From a749b97707dc3a00020ffa061b939bf820f664f7 Mon Sep 17 00:00:00 2001
From: Greyson Parrelli <greyson@signal.org>
Date: Thu, 7 Dec 2023 15:14:44 -0500
Subject: [PATCH] Migrate to a new SVR2 enclave.

---
 app/build.gradle.kts                               |  6 ++++--
 .../thoughtcrime/securesms/jobs/Svr2MirrorJob.kt   |  2 +-
 .../migrations/ApplicationMigrations.java          |  7 ++++++-
 .../thoughtcrime/securesms/pin/SvrRepository.kt    | 14 +++++++++-----
 4 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index d1b3128d2b..a93f2a4c9d 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@@ -202,7 +202,8 @@ android {
     buildConfigField("String[]", "SIGNAL_SVR2_IPS", rootProject.extra["svr2_ips"] as String)
     buildConfigField("String", "SIGNAL_AGENT", "\"OWA\"")
     buildConfigField("String", "CDSI_MRENCLAVE", "\"0f6fd79cdfdaa5b2e6337f534d3baf999318b0c462a7ac1f41297a3e4b424a57\"")
-    buildConfigField("String", "SVR2_MRENCLAVE", "\"6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094\"")
+    buildConfigField("String", "SVR2_MRENCLAVE_DEPRECATED", "\"6ee1042f9e20f880326686dd4ba50c25359f01e9f733eeba4382bca001d45094\"")
+    buildConfigField("String", "SVR2_MRENCLAVE", "\"a6622ad4656e1abcd0bc0ff17c229477747d2ded0495c4ebee7ed35c1789fa97\"")
     buildConfigField("String", "UNIDENTIFIED_SENDER_TRUST_ROOT", "\"BXu6QIKVz5MA8gstzfOgRQGqyLqOwNKHL6INkv3IHWMF\"")
     buildConfigField("String", "ZKGROUP_SERVER_PUBLIC_PARAMS", "\"AMhf5ywVwITZMsff/eCyudZx9JDmkkkbV6PInzG4p8x3VqVJSFiMvnvlEKWuRob/1eaIetR31IYeAbm0NdOuHH8Qi+Rexi1wLlpzIo1gstHWBfZzy1+qHRV5A4TqPp15YzBPm0WSggW6PbSn+F4lf57VCnHF7p8SvzAA2ZZJPYJURt8X7bbg+H3i+PEjH9DXItNEqs2sNcug37xZQDLm7X36nOoGPs54XsEGzPdEV+itQNGUFEjY6X9Uv+Acuks7NpyGvCoKxGwgKgE5XyJ+nNKlyHHOLb6N1NuHyBrZrgtY/JYJHRooo5CEqYKBqdFnmbTVGEkCvJKxLnjwKWf+fEPoWeQFj5ObDjcKMZf2Jm2Ae69x+ikU5gBXsRmoF94GXTLfN0/vLt98KDPnxwAQL9j5V1jGOY8jQl6MLxEs56cwXN0dqCnImzVH3TZT1cJ8SW1BRX6qIVxEzjsSGx3yxF3suAilPMqGRp4ffyopjMD1JXiKR2RwLKzizUe5e8XyGOy9fplzhw3jVzTRyUZTRSZKkMLWcQ/gv0E4aONNqs4P\"")
     buildConfigField("String", "GENERIC_SERVER_PUBLIC_PARAMS", "\"AByD873dTilmOSG0TjKrvpeaKEsUmIO8Vx9BeMmftwUs9v7ikPwM8P3OHyT0+X3EUMZrSe9VUp26Wai51Q9I8mdk0hX/yo7CeFGJyzoOqn8e/i4Ygbn5HoAyXJx5eXfIbqpc0bIxzju4H/HOQeOpt6h742qii5u/cbwOhFZCsMIbElZTaeU+BWMBQiZHIGHT5IE0qCordQKZ5iPZom0HeFa8Yq0ShuEyAl0WINBiY6xE3H/9WnvzXBbMuuk//eRxXgzO8ieCeK8FwQNxbfXqZm6Ro1cMhCOF3u7xoX83QhpN\"")
@@ -381,7 +382,8 @@ android {
       buildConfigField("String", "SIGNAL_CDSI_URL", "\"https://cdsi.staging.signal.org\"")
       buildConfigField("String", "SIGNAL_KEY_BACKUP_URL", "\"https://api-staging.backup.signal.org\"")
       buildConfigField("String", "SIGNAL_SVR2_URL", "\"https://svr2.staging.signal.org\"")
-      buildConfigField("String", "SVR2_MRENCLAVE", "\"a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95\"")
+      buildConfigField("String", "SVR2_MRENCLAVE_DEPRECATED", "\"a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95\"")
+      buildConfigField("String", "SVR2_MRENCLAVE", "\"acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482\"")
       buildConfigField("String", "UNIDENTIFIED_SENDER_TRUST_ROOT", "\"BbqY1DzohE4NUZoVF+L18oUPrK3kILllLEJh2UnPSsEx\"")
       buildConfigField("String", "ZKGROUP_SERVER_PUBLIC_PARAMS", "\"ABSY21VckQcbSXVNCGRYJcfWHiAMZmpTtTELcDmxgdFbtp/bWsSxZdMKzfCp8rvIs8ocCU3B37fT3r4Mi5qAemeGeR2X+/YmOGR5ofui7tD5mDQfstAI9i+4WpMtIe8KC3wU5w3Inq3uNWVmoGtpKndsNfwJrCg0Hd9zmObhypUnSkfYn2ooMOOnBpfdanRtrvetZUayDMSC5iSRcXKpdlukrpzzsCIvEwjwQlJYVPOQPj4V0F4UXXBdHSLK05uoPBCQG8G9rYIGedYsClJXnbrgGYG3eMTG5hnx4X4ntARBgELuMWWUEEfSK0mjXg+/2lPmWcTZWR9nkqgQQP0tbzuiPm74H2wMO4u1Wafe+UwyIlIT9L7KLS19Aw8r4sPrXZSSsOZ6s7M1+rTJN0bI5CKY2PX29y5Ok3jSWufIKcgKOnWoP67d5b2du2ZVJjpjfibNIHbT/cegy/sBLoFwtHogVYUewANUAXIaMPyCLRArsKhfJ5wBtTminG/PAvuBdJ70Z/bXVPf8TVsR292zQ65xwvWTejROW6AZX6aqucUj\"")
       buildConfigField("String", "GENERIC_SERVER_PUBLIC_PARAMS", "\"AHILOIrFPXX9laLbalbA9+L1CXpSbM/bTJXZGZiuyK1JaI6dK5FHHWL6tWxmHKYAZTSYmElmJ5z2A5YcirjO/yfoemE03FItyaf8W1fE4p14hzb5qnrmfXUSiAIVrhaXVwIwSzH6RL/+EO8jFIjJ/YfExfJ8aBl48CKHgu1+A6kWynhttonvWWx6h7924mIzW0Czj2ROuh4LwQyZypex4GuOPW8sgIT21KNZaafgg+KbV7XM1x1tF3XA17B4uGUaDbDw2O+nR1+U5p6qHPzmJ7ggFjSN6Utu+35dS1sS0P9N\"")
diff --git a/app/src/main/java/org/thoughtcrime/securesms/jobs/Svr2MirrorJob.kt b/app/src/main/java/org/thoughtcrime/securesms/jobs/Svr2MirrorJob.kt
index 7ce1ba6f13..86a34c5bd6 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/jobs/Svr2MirrorJob.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/jobs/Svr2MirrorJob.kt
@@ -82,7 +82,7 @@ class Svr2MirrorJob private constructor(parameters: Parameters, private var seri
 
       return when (val response: BackupResponse = session.execute()) {
         is BackupResponse.Success -> {
-          Log.i(TAG, "Successfully migrated to SVR2!")
+          Log.i(TAG, "Successfully migrated to SVR2! $svr2")
           SignalStore.svr().appendAuthTokenToList(response.authorization.asBasic())
           ApplicationDependencies.getJobManager().add(RefreshAttributesJob())
           Result.success()
diff --git a/app/src/main/java/org/thoughtcrime/securesms/migrations/ApplicationMigrations.java b/app/src/main/java/org/thoughtcrime/securesms/migrations/ApplicationMigrations.java
index 0490652dcf..a4f4dead9b 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/migrations/ApplicationMigrations.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/migrations/ApplicationMigrations.java
@@ -141,9 +141,10 @@ public class ApplicationMigrations {
     static final int THREAD_COUNT_DB_MIGRATION     = 97;
     static final int SYNC_KEYS_MIGRATION           = 98;
     static final int SELF_REGISTERTED_STATE        = 99;
+    static final int SVR2_ENCLAVE_UPDATE           = 100;
   }
 
-  public static final int CURRENT_VERSION = 99;
+  public static final int CURRENT_VERSION = 100;
 
   /**
    * This *must* be called after the {@link JobManager} has been instantiated, but *before* the call
@@ -642,6 +643,10 @@ public class ApplicationMigrations {
       jobs.put(Version.SELF_REGISTERTED_STATE,  new SelfRegisteredStateMigrationJob());
     }
 
+    if (lastSeenVersion < Version.SVR2_ENCLAVE_UPDATE) {
+      jobs.put(Version.SVR2_ENCLAVE_UPDATE,  new Svr2MirrorMigrationJob());
+    }
+
     return jobs;
   }
 
diff --git a/app/src/main/java/org/thoughtcrime/securesms/pin/SvrRepository.kt b/app/src/main/java/org/thoughtcrime/securesms/pin/SvrRepository.kt
index 9155454c36..651e1d4609 100644
--- a/app/src/main/java/org/thoughtcrime/securesms/pin/SvrRepository.kt
+++ b/app/src/main/java/org/thoughtcrime/securesms/pin/SvrRepository.kt
@@ -39,10 +39,14 @@ object SvrRepository {
 
   val TAG = Log.tag(SvrRepository::class.java)
 
+  private val svr2Deprecated: SecureValueRecovery = ApplicationDependencies.getSignalServiceAccountManager().getSecureValueRecoveryV2(BuildConfig.SVR2_MRENCLAVE_DEPRECATED)
   private val svr2: SecureValueRecovery = ApplicationDependencies.getSignalServiceAccountManager().getSecureValueRecoveryV2(BuildConfig.SVR2_MRENCLAVE)
 
-  /** An ordered list of SVR implementations. They should be in priority order, with the most important one listed first. */
-  private val implementations: List<SecureValueRecovery> = listOf(svr2)
+  /** An ordered list of SVR implementations to read from. They should be in priority order, with the most important one listed first. */
+  private val readImplementations: List<SecureValueRecovery> = listOf(svr2, svr2Deprecated)
+
+  /** An ordered list of SVR implementations to write to. They should be in priority order, with the most important one listed first. */
+  private val writeImplementations: List<SecureValueRecovery> = listOf(svr2, svr2Deprecated)
 
   /**
    * A lock that ensures that only one thread at a time is altering the various pieces of SVR state.
@@ -122,7 +126,7 @@ object SvrRepository {
     val stopwatch = Stopwatch("pin-submission")
 
     operationLock.withLock {
-      for (implementation in implementations) {
+      for (implementation in readImplementations) {
         when (val response: RestoreResponse = implementation.restoreDataPostRegistration(userPin)) {
           is RestoreResponse.Success -> {
             Log.i(TAG, "[restoreMasterKeyPostRegistration] Successfully restored master key. $implementation", true)
@@ -187,7 +191,7 @@ object SvrRepository {
   }
 
   /**
-   * Sets the user's PIN the one specified, updating local stores as necessary.
+   * Sets the user's PIN to the one specified, updating local stores as necessary.
    * The resulting Single will not throw an error in any expected case, only if there's a runtime exception.
    */
   @WorkerThread
@@ -196,7 +200,7 @@ object SvrRepository {
     return operationLock.withLock {
       val masterKey: MasterKey = SignalStore.svr().getOrCreateMasterKey()
 
-      val responses: List<BackupResponse> = implementations
+      val responses: List<BackupResponse> = writeImplementations
         .filter { it != svr2 || FeatureFlags.svr2() }
         .map { it.setPin(userPin, masterKey) }
         .map { it.execute() }