Update KT search requests to include a value and maybe an unidentified access key

2026-04-20 00:58:07 +01:00 · 2024-10-23 10:21:38 -04:00
parent 3fdb691702
commit 013e45596e
5 changed files with 140 additions and 34 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/KeyTransparencyController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/KeyTransparencyController.java
@@ -56,8 +56,10 @@ public class KeyTransparencyController {
  private static final Logger LOGGER = LoggerFactory.getLogger(KeyTransparencyController.class);
  @VisibleForTesting
  static final Duration KEY_TRANSPARENCY_RPC_TIMEOUT = Duration.ofSeconds(15);
-  private static final byte USERNAME_PREFIX = (byte) 'u';
-  private static final byte E164_PREFIX = (byte) 'n';
+  @VisibleForTesting
+  static final byte USERNAME_PREFIX = (byte) 'u';
+  @VisibleForTesting
+  static final byte E164_PREFIX = (byte) 'n';
  @VisibleForTesting
  static final byte ACI_PREFIX = (byte) 'a';
  private final KeyTransparencyServiceClient keyTransparencyServiceClient;
@@ -76,7 +78,7 @@ public class KeyTransparencyController {
  @ApiResponse(responseCode = "200", description = "All search key lookups were successful", useReturnTypeSchema = true)
  @ApiResponse(responseCode = "403", description = "At least one search key lookup to value mapping was invalid")
  @ApiResponse(responseCode = "404", description = "At least one search key lookup did not find the key")
-  @ApiResponse(responseCode = "413", description = "Ratelimited")
+  @ApiResponse(responseCode = "429", description = "Ratelimited")
  @ApiResponse(responseCode = "422", description = "Invalid request format")
  @POST
  @Path("/search")
@@ -92,6 +94,8 @@ public class KeyTransparencyController {
    try {
      final CompletableFuture<byte[]> aciSearchKeyResponseFuture = keyTransparencyServiceClient.search(
          getFullSearchKeyByteString(ACI_PREFIX, request.aci().toCompactByteArray()),
+          ByteString.copyFrom(request.aciIdentityKey().serialize()),
+          Optional.empty(),
          request.lastTreeHeadSize(),
          request.distinguishedTreeHeadSize(),
          KEY_TRANSPARENCY_RPC_TIMEOUT);
@@ -99,6 +103,8 @@ public class KeyTransparencyController {
      final CompletableFuture<byte[]> e164SearchKeyResponseFuture = request.e164()
          .map(e164 -> keyTransparencyServiceClient.search(
              getFullSearchKeyByteString(E164_PREFIX, e164.getBytes(StandardCharsets.UTF_8)),
+              ByteString.copyFrom(request.aci().toCompactByteArray()),
+              Optional.of(ByteString.copyFrom(request.unidentifiedAccessKey().get())),
              request.lastTreeHeadSize(),
              request.distinguishedTreeHeadSize(),
              KEY_TRANSPARENCY_RPC_TIMEOUT))
@@ -107,6 +113,8 @@ public class KeyTransparencyController {
      final CompletableFuture<byte[]> usernameHashSearchKeyResponseFuture = request.usernameHash()
          .map(usernameHash -> keyTransparencyServiceClient.search(
              getFullSearchKeyByteString(USERNAME_PREFIX, request.usernameHash().get()),
+              ByteString.copyFrom(request.aci().toCompactByteArray()),
+              Optional.empty(),
              request.lastTreeHeadSize(),
              request.distinguishedTreeHeadSize(),
              KEY_TRANSPARENCY_RPC_TIMEOUT))
@@ -138,7 +146,7 @@ public class KeyTransparencyController {
  )
  @ApiResponse(responseCode = "200", description = "All search keys exist in the log", useReturnTypeSchema = true)
  @ApiResponse(responseCode = "404", description = "At least one search key lookup did not find the key")
-  @ApiResponse(responseCode = "413", description = "Ratelimited")
+  @ApiResponse(responseCode = "429", description = "Ratelimited")
  @ApiResponse(responseCode = "422", description = "Invalid request format")
  @POST
  @Path("/monitor")
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/KeyTransparencySearchRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/KeyTransparencySearchRequest.java
@@ -8,11 +8,15 @@ package org.whispersystems.textsecuregcm.entities;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import io.swagger.v3.oas.annotations.media.Schema;
+import org.signal.libsignal.protocol.IdentityKey;
 import org.whispersystems.textsecuregcm.identity.AciServiceIdentifier;
 import org.whispersystems.textsecuregcm.util.ByteArrayBase64UrlAdapter;
+import org.whispersystems.textsecuregcm.util.ByteArrayBase64WithPaddingAdapter;
 import org.whispersystems.textsecuregcm.util.E164;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;
 import org.whispersystems.textsecuregcm.util.ServiceIdentifierAdapter;

+import javax.validation.constraints.AssertTrue;
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Positive;
 import java.util.Optional;
@@ -33,9 +37,25 @@ public record KeyTransparencySearchRequest(
    @Schema(description = "The username hash to look up, encoded in web-safe unpadded base64.")
    Optional<byte[]> usernameHash,

+    @NotNull
+    @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+    @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
+    @Schema(description="The public aci identity key associated with the provided aci")
+    IdentityKey aciIdentityKey,
+
+    @JsonSerialize(contentUsing = ByteArrayBase64WithPaddingAdapter.Serializing.class)
+    @JsonDeserialize(contentUsing = ByteArrayBase64WithPaddingAdapter.Deserializing.class)
+    @Schema(description="The unidentified access key associated with the account")
+    Optional<byte[]> unidentifiedAccessKey,
+
    @Schema(description = "The non-distinguished tree head size to prove consistency against.")
    Optional<@Positive Long> lastTreeHeadSize,

    @Schema(description = "The distinguished tree head size to prove consistency against.")
    Optional<@Positive Long> distinguishedTreeHeadSize
-) {}
+) {
+    @AssertTrue
+    public boolean isUnidentifiedAccessKeyProvidedWithE164() {
+      return unidentifiedAccessKey.isPresent() == e164.isPresent();
+    }
+}
--- a/service/src/main/java/org/whispersystems/textsecuregcm/keytransparency/KeyTransparencyServiceClient.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/keytransparency/KeyTransparencyServiceClient.java
@@ -52,13 +52,19 @@ public class KeyTransparencyServiceClient implements Managed {
    this.callbackExecutor = callbackExecutor;
  }

+  @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
  public CompletableFuture<byte[]> search(
      final ByteString searchKey,
+      final ByteString mappedValue,
+      final Optional<ByteString> unidentifiedAccessKey,
      final Optional<Long> lastTreeHeadSize,
      final Optional<Long> distinguishedTreeHeadSize,
      final Duration timeout) {
    final SearchRequest.Builder searchRequestBuilder = SearchRequest.newBuilder()
-        .setSearchKey(searchKey);
+        .setSearchKey(searchKey)
+        .setMappedValue(mappedValue);
+
+    unidentifiedAccessKey.ifPresent(searchRequestBuilder::setUnidentifiedAccessKey);

    final ConsistencyParameters.Builder consistency = ConsistencyParameters.newBuilder();
    lastTreeHeadSize.ifPresent(consistency::setLast);
@@ -71,6 +77,7 @@ public class KeyTransparencyServiceClient implements Managed {
        .thenApply(AbstractMessageLite::toByteArray);
  }

+  @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
  public CompletableFuture<byte[]> monitor(final List<MonitorKey> monitorKeys,
      final Optional<Long> lastTreeHeadSize,
      final Optional<Long> distinguishedTreeHeadSize,