forked from mystiq/hydrogen-web
Merge pull request #586 from vector-im/bwindels/log-signature-failure
log signature verification failure in logger, not console
commit
c5c08ea34b
4 changed files with 16 additions and 12 deletions
|
@ -99,13 +99,13 @@ export class LogItem implements ILogItem {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a new child item that finishes immediately
|
* Creates a new child item that finishes immediately
|
||||||
* and can hence not be modified anymore.
|
* Finished items should not be modified anymore as they can be serialized
|
||||||
*
|
* at any stage, but using `set` on the return value in a synchronous way should still be safe.
|
||||||
* Hence, the child item is not returned.
|
|
||||||
*/
|
*/
|
||||||
log(labelOrValues: LabelOrValues, logLevel?: LogLevel): void {
|
log(labelOrValues: LabelOrValues, logLevel?: LogLevel): ILogItem {
|
||||||
const item = this.child(labelOrValues, logLevel);
|
const item = this.child(labelOrValues, logLevel);
|
||||||
item.end = item.start;
|
item.end = item.start;
|
||||||
|
return item;
|
||||||
}
|
}
|
||||||
|
|
||||||
set(key: string | object, value?: unknown): void {
|
set(key: string | object, value?: unknown): void {
|
||||||
|
|
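Review bot: The rewritten doc comment on `log` mentions only `set`, although the return value is now part of the method's contract; nothing says what is returned or that changes must happen before the item can be serialized. Add a tag such as `@returns the finished child item; change it only synchronously, right after this call`. The `ILogItem` interface is declared outside this section, so it is worth confirming that its `log` signature and every other implementation also return an item. A caller that assigns to the result of an implementation returning nothing would throw.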
|
@ -264,7 +264,7 @@ export class DeviceTracker {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
curve25519Keys.add(curve25519Key);
|
curve25519Keys.add(curve25519Key);
|
||||||
const isValid = this._hasValidSignature(deviceKeys);
|
const isValid = this._hasValidSignature(deviceKeys, parentLog);
|
||||||
if (!isValid) {
|
if (!isValid) {
|
||||||
parentLog.log({
|
parentLog.log({
|
||||||
l: "ignore device with invalid signature",
|
l: "ignore device with invalid signature",
|
||||||
|
@ -279,11 +279,11 @@ export class DeviceTracker {
|
||||||
return verifiedKeys;
|
return verifiedKeys;
|
||||||
}
|
}
|
||||||
|
|
||||||
_hasValidSignature(deviceSection) {
|
_hasValidSignature(deviceSection, parentLog) {
|
||||||
const deviceId = deviceSection["device_id"];
|
const deviceId = deviceSection["device_id"];
|
||||||
const userId = deviceSection["user_id"];
|
const userId = deviceSection["user_id"];
|
||||||
const ed25519Key = deviceSection?.keys?.[`${SIGNATURE_ALGORITHM}:${deviceId}`];
|
const ed25519Key = deviceSection?.keys?.[`${SIGNATURE_ALGORITHM}:${deviceId}`];
|
||||||
return verifyEd25519Signature(this._olmUtil, userId, deviceId, ed25519Key, deviceSection);
|
return verifyEd25519Signature(this._olmUtil, userId, deviceId, ed25519Key, deviceSection, parentLog);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
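Review bot: With `parentLog` passed into `_hasValidSignature`, a failed check now writes two sibling entries under the same parent: the one created inside `verifyEd25519Signature` and the existing `"ignore device with invalid signature"` entry in the `if (!isValid)` branch. Consider nesting the helper's entry under the caller's entry, or dropping one of the two, so that one rejected device maps to one log record. `_hasValidSignature` also has no doc comment; something like `/** Verifies the device's self-signature; failures are logged under parentLog. */` would record why the logger is threaded through. The `if (!isValid)` branch continues outside the hunk.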
|
@ -35,7 +35,7 @@ export class DecryptionError extends Error {
|
||||||
|
|
||||||
export const SIGNATURE_ALGORITHM = "ed25519";
|
export const SIGNATURE_ALGORITHM = "ed25519";
|
||||||
|
|
||||||
export function verifyEd25519Signature(olmUtil, userId, deviceOrKeyId, ed25519Key, value) {
|
export function verifyEd25519Signature(olmUtil, userId, deviceOrKeyId, ed25519Key, value, log = undefined) {
|
||||||
const clone = Object.assign({}, value);
|
const clone = Object.assign({}, value);
|
||||||
delete clone.unsigned;
|
delete clone.unsigned;
|
||||||
delete clone.signatures;
|
delete clone.signatures;
|
||||||
|
@ -49,7 +49,11 @@ export function verifyEd25519Signature(olmUtil, userId, deviceOrKeyId, ed25519Ke
|
||||||
olmUtil.ed25519_verify(ed25519Key, canonicalJson, signature);
|
olmUtil.ed25519_verify(ed25519Key, canonicalJson, signature);
|
||||||
return true;
|
return true;
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
console.warn("Invalid signature, ignoring.", ed25519Key, canonicalJson, signature, err);
|
if (log) {
|
||||||
|
const logItem = log.log({l: "Invalid signature, ignoring.", ed25519Key, canonicalJson, signature});
|
||||||
|
logItem.error = err;
|
||||||
|
logItem.logLevel = log.level.Warn;
|
||||||
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
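Review bot: In the `catch` branch a failed verification is recorded only `if (log)`, and `log` defaults to `undefined`, so a caller that omits the argument now drops the failure with no trace where `console.warn` used to fire. A rejected signature is a security-relevant event, so either make `log` required or keep a fallback such as `else { console.warn("Invalid signature, ignoring.", err); }`. The entry stores `ed25519Key`, `canonicalJson` and `signature` but neither `userId` nor `deviceOrKeyId`; since the LogItem comment says items can be serialized at any stage, consider logging the two identifiers and whether the full `canonicalJson` is needed. The level can be passed at creation, `log.log({...}, log.level.Warn)`, as the `failures` entry in the Encryption section does, instead of being assigned to an already finished item. The `try` starts above the hunk, so which other statements can reach this `catch` is not visible here.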
|
@ -189,10 +189,10 @@ export class Encryption {
|
||||||
log.log({l: "failures", servers: Object.keys(claimResponse.failures)}, log.level.Warn);
|
log.log({l: "failures", servers: Object.keys(claimResponse.failures)}, log.level.Warn);
|
||||||
}
|
}
|
||||||
const userKeyMap = claimResponse?.["one_time_keys"];
|
const userKeyMap = claimResponse?.["one_time_keys"];
|
||||||
return this._verifyAndCreateOTKTargets(userKeyMap, devicesByUser);
|
return this._verifyAndCreateOTKTargets(userKeyMap, devicesByUser, log);
|
||||||
}
|
}
|
||||||
|
|
||||||
_verifyAndCreateOTKTargets(userKeyMap, devicesByUser) {
|
_verifyAndCreateOTKTargets(userKeyMap, devicesByUser, log) {
|
||||||
const verifiedEncryptionTargets = [];
|
const verifiedEncryptionTargets = [];
|
||||||
for (const [userId, userSection] of Object.entries(userKeyMap)) {
|
for (const [userId, userSection] of Object.entries(userKeyMap)) {
|
||||||
for (const [deviceId, deviceSection] of Object.entries(userSection)) {
|
for (const [deviceId, deviceSection] of Object.entries(userSection)) {
|
||||||
|
@ -202,7 +202,7 @@ export class Encryption {
|
||||||
const device = devicesByUser.get(userId)?.get(deviceId);
|
const device = devicesByUser.get(userId)?.get(deviceId);
|
||||||
if (device) {
|
if (device) {
|
||||||
const isValidSignature = verifyEd25519Signature(
|
const isValidSignature = verifyEd25519Signature(
|
||||||
this._olmUtil, userId, deviceId, device.ed25519Key, keySection);
|
this._olmUtil, userId, deviceId, device.ed25519Key, keySection, log);
|
||||||
if (isValidSignature) {
|
if (isValidSignature) {
|
||||||
const target = EncryptionTarget.fromOTK(device, keySection.key);
|
const target = EncryptionTarget.fromOTK(device, keySection.key);
|
||||||
verifiedEncryptionTargets.push(target);
|
verifiedEncryptionTargets.push(target);
|
||||||
|
|
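Review bot: `userKeyMap` is read with `claimResponse?.["one_time_keys"]`, so it can be `undefined`, yet `_verifyAndCreateOTKTargets` passes it straight to `Object.entries(userKeyMap)`, which throws on `undefined`. The claim response appears to come from a remote server, so a missing or malformed `one_time_keys` field should yield no targets rather than an exception: `for (const [userId, userSection] of Object.entries(userKeyMap ?? {})) {`. The loop body continues outside the hunks, so the handling of a rejected one-time key after `if (isValidSignature)` may simply be out of view.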