Cross-signing validation for self-sigs, expose signatures over `/user…

…/keys/query` and `/user/devices/{userId}` (#1962) * Enable unstable feature again * Try to verify when a device signs a key * Try to verify when a key signs a device * It's the self-signing key, not the master key * Fix error * Try to verify master key uploads * Actually we can't guarantee we can do that so nevermind * Add signatures into /devices/list request * Fix nil pointer * Reprioritise map creation * Don't skip devices that don't have signatures * Add some debug logging * Fix logic error in QuerySignatures * Fix bugs * Expose master and self-signing keys on /devices/list hopefully * maps are tedious * Expose signatures via /keys/query * Upload signatures when uploading keys * Fixes * Disable the feature again
matrix-org · Aug 6, 2021 · e95b1fd · e95b1fd
1 parent 8e5a013
commit e95b1fd
Show file tree

Hide file tree

Showing 9 changed files with 341 additions and 37 deletions.
diff --git a/federationapi/routing/devices.go b/federationapi/routing/devices.go
@@ -37,12 +37,28 @@ func GetUserDevices(
 		return jsonerror.InternalServerError()
 	}
 
+	sigReq := &keyapi.QuerySignaturesRequest{
+		TargetIDs: map[string][]gomatrixserverlib.KeyID{},
+	}
+	sigRes := &keyapi.QuerySignaturesResponse{}
+	for _, dev := range res.Devices {
+		sigReq.TargetIDs[userID] = append(sigReq.TargetIDs[userID], gomatrixserverlib.KeyID(dev.DeviceID))
+	}
+	keyAPI.QuerySignatures(req.Context(), sigReq, sigRes)
+
 	response := gomatrixserverlib.RespUserDevices{
 		UserID:   userID,
 		StreamID: res.StreamID,
 		Devices:  []gomatrixserverlib.RespUserDevice{},
 	}
 
+	if masterKey, ok := sigRes.MasterKeys[userID]; ok {
+		response.MasterKey = &masterKey
+	}
+	if selfSigningKey, ok := sigRes.SelfSigningKeys[userID]; ok {
+		response.SelfSigningKey = &selfSigningKey
+	}
+
 	for _, dev := range res.Devices {
 		var key gomatrixserverlib.RespUserDeviceKeys
 		err := json.Unmarshal(dev.DeviceKeys.KeyJSON, &key)
@@ -56,6 +72,20 @@ func GetUserDevices(
 			DisplayName: dev.DisplayName,
 			Keys:        key,
 		}
+
+		if targetUser, ok := sigRes.Signatures[userID]; ok {
+			if targetKey, ok := targetUser[gomatrixserverlib.KeyID(dev.DeviceID)]; ok {
+				for sourceUserID, forSourceUser := range targetKey {
+					for sourceKeyID, sourceKey := range forSourceUser {
+						if _, ok := device.Keys.Signatures[sourceUserID]; !ok {
+							device.Keys.Signatures[sourceUserID] = map[gomatrixserverlib.KeyID]gomatrixserverlib.Base64Bytes{}
+						}
+						device.Keys.Signatures[sourceUserID][sourceKeyID] = sourceKey
+					}
+				}
+			}
+		}
+
 		response.Devices = append(response.Devices, device)
 	}
 

diff --git a/keyserver/api/api.go b/keyserver/api/api.go
@@ -20,6 +20,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/matrix-org/dendrite/keyserver/types"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 )
@@ -38,6 +39,7 @@ type KeyInternalAPI interface {
 	QueryKeyChanges(ctx context.Context, req *QueryKeyChangesRequest, res *QueryKeyChangesResponse)
 	QueryOneTimeKeys(ctx context.Context, req *QueryOneTimeKeysRequest, res *QueryOneTimeKeysResponse)
 	QueryDeviceMessages(ctx context.Context, req *QueryDeviceMessagesRequest, res *QueryDeviceMessagesResponse)
+	QuerySignatures(ctx context.Context, req *QuerySignaturesRequest, res *QuerySignaturesResponse)
 }
 
 // KeyError is returned if there was a problem performing/querying the server
@@ -242,6 +244,24 @@ type QueryDeviceMessagesResponse struct {
 	Error    *KeyError
 }
 
+type QuerySignaturesRequest struct {
+	// A map of target user ID -> target key/device IDs to retrieve signatures for
+	TargetIDs map[string][]gomatrixserverlib.KeyID `json:"target_ids"`
+}
+
+type QuerySignaturesResponse struct {
+	// A map of target user ID -> target key/device ID -> origin user ID -> origin key/device ID -> signatures
+	Signatures map[string]map[gomatrixserverlib.KeyID]types.CrossSigningSigMap
+	// A map of target user ID -> cross-signing master key
+	MasterKeys map[string]gomatrixserverlib.CrossSigningKey
+	// A map of target user ID -> cross-signing self-signing key
+	SelfSigningKeys map[string]gomatrixserverlib.CrossSigningKey
+	// A map of target user ID -> cross-signing user-signing key
+	UserSigningKeys map[string]gomatrixserverlib.CrossSigningKey
+	// The request error, if any
+	Error *KeyError
+}
+
 type InputDeviceListUpdateRequest struct {
 	Event gomatrixserverlib.DeviceListUpdateEvent
 }