Represent identity keys as IdentityKey instances

2026-04-20 21:08:07 +01:00 · 2023-06-08 11:36:58 -04:00
parent 1c8443210a
commit 234707169e
34 changed files with 390 additions and 263 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/BaseProfileResponse.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/BaseProfileResponse.java
@@ -8,7 +8,9 @@ package org.whispersystems.textsecuregcm.entities;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;

 import java.util.List;
 import java.util.UUID;
@@ -16,9 +18,9 @@ import java.util.UUID;
 public class BaseProfileResponse {

  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  private byte[] identityKey;
+  @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+  @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
+  private IdentityKey identityKey;

  @JsonProperty
  private String unidentifiedAccess;
@@ -38,7 +40,7 @@ public class BaseProfileResponse {
  public BaseProfileResponse() {
  }

-  public BaseProfileResponse(final byte[] identityKey,
+  public BaseProfileResponse(final IdentityKey identityKey,
      final String unidentifiedAccess,
      final boolean unrestrictedUnidentifiedAccess,
      final UserCapabilities capabilities,
@@ -53,7 +55,7 @@ public class BaseProfileResponse {
    this.uuid = uuid;
  }

-  public byte[] getIdentityKey() {
+  public IdentityKey getIdentityKey() {
    return identityKey;
  }

--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/BatchIdentityCheckResponse.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/BatchIdentityCheckResponse.java
@@ -11,13 +11,25 @@ import java.util.UUID;
 import javax.annotation.Nullable;
 import javax.validation.Valid;
 import javax.validation.constraints.NotNull;
-import org.whispersystems.textsecuregcm.util.ExactlySize;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;

 public record BatchIdentityCheckResponse(@Valid List<Element> elements) {

-  public record Element(@Deprecated @JsonInclude(JsonInclude.Include.NON_EMPTY) @Nullable UUID aci,
-                        @JsonInclude(JsonInclude.Include.NON_EMPTY) @Nullable UUID uuid,
-                        @NotNull @ExactlySize(33) byte[] identityKey) {
+  public record Element(@Deprecated
+                        @JsonInclude(JsonInclude.Include.NON_EMPTY)
+                        @Nullable UUID aci,
+
+                        @JsonInclude(JsonInclude.Include.NON_EMPTY)
+                        @Nullable UUID uuid,
+
+                        @NotNull
+                        @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+                        @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
+                        IdentityKey identityKey) {

    public Element {
      if (aci == null && uuid == null) {
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/ChangeNumberRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/ChangeNumberRequest.java
@@ -7,6 +7,7 @@ package org.whispersystems.textsecuregcm.entities;

 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import io.swagger.v3.oas.annotations.media.Schema;
 import java.util.ArrayList;
 import java.util.List;
@@ -15,9 +16,10 @@ import javax.annotation.Nullable;
 import javax.validation.Valid;
 import javax.validation.constraints.AssertTrue;
 import javax.validation.constraints.NotBlank;
-import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
+import org.signal.libsignal.protocol.IdentityKey;
 import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;
 import org.whispersystems.textsecuregcm.util.ValidPreKey;
 import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;

@@ -39,8 +41,9 @@ public record ChangeNumberRequest(
    @JsonProperty("reglock") @Nullable String registrationLock,

    @Schema(description="the new public identity key to use for the phone-number identity associated with the new phone number")
-    @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-    @NotEmpty byte[] pniIdentityKey,
+    @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+    @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
+    @NotNull IdentityKey pniIdentityKey,

    @Schema(description="""
        A list of synchronization messages to send to companion devices to supply the private keysManager
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/ChangePhoneNumberRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/ChangePhoneNumberRequest.java
@@ -7,17 +7,18 @@ package org.whispersystems.textsecuregcm.entities;

 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import io.swagger.v3.oas.annotations.media.Schema;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
-
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
-import javax.validation.constraints.AssertTrue;
 import javax.annotation.Nullable;
 import javax.validation.Valid;
+import javax.validation.constraints.AssertTrue;
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;
 import org.whispersystems.textsecuregcm.util.ValidPreKey;
 import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;

@@ -32,8 +33,9 @@ public record ChangePhoneNumberRequest(
    @JsonProperty("reglock") @Nullable String registrationLock,

    @Schema(description="the new public identity key to use for the phone-number identity associated with the new phone number")
-    @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-    @Nullable byte[] pniIdentityKey,
+    @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+    @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
+    @Nullable IdentityKey pniIdentityKey,

    @Schema(description="""
        A list of synchronization messages to send to companion devices to supply the private keysManager
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/PhoneNumberIdentityKeyDistributionRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/PhoneNumberIdentityKeyDistributionRequest.java
@@ -5,27 +5,24 @@

 package org.whispersystems.textsecuregcm.entities;

+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import io.swagger.v3.oas.annotations.media.Schema;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import javax.validation.Valid;
 import javax.validation.constraints.AssertTrue;
-import javax.validation.constraints.NotBlank;
-import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
-
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;
 import org.whispersystems.textsecuregcm.util.ValidPreKey;
 import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;

 public record PhoneNumberIdentityKeyDistributionRequest(
-    @NotEmpty
-    @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
+    @NotNull
+    @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
    @Schema(description="the new identity key for this account's phone-number identity")
-    byte[] pniIdentityKey,
+    IdentityKey pniIdentityKey,
    
    @NotNull
    @Valid
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeyResponse.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeyResponse.java
@@ -6,19 +6,21 @@ package org.whispersystems.textsecuregcm.entities;

 import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.google.common.annotations.VisibleForTesting;
 import io.swagger.v3.oas.annotations.media.Schema;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
-
 import java.util.List;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;

 public class PreKeyResponse {

  @JsonProperty
-  @JsonSerialize(using = ByteArrayAdapter.Serializing.class)
+  @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+  @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
  @Schema(description="the public identity key for the requested identity")
-  private byte[] identityKey;
+  private IdentityKey identityKey;

  @JsonProperty
  @Schema(description="information about each requested device")
@@ -26,13 +28,13 @@ public class PreKeyResponse {

  public PreKeyResponse() {}

-  public PreKeyResponse(byte[] identityKey, List<PreKeyResponseItem> devices) {
+  public PreKeyResponse(IdentityKey identityKey, List<PreKeyResponseItem> devices) {
    this.identityKey = identityKey;
-    this.devices     = devices;
+    this.devices = devices;
  }

  @VisibleForTesting
-  public byte[] getIdentityKey() {
+  public IdentityKey getIdentityKey() {
    return identityKey;
  }

--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeySignatureValidator.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeySignatureValidator.java
@@ -9,27 +9,23 @@ import static com.codahale.metrics.MetricRegistry.name;
 import io.micrometer.core.instrument.Counter;
 import io.micrometer.core.instrument.Metrics;
 import java.util.Collection;
-import org.signal.libsignal.protocol.InvalidKeyException;
-import org.signal.libsignal.protocol.ecc.Curve;
-import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.IdentityKey;

 public abstract class PreKeySignatureValidator {
  public static final Counter INVALID_SIGNATURE_COUNTER =
      Metrics.counter(name(PreKeySignatureValidator.class, "invalidPreKeySignature"));

-  public static boolean validatePreKeySignatures(final byte[] identityKeyBytes, final Collection<SignedPreKey> spks) {
+  public static boolean validatePreKeySignatures(final IdentityKey identityKey, final Collection<SignedPreKey> spks) {
    try {
-      final ECPublicKey identityKey = Curve.decodePoint(identityKeyBytes, 0);
-
      final boolean success = spks.stream()
-          .allMatch(spk -> identityKey.verifySignature(spk.getPublicKey(), spk.getSignature()));
+          .allMatch(spk -> identityKey.getPublicKey().verifySignature(spk.getPublicKey(), spk.getSignature()));

      if (!success) {
        INVALID_SIGNATURE_COUNTER.increment();
      }

      return success;
-    } catch (IllegalArgumentException | InvalidKeyException e) {
+    } catch (final IllegalArgumentException e) {
      INVALID_SIGNATURE_COUNTER.increment();
      return false;
    }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeyState.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/PreKeyState.java
@@ -6,16 +6,16 @@ package org.whispersystems.textsecuregcm.entities;

 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.google.common.annotations.VisibleForTesting;
 import io.swagger.v3.oas.annotations.media.Schema;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
-
 import java.util.ArrayList;
 import java.util.List;
 import javax.validation.Valid;
 import javax.validation.constraints.AssertTrue;
-import javax.validation.constraints.NotEmpty;
 import javax.validation.constraints.NotNull;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.whispersystems.textsecuregcm.util.IdentityKeyAdapter;
 import org.whispersystems.textsecuregcm.util.ValidPreKey;
 import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;

@@ -55,24 +55,24 @@ public class PreKeyState {
  private SignedPreKey pqLastResortPreKey;

  @JsonProperty
-  @JsonDeserialize(using = ByteArrayAdapter.Deserializing.class)
-  @NotEmpty
+  @JsonSerialize(using = IdentityKeyAdapter.Serializer.class)
+  @JsonDeserialize(using = IdentityKeyAdapter.Deserializer.class)
  @NotNull
  @Schema(description="Required. " +
      "The public identity key for this identity (account or phone-number identity). " +
      "If this device is not the primary device for the account, " +
      "must match the existing stored identity key for this identity.")
-  private byte[] identityKey;
+  private IdentityKey identityKey;

  public PreKeyState() {}

  @VisibleForTesting
-  public PreKeyState(byte[] identityKey, SignedPreKey signedPreKey, List<PreKey> keys) {
+  public PreKeyState(IdentityKey identityKey, SignedPreKey signedPreKey, List<PreKey> keys) {
    this(identityKey, signedPreKey, keys, null, null);
  }

  @VisibleForTesting
-  public PreKeyState(byte[] identityKey, SignedPreKey signedPreKey, List<PreKey> keys, List<SignedPreKey> pqKeys, SignedPreKey pqLastResortKey) {
+  public PreKeyState(IdentityKey identityKey, SignedPreKey signedPreKey, List<PreKey> keys, List<SignedPreKey> pqKeys, SignedPreKey pqLastResortKey) {
    this.identityKey = identityKey;
    this.signedPreKey = signedPreKey;
    this.preKeys = keys;
@@ -96,7 +96,7 @@ public class PreKeyState {
    return pqLastResortPreKey;
  }

-  public byte[] getIdentityKey() {
+  public IdentityKey getIdentityKey() {
    return identityKey;
  }

--- a/service/src/main/java/org/whispersystems/textsecuregcm/entities/RegistrationRequest.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/entities/RegistrationRequest.java
@@ -12,16 +12,16 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.google.common.annotations.VisibleForTesting;
 import io.swagger.v3.oas.annotations.media.Schema;
-import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
-import org.whispersystems.textsecuregcm.util.OptionalBase64ByteArrayDeserializer;
-import org.whispersystems.textsecuregcm.util.ValidPreKey;
-import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;
-
+import java.util.List;
+import java.util.Optional;
 import javax.validation.Valid;
 import javax.validation.constraints.AssertTrue;
 import javax.validation.constraints.NotNull;
-import java.util.List;
-import java.util.Optional;
+import org.signal.libsignal.protocol.IdentityKey;
+import org.whispersystems.textsecuregcm.util.ByteArrayAdapter;
+import org.whispersystems.textsecuregcm.util.OptionalIdentityKeyAdapter;
+import org.whispersystems.textsecuregcm.util.ValidPreKey;
+import org.whispersystems.textsecuregcm.util.ValidPreKey.PreKeyType;

 public record RegistrationRequest(@Schema(requiredMode = Schema.RequiredMode.NOT_REQUIRED, description = """
                                  The ID of an existing verification session as it appears in a verification session
@@ -57,16 +57,18 @@ public record RegistrationRequest(@Schema(requiredMode = Schema.RequiredMode.NOT
                                  provided, an account will be created "atomically," and all other properties needed for
                                  atomic account creation must also be present.
                                  """)
-                                  @JsonDeserialize(using = OptionalBase64ByteArrayDeserializer.class)
-                                  Optional<byte[]> aciIdentityKey,
+                                  @JsonSerialize(using = OptionalIdentityKeyAdapter.Serializer.class)
+                                  @JsonDeserialize(using = OptionalIdentityKeyAdapter.Deserializer.class)
+                                  Optional<IdentityKey> aciIdentityKey,

                                  @Schema(requiredMode = Schema.RequiredMode.NOT_REQUIRED, description = """
                                  The PNI-associated identity key for the account, encoded as a base64 string. If
                                  provided, an account will be created "atomically," and all other properties needed for
                                  atomic account creation must also be present.
                                  """)
-                                  @JsonDeserialize(using = OptionalBase64ByteArrayDeserializer.class)
-                                  Optional<byte[]> pniIdentityKey,
+                                  @JsonSerialize(using = OptionalIdentityKeyAdapter.Serializer.class)
+                                  @JsonDeserialize(using = OptionalIdentityKeyAdapter.Deserializer.class)
+                                  Optional<IdentityKey> pniIdentityKey,

                                  @JsonUnwrapped
                                  @JsonProperty(access = JsonProperty.Access.READ_ONLY)
@@ -78,8 +80,8 @@ public record RegistrationRequest(@Schema(requiredMode = Schema.RequiredMode.NOT
      @JsonProperty("recoveryPassword") byte[] recoveryPassword,
      @JsonProperty("accountAttributes") AccountAttributes accountAttributes,
      @JsonProperty("skipDeviceTransfer") boolean skipDeviceTransfer,
-      @JsonProperty("aciIdentityKey") Optional<byte[]> aciIdentityKey,
-      @JsonProperty("pniIdentityKey") Optional<byte[]> pniIdentityKey,
+      @JsonProperty("aciIdentityKey") Optional<IdentityKey> aciIdentityKey,
+      @JsonProperty("pniIdentityKey") Optional<IdentityKey> pniIdentityKey,
      @JsonProperty("aciSignedPreKey") Optional<@Valid @ValidPreKey(type=PreKeyType.ECC) SignedPreKey> aciSignedPreKey,
      @JsonProperty("pniSignedPreKey") Optional<@Valid @ValidPreKey(type=PreKeyType.ECC) SignedPreKey> pniSignedPreKey,
      @JsonProperty("aciPqLastResortPreKey") Optional<@Valid @ValidPreKey(type=PreKeyType.KYBER) SignedPreKey> aciPqLastResortPreKey,
@@ -103,7 +105,7 @@ public record RegistrationRequest(@Schema(requiredMode = Schema.RequiredMode.NOT
  }

  @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-  private static boolean validatePreKeySignature(final Optional<byte[]> maybeIdentityKey,
+  private static boolean validatePreKeySignature(final Optional<IdentityKey> maybeIdentityKey,
      final Optional<SignedPreKey> maybeSignedPreKey) {

    return maybeSignedPreKey.map(signedPreKey -> maybeIdentityKey