.updateAccountAttributes()
}
}
Reference in New Issue View Git Blame Copy Permalink