Use new CDS implementation in staging

This commit is contained in:
Fedor Indutny 2022-03-09 11:28:40 -08:00 committed by GitHub
parent 5774fdef9f
commit 0c8c332805
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 284 additions and 130 deletions

View file

@ -308,12 +308,15 @@ function prepareUrl(
serverUrl: config.get<string>('serverUrl'), serverUrl: config.get<string>('serverUrl'),
storageUrl: config.get<string>('storageUrl'), storageUrl: config.get<string>('storageUrl'),
updatesUrl: config.get<string>('updatesUrl'), updatesUrl: config.get<string>('updatesUrl'),
directoryUrl: config.get<string>('directoryUrl'), directoryVersion: config.get<number | undefined>('directoryVersion') || 1,
directoryEnclaveId: config.get<string>('directoryEnclaveId'), directoryUrl: config.get<string | null>('directoryUrl') || undefined,
directoryTrustAnchor: config.get<string>('directoryTrustAnchor'), directoryEnclaveId:
config.get<string | null>('directoryEnclaveId') || undefined,
directoryTrustAnchor:
config.get<string | null>('directoryTrustAnchor') || undefined,
directoryV2Url: config.get<string>('directoryV2Url'), directoryV2Url: config.get<string>('directoryV2Url'),
directoryV2PublicKey: config.get<string>('directoryV2PublicKey'), directoryV2PublicKey: config.get<string>('directoryV2PublicKey'),
directoryV2CodeHash: config.get<string>('directoryV2CodeHash'), directoryV2CodeHashes: config.get<string>('directoryV2CodeHashes'),
cdnUrl0: config.get<ConfigType>('cdn').get<string>('0'), cdnUrl0: config.get<ConfigType>('cdn').get<string>('0'),
cdnUrl2: config.get<ConfigType>('cdn').get<string>('2'), cdnUrl2: config.get<ConfigType>('cdn').get<string>('2'),
certificateAuthority: config.get<string>('certificateAuthority'), certificateAuthority: config.get<string>('certificateAuthority'),

View file

@ -1,12 +1,15 @@
{ {
"serverUrl": "https://chat.staging.signal.org", "serverUrl": "https://chat.staging.signal.org",
"storageUrl": "https://storage-staging.signal.org", "storageUrl": "https://storage-staging.signal.org",
"directoryUrl": "https://api-staging.directory.signal.org", "directoryVersion": 2,
"directoryEnclaveId": "c98e00a4e3ff977a56afefe7362a27e4961e4f19e211febfbb19b897e6b80b15", "directoryUrl": null,
"directoryTrustAnchor": "-----BEGIN CERTIFICATE-----\nMIIFSzCCA7OgAwIBAgIJANEHdl0yo7CUMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV\nBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNV\nBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQDDCdJbnRlbCBTR1ggQXR0ZXN0\nYXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwIBcNMTYxMTE0MTUzNzMxWhgPMjA0OTEy\nMzEyMzU5NTlaMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwL\nU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQD\nDCdJbnRlbCBTR1ggQXR0ZXN0YXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwggGiMA0G\nCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCfPGR+tXc8u1EtJzLA10Feu1Wg+p7e\nLmSRmeaCHbkQ1TF3Nwl3RmpqXkeGzNLd69QUnWovYyVSndEMyYc3sHecGgfinEeh\nrgBJSEdsSJ9FpaFdesjsxqzGRa20PYdnnfWcCTvFoulpbFR4VBuXnnVLVzkUvlXT\nL/TAnd8nIZk0zZkFJ7P5LtePvykkar7LcSQO85wtcQe0R1Raf/sQ6wYKaKmFgCGe\nNpEJUmg4ktal4qgIAxk+QHUxQE42sxViN5mqglB0QJdUot/o9a/V/mMeH8KvOAiQ\nbyinkNndn+Bgk5sSV5DFgF0DffVqmVMblt5p3jPtImzBIH0QQrXJq39AT8cRwP5H\nafuVeLHcDsRp6hol4P+ZFIhu8mmbI1u0hH3W/0C2BuYXB5PC+5izFFh/nP0lc2Lf\n6rELO9LZdnOhpL1ExFOq9H/B8tPQ84T3Sgb4nAifDabNt/zu6MmCGo5U8lwEFtGM\nRoOaX4AS+909x00lYnmtwsDVWv9vBiJCXRsCAwEAAaOByTCBxjBgBgNVHR8EWTBX\nMFWgU6BRhk9odHRwOi8vdHJ1c3RlZHNlcnZpY2VzLmludGVsLmNvbS9jb250ZW50\nL0NSTC9TR1gvQXR0ZXN0YXRpb25SZXBvcnRTaWduaW5nQ0EuY3JsMB0GA1UdDgQW\nBBR4Q3t2pn680K9+QjfrNXw7hwFRPDAfBgNVHSMEGDAWgBR4Q3t2pn680K9+Qjfr\nNXw7hwFRPDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkq\nhkiG9w0BAQsFAAOCAYEAeF8tYMXICvQqeXYQITkV2oLJsp6J4JAqJabHWxYJHGir\nIEqucRiJSSx+HjIJEUVaj8E0QjEud6Y5lNmXlcjqRXaCPOqK0eGRz6hi+ripMtPZ\nsFNaBwLQVV905SDjAzDzNIDnrcnXyB4gcDFCvwDFKKgLRjOB/WAqgscDUoGq5ZVi\nzLUzTqiQPmULAQaB9c6Oti6snEFJiCQ67JLyW/E83/frzCmO5Ru6WjU4tmsmy8Ra\nUd4APK0wZTGtfPXU7w+IBdG5Ez0kE1qzxGQaL4gINJ1zMyleDnbuS8UicjJijvqA\n152Sq049ESDz+1rRGc2NVEqh1KaGXmtXvqxXcTB+Ljy5Bw2ke0v8iGngFBPqCTVB\n3op5KBG3RjbF6RRSzwzuWfL7QErNC8WEy5yDVARzTA5+xmBc388v9Dm21HGfcC8O\nDD+gT9sSpssq0ascmvH49MOgjt1yoysLtdCtJW/9FZpoOypaHx0R+mJTLwPXVMrv\nDaVzWh5aiEx+idkSGMnX\n-----END CERTIFICATE-----\n", "directoryEnclaveId": null,
"directoryTrustAnchor": null,
"directoryV2Url": "https://cdsh.staging.signal.org", "directoryV2Url": "https://cdsh.staging.signal.org",
"directoryV2PublicKey": "2fe57da347cd62431528daac5fbb290730fff684afc4cfc2ed90995f58cb3b74", "directoryV2PublicKey": "2fe57da347cd62431528daac5fbb290730fff684afc4cfc2ed90995f58cb3b74",
"directoryV2CodeHash": "8c8025d787b4e7da35047c342a96c24a7119fd23ed9a3a774454a06315b4852a", "directoryV2CodeHashes": [
"2f79dc6c1599b71c70fc2d14f3ea2e3bc65134436eb87011c88845b137af673a"
],
"cdn": { "cdn": {
"0": "https://cdn-staging.signal.org", "0": "https://cdn-staging.signal.org",
"2": "https://cdn2-staging.signal.org" "2": "https://cdn2-staging.signal.org"

View file

@ -1,7 +1,10 @@
{ {
"serverUrl": "https://chat.signal.org", "serverUrl": "https://chat.signal.org",
"storageUrl": "https://storage.signal.org", "storageUrl": "https://storage.signal.org",
"directoryVersion": 1,
"directoryUrl": "https://api.directory.signal.org", "directoryUrl": "https://api.directory.signal.org",
"directoryEnclaveId": "c98e00a4e3ff977a56afefe7362a27e4961e4f19e211febfbb19b897e6b80b15",
"directoryTrustAnchor": "-----BEGIN CERTIFICATE-----\nMIIFSzCCA7OgAwIBAgIJANEHdl0yo7CUMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNV\nBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNV\nBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQDDCdJbnRlbCBTR1ggQXR0ZXN0\nYXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwIBcNMTYxMTE0MTUzNzMxWhgPMjA0OTEy\nMzEyMzU5NTlaMH4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwL\nU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMTAwLgYDVQQD\nDCdJbnRlbCBTR1ggQXR0ZXN0YXRpb24gUmVwb3J0IFNpZ25pbmcgQ0EwggGiMA0G\nCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCfPGR+tXc8u1EtJzLA10Feu1Wg+p7e\nLmSRmeaCHbkQ1TF3Nwl3RmpqXkeGzNLd69QUnWovYyVSndEMyYc3sHecGgfinEeh\nrgBJSEdsSJ9FpaFdesjsxqzGRa20PYdnnfWcCTvFoulpbFR4VBuXnnVLVzkUvlXT\nL/TAnd8nIZk0zZkFJ7P5LtePvykkar7LcSQO85wtcQe0R1Raf/sQ6wYKaKmFgCGe\nNpEJUmg4ktal4qgIAxk+QHUxQE42sxViN5mqglB0QJdUot/o9a/V/mMeH8KvOAiQ\nbyinkNndn+Bgk5sSV5DFgF0DffVqmVMblt5p3jPtImzBIH0QQrXJq39AT8cRwP5H\nafuVeLHcDsRp6hol4P+ZFIhu8mmbI1u0hH3W/0C2BuYXB5PC+5izFFh/nP0lc2Lf\n6rELO9LZdnOhpL1ExFOq9H/B8tPQ84T3Sgb4nAifDabNt/zu6MmCGo5U8lwEFtGM\nRoOaX4AS+909x00lYnmtwsDVWv9vBiJCXRsCAwEAAaOByTCBxjBgBgNVHR8EWTBX\nMFWgU6BRhk9odHRwOi8vdHJ1c3RlZHNlcnZpY2VzLmludGVsLmNvbS9jb250ZW50\nL0NSTC9TR1gvQXR0ZXN0YXRpb25SZXBvcnRTaWduaW5nQ0EuY3JsMB0GA1UdDgQW\nBBR4Q3t2pn680K9+QjfrNXw7hwFRPDAfBgNVHSMEGDAWgBR4Q3t2pn680K9+Qjfr\nNXw7hwFRPDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkq\nhkiG9w0BAQsFAAOCAYEAeF8tYMXICvQqeXYQITkV2oLJsp6J4JAqJabHWxYJHGir\nIEqucRiJSSx+HjIJEUVaj8E0QjEud6Y5lNmXlcjqRXaCPOqK0eGRz6hi+ripMtPZ\nsFNaBwLQVV905SDjAzDzNIDnrcnXyB4gcDFCvwDFKKgLRjOB/WAqgscDUoGq5ZVi\nzLUzTqiQPmULAQaB9c6Oti6snEFJiCQ67JLyW/E83/frzCmO5Ru6WjU4tmsmy8Ra\nUd4APK0wZTGtfPXU7w+IBdG5Ez0kE1qzxGQaL4gINJ1zMyleDnbuS8UicjJijvqA\n152Sq049ESDz+1rRGc2NVEqh1KaGXmtXvqxXcTB+Ljy5Bw2ke0v8iGngFBPqCTVB\n3op5KBG3RjbF6RRSzwzuWfL7QErNC8WEy5yDVARzTA5+xmBc388v9Dm21HGfcC8O\nDD+gT9sSpssq0ascmvH49MOgjt1yoysLtdCtJW/9FZpoOypaHx0R+mJTLwPXVMrv\nDaVzWh5aiEx+idkSGMnX\n-----END CERTIFICATE-----\n",
"cdn": { "cdn": {
"0": "https://cdn.signal.org", "0": "https://cdn.signal.org",
"2": "https://cdn2.signal.org" "2": "https://cdn2.signal.org"

View file

@ -376,12 +376,13 @@ try {
url: config.serverUrl, url: config.serverUrl,
storageUrl: config.storageUrl, storageUrl: config.storageUrl,
updatesUrl: config.updatesUrl, updatesUrl: config.updatesUrl,
directoryVersion: parseInt(config.directoryVersion, 10),
directoryUrl: config.directoryUrl, directoryUrl: config.directoryUrl,
directoryEnclaveId: config.directoryEnclaveId, directoryEnclaveId: config.directoryEnclaveId,
directoryTrustAnchor: config.directoryTrustAnchor, directoryTrustAnchor: config.directoryTrustAnchor,
directoryV2Url: config.directoryV2Url, directoryV2Url: config.directoryV2Url,
directoryV2PublicKey: config.directoryV2PublicKey, directoryV2PublicKey: config.directoryV2PublicKey,
directoryV2CodeHash: config.directoryV2CodeHash, directoryV2CodeHashes: (config.directoryV2CodeHashes || '').split(','),
cdnUrlObject: { cdnUrlObject: {
0: config.cdnUrl0, 0: config.cdnUrl0,
2: config.cdnUrl2, 2: config.cdnUrl2,

View file

@ -4,16 +4,23 @@
package signalservice; package signalservice;
message CDSClientRequest { message CDSClientRequest {
// From Signal /v2/directory/auth
optional bytes username = 1;
optional bytes password = 2;
// Each e164 is a big-endian uint64 (8 bytes).
repeated bytes e164 = 3;
// Each ACI/UAK pair is a 32-byte buffer, containing the 16-byte ACI followed // Each ACI/UAK pair is a 32-byte buffer, containing the 16-byte ACI followed
// by its 16-byte UAK. // by its 16-byte UAK.
repeated bytes aci_uak_pair = 4; optional bytes aci_uak_pairs = 1;
// Each E164 is an 8-byte big-endian number, as 8 bytes.
optional bytes prev_e164s = 2;
optional bytes new_e164s = 3;
optional bytes discard_e164s = 4;
// If true, the client has more pairs or e164s to send. If false or unset,
// this is the client's last request, and processing should commence.
optional bool has_more = 5;
// If set, a token which allows rate limiting to discount the e164s in
// the request's prev_e164s, only counting new_e164s. If not set, then
// rate limiting considers both prev_e164s' and new_e164s' size.
optional bytes token = 6;
} }
message CDSClientResponse { message CDSClientResponse {
@ -29,7 +36,7 @@ message CDSClientResponse {
// where the additional 2 bytes are the id/type/length additions of the // where the additional 2 bytes are the id/type/length additions of the
// protobuf marshaling added to each byte array. This avoids any data // protobuf marshaling added to each byte array. This avoids any data
// leakage based on the size of the encrypted output. // leakage based on the size of the encrypted output.
repeated bytes e164_pni_aci_triple = 1; optional bytes e164_pni_aci_triples = 1;
// If the user has run out of quota for lookups, they will receive // If the user has run out of quota for lookups, they will receive
// a response with just the following field set, followed by a websocket // a response with just the following field set, followed by a websocket
@ -37,4 +44,9 @@ message CDSClientResponse {
// the same request after the provided number of seconds has passed, // the same request after the provided number of seconds has passed,
// we expect it should work. // we expect it should work.
optional int32 retry_after_secs = 2; optional int32 retry_after_secs = 2;
// A token which allows subsequent calls' rate limiting to discount the
// e164s sent up in this request, only counting those in the next
// request's new_e164s.
optional bytes token = 3;
} }

View file

@ -56,12 +56,13 @@ const WebAPI = initializeWebAPI({
url: config.serverUrl, url: config.serverUrl,
storageUrl: config.storageUrl, storageUrl: config.storageUrl,
updatesUrl: config.updatesUrl, updatesUrl: config.updatesUrl,
directoryVersion: parseInt(config.directoryVersion, 10),
directoryUrl: config.directoryUrl, directoryUrl: config.directoryUrl,
directoryEnclaveId: config.directoryEnclaveId, directoryEnclaveId: config.directoryEnclaveId,
directoryTrustAnchor: config.directoryTrustAnchor, directoryTrustAnchor: config.directoryTrustAnchor,
directoryV2Url: config.directoryV2Url, directoryV2Url: config.directoryV2Url,
directoryV2PublicKey: config.directoryV2PublicKey, directoryV2PublicKey: config.directoryV2PublicKey,
directoryV2CodeHash: config.directoryV2CodeHash, directoryV2CodeHashes: (config.directoryV2CodeHashes || '').split(','),
cdnUrlObject: { cdnUrlObject: {
0: config.cdnUrl0, 0: config.cdnUrl0,
2: config.cdnUrl2, 2: config.cdnUrl2,

View file

@ -2,6 +2,8 @@
// SPDX-License-Identifier: AGPL-3.0-only // SPDX-License-Identifier: AGPL-3.0-only
import { EventEmitter } from 'events'; import { EventEmitter } from 'events';
import { noop } from 'lodash';
import { Readable } from 'stream';
import type { HsmEnclaveClient } from '@signalapp/signal-client'; import type { HsmEnclaveClient } from '@signalapp/signal-client';
import type { connection as WebSocket } from 'websocket'; import type { connection as WebSocket } from 'websocket';
import Long from 'long'; import Long from 'long';
@ -10,6 +12,7 @@ import { strictAssert } from '../util/assert';
import { dropNull } from '../util/dropNull'; import { dropNull } from '../util/dropNull';
import { explodePromise } from '../util/explodePromise'; import { explodePromise } from '../util/explodePromise';
import * as durations from '../util/durations'; import * as durations from '../util/durations';
import * as log from '../logging/log';
import type { UUIDStringType } from '../types/UUID'; import type { UUIDStringType } from '../types/UUID';
import { UUID_BYTE_SIZE } from '../types/UUID'; import { UUID_BYTE_SIZE } from '../types/UUID';
import * as Bytes from '../Bytes'; import * as Bytes from '../Bytes';
@ -23,13 +26,24 @@ enum State {
Closed, Closed,
} }
export type CDSRequestOptionsType = Readonly<{ export type CDSRequestOptionsType = Readonly<
e164s: ReadonlyArray<string>; {
acis: ReadonlyArray<UUIDStringType>; auth: CDSAuthType;
accessKeys: ReadonlyArray<string>; e164s: ReadonlyArray<string>;
auth: CDSAuthType; timeout?: number;
timeout?: number; } & (
}>; | {
version: 1;
acis?: undefined;
accessKeys?: undefined;
}
| {
version: 2;
acis: ReadonlyArray<UUIDStringType>;
accessKeys: ReadonlyArray<string>;
}
)
>;
export type CDSAuthType = Readonly<{ export type CDSAuthType = Readonly<{
username: string; username: string;
@ -50,19 +64,23 @@ export type CDSSocketResponseType = Readonly<{
retryAfterSecs?: number; retryAfterSecs?: number;
}>; }>;
const MAX_E164_COUNT = 5000;
const HANDSHAKE_TIMEOUT = 10 * durations.SECOND; const HANDSHAKE_TIMEOUT = 10 * durations.SECOND;
const REQUEST_TIMEOUT = 10 * durations.SECOND; const REQUEST_TIMEOUT = 10 * durations.SECOND;
const VERSION = new Uint8Array([0x02]);
const USERNAME_LENGTH = 32;
const PASSWORD_LENGTH = 31;
const E164_BYTE_SIZE = 8; const E164_BYTE_SIZE = 8;
const TRIPLE_BYTE_SIZE = UUID_BYTE_SIZE * 2 + E164_BYTE_SIZE;
export class CDSSocket extends EventEmitter { export class CDSSocket extends EventEmitter {
private state = State.Handshake; private state = State.Handshake;
private readonly finishedHandshake: Promise<void>; private readonly finishedHandshake: Promise<void>;
private readonly requestQueue = new Array<(buffer: Buffer) => void>(); private readonly responseStream = new Readable({
read: noop,
// Don't coalesce separate websocket messages
objectMode: true,
});
constructor( constructor(
private readonly socket: WebSocket, private readonly socket: WebSocket,
@ -93,15 +111,25 @@ export class CDSSocket extends EventEmitter {
return; return;
} }
const requestHandler = this.requestQueue.shift(); try {
strictAssert( this.responseStream.push(
requestHandler !== undefined, this.enclaveClient.establishedRecv(binaryData)
'No handler for incoming CDS data' );
); } catch (error) {
this.responseStream.destroy(error);
requestHandler(this.enclaveClient.establishedRecv(binaryData)); }
}); });
socket.on('close', (code, reason) => { socket.on('close', (code, reason) => {
if (this.state === State.Established) {
if (code === 1000) {
this.responseStream.push(null);
} else {
this.responseStream.destroy(
new Error(`Socket closed with code ${code} and reason ${reason}`)
);
}
}
this.state = State.Closed; this.state = State.Closed;
this.emit('close', code, reason); this.emit('close', code, reason);
}); });
@ -115,37 +143,32 @@ export class CDSSocket extends EventEmitter {
} }
public async request({ public async request({
e164s, version,
acis,
accessKeys,
auth,
timeout = REQUEST_TIMEOUT, timeout = REQUEST_TIMEOUT,
e164s,
acis = [],
accessKeys = [],
}: CDSRequestOptionsType): Promise<CDSSocketResponseType> { }: CDSRequestOptionsType): Promise<CDSSocketResponseType> {
strictAssert(
e164s.length < MAX_E164_COUNT,
'CDSSocket does not support paging. Use this for one-off requests'
);
log.info('CDSSocket.request(): awaiting handshake');
await this.finishedHandshake; await this.finishedHandshake;
strictAssert( strictAssert(
this.state === State.Established, this.state === State.Established,
'Connection not established' 'Connection not established'
); );
const username = Bytes.fromString(auth.username);
const password = Bytes.fromString(auth.password);
strictAssert(
username.length === USERNAME_LENGTH,
'Invalid username length'
);
strictAssert(
password.length === PASSWORD_LENGTH,
'Invalid password length'
);
strictAssert( strictAssert(
acis.length === accessKeys.length, acis.length === accessKeys.length,
`Number of ACIs ${acis.length} is different ` + `Number of ACIs ${acis.length} is different ` +
`from number of access keys ${accessKeys.length}` `from number of access keys ${accessKeys.length}`
); );
const aciUakPair = new Array<Uint8Array>(); const aciUakPairs = new Array<Uint8Array>();
for (let i = 0; i < acis.length; i += 1) { for (let i = 0; i < acis.length; i += 1) {
aciUakPair.push( aciUakPairs.push(
Bytes.concatenate([ Bytes.concatenate([
uuidToBytes(acis[i]), uuidToBytes(acis[i]),
Bytes.fromBase64(accessKeys[i]), Bytes.fromBase64(accessKeys[i]),
@ -154,64 +177,55 @@ export class CDSSocket extends EventEmitter {
} }
const request = Proto.CDSClientRequest.encode({ const request = Proto.CDSClientRequest.encode({
username, newE164s: Buffer.concat(
password, e164s.map(e164 => {
e164: e164s.map(e164 => { // Long.fromString handles numbers with or without a leading '+'
// Long.fromString handles numbers with or without a leading '+' return new Uint8Array(Long.fromString(e164).toBytesBE());
return new Uint8Array(Long.fromString(e164).toBytesBE()); })
}), ),
aciUakPair, aciUakPairs: Buffer.concat(aciUakPairs),
}).finish(); }).finish();
const { promise, resolve, reject } = explodePromise<Buffer>();
const timer = Timers.setTimeout(() => { const timer = Timers.setTimeout(() => {
reject(new Error('CDS request timed out')); this.responseStream.destroy(new Error('CDS request timed out'));
}, timeout); }, timeout);
log.info(`CDSSocket.request(): sending version=${version} request`);
this.socket.sendBytes( this.socket.sendBytes(
this.enclaveClient.establishedSend(Buffer.concat([VERSION, request])) this.enclaveClient.establishedSend(
Buffer.concat([Buffer.from([version]), request])
)
); );
this.requestQueue.push(resolve); const resultMap: Map<string, CDSSocketDictionaryEntryType> = new Map();
strictAssert( let retryAfterSecs: number | undefined;
this.requestQueue.length === 1,
'Concurrent use of CDS shold not happen'
);
const responseBytes = await promise;
Timers.clearTimeout(timer);
const response = Proto.CDSClientResponse.decode(responseBytes); for await (const message of this.responseStream) {
log.info('CDSSocket.request(): processing response message');
const dictionary: Record<string, CDSSocketDictionaryEntryType> = const response = Proto.CDSClientResponse.decode(message);
Object.create(null); const newRetryAfterSecs = dropNull(response.retryAfterSecs);
for (const tripleBytes of response.e164PniAciTriple ?? []) { decodeSingleResponse(resultMap, response);
strictAssert(
tripleBytes.length === UUID_BYTE_SIZE * 2 + E164_BYTE_SIZE,
'Invalid size of CDS response triple'
);
let offset = 0; if (newRetryAfterSecs) {
const e164Bytes = tripleBytes.slice(offset, offset + E164_BYTE_SIZE); retryAfterSecs = Math.max(newRetryAfterSecs, retryAfterSecs ?? 0);
offset += E164_BYTE_SIZE; }
const pniBytes = tripleBytes.slice(offset, offset + UUID_BYTE_SIZE);
offset += UUID_BYTE_SIZE;
const aciBytes = tripleBytes.slice(offset, offset + UUID_BYTE_SIZE);
offset += UUID_BYTE_SIZE;
const e164 = `+${Long.fromBytesBE(Array.from(e164Bytes)).toString()}`;
const pni = bytesToUuid(pniBytes);
const aci = bytesToUuid(aciBytes);
dictionary[e164] = { pni, aci };
} }
const result: Record<string, CDSSocketDictionaryEntryType> =
Object.create(null);
for (const [key, value] of resultMap) {
result[key] = value;
}
log.info('CDSSocket.request(): done');
Timers.clearTimeout(timer);
return { return {
dictionary, dictionary: result,
retryAfterSecs: dropNull(response.retryAfterSecs), retryAfterSecs,
}; };
} }
@ -239,3 +253,44 @@ export class CDSSocket extends EventEmitter {
return super.emit(type, ...args); return super.emit(type, ...args);
} }
} }
function decodeSingleResponse(
resultMap: Map<string, CDSSocketDictionaryEntryType>,
response: Proto.CDSClientResponse
): void {
for (
let i = 0;
i < response.e164PniAciTriples.length;
i += TRIPLE_BYTE_SIZE
) {
const tripleBytes = response.e164PniAciTriples.slice(
i,
i + TRIPLE_BYTE_SIZE
);
strictAssert(
tripleBytes.length === TRIPLE_BYTE_SIZE,
'Invalid size of CDS response triple'
);
let offset = 0;
const e164Bytes = tripleBytes.slice(offset, offset + E164_BYTE_SIZE);
offset += E164_BYTE_SIZE;
const pniBytes = tripleBytes.slice(offset, offset + UUID_BYTE_SIZE);
offset += UUID_BYTE_SIZE;
const aciBytes = tripleBytes.slice(offset, offset + UUID_BYTE_SIZE);
offset += UUID_BYTE_SIZE;
const e164Long = Long.fromBytesBE(Array.from(e164Bytes));
if (e164Long.isZero()) {
continue;
}
const e164 = `+${e164Long.toString()}`;
const pni = bytesToUuid(pniBytes);
const aci = bytesToUuid(aciBytes);
resultMap.set(e164, { pni, aci });
}
}

View file

@ -9,10 +9,12 @@ import * as Bytes from '../Bytes';
import { prefixPublicKey } from '../Curve'; import { prefixPublicKey } from '../Curve';
import type { AbortableProcess } from '../util/AbortableProcess'; import type { AbortableProcess } from '../util/AbortableProcess';
import * as durations from '../util/durations'; import * as durations from '../util/durations';
import { getBasicAuth } from '../util/getBasicAuth';
import { sleep } from '../util/sleep'; import { sleep } from '../util/sleep';
import * as log from '../logging/log'; import * as log from '../logging/log';
import { CDSSocket } from './CDSSocket'; import { CDSSocket } from './CDSSocket';
import type { import type {
CDSAuthType,
CDSRequestOptionsType, CDSRequestOptionsType,
CDSSocketDictionaryType, CDSSocketDictionaryType,
} from './CDSSocket'; } from './CDSSocket';
@ -21,7 +23,7 @@ import { connect as connectWebSocket } from './WebSocket';
export type CDSSocketManagerOptionsType = Readonly<{ export type CDSSocketManagerOptionsType = Readonly<{
url: string; url: string;
publicKey: string; publicKey: string;
codeHash: string; codeHashes: ReadonlyArray<string>;
certificateAuthority: string; certificateAuthority: string;
proxyUrl?: string; proxyUrl?: string;
version: string; version: string;
@ -32,7 +34,7 @@ export type CDSResponseType = CDSSocketDictionaryType;
export class CDSSocketManager { export class CDSSocketManager {
private readonly publicKey: PublicKey; private readonly publicKey: PublicKey;
private readonly codeHash: Buffer; private readonly codeHashes: Array<Buffer>;
private readonly proxyAgent?: ReturnType<typeof ProxyAgent>; private readonly proxyAgent?: ReturnType<typeof ProxyAgent>;
@ -42,7 +44,9 @@ export class CDSSocketManager {
this.publicKey = PublicKey.deserialize( this.publicKey = PublicKey.deserialize(
Buffer.from(prefixPublicKey(Bytes.fromHex(options.publicKey))) Buffer.from(prefixPublicKey(Bytes.fromHex(options.publicKey)))
); );
this.codeHash = Buffer.from(Bytes.fromHex(options.codeHash)); this.codeHashes = options.codeHashes.map(hash =>
Buffer.from(Bytes.fromHex(hash))
);
if (options.proxyUrl) { if (options.proxyUrl) {
this.proxyAgent = new ProxyAgent(options.proxyUrl); this.proxyAgent = new ProxyAgent(options.proxyUrl);
} }
@ -58,8 +62,10 @@ export class CDSSocketManager {
await sleep(delay); await sleep(delay);
} }
const { auth } = options;
log.info('CDSSocketManager: connecting socket'); log.info('CDSSocketManager: connecting socket');
const socket = await this.connect().getResult(); const socket = await this.connect(auth).getResult();
log.info('CDSSocketManager: connected socket'); log.info('CDSSocketManager: connected socket');
try { try {
@ -79,16 +85,14 @@ export class CDSSocketManager {
} }
} }
private connect(): AbortableProcess<CDSSocket> { private connect(auth: CDSAuthType): AbortableProcess<CDSSocket> {
const enclaveClient = HsmEnclaveClient.new(this.publicKey, [this.codeHash]); const enclaveClient = HsmEnclaveClient.new(this.publicKey, this.codeHashes);
const { const { publicKey: publicKeyHex, codeHashes, version } = this.options;
publicKey: publicKeyHex,
codeHash: codeHashHex,
version,
} = this.options;
const url = `${this.options.url}/discovery/${publicKeyHex}/${codeHashHex}`; const url = `${
this.options.url
}/discovery/${publicKeyHex}/${codeHashes.join(',')}`;
return connectWebSocket<CDSSocket>({ return connectWebSocket<CDSSocket>({
name: 'CDSSocket', name: 'CDSSocket',
@ -96,6 +100,9 @@ export class CDSSocketManager {
version, version,
proxyAgent: this.proxyAgent, proxyAgent: this.proxyAgent,
certificateAuthority: this.options.certificateAuthority, certificateAuthority: this.options.certificateAuthority,
extraHeaders: {
authorization: getBasicAuth(auth),
},
createResource: (socket: WebSocket): CDSSocket => { createResource: (socket: WebSocket): CDSSocket => {
return new CDSSocket(socket, enclaveClient); return new CDSSocket(socket, enclaveClient);

View file

@ -34,6 +34,7 @@ import { getUserAgent } from '../util/getUserAgent';
import { getStreamWithTimeout } from '../util/getStreamWithTimeout'; import { getStreamWithTimeout } from '../util/getStreamWithTimeout';
import { formatAcceptLanguageHeader } from '../util/userLanguages'; import { formatAcceptLanguageHeader } from '../util/userLanguages';
import { toWebSafeBase64 } from '../util/webSafeBase64'; import { toWebSafeBase64 } from '../util/webSafeBase64';
import { getBasicAuth } from '../util/getBasicAuth';
import type { SocketStatus } from '../types/SocketStatus'; import type { SocketStatus } from '../types/SocketStatus';
import { toLogFormat } from '../types/errors'; import { toLogFormat } from '../types/errors';
import { isPackIdValid, redactPackId } from '../types/Stickers'; import { isPackIdValid, redactPackId } from '../types/Stickers';
@ -338,10 +339,10 @@ async function _promiseAjax(
fetchOptions.headers['Unidentified-Access-Key'] = accessKey; fetchOptions.headers['Unidentified-Access-Key'] = accessKey;
} }
} else if (options.user && options.password) { } else if (options.user && options.password) {
const auth = Bytes.toBase64( fetchOptions.headers.Authorization = getBasicAuth({
Bytes.fromString(`${options.user}:${options.password}`) username: options.user,
); password: options.password,
fetchOptions.headers.Authorization = `Basic ${auth}`; });
} }
if (options.contentType) { if (options.contentType) {
@ -596,12 +597,13 @@ type InitializeOptionsType = {
url: string; url: string;
storageUrl: string; storageUrl: string;
updatesUrl: string; updatesUrl: string;
directoryEnclaveId: string; directoryVersion: number;
directoryTrustAnchor: string; directoryUrl?: string;
directoryUrl: string; directoryEnclaveId?: string;
directoryTrustAnchor?: string;
directoryV2Url: string; directoryV2Url: string;
directoryV2PublicKey: string; directoryV2PublicKey: string;
directoryV2CodeHash: string; directoryV2CodeHashes: ReadonlyArray<string>;
cdnUrlObject: { cdnUrlObject: {
readonly '0': string; readonly '0': string;
readonly [propName: string]: string; readonly [propName: string]: string;
@ -999,12 +1001,13 @@ export function initialize({
url, url,
storageUrl, storageUrl,
updatesUrl, updatesUrl,
directoryVersion,
directoryUrl,
directoryEnclaveId, directoryEnclaveId,
directoryTrustAnchor, directoryTrustAnchor,
directoryUrl,
directoryV2Url, directoryV2Url,
directoryV2PublicKey, directoryV2PublicKey,
directoryV2CodeHash, directoryV2CodeHashes,
cdnUrlObject, cdnUrlObject,
certificateAuthority, certificateAuthority,
contentProxyUrl, contentProxyUrl,
@ -1020,14 +1023,26 @@ export function initialize({
if (!is.string(updatesUrl)) { if (!is.string(updatesUrl)) {
throw new Error('WebAPI.initialize: Invalid updatesUrl'); throw new Error('WebAPI.initialize: Invalid updatesUrl');
} }
if (!is.string(directoryEnclaveId)) { if (directoryVersion === 1) {
throw new Error('WebAPI.initialize: Invalid directory enclave id'); if (!is.string(directoryEnclaveId)) {
} throw new Error('WebAPI.initialize: Invalid directory enclave id');
if (!is.string(directoryTrustAnchor)) { }
throw new Error('WebAPI.initialize: Invalid directory enclave id'); if (!is.string(directoryTrustAnchor)) {
} throw new Error('WebAPI.initialize: Invalid directory trust anchor');
if (!is.string(directoryUrl)) { }
throw new Error('WebAPI.initialize: Invalid directory url'); if (!is.string(directoryUrl)) {
throw new Error('WebAPI.initialize: Invalid directory url');
}
} else {
if (directoryEnclaveId) {
throw new Error('WebAPI.initialize: Invalid directory enclave id');
}
if (directoryTrustAnchor) {
throw new Error('WebAPI.initialize: Invalid directory trust anchor');
}
if (directoryUrl) {
throw new Error('WebAPI.initialize: Invalid directory url');
}
} }
if (!is.string(directoryV2Url)) { if (!is.string(directoryV2Url)) {
throw new Error('WebAPI.initialize: Invalid directory V2 url'); throw new Error('WebAPI.initialize: Invalid directory V2 url');
@ -1035,7 +1050,7 @@ export function initialize({
if (!is.string(directoryV2PublicKey)) { if (!is.string(directoryV2PublicKey)) {
throw new Error('WebAPI.initialize: Invalid directory V2 public key'); throw new Error('WebAPI.initialize: Invalid directory V2 public key');
} }
if (!is.string(directoryV2CodeHash)) { if (!is.array(directoryV2CodeHashes)) {
throw new Error('WebAPI.initialize: Invalid directory V2 code hash'); throw new Error('WebAPI.initialize: Invalid directory V2 code hash');
} }
if (!is.object(cdnUrlObject)) { if (!is.object(cdnUrlObject)) {
@ -1104,7 +1119,7 @@ export function initialize({
const cdsSocketManager = new CDSSocketManager({ const cdsSocketManager = new CDSSocketManager({
url: directoryV2Url, url: directoryV2Url,
publicKey: directoryV2PublicKey, publicKey: directoryV2PublicKey,
codeHash: directoryV2CodeHash, codeHashes: directoryV2CodeHashes,
certificateAuthority, certificateAuthority,
version, version,
proxyUrl, proxyUrl,
@ -2723,6 +2738,7 @@ export function initialize({
username: string; username: string;
password: string; password: string;
}> { }> {
strictAssert(directoryVersion === 1, 'Legacy CDS should not be used');
return (await _ajax({ return (await _ajax({
call: 'directoryAuth', call: 'directoryAuth',
httpType: 'GET', httpType: 'GET',
@ -2748,6 +2764,9 @@ export function initialize({
serverStaticPublic: Uint8Array; serverStaticPublic: Uint8Array;
quote: Uint8Array; quote: Uint8Array;
}) { }) {
strictAssert(directoryVersion === 1, 'Legacy CDS should not be used');
strictAssert(directoryEnclaveId, 'Legacy CDS needs directoryEnclaveId');
const SGX_CONSTANTS = getSgxConstants(); const SGX_CONSTANTS = getSgxConstants();
const quote = Buffer.from(quoteBytes); const quote = Buffer.from(quoteBytes);
@ -2835,6 +2854,8 @@ export function initialize({
}, },
encodedQuote: string encodedQuote: string
) { ) {
strictAssert(directoryVersion === 1, 'Legacy CDS should not be used');
// Parse timestamp as UTC // Parse timestamp as UTC
const { timestamp } = signatureBody; const { timestamp } = signatureBody;
const utcTimestamp = timestamp.endsWith('Z') const utcTimestamp = timestamp.endsWith('Z')
@ -2862,6 +2883,12 @@ export function initialize({
signatureBody: string, signatureBody: string,
certificates: string certificates: string
) { ) {
strictAssert(directoryVersion === 1, 'Legacy CDS should not be used');
strictAssert(
directoryTrustAnchor,
'Legacy CDS needs directoryTrustAnchor'
);
const CERT_PREFIX = '-----BEGIN CERTIFICATE-----'; const CERT_PREFIX = '-----BEGIN CERTIFICATE-----';
const pem = compact( const pem = compact(
certificates.split(CERT_PREFIX).map(match => { certificates.split(CERT_PREFIX).map(match => {
@ -2922,6 +2949,8 @@ export function initialize({
username: string; username: string;
password: string; password: string;
}) { }) {
strictAssert(directoryVersion === 1, 'Legacy CDS should not be used');
const keyPair = generateKeyPair(); const keyPair = generateKeyPair();
const { privKey, pubKey } = keyPair; const { privKey, pubKey } = keyPair;
// Remove first "key type" byte from public key // Remove first "key type" byte from public key
@ -3051,7 +3080,7 @@ export function initialize({
}; };
} }
async function getUuidsForE164s( async function getLegacyUuidsForE164s(
e164s: ReadonlyArray<string> e164s: ReadonlyArray<string>
): Promise<Dictionary<UUIDStringType | null>> { ): Promise<Dictionary<UUIDStringType | null>> {
const directoryAuth = await getDirectoryAuth(); const directoryAuth = await getDirectoryAuth();
@ -3127,6 +3156,24 @@ export function initialize({
return zipObject(e164s, uuids); return zipObject(e164s, uuids);
} }
async function getUuidsForE164s(
e164s: ReadonlyArray<string>
): Promise<Dictionary<UUIDStringType | null>> {
if (directoryVersion === 1) {
return getLegacyUuidsForE164s(e164s);
}
const auth = await getDirectoryAuthV2();
const dictionary = await cdsSocketManager.request({
version: 1,
auth,
e164s,
});
return mapValues(dictionary, value => value.aci ?? null);
}
async function getUuidsForE164sV2({ async function getUuidsForE164sV2({
e164s, e164s,
acis, acis,
@ -3135,6 +3182,7 @@ export function initialize({
const auth = await getDirectoryAuthV2(); const auth = await getDirectoryAuthV2();
return cdsSocketManager.request({ return cdsSocketManager.request({
version: 2,
auth, auth,
e164s, e164s,
acis, acis,

View file

@ -28,6 +28,7 @@ export type ConnectOptionsType<Resource extends IResource> = Readonly<{
version: string; version: string;
proxyAgent?: ReturnType<typeof ProxyAgent>; proxyAgent?: ReturnType<typeof ProxyAgent>;
timeout?: number; timeout?: number;
extraHeaders?: Record<string, string>;
createResource(socket: WebSocket): Resource; createResource(socket: WebSocket): Resource;
}>; }>;
@ -38,6 +39,7 @@ export function connect<Resource extends IResource>({
certificateAuthority, certificateAuthority,
version, version,
proxyAgent, proxyAgent,
extraHeaders = {},
timeout = TEN_SECONDS, timeout = TEN_SECONDS,
createResource, createResource,
}: ConnectOptionsType<Resource>): AbortableProcess<Resource> { }: ConnectOptionsType<Resource>): AbortableProcess<Resource> {
@ -46,6 +48,7 @@ export function connect<Resource extends IResource>({
.replace('http://', 'ws://'); .replace('http://', 'ws://');
const headers = { const headers = {
...extraHeaders,
'User-Agent': getUserAgent(version), 'User-Agent': getUserAgent(version),
}; };
const client = new WebSocketClient({ const client = new WebSocketClient({

18
ts/util/getBasicAuth.ts Normal file
View file

@ -0,0 +1,18 @@
// Copyright 2020-2022 Signal Messenger, LLC
// SPDX-License-Identifier: AGPL-3.0-only
import { fromString, toBase64 } from '../Bytes';
export type GetBasicAuthOptionsType = Readonly<{
username: string;
password: string;
}>;
export function getBasicAuth({
username,
password,
}: GetBasicAuthOptionsType): string {
const auth = toBase64(fromString(`${username}:${password}`));
return `Basic ${auth}`;
}