mirrors/signal-desktop
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 2 Wiki Activity Actions

Use Libsignal to validate sealed-sender certificates

Browse source
This commit is contained in:
trevor-signal 2025-04-02 20:23:42 -04:00 committed by GitHub
commit 8959b727f9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 19 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

64
ts/textsecure/MessageReceiver.ts
View file

@ -39,7 +39,6 @@ import {
Sessions, Sessions,
SignedPreKeys, SignedPreKeys,
} from '../LibSignalStores'; } from '../LibSignalStores';
import { verifySignature } from '../Curve';
import { createName } from '../util/attachmentPath'; import { createName } from '../util/attachmentPath';
import { assertDev, strictAssert } from '../util/assert'; import { assertDev, strictAssert } from '../util/assert';
import type { BatcherType } from '../util/batcher'; import type { BatcherType } from '../util/batcher';
@ -1623,60 +1622,35 @@ export default class MessageReceiver
} }
#validateUnsealedEnvelope(envelope: UnsealedEnvelope): void { #validateUnsealedEnvelope(envelope: UnsealedEnvelope): void {
const { unsealedContent: messageContent, certificate } = envelope; const {
unsealedContent: messageContent,
certificate,
serverTimestamp,
} = envelope;
const envelopeId = getEnvelopeId(envelope);
const logId = `MessageReceiver.validateUnsealedEnvelope(${envelopeId})`;
strictAssert( strictAssert(
messageContent !== undefined, messageContent !== undefined,
'Missing message content for sealed sender message' `${logId}: Missing message content for sealed sender message`
); );
strictAssert( strictAssert(
certificate !== undefined, certificate !== undefined,
'Missing sender certificate for sealed sender message' `${logId}: Missing sender certificate for sealed sender message`
);
strictAssert(
serverTimestamp > 0,
`${logId}: Sealed sender message was missing serverTimestamp`
); );
if (!envelope.serverTimestamp) {
throw new Error(
'MessageReceiver.decryptSealedSender: ' +
'Sealed sender message was missing serverTimestamp'
);
}
const serverCertificate = certificate.serverCertificate();
if ( if (
!verifySignature( !certificate.validate(
this.#serverTrustRoot, PublicKey.deserialize(Buffer.from(this.#serverTrustRoot)),
serverCertificate.certificateData(), serverTimestamp
serverCertificate.signature()
) )
) { ) {
throw new Error( throw new Error(`${logId}: Sealed sender certificate validation failed`);
'MessageReceiver.validateUnsealedEnvelope: ' +
'Server certificate trust root validation failed'
);
}
if (
!verifySignature(
serverCertificate.key().serialize(),
certificate.certificate(),
certificate.signature()
)
) {
throw new Error(
'MessageReceiver.validateUnsealedEnvelope: ' +
'Server certificate server signature validation failed'
);
}
const logId = getEnvelopeId(envelope);
if (envelope.serverTimestamp > certificate.expiration()) {
throw new Error(
'MessageReceiver.validateUnsealedEnvelope: ' +
`Sender certificate is expired for envelope ${logId}, ` +
`serverTimestamp: ${envelope.serverTimestamp}, ` +
`expiration: ${certificate.expiration()}`
);
} }
return undefined; return undefined;