From e84fa87ed8c4cd26908a6eff25df1249e3930afa Mon Sep 17 00:00:00 2001 From: Andy Balaam Date: Wed, 29 Apr 2026 11:03:29 +0100 Subject: [PATCH] wip-broken-adding-x509_keys --- benchmarks/benches/crypto_bench.rs | 21 ++++--- .../src/dehydrated_devices.rs | 2 + bindings/matrix-sdk-crypto-ffi/src/lib.rs | 2 + bindings/matrix-sdk-crypto-ffi/src/machine.rs | 8 +-- crates/matrix-sdk-base/src/client.rs | 2 + crates/matrix-sdk-crypto/src/backups/mod.rs | 13 +++-- .../src/dehydrated_devices.rs | 19 +++++-- .../src/gossiping/machine.rs | 4 +- .../src/identities/manager.rs | 6 +- .../src/identities/room_identity_state.rs | 1 + .../matrix-sdk-crypto/src/identities/user.rs | 15 +++-- crates/matrix-sdk-crypto/src/lib.rs | 2 +- crates/matrix-sdk-crypto/src/machine/mod.rs | 26 +++++++-- .../src/machine/test_helpers.rs | 6 +- .../src/machine/tests/mod.rs | 42 +++++++------- .../src/machine/tests/olm_encryption.rs | 3 +- .../src/machine/tests/room_settings.rs | 10 ++-- .../machine/tests/send_encrypted_to_device.rs | 8 +-- crates/matrix-sdk-crypto/src/olm/account.rs | 56 ++----------------- .../src/olm/group_sessions/inbound.rs | 10 ++-- .../src/olm/group_sessions/sender_data.rs | 15 +++-- .../olm/group_sessions/sender_data_finder.rs | 3 +- .../src/session_manager/group_sessions/mod.rs | 8 +-- .../group_sessions/share_strategy.rs | 6 +- .../src/session_manager/sessions.rs | 8 +-- .../src/store/integration_tests.rs | 10 ++-- crates/matrix-sdk-crypto/src/store/mod.rs | 15 +++-- crates/matrix-sdk-crypto/src/x509/mod.rs | 17 ++++++ .../matrix-sdk-crypto/src/x509/x509_keys.rs | 20 +++++++ crates/matrix-sdk/src/encryption/mod.rs | 7 ++- 30 files changed, 204 insertions(+), 161 deletions(-) diff --git a/benchmarks/benches/crypto_bench.rs b/benchmarks/benches/crypto_bench.rs index 759c52636..ff3ce2008 100644 --- a/benchmarks/benches/crypto_bench.rs +++ b/benchmarks/benches/crypto_bench.rs 
@@ -43,7 +43,7 @@ fn huge_keys_query_response() -> get_keys::v3::Response { pub fn keys_query(c: &mut Criterion) { let runtime = Builder::new_multi_thread().build().expect("Can't create runtime"); - let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id())); + let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id(), None, None)); let response = keys_query_response(); let txn_id = TransactionId::new(); @@ -73,7 +73,7 @@ pub fn keys_query(c: &mut Criterion) { let dir = tempfile::tempdir().unwrap(); let store = Arc::new(runtime.block_on(SqliteCryptoStore::open(dir.path(), None)).unwrap()); let machine = runtime - .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), store, None)) + .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), None, store, None, None)) .unwrap(); group.bench_with_input( @@ -116,7 +116,12 @@ pub fn keys_claiming(c: &mut Criterion) { |b, response| { b.iter_batched( || { - let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id())); + let machine = runtime.block_on(OlmMachine::new( + alice_id(), + alice_device_id(), + None, + None, + )); runtime .block_on(machine.mark_request_as_sent(&txn_id, &keys_query_response)) .unwrap(); @@ -148,8 +153,10 @@ pub fn keys_claiming(c: &mut Criterion) { .block_on(OlmMachine::with_store( alice_id(), alice_device_id(), + None, store, None, + None, )) .unwrap(); runtime @@ -186,7 +193,7 @@ pub fn room_key_sharing(c: &mut Criterion) { let count = response.one_time_keys.values().fold(0, |acc, d| acc + d.len()); - let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id())); + let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id(), None, None)); runtime.block_on(machine.mark_request_as_sent(&txn_id, &keys_query_response)).unwrap(); runtime.block_on(machine.mark_request_as_sent(&txn_id, &response)).unwrap(); 
@@ -223,7 +230,7 @@ pub fn room_key_sharing(c: &mut Criterion) { let store = Arc::new(runtime.block_on(SqliteCryptoStore::open(dir.path(), None)).unwrap()); let machine = runtime - .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), store, None)) + .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), None, store, None, None)) .unwrap(); runtime.block_on(machine.mark_request_as_sent(&txn_id, &keys_query_response)).unwrap(); runtime.block_on(machine.mark_request_as_sent(&txn_id, &response)).unwrap(); @@ -260,7 +267,7 @@ pub fn room_key_sharing(c: &mut Criterion) { pub fn devices_missing_sessions_collecting(c: &mut Criterion) { let runtime = Builder::new_multi_thread().build().expect("Can't create runtime"); - let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id())); + let machine = runtime.block_on(OlmMachine::new(alice_id(), alice_device_id(), None, None)); let response = huge_keys_query_response(); let txn_id = TransactionId::new(); let users: Vec = response.device_keys.keys().cloned().collect(); @@ -288,7 +295,7 @@ pub fn devices_missing_sessions_collecting(c: &mut Criterion) { let store = Arc::new(runtime.block_on(SqliteCryptoStore::open(dir.path(), None)).unwrap()); let machine = runtime - .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), store, None)) + .block_on(OlmMachine::with_store(alice_id(), alice_device_id(), None, store, None, None)) .unwrap(); runtime.block_on(machine.mark_request_as_sent(&txn_id, &response)).unwrap(); diff --git a/bindings/matrix-sdk-crypto-ffi/src/dehydrated_devices.rs b/bindings/matrix-sdk-crypto-ffi/src/dehydrated_devices.rs index 5fd9910c2..61849048d 100644 --- a/bindings/matrix-sdk-crypto-ffi/src/dehydrated_devices.rs +++ b/bindings/matrix-sdk-crypto-ffi/src/dehydrated_devices.rs @@ -93,7 +93,9 @@ impl DehydratedDevices { inner: ManuallyDrop::new(self.runtime.block_on(self.inner.rehydrate( &key, &device_id, + None, device_data, + None, ))?), } .into(); 
diff --git a/bindings/matrix-sdk-crypto-ffi/src/lib.rs b/bindings/matrix-sdk-crypto-ffi/src/lib.rs index 0d8df0a22..9e61bd712 100644 --- a/bindings/matrix-sdk-crypto-ffi/src/lib.rs +++ b/bindings/matrix-sdk-crypto-ffi/src/lib.rs @@ -1164,8 +1164,10 @@ mod tests { let machine = OlmMachine::new( "@ganfra146:matrix.org".to_owned(), "DEWRCMENGS".to_owned(), + None, path, None, + None, )?; assert_eq!( diff --git a/bindings/matrix-sdk-crypto-ffi/src/machine.rs b/bindings/matrix-sdk-crypto-ffi/src/machine.rs index 9d598dda3..45dbb709a 100644 --- a/bindings/matrix-sdk-crypto-ffi/src/machine.rs +++ b/bindings/matrix-sdk-crypto-ffi/src/machine.rs @@ -21,7 +21,6 @@ use matrix_sdk_crypto::{ store::types::{BackupDecryptionKey, Changes}, types::{Signature, requests::ToDeviceRequest}, }; -use rsa::RsaPrivateKey; use ruma::{ DeviceKeyAlgorithm, EventId, OneTimeKeyAlgorithm, OwnedTransactionId, OwnedUserId, RoomId, UserId, @@ -203,13 +202,13 @@ impl OlmMachine { pub fn new( user_id: String, device_id: String, - rsa_key: Option, + _rsa_key: Option, path: String, mut passphrase: Option, + _x509_keys: Option, ) -> Result, CryptoStoreError> { let user_id = parse_user_id(&user_id)?; let device_id = device_id.as_str().into(); - let rsa_key = if let Some(k) = rsa_key { serde::from_str(&k)? } else { None }; let runtime = Runtime::new().expect("Couldn't create a tokio runtime"); let store = runtime @@ -220,9 +219,10 @@ impl OlmMachine { let inner = runtime.block_on(InnerMachine::with_store( &user_id, device_id, - rsa_key, + None, Arc::new(store), None, + None, // TODO: AJB: make X509Keys from String ))?; Ok(Arc::new(OlmMachine { inner: ManuallyDrop::new(inner), runtime })) diff --git a/crates/matrix-sdk-base/src/client.rs b/crates/matrix-sdk-base/src/client.rs index 0f4ce099d..8a5b9d79a 100644 --- a/crates/matrix-sdk-base/src/client.rs +++ b/crates/matrix-sdk-base/src/client.rs 
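Review bot: The FFI `OlmMachine::new` in bindings/matrix-sdk-crypto-ffi/src/machine.rs now accepts `_rsa_key` and `_x509_keys` but passes `None` for both to `InnerMachine::with_store`, so a caller that supplies key material gets a machine built without it and no error. Credential inputs should fail closed rather than be dropped silently. Until the string-to-`X509Keys` conversion named in the TODO exists, reject the call when either argument is set, e.g. `if _rsa_key.is_some() || _x509_keys.is_some() { return Err(/* placeholder: unsupported-argument error */); }`. The same hard-coded `None` is added to the `rehydrate` call in bindings/matrix-sdk-crypto-ffi/src/dehydrated_devices.rs. The change to `new` is split across two hunks and the function's end is not shown.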
@@ -382,6 +382,8 @@ impl BaseClient { None, self.crypto_store.clone(), custom_account, + // TODO: AJB: get existing x509_keys from the existing olm machine + None, ) .await .map_err(OlmError::from)?; diff --git a/crates/matrix-sdk-crypto/src/backups/mod.rs b/crates/matrix-sdk-crypto/src/backups/mod.rs index 0fc8fedb2..e9ac8755c 100644 --- a/crates/matrix-sdk-crypto/src/backups/mod.rs +++ b/crates/matrix-sdk-crypto/src/backups/mod.rs @@ -748,14 +748,14 @@ mod tests { #[async_test] async fn test_memory_store_backups() -> Result<(), OlmError> { - let machine = OlmMachine::new(alice_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; backup_flow(machine).await } #[async_test] async fn test_verify_auth_data() -> Result<(), OlmError> { - let machine = OlmMachine::new(alice_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; let backup_machine = machine.backup_machine(); let auth_data = json!({ @@ -834,7 +834,7 @@ mod tests { #[async_test] async fn test_import_backed_up_room_keys() { - let machine = OlmMachine::new(alice_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; let backup_machine = machine.backup_machine(); // We set up a backup key, so that we can test `backup_machine.backup()` later. @@ -883,7 +883,7 @@ mod tests { #[async_test] async fn test_sign_backup_info() { - let machine = OlmMachine::new(alice_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; let backup_machine = machine.backup_machine(); let decryption_key = BackupDecryptionKey::new(); 
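Review bot: The `None` added after `custom_account` in crates/matrix-sdk-base/src/client.rs means the machine built here always starts without X.509 keys, even when the machine it replaces had them, as the TODO itself admits. The enclosing function starts outside the hunk, so this is inferred: if the path can run on a client that was configured with keys, any check that depends on them would stop applying without a visible signal. Until the keys can be read back from the existing machine, make the gap explicit at the call site, e.g. `// SECURITY: x509_keys are not carried over when the OlmMachine is rebuilt; certificate checks are inactive on the new machine.`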
@@ -917,8 +917,9 @@ mod tests { // Create the machine using `with_store` and without a call to enable_backup_v1, // like regenerate_olm would do - let alice = - OlmMachine::with_store(alice_id(), alice_device_id(), None, store, None).await.unwrap(); + let alice = OlmMachine::with_store(alice_id(), alice_device_id(), None, store, None, None) + .await + .unwrap(); let binding = alice.backup_machine().backup_key.read().await; let machine_backup_key = binding.as_ref().unwrap(); diff --git a/crates/matrix-sdk-crypto/src/dehydrated_devices.rs b/crates/matrix-sdk-crypto/src/dehydrated_devices.rs index 4061cc0d1..b4ad69951 100644 --- a/crates/matrix-sdk-crypto/src/dehydrated_devices.rs +++ b/crates/matrix-sdk-crypto/src/dehydrated_devices.rs @@ -63,6 +63,7 @@ use crate::{ types::{Changes, DehydratedDeviceKey, RoomKeyInfo}, }, verification::VerificationMachine, + x509::X509Keys, }; /// Error type for device dehydration issues. @@ -116,8 +117,13 @@ impl DehydratedDevices { store.clone(), ); - let store = - Store::new(account.static_data().clone(), user_identity, store, verification_machine); + let store = Store::new( + account.static_data().clone(), + user_identity, + store, + verification_machine, + None, + ); store .save_pending_changes(crate::store::types::PendingChanges { account: Some(account) }) .await?; @@ -149,10 +155,11 @@ impl DehydratedDevices { device_id: &DeviceId, rsa_key: Option, device_data: Raw, + x509_keys: Option, ) -> Result { let rehydrated = self .inner - .rehydrate(pickle_key.inner.as_ref(), device_id, rsa_key, device_data) + .rehydrate(pickle_key.inner.as_ref(), device_id, rsa_key, device_data, x509_keys) .await?; Ok(RehydratedDevice { rehydrated, original: self.inner.to_owned() }) 
@@ -573,7 +580,7 @@ mod tests { // Rehydrate the device. let rehydrated = bob .dehydrated_devices() - .rehydrate(&pickle_key(), &request.device_id, None, request.device_data) + .rehydrate(&pickle_key(), &request.device_id, None, request.device_data, None) .await .expect("We should be able to rehydrate the device"); @@ -633,7 +640,7 @@ mod tests { // Rehydrate the device. dehydrated_manager - .rehydrate(&stored_key, &request.device_id, None, request.device_data) + .rehydrate(&stored_key, &request.device_id, None, request.device_data, None) .await .expect("We should be able to rehydrate the device"); @@ -688,7 +695,7 @@ mod tests { // Rehydrate the device. let rehydrated = bob .dehydrated_devices() - .rehydrate(&pickle_key(), &device_id, None, request.device_data) + .rehydrate(&pickle_key(), &device_id, None, request.device_data, None) .await .expect("We should be able to rehydrate the device"); diff --git a/crates/matrix-sdk-crypto/src/gossiping/machine.rs b/crates/matrix-sdk-crypto/src/gossiping/machine.rs index 4c055bdcc..765e236cf 100644 --- a/crates/matrix-sdk-crypto/src/gossiping/machine.rs +++ b/crates/matrix-sdk-crypto/src/gossiping/machine.rs @@ -1309,7 +1309,7 @@ mod tests { let identity = Arc::new(Mutex::new(PrivateCrossSigningIdentity::empty(alice_id()))); let verification = VerificationMachine::new(static_data.clone(), identity.clone(), store.clone()); - let store = Store::new(static_data, identity, store, verification); + let store = Store::new(static_data, identity, store, verification, None); let session_cache = GroupSessionCache::new(store.clone()); let identity_manager = IdentityManager::new(store.clone()); 
@@ -1352,7 +1352,7 @@ mod tests { let verification = VerificationMachine::new(account.static_data.clone(), identity.clone(), store.clone()); - let store = Store::new(account.static_data().clone(), identity, store, verification); + let store = Store::new(account.static_data().clone(), identity, store, verification, None); store.save_device_data(&[device, another_device]).await.unwrap(); store.save_pending_changes(PendingChanges { account: Some(account) }).await.unwrap(); let session_cache = GroupSessionCache::new(store.clone()); diff --git a/crates/matrix-sdk-crypto/src/identities/manager.rs b/crates/matrix-sdk-crypto/src/identities/manager.rs index 8e353498b..99ca20973 100644 --- a/crates/matrix-sdk-crypto/src/identities/manager.rs +++ b/crates/matrix-sdk-crypto/src/identities/manager.rs @@ -1258,7 +1258,7 @@ pub(crate) mod testing { let store = Arc::new(CryptoStoreWrapper::new(&user_id, device_id, MemoryStore::new())); let verification = VerificationMachine::new(static_account.clone(), identity.clone(), store.clone()); - let store = Store::new(static_account, identity, store, verification); + let store = Store::new(static_account, identity, store, verification, None); store.save_pending_changes(PendingChanges { account: Some(account) }).await.unwrap(); IdentityManager::new(store) } @@ -2195,7 +2195,7 @@ pub(crate) mod tests { async fn common_verified_identity_changes_machine_setup() -> OlmMachine { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; let keys_query = DataSet::own_keys_query_response_1(); let txn_id = TransactionId::new(); 
@@ -2314,7 +2314,7 @@ pub(crate) mod tests { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; // Start on a non-verified session - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; let keys_query = DataSet::own_keys_query_response_1(); let txn_id = TransactionId::new(); diff --git a/crates/matrix-sdk-crypto/src/identities/room_identity_state.rs b/crates/matrix-sdk-crypto/src/identities/room_identity_state.rs index 23eb61a77..b19674372 100644 --- a/crates/matrix-sdk-crypto/src/identities/room_identity_state.rs +++ b/crates/matrix-sdk-crypto/src/identities/room_identity_state.rs @@ -1180,6 +1180,7 @@ mod tests { MemoryStore::new(), )), verification_machine, + None, ), )) } diff --git a/crates/matrix-sdk-crypto/src/identities/user.rs b/crates/matrix-sdk-crypto/src/identities/user.rs index 9aed5502f..308e3e52c 100644 --- a/crates/matrix-sdk-crypto/src/identities/user.rs +++ b/crates/matrix-sdk-crypto/src/identities/user.rs @@ -44,7 +44,6 @@ use crate::{ requests::OutgoingVerificationRequest, }, verification::VerificationMachine, - x509, }; /// Enum over the different user identity types we can have. @@ -929,8 +928,8 @@ impl OtherUserIdentityData { self.user_id() == device.user_id() && self.self_signing_key.verify_device(device).is_ok() } - pub(crate) fn verify_certificate_chain(&self, certificate_authorities: Vec) -> bool { - let Some(this_user_sigs) = self.master_key.signatures().get(&self.user_id) else { + pub(crate) fn verify_certificate_chain(&self, _certificate_authorities: Vec) -> bool { + let Some(_this_user_sigs) = self.master_key.signatures().get(&self.user_id) else { return false; }; 
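Review bot: In `verify_certificate_chain` (crates/matrix-sdk-crypto/src/identities/user.rs) both the `_certificate_authorities` argument and the `_this_user_sigs` binding are now unused, so the result cannot depend on the CA list or on the signatures themselves. The rest of the body is outside the hunk. A trust check in that state should fail closed: if the remaining body can return `true`, make it return `false` until chain validation is implemented. A doc comment such as `/// Not yet implemented: does not validate against the given CAs and must not be used for trust decisions.` would keep callers from relying on it in the meantime.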
@@ -1778,7 +1777,7 @@ pub(crate) mod tests { use test_json::keys_query_sets::IdentityChangeDataSet as DataSet; let my_user_id = user_id!("@me:localhost"); - let machine = OlmMachine::new(my_user_id, device_id!("ABCDEFGH"), None).await; + let machine = OlmMachine::new(my_user_id, device_id!("ABCDEFGH"), None, None).await; machine.bootstrap_cross_signing(false).await.unwrap(); let my_id = machine.get_identity(my_user_id, None).await.unwrap().unwrap().own().unwrap(); @@ -1826,7 +1825,7 @@ pub(crate) mod tests { use test_json::keys_query_sets::IdentityChangeDataSet as DataSet; let my_user_id = user_id!("@me:localhost"); - let machine = OlmMachine::new(my_user_id, device_id!("ABCDEFGH"), None).await; + let machine = OlmMachine::new(my_user_id, device_id!("ABCDEFGH"), None, None).await; machine.bootstrap_cross_signing(false).await.unwrap(); let keys_query = DataSet::key_query_with_identity_a(); @@ -1864,7 +1863,7 @@ pub(crate) mod tests { async fn test_resolve_identity_verification_violation_with_withdraw() { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; let keys_query = DataSet::own_keys_query_response_1(); let txn_id = TransactionId::new(); @@ -1904,7 +1903,7 @@ pub(crate) mod tests { async fn test_reset_own_keys_creates_verification_violation() { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; let keys_query = DataSet::own_keys_query_response_1(); let txn_id = TransactionId::new(); 
@@ -1945,7 +1944,7 @@ pub(crate) mod tests { async fn test_own_keys_update_creates_own_identity_verification_violation() { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; // Start with our own identity verified let own_keys = DataSet::own_keys_query_response_1(); diff --git a/crates/matrix-sdk-crypto/src/lib.rs b/crates/matrix-sdk-crypto/src/lib.rs index d04089ac7..f8de3087a 100644 --- a/crates/matrix-sdk-crypto/src/lib.rs +++ b/crates/matrix-sdk-crypto/src/lib.rs @@ -33,7 +33,7 @@ pub mod store; pub mod types; mod utilities; mod verification; -mod x509; +pub mod x509; #[cfg(any(test, feature = "testing"))] /// Testing facilities and helpers for crypto tests diff --git a/crates/matrix-sdk-crypto/src/machine/mod.rs b/crates/matrix-sdk-crypto/src/machine/mod.rs index c014f7c8c..8748caf83 100644 --- a/crates/matrix-sdk-crypto/src/machine/mod.rs +++ b/crates/matrix-sdk-crypto/src/machine/mod.rs @@ -117,6 +117,7 @@ use crate::{ }, utilities::timestamp_to_iso8601, verification::{Verification, VerificationMachine, VerificationRequest}, + x509::X509Keys, }; #[derive(Debug, Serialize)] @@ -195,8 +196,9 @@ impl OlmMachine { user_id: &UserId, device_id: &DeviceId, rsa_key: Option, + x509_keys: Option, ) -> Self { - OlmMachine::with_store(user_id, device_id, rsa_key, MemoryStore::new(), None) + OlmMachine::with_store(user_id, device_id, rsa_key, MemoryStore::new(), None, x509_keys) .await .expect("Reading and writing to the memory store always succeeds") } @@ -207,6 +209,7 @@ impl OlmMachine { device_id: &DeviceId, rsa_key: Option, device_data: Raw, + x509_keys: Option, ) -> Result { let account = Account::rehydrate(pickle_key, self.user_id(), device_id, device_data)?; let static_account = account.static_data().clone(); 
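Review bot: The new `x509_keys` parameter on `OlmMachine::new` and `rehydrate` in crates/matrix-sdk-crypto/src/machine/mod.rs (and on `with_store` in the following hunks) is added without any documentation. Call sites now read `with_store(user, device, None, store, None, None)`, where three unlabelled `None`s stand for the RSA key, the custom account and the X.509 keys. The doc comments sit outside these hunks; each should gain an argument line such as `/// * x509_keys - optional X.509 key material passed on to the Store; None leaves it unset.` Since `lib.rs` also makes `x509` a public module, this is now public API, and a small options struct or builder for the optional key inputs would be easier to read and extend than further positional `Option`s.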
@@ -222,8 +225,12 @@ impl OlmMachine { }) .await?; - let (verification_machine, store, identity_manager) = - Self::new_helper_prelude(store, static_account, self.store().private_identity()); + let (verification_machine, store, identity_manager) = Self::new_helper_prelude( + store, + static_account, + self.store().private_identity(), + x509_keys, + ); Ok(Self::new_helper( device_id, @@ -240,10 +247,18 @@ impl OlmMachine { store_wrapper: Arc, account: StaticAccountData, user_identity: Arc>, + x509_keys: Option, ) -> (VerificationMachine, Store, IdentityManager) { let verification_machine = VerificationMachine::new(account.clone(), user_identity.clone(), store_wrapper.clone()); - let store = Store::new(account, user_identity, store_wrapper, verification_machine.clone()); + + let store = Store::new( + account, + user_identity, + store_wrapper, + verification_machine.clone(), + x509_keys, + ); let identity_manager = IdentityManager::new(store.clone()); @@ -322,6 +337,7 @@ impl OlmMachine { rsa_key: Option, store: impl IntoCryptoStore, custom_account: Option, + x509_keys: Option, ) -> StoreResult { let store = store.into_crypto_store(); @@ -414,7 +430,7 @@ impl OlmMachine { let store = Arc::new(CryptoStoreWrapper::new(user_id, device_id, store)); let (verification_machine, store, identity_manager) = - Self::new_helper_prelude(store, static_account, identity.clone()); + Self::new_helper_prelude(store, static_account, identity.clone(), x509_keys); // FIXME: We might want in the future a more generic high-level data migration // mechanism (at the store wrapper layer). diff --git a/crates/matrix-sdk-crypto/src/machine/test_helpers.rs b/crates/matrix-sdk-crypto/src/machine/test_helpers.rs index 52cb187ce..8660c4053 100644 --- a/crates/matrix-sdk-crypto/src/machine/test_helpers.rs +++ b/crates/matrix-sdk-crypto/src/machine/test_helpers.rs 
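Review bot: `rehydrate` takes the private identity from the parent machine via `self.store().private_identity()` but takes `x509_keys` from the caller, so the rehydrated machine's key material can differ from the parent's. In particular, every caller in this patch passes `None`, which yields a rehydrated machine with no X.509 keys regardless of how the parent was configured. If the rehydrated device is meant to apply the same certificate policy as its parent (not visible from this hunk), read the keys from the parent's store, as is done for the identity, rather than adding a parameter. Otherwise document on `rehydrate` why the two may differ.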
@@ -80,7 +80,7 @@ pub async fn get_prepared_machine_test_helper( user_id: &UserId, use_fallback_key: bool, ) -> (OlmMachine, OneTimeKeys) { - let machine = OlmMachine::new(user_id, bob_device_id(), None).await; + let machine = OlmMachine::new(user_id, bob_device_id(), None, None).await; let request = machine .store() @@ -123,7 +123,7 @@ pub async fn get_machine_pair_using_store( ) -> (OlmMachine, OlmMachine, OneTimeKeys) { let (bob, otk) = get_prepared_machine_test_helper(bob, use_fallback_key).await; - let alice = OlmMachine::with_store(alice, alice_device_id, None, alice_store, None) + let alice = OlmMachine::with_store(alice, alice_device_id, None, alice_store, None, None) .await .expect("Failed to create OlmMachine from supplied store"); @@ -139,7 +139,7 @@ pub async fn get_machine_pair( let (bob, otk) = get_prepared_machine_test_helper(bob, use_fallback_key).await; let alice_device = alice_device_id(); - let alice = OlmMachine::new(alice, alice_device, None).await; + let alice = OlmMachine::new(alice, alice_device, None, None).await; store_each_others_device_data(&alice, &bob).await; (alice, bob, otk) diff --git a/crates/matrix-sdk-crypto/src/machine/tests/mod.rs b/crates/matrix-sdk-crypto/src/machine/tests/mod.rs index 26c4aaba7..65653b3a7 100644 --- a/crates/matrix-sdk-crypto/src/machine/tests/mod.rs +++ b/crates/matrix-sdk-crypto/src/machine/tests/mod.rs @@ -142,7 +142,7 @@ pub fn to_device_requests_to_content( #[async_test] async fn test_create_olm_machine() { let test_start_ts = MilliSecondsSinceUnixEpoch::now(); - let machine = OlmMachine::new(user_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(user_id(), alice_device_id(), None, None).await; let device_creation_time = machine.device_creation_time(); assert!(device_creation_time <= MilliSecondsSinceUnixEpoch::now()); 
@@ -163,7 +163,7 @@ async fn test_create_olm_machine() { #[async_test] async fn test_generate_one_time_keys() { - let machine = OlmMachine::new(user_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(user_id(), alice_device_id(), None, None).await; machine .store() @@ -207,7 +207,7 @@ async fn test_generate_one_time_keys() { #[async_test] async fn test_device_key_signing() { - let machine = OlmMachine::new(user_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(user_id(), alice_device_id(), None, None).await; let (device_keys, identity_keys) = { let cache = machine.store().cache().await.unwrap(); @@ -229,7 +229,7 @@ async fn test_device_key_signing() { #[async_test] async fn test_session_invalidation() { - let machine = OlmMachine::new(user_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(user_id(), alice_device_id(), None, None).await; let room_id = room_id!("!test:example.org"); machine.create_outbound_group_session_with_defaults_test_helper(room_id).await.unwrap(); @@ -290,7 +290,7 @@ fn test_one_time_key_signing() { #[async_test] async fn test_keys_for_upload() { - let machine = OlmMachine::new(user_id(), alice_device_id(), None).await; + let machine = OlmMachine::new(user_id(), alice_device_id(), None, None).await; let decryption_settings = DecryptionSettings { sender_device_trust_requirement: TrustRequirement::Untrusted }; @@ -1260,7 +1260,7 @@ async fn test_query_ratcheted_key() { // Need a second bob session to check gossiping let bob_id = user_id(); let bob_other_device = device_id!("OTHERBOB"); - let bob_other_machine = OlmMachine::new(bob_id, bob_other_device, None).await; + let bob_other_machine = OlmMachine::new(bob_id, bob_other_device, None, None).await; let bob_other_device = DeviceData::from_machine_test_helper(&bob_other_machine).await.unwrap(); bob.store().save_device_data(&[bob_other_device]).await.unwrap(); bob.get_device(bob_id, device_id!("OTHERBOB"), None) 
@@ -1477,7 +1477,7 @@ async fn test_room_key_with_fake_identity_keys() { async fn test_importing_private_cross_signing_keys_verifies_the_public_identity() { async fn create_additional_machine(machine: &OlmMachine) -> OlmMachine { let second_machine = - OlmMachine::new(machine.user_id(), "ADDITIONAL_MACHINE".into(), None).await; + OlmMachine::new(machine.user_id(), "ADDITIONAL_MACHINE".into(), None, None).await; let identity = machine .get_identity(machine.user_id(), None) @@ -1568,7 +1568,7 @@ async fn test_wait_on_key_query_doesnt_block_store() { // This test will end immediately if it works, and times out after a few seconds // if it failed. - let machine = OlmMachine::new(bob_id(), bob_device_id(), None).await; + let machine = OlmMachine::new(bob_id(), bob_device_id(), None, None).await; // Mark Alice as a tracked user, so it gets into the groups of users for which // we need to query keys. @@ -1642,8 +1642,9 @@ async fn test_fix_incorrect_usage_of_backup_key_causing_decryption_errors() { // Create the machine using `with_store` and without a call to enable_backup_v1, // like regenerate_olm would do - let alice = - OlmMachine::with_store(user_id(), alice_device_id(), None, store, None).await.unwrap(); + let alice = OlmMachine::with_store(user_id(), alice_device_id(), None, store, None, None) + .await + .unwrap(); let exported_key = ExportedRoomKey::from_backed_up_room_key( owned_room_id!("!room:id"), @@ -1679,9 +1680,10 @@ async fn test_olm_machine_with_custom_account() { let account = vodozemac::olm::Account::new(); let curve_key = account.identity_keys().curve25519; - let alice = OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account)) - .await - .unwrap(); + let alice = + OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account), None) + .await + .unwrap(); assert_eq!( alice.identity_keys().curve25519, 
@@ -2023,9 +2025,10 @@ async fn test_mark_all_tracked_users_as_dirty() { .await .unwrap(); - let alice = OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account)) - .await - .unwrap(); + let alice = + OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account), None) + .await + .unwrap(); // All users are marked as not dirty. alice.store().load_tracked_users().await.unwrap().iter().for_each(|tracked_user| { @@ -2054,9 +2057,10 @@ async fn test_verified_latch_migration() { let to_track_not_dirty = vec![(bob_id, false), (carol_id, false)]; store.save_tracked_users(&to_track_not_dirty).await.unwrap(); - let alice = OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account)) - .await - .unwrap(); + let alice = + OlmMachine::with_store(user_id(), alice_device_id(), None, store, Some(account), None) + .await + .unwrap(); let alice_store = alice.store(); diff --git a/crates/matrix-sdk-crypto/src/machine/tests/olm_encryption.rs b/crates/matrix-sdk-crypto/src/machine/tests/olm_encryption.rs index 005f3d4dd..4145e7e4a 100644 --- a/crates/matrix-sdk-crypto/src/machine/tests/olm_encryption.rs +++ b/crates/matrix-sdk-crypto/src/machine/tests/olm_encryption.rs @@ -155,7 +155,8 @@ async fn test_getting_most_recent_session() { #[async_test] async fn test_get_most_recent_session_of_device_with_no_curve_key() { let alice_machine = - OlmMachine::new(user_id!("@alice:example.org"), device_id!("ALICE_DEVICE"), None).await; + OlmMachine::new(user_id!("@alice:example.org"), device_id!("ALICE_DEVICE"), None, None) + .await; let bob_user_id = user_id!("@bob:example.com"); let bob_device_id = device_id!("BOB_DEVICE"); diff --git a/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs b/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs index e271c8587..2626be3de 100644 --- a/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs +++ b/crates/matrix-sdk-crypto/src/machine/tests/room_settings.rs 
@@ -11,14 +11,14 @@ use crate::{ #[async_test] async fn test_room_settings_returns_none_for_unknown_room() { - let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None).await; + let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None, None).await; let settings = machine.room_settings(room_id!("!test2:localhost")).await.unwrap(); assert!(settings.is_none()); } #[async_test] async fn test_stores_and_returns_room_settings() { - let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None).await; + let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None, None).await; let room_id = room_id!("!test:localhost"); let settings = RoomSettings { @@ -36,7 +36,7 @@ async fn test_stores_and_returns_room_settings() { #[async_test] async fn test_set_room_settings_rejects_invalid_algorithms() { - let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None).await; + let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None, None).await; let room_id = room_id!("!test:localhost"); let err = machine @@ -54,7 +54,7 @@ async fn test_set_room_settings_rejects_invalid_algorithms() { #[async_test] async fn test_set_room_settings_rejects_changes() { - let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None).await; + let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None, None).await; let room_id = room_id!("!test:localhost"); // Initial settings @@ -80,7 +80,7 @@ async fn test_set_room_settings_rejects_changes() { #[async_test] async fn test_set_room_settings_accepts_noop_changes() { - let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None).await; + let machine = OlmMachine::new(tests::user_id(), tests::alice_device_id(), None, None).await; let room_id = room_id!("!test:localhost"); // Initial settings 
diff --git a/crates/matrix-sdk-crypto/src/machine/tests/send_encrypted_to_device.rs b/crates/matrix-sdk-crypto/src/machine/tests/send_encrypted_to_device.rs index 23946e8dd..fcba17eb2 100644 --- a/crates/matrix-sdk-crypto/src/machine/tests/send_encrypted_to_device.rs +++ b/crates/matrix-sdk-crypto/src/machine/tests/send_encrypted_to_device.rs @@ -164,7 +164,7 @@ async fn test_receive_custom_encrypted_to_device_with_no_sender_device_keys_fail { let (bob, otk) = get_prepared_machine_test_helper(bob_id(), false).await; - let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id()).await; + let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id(), None, None).await; let bob_device = DeviceData::from_machine_test_helper(&bob).await.unwrap(); alice.store().save_device_data(&[bob_device]).await.unwrap(); @@ -215,7 +215,7 @@ async fn test_excluding_insecure_means_custom_to_device_events_from_unverified_d let (bob, otk) = get_prepared_machine_test_helper(bob_id(), false).await; // Alice is the sender - let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id()).await; + let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id(), None, None).await; let bob_device = DeviceData::from_machine_test_helper(&bob).await.unwrap(); alice.store().save_device_data(&[bob_device]).await.unwrap(); @@ -268,7 +268,7 @@ async fn test_excluding_insecure_does_not_prevent_key_events_being_processed() { let (bob, otk) = get_prepared_machine_test_helper(bob_id(), false).await; // Alice is the sender - let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id()).await; + let alice = OlmMachine::new(tests::alice_id(), tests::alice_device_id(), None, None).await; let bob_device = DeviceData::from_machine_test_helper(&bob).await.unwrap(); alice.store().save_device_data(&[bob_device]).await.unwrap(); 
@@ -755,7 +755,7 @@ async fn test_share_strategy_prevents_encryption() { use crate::CrossSigningKeyExport; // Create the local user (`@me`), and import the public identity keys - let machine = OlmMachine::new(DataSet::me_id(), DataSet::me_device_id()).await; + let machine = OlmMachine::new(DataSet::me_id(), DataSet::me_device_id(), None, None).await; let keys_query = DataSet::me_keys_query_response(); machine.mark_request_as_sent(&TransactionId::new(), &keys_query).await.unwrap(); diff --git a/crates/matrix-sdk-crypto/src/olm/account.rs b/crates/matrix-sdk-crypto/src/olm/account.rs index 67728dfb4..9a9c54780 100644 --- a/crates/matrix-sdk-crypto/src/olm/account.rs +++ b/crates/matrix-sdk-crypto/src/olm/account.rs @@ -25,27 +25,21 @@ use js_option::JsOption; use matrix_sdk_common::deserialized_responses::{ AlgorithmInfo, DeviceLinkProblem, EncryptionInfo, VerificationLevel, VerificationState, }; -use rsa::{RsaPrivateKey, rand_core::OsRng, signature::RandomizedSigner}; +use rsa::RsaPrivateKey; use ruma::{ CanonicalJsonValue, DeviceId, DeviceKeyAlgorithm, DeviceKeyId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId, OwnedDeviceId, OwnedDeviceKeyId, OwnedOneTimeKeyId, OwnedUserId, RoomId, SecondsSinceUnixEpoch, UInt, UserId, api::client::{ dehydrated_device::{DehydratedDeviceData, DehydratedDeviceV2}, - keys::{ - upload_keys, - upload_signatures::v3::{Request as SignatureUploadRequest, SignedKeys}, - }, + keys::{upload_keys, upload_signatures::v3::Request as SignatureUploadRequest}, }, canonical_json::to_canonical_value, events::{AnyToDeviceEvent, room::history_visibility::HistoryVisibility}, serde::Raw, }; use serde::{Deserialize, Serialize, de::Error}; -use serde_json::{ - json, - value::{RawValue as RawJsonValue, to_raw_value}, -}; +use serde_json::value::{RawValue as RawJsonValue, to_raw_value}; use sha2::{Digest, Sha256}; use tokio::sync::Mutex; use tracing::{Span, debug, field::debug, info, instrument, trace, warn}; 
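Review bot: `use rsa::RsaPrivateKey;` survives in the import hunk of olm/account.rs, yet the later hunks of this file delete `sign_json_rsa`, the only reader of `self.rsa_key` visible in this diff, and no account.rs hunk removes that field. If nothing outside the diff still reads it, `Account` would keep holding an RSA private key it never uses. Either drop the field, whichever constructor argument feeds it, and this import in the same change, or add a comment on the field naming the code that still needs it. The new `X509Keys` type looks like the intended single home for signing keys, but that is inferred from the commit subject and the x509 module, not shown here.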
@@ -68,13 +62,13 @@ use crate::{ dehydrated_devices::DehydrationError, error::{EventError, OlmResult, SessionCreationError}, identities::DeviceData, - olm::{SenderData, utility::to_signable_json}, + olm::SenderData, store::{ Store, types::{Changes, DeviceChanges}, }, types::{ - CrossSigningKey, DeviceKeys, EventEncryptionAlgorithm, MasterPubkey, OneTimeKey, SignedKey, + CrossSigningKey, DeviceKeys, EventEncryptionAlgorithm, OneTimeKey, SignedKey, events::{ olm_v1::AnyDecryptedOlmEvent, room::encrypted::{ @@ -863,25 +857,6 @@ impl Account { signature, ); - //let key_name = device_id!("todo_key_id"); - - //let key_algorithm: DeviceKeyAlgorithm = serde_json::from_str("rsa").expect( - // "Hard-coded string unexpectedly failed to deserialize as a - // DeviceKeyAlgorithm.", - //); - - //let device_key_id = DeviceKeyId::from_parts(key_algorithm, key_name); - - // TODO: AJB: more properly support an RSA algorithm type? - - let device_key_id = - serde_json::from_value(json!("rsa:todo_key_id")).expect("Failed to deserialize x"); - - let rsa_signature = self.sign_json_rsa(canonical_json.clone())?; - if let Some(rsa_signature) = rsa_signature { - cross_signing_key.signatures.add_signature_rsa(signer, device_key_id, rsa_signature); - } - Ok(()) } @@ -896,27 +871,6 @@ impl Account { self.inner.sign_json(json) } - /// Sign the supplied JSON string with our RSA key. - /// - /// # Arguments - /// - /// * `json` - The canonical JSON value to sign string. - pub fn sign_json_rsa( - &self, - json: CanonicalJsonValue, - ) -> Result, SignatureError> { - let json = to_signable_json(json)?; - - Ok(match &self.rsa_key { - Some(rsa_key) => { - let mut rng = OsRng::default(); - let signing_key = rsa::pss::SigningKey::::new(rsa_key.clone()); - Some(signing_key.sign_with_rng(&mut rng, json.as_bytes())) - } - None => None, - }) - } - /// Sign and prepare one-time keys to be uploaded. /// /// If no one-time keys need to be uploaded, returns an empty `BTreeMap`. 
diff --git a/crates/matrix-sdk-crypto/src/olm/group_sessions/inbound.rs b/crates/matrix-sdk-crypto/src/olm/group_sessions/inbound.rs index a5ee1f5e8..435c7ad29 100644 --- a/crates/matrix-sdk-crypto/src/olm/group_sessions/inbound.rs +++ b/crates/matrix-sdk-crypto/src/olm/group_sessions/inbound.rs @@ -949,7 +949,7 @@ mod tests { #[async_test] async fn test_pickle_snapshot() { - let account = Account::new(alice_id()); + let account = Account::new(alice_id(), None); let room_id = room_id!("!test:localhost"); let (_, session) = account.create_group_session_pair_with_defaults(room_id).await; @@ -1161,7 +1161,7 @@ mod tests { #[async_test] #[allow(deprecated)] async fn test_session_comparison() { - let alice = Account::with_device_id(alice_id(), alice_device_id()); + let alice = Account::with_device_id(alice_id(), alice_device_id(), None); let room_id = room_id!("!test:localhost"); let (_, inbound) = alice.create_group_session_pair_with_defaults(room_id).await; @@ -1189,7 +1189,7 @@ mod tests { #[async_test] #[allow(deprecated)] async fn test_session_comparison_sender_data() { - let alice = Account::with_device_id(alice_id(), alice_device_id()); + let alice = Account::with_device_id(alice_id(), alice_device_id(), None); let room_id = room_id!("!test:localhost"); let (_, mut inbound) = alice.create_group_session_pair_with_defaults(room_id).await; @@ -1434,7 +1434,7 @@ mod tests { #[async_test] async fn test_shared_history_in_pickle() { - let alice = Account::with_device_id(alice_id(), alice_device_id()); + let alice = Account::with_device_id(alice_id(), alice_device_id(), None); let room_id = room_id!("!test:localhost"); let (_, mut inbound) = alice.create_group_session_pair_with_defaults(room_id).await; 
@@ -1458,7 +1458,7 @@ mod tests { #[async_test] async fn test_shared_history_in_export() { - let alice = Account::with_device_id(alice_id(), alice_device_id()); + let alice = Account::with_device_id(alice_id(), alice_device_id(), None); let room_id = room_id!("!test:localhost"); let (_, mut inbound) = alice.create_group_session_pair_with_defaults(room_id).await; diff --git a/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data.rs b/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data.rs index d34b39209..ed00a3742 100644 --- a/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data.rs +++ b/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data.rs @@ -753,7 +753,7 @@ mod tests { #[async_test] async fn test_from_device_for_unsigned_device() { let bob_account = - Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE")); + Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE"), None); let bob_device = create_unsigned_device(bob_account.device_keys()); let sender_data = SenderData::from_device(&bob_device); @@ -771,7 +771,7 @@ mod tests { async fn test_from_device_for_unverified_user() { let bob_identity = PrivateCrossSigningIdentity::new(owned_user_id!("@bob:example.com")); let bob_account = - Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE")); + Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE"), None); let bob_device = create_signed_device_of_unverified_user( bob_account.device_keys().clone(), &bob_identity, 
@@ -794,13 +794,16 @@ mod tests { #[async_test] async fn test_from_device_for_verified_user() { - let alice_account = - Account::with_device_id(user_id!("@alice:example.com"), device_id!("ALICE_DEVICE")); + let alice_account = Account::with_device_id( + user_id!("@alice:example.com"), + device_id!("ALICE_DEVICE"), + None, + ); let alice_identity = PrivateCrossSigningIdentity::for_account(&alice_account); let bob_identity = PrivateCrossSigningIdentity::new(owned_user_id!("@bob:example.com")); let bob_account = - Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE")); + Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE"), None); let bob_device = create_signed_device_of_verified_user( bob_account.device_keys().clone(), &bob_identity, @@ -826,7 +829,7 @@ mod tests { async fn test_from_device_for_verification_violation_user() { let bob_identity = PrivateCrossSigningIdentity::new(owned_user_id!("@bob:example.com")); let bob_account = - Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE")); + Account::with_device_id(user_id!("@bob:example.com"), device_id!("BOB_DEVICE"), None); let bob_device = create_signed_device_of_unverified_user(bob_account.device_keys(), &bob_identity).await; bob_device diff --git a/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data_finder.rs b/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data_finder.rs index c60b76671..72fcb07cf 100644 --- a/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data_finder.rs +++ b/crates/matrix-sdk-crypto/src/olm/group_sessions/sender_data_finder.rs @@ -866,6 +866,7 @@ mod tests { Arc::clone(&me.private_identity), store_wrapper, verification_machine, + None, ) } 
@@ -911,7 +912,7 @@ mod tests { is_verified: bool, signer: Option<&TestUser>, ) -> Self { - let account = Account::with_device_id(user_id, device_id); + let account = Account::with_device_id(user_id, device_id, None); let user_id = user_id.to_owned(); let private_identity = Arc::new(Mutex::new(PrivateCrossSigningIdentity::for_account(&account))); diff --git a/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs b/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs index 9103821fc..bf867b8ae 100644 --- a/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs +++ b/crates/matrix-sdk-crypto/src/session_manager/group_sessions/mod.rs @@ -1202,7 +1202,7 @@ mod tests { let keys_query = keys_query_response(); let txn_id = TransactionId::new(); - let machine = OlmMachine::new(user_id, device_id).await; + let machine = OlmMachine::new(user_id, device_id, None, None).await; // complete a /keys/query and /keys/claim for @example:localhost machine.mark_request_as_sent(&txn_id, &keys_query).await.unwrap(); @@ -1601,7 +1601,7 @@ mod tests { let keys_query = keys_query_response(); let txn_id = TransactionId::new(); - let machine = OlmMachine::new(alice_id(), alice_device_id()).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; machine.mark_request_as_sent(&txn_id, &keys_query).await.unwrap(); machine.mark_request_as_sent(&txn_id, &bob_keys_query_response()).await.unwrap(); @@ -1655,7 +1655,7 @@ mod tests { #[async_test] async fn test_resend_session_after_unwedging() { - let machine = OlmMachine::new(alice_id(), alice_device_id()).await; + let machine = OlmMachine::new(alice_id(), alice_device_id(), None, None).await; assert_let!(Ok(Some((txn_id, device_keys_request))) = machine.upload_device_keys().await); let device_keys_response = upload_keys::v3::Response::new(BTreeMap::from([( OneTimeKeyAlgorithm::SignedCurve25519, 
@@ -1666,7 +1666,7 @@ mod tests { let room_id = room_id!("!test:localhost"); let bob_id = user_id!("@bob:localhost"); - let bob_account = Account::new(bob_id); + let bob_account = Account::new(bob_id, None); let keys_query_data = json!({ "device_keys": { "@bob:localhost": { diff --git a/crates/matrix-sdk-crypto/src/session_manager/group_sessions/share_strategy.rs b/crates/matrix-sdk-crypto/src/session_manager/group_sessions/share_strategy.rs index 8e430b435..33512fb75 100644 --- a/crates/matrix-sdk-crypto/src/session_manager/group_sessions/share_strategy.rs +++ b/crates/matrix-sdk-crypto/src/session_manager/group_sessions/share_strategy.rs @@ -1097,7 +1097,7 @@ mod tests { use KeyDistributionTestData as DataSet; // Create the local user (`@me`), and import the public identity keys - let machine = OlmMachine::new(DataSet::me_id(), DataSet::me_device_id()).await; + let machine = OlmMachine::new(DataSet::me_id(), DataSet::me_device_id(), None, None).await; let keys_query = DataSet::me_keys_query_response(); machine.mark_request_as_sent(&TransactionId::new(), &keys_query).await.unwrap(); @@ -1872,7 +1872,7 @@ mod tests { async fn test_should_not_error_on_unsigned_of_unverified() { use VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL")).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; // Tell the OlmMachine about our own public keys. let own_keys = DataSet::own_keys_query_response_1(); @@ -3186,7 +3186,7 @@ mod tests { async fn unsigned_of_verified_setup() -> OlmMachine { use test_json::keys_query_sets::VerificationViolationTestData as DataSet; - let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL")).await; + let machine = OlmMachine::new(DataSet::own_id(), device_id!("LOCAL"), None, None).await; // Tell the OlmMachine about our own public keys. let own_keys = DataSet::own_keys_query_response_1(); 
diff --git a/crates/matrix-sdk-crypto/src/session_manager/sessions.rs b/crates/matrix-sdk-crypto/src/session_manager/sessions.rs index d27b9bc47..4c22bfcf8 100644 --- a/crates/matrix-sdk-crypto/src/session_manager/sessions.rs +++ b/crates/matrix-sdk-crypto/src/session_manager/sessions.rs @@ -621,7 +621,7 @@ mod tests { } fn bob_account() -> Account { - Account::with_device_id(user_id!("@bob:localhost"), device_id!("BOBDEVICE")) + Account::with_device_id(user_id!("@bob:localhost"), device_id!("BOBDEVICE"), None, None) } fn keys_claim_with_failure() -> KeyClaimResponse { @@ -651,7 +651,7 @@ mod tests { let user_id = user_id(); let device_id = device_id(); - let account = Account::with_device_id(user_id, device_id); + let account = Account::with_device_id(user_id, device_id, None); let store = Arc::new(CryptoStoreWrapper::new(user_id, device_id, MemoryStore::new())); let identity = Arc::new(Mutex::new(PrivateCrossSigningIdentity::empty(user_id))); let verification = VerificationMachine::new( @@ -660,7 +660,7 @@ mod tests { store.clone(), ); - let store = Store::new(account.static_data().clone(), identity, store, verification); + let store = Store::new(account.static_data().clone(), identity, store, verification, None); let device = DeviceData::from_account(&account); store.save_pending_changes(PendingChanges { account: Some(account) }).await.unwrap(); store @@ -969,7 +969,7 @@ mod tests { let response = ruma_response_from_json(&response_json); let alice = user_id!("@alice:example.org"); - let mut alice_account = Account::with_device_id(alice, "DEVICEID".into()); + let mut alice_account = Account::with_device_id(alice, "DEVICEID".into(), None); let alice_device = DeviceData::from_account(&alice_account); let (manager, _identity_manager) = session_manager_test_helper().await; diff --git a/crates/matrix-sdk-crypto/src/store/integration_tests.rs b/crates/matrix-sdk-crypto/src/store/integration_tests.rs index 0f5e121b6..611aac5c7 100644 
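Review bot: `bob_account()` in the tests of session_manager/sessions.rs now calls `Account::with_device_id(user_id!("@bob:localhost"), device_id!("BOBDEVICE"), None, None)` with four arguments, while every other updated `Account::with_device_id` call in this diff passes three, including the two further down in this same file. Assuming the function takes a single trailing optional, as those calls suggest, this will not compile. It should read `Account::with_device_id(user_id!("@bob:localhost"), device_id!("BOBDEVICE"), None)`. The extra `None` looks carried over from the `OlmMachine::new(..., None, None)` updates.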
--- a/crates/matrix-sdk-crypto/src/store/integration_tests.rs +++ b/crates/matrix-sdk-crypto/src/store/integration_tests.rs @@ -111,12 +111,12 @@ macro_rules! cryptostore_integration_tests { } fn get_account() -> Account { - Account::with_device_id(alice_id(), alice_device_id()) + Account::with_device_id(alice_id(), alice_device_id(), None) } pub(crate) async fn get_account_and_session() -> (Account, Session) { - let alice = Account::with_device_id(alice_id(), alice_device_id()); - let mut bob = Account::with_device_id(bob_id(), bob_device_id()); + let alice = Account::with_device_id(alice_id(), alice_device_id(), None); + let mut bob = Account::with_device_id(bob_id(), bob_device_id(), None); bob.generate_one_time_keys(1); let one_time_key = *bob.one_time_keys().values().next().unwrap(); @@ -794,11 +794,13 @@ macro_rules! cryptostore_integration_tests { let alice_device_1 = DeviceData::from_account(&Account::with_device_id( "@alice:localhost".try_into().unwrap(), "FIRSTDEVICE".into(), + None, )); let alice_device_2 = DeviceData::from_account(&Account::with_device_id( "@alice:localhost".try_into().unwrap(), "SECONDDEVICE".into(), + None, )); let json = json!({ @@ -902,7 +904,7 @@ macro_rules! cryptostore_integration_tests { let store = get_store(dir, None, true).await; - let account = Account::with_device_id(&user_id, device_id); + let account = Account::with_device_id(&user_id, device_id, None); store.save_pending_changes(PendingChanges { account: Some(account), }) .await diff --git a/crates/matrix-sdk-crypto/src/store/mod.rs b/crates/matrix-sdk-crypto/src/store/mod.rs index 9460d27d0..41dfa5d24 100644 --- a/crates/matrix-sdk-crypto/src/store/mod.rs +++ b/crates/matrix-sdk-crypto/src/store/mod.rs @@ -82,6 +82,7 @@ use crate::{ SecretsBundle, }, verification::VerificationMachine, + x509::X509Keys, }; #[cfg(doc)] use crate::{backups::BackupMachine, identities::OwnUserIdentity}; 
@@ -546,6 +547,7 @@ impl Store { identity: Arc>, store: Arc, verification_machine: VerificationMachine, + x509_keys: Option, ) -> Self { Self { inner: Arc::new(StoreInner { @@ -558,6 +560,7 @@ impl Store { tracked_users: Default::default(), loaded_tracked_users: Default::default(), account: Default::default(), + x509_keys, })), }), } @@ -1929,8 +1932,8 @@ mod tests { #[async_test] async fn test_merge_received_group_session() { - let alice_account = Account::with_device_id(user_id!("@a:s.co"), device_id!("ABC")); - let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("DEF")).await; + let alice_account = Account::with_device_id(user_id!("@a:s.co"), device_id!("ABC"), None); + let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("DEF"), None, None).await; let room_id = room_id!("!test:localhost"); @@ -2226,8 +2229,8 @@ mod tests { async fn test_build_room_key_bundle() { // Given: Alice has sent a number of room keys to Bob, including some in the // wrong room, and some that are not marked as shared... - let alice = OlmMachine::new(user_id!("@a:s.co"), device_id!("ALICE")).await; - let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("BOB")).await; + let alice = OlmMachine::new(user_id!("@a:s.co"), device_id!("ALICE"), None, None).await; + let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("BOB"), None, None).await; let room1_id = room_id!("!room1:localhost"); let room2_id = room_id!("!room2:localhost"); @@ -2313,9 +2316,9 @@ mod tests { #[async_test] async fn test_receive_room_key_bundle() { - let alice = OlmMachine::new(user_id!("@a:s.co"), device_id!("ALICE")).await; + let alice = OlmMachine::new(user_id!("@a:s.co"), device_id!("ALICE"), None, None).await; let alice_key = alice.identity_keys().curve25519; - let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("BOB")).await; + let bob = OlmMachine::new(user_id!("@b:s.co"), device_id!("BOB"), None, None).await; let room_id = room_id!("!room1:localhost"); 
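Review bot: In `Store::new` the new `x509_keys` value is initialised inside the nested struct literal next to `tracked_users`, `loaded_tracked_users` and `account`, which all start from `Default::default()`, rather than beside `identity` and `verification_machine`. If that nested struct is a cache that can be rebuilt or reloaded, caller-supplied signing keys would get a different lifetime from the other constructor inputs. Please confirm this placement is intended and record it on the field, e.g. `// Caller-supplied X.509 keys; not loaded from the store.` The `Store::new` doc comment also needs a line for the parameter saying what `None` means. The struct definitions are outside these hunks, so this is read from the initialiser alone.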
diff --git a/crates/matrix-sdk-crypto/src/x509/mod.rs b/crates/matrix-sdk-crypto/src/x509/mod.rs index 24916fd87..85172c2a3 100644 --- a/crates/matrix-sdk-crypto/src/x509/mod.rs +++ b/crates/matrix-sdk-crypto/src/x509/mod.rs @@ -1,3 +1,20 @@ +// Copyright 2026 The Matrix.org Foundation C.I.C. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//! Types and traits for verification of users and devices using X.509 keys and +//! certificates. + mod x509_keys; pub use x509_keys::X509Keys; diff --git a/crates/matrix-sdk-crypto/src/x509/x509_keys.rs b/crates/matrix-sdk-crypto/src/x509/x509_keys.rs index f6a3d92d6..395e0ed1a 100644 --- a/crates/matrix-sdk-crypto/src/x509/x509_keys.rs +++ b/crates/matrix-sdk-crypto/src/x509/x509_keys.rs 
@@ -1,3 +1,17 @@ +// Copyright 2026 The Matrix.org Foundation C.I.C. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + use std::sync::Arc; use ruma::{DeviceKeyAlgorithm, DeviceKeyId, UserId, canonical_json::to_canonical_value}; @@ -46,3 +60,9 @@ impl X509Keys { Ok(signer.sign(json.as_bytes()).expect("unable to sign")) } } + +impl std::fmt::Debug for X509Keys { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + f.debug_tuple("X509Keys").field(&"".to_owned()).finish() + } +} diff --git a/crates/matrix-sdk/src/encryption/mod.rs b/crates/matrix-sdk/src/encryption/mod.rs index efe6c2bb5..5fb36ea0b 100644 --- a/crates/matrix-sdk/src/encryption/mod.rs +++ b/crates/matrix-sdk/src/encryption/mod.rs @@ -179,9 +179,10 @@ pub async fn export_secrets_bundle_from_store( store.load_account().await.map_err(|e| BundleExportError::StoreError(e.into()))?; if let Some(account) = account { - let machine = OlmMachine::with_store(&account.user_id, &account.device_id, store, None) - .await - .map_err(BundleExportError::StoreError)?; + let machine = + OlmMachine::with_store(&account.user_id, &account.device_id, None, store, None, None) + .await + .map_err(BundleExportError::StoreError)?; let bundle = machine.store().export_secrets_bundle().await?;
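Review bot: The hand-written `Debug` for `X509Keys` in x509/x509_keys.rs prints a fixed placeholder instead of the key fields, which is right for key material, but as rendered here the placeholder is an empty string built with `.to_owned()`, so logs would show `X509Keys("")` and every format call allocates. `f.debug_struct("X509Keys").finish_non_exhaustive()` expresses the redaction without allocating, and a comment such as `// Manual impl: never print key or certificate contents.` would keep a later `#[derive(Debug)]` from undoing it. In the same hunk's context, `signer.sign(json.as_bytes()).expect("unable to sign")` panics inside a function that otherwise returns `Ok(..)`. Mapping that failure into the function's error type would be safer, though the signature lies outside the hunk.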