Validate pre-key signatures via the legacy "set signed pre-key" endpoint

service/src/test/java/org/whispersystems/textsecuregcm/controllers/KeysControllerTest.java

@@ -32,7 +32,6 @@ import java.util.Optional;
 import java.util.OptionalInt;
 import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
-import java.util.function.Consumer;
 import javax.ws.rs.client.Entity;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -42,6 +41,9 @@ import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EnumSource;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.ArgumentCaptor;
 import org.signal.libsignal.protocol.IdentityKey;
 import org.signal.libsignal.protocol.ecc.Curve;
@@ -269,8 +271,6 @@ class KeysControllerTest {
     when(KEYS.getEcCount(AuthHelper.VALID_UUID, sampleDeviceId)).thenReturn(CompletableFuture.completedFuture(5));
     when(KEYS.getPqCount(AuthHelper.VALID_UUID, sampleDeviceId)).thenReturn(CompletableFuture.completedFuture(5));
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.ACI)).thenReturn(null);
-
     when(KEYS.getEcSignedPreKey(AuthHelper.VALID_UUID, AuthHelper.VALID_DEVICE.getId()))
         .thenReturn(CompletableFuture.completedFuture(Optional.of(VALID_DEVICE_SIGNED_KEY)));
 
@@ -309,7 +309,7 @@ class KeysControllerTest {
 
   @Test
   void putSignedPreKeyV2() {
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(9998, IDENTITY_KEY_PAIR);
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(9998, AuthHelper.VALID_IDENTITY_KEY_PAIR);
 
     try (final Response response = resources.getJerseyTest()
                                  .target("/v2/keys/signed")
@@ -324,7 +324,7 @@ class KeysControllerTest {
 
   @Test
   void putPhoneNumberIdentitySignedPreKeyV2() {
-    final ECSignedPreKey pniSignedPreKey = KeysHelper.signedECPreKey(9998, PNI_IDENTITY_KEY_PAIR);
+    final ECSignedPreKey pniSignedPreKey = KeysHelper.signedECPreKey(9998, AuthHelper.VALID_PNI_IDENTITY_KEY_PAIR);
 
     try (final Response response = resources.getJerseyTest()
         .target("/v2/keys/signed")
@@ -338,6 +338,23 @@ class KeysControllerTest {
     }
   }
 
+  @ParameterizedTest
+  @EnumSource(IdentityType.class)
+  void putSignedPreKeyV2BadSignature(final IdentityType identityType) {
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(9998, Curve.generateKeyPair());
+
+    try (final Response response = resources.getJerseyTest()
+        .target("/v2/keys/signed")
+        .queryParam("identity", identityType.name().toLowerCase())
+        .request()
+        .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_UUID, AuthHelper.VALID_PASSWORD))
+        .put(Entity.entity(signedPreKey, MediaType.APPLICATION_JSON_TYPE))) {
+
+      assertThat(response.getStatus()).isEqualTo(422);
+      verify(KEYS, never()).storeEcSignedPreKeys(any(), anyByte(), any());
+    }
+  }
+
   @Test
   void validSingleRequestTestV2() {
     PreKeyResponse result = resources.getJerseyTest()
@@ -740,14 +757,10 @@ class KeysControllerTest {
   @Test
   void putKeysTestV2() {
     final ECPreKey preKey = KeysHelper.ecPreKey(31337);
-    final ECKeyPair identityKeyPair = Curve.generateKeyPair();
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, identityKeyPair);
-    final IdentityKey identityKey = new IdentityKey(identityKeyPair.getPublicKey());
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, AuthHelper.VALID_IDENTITY_KEY_PAIR);
 
     final SetKeysRequest setKeysRequest = new SetKeysRequest(List.of(preKey), signedPreKey, null, null);
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.ACI)).thenReturn(identityKey);
-
     Response response =
         resources.getJerseyTest()
                  .target("/v2/keys")
@@ -768,14 +781,10 @@ class KeysControllerTest {
 
   @Test
   void putKeysTestV2EmptySingleUseKeysList() {
-    final ECKeyPair identityKeyPair = Curve.generateKeyPair();
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, identityKeyPair);
-    final IdentityKey identityKey = new IdentityKey(identityKeyPair.getPublicKey());
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, AuthHelper.VALID_IDENTITY_KEY_PAIR);
 
     final SetKeysRequest setKeysRequest = new SetKeysRequest(List.of(), signedPreKey, List.of(), null);
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.ACI)).thenReturn(identityKey);
-
     try (final Response response =
         resources.getJerseyTest()
             .target("/v2/keys")
@@ -794,17 +803,13 @@ class KeysControllerTest {
   @Test
   void putKeysPqTestV2() {
     final ECPreKey preKey = KeysHelper.ecPreKey(31337);
-    final ECKeyPair identityKeyPair = Curve.generateKeyPair();
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, identityKeyPair);
-    final KEMSignedPreKey pqPreKey = KeysHelper.signedKEMPreKey(31339, identityKeyPair);
-    final KEMSignedPreKey pqLastResortPreKey = KeysHelper.signedKEMPreKey(31340, identityKeyPair);
-    final IdentityKey identityKey = new IdentityKey(identityKeyPair.getPublicKey());
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, AuthHelper.VALID_IDENTITY_KEY_PAIR);
+    final KEMSignedPreKey pqPreKey = KeysHelper.signedKEMPreKey(31339, AuthHelper.VALID_IDENTITY_KEY_PAIR);
+    final KEMSignedPreKey pqLastResortPreKey = KeysHelper.signedKEMPreKey(31340, AuthHelper.VALID_IDENTITY_KEY_PAIR);
 
     final SetKeysRequest setKeysRequest =
         new SetKeysRequest(List.of(preKey), signedPreKey, List.of(pqPreKey), pqLastResortPreKey);
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.ACI)).thenReturn(identityKey);
-
     Response response =
         resources.getJerseyTest()
                  .target("/v2/keys")
@@ -901,14 +906,10 @@ class KeysControllerTest {
   @Test
   void putKeysByPhoneNumberIdentifierTestV2() {
     final ECPreKey preKey = KeysHelper.ecPreKey(31337);
-    final ECKeyPair identityKeyPair = Curve.generateKeyPair();
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, identityKeyPair);
-    final IdentityKey identityKey = new IdentityKey(identityKeyPair.getPublicKey());
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, AuthHelper.VALID_PNI_IDENTITY_KEY_PAIR);
 
     final SetKeysRequest setKeysRequest = new SetKeysRequest(List.of(preKey), signedPreKey, null, null);
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.PNI)).thenReturn(identityKey);
-
     Response response =
         resources.getJerseyTest()
             .target("/v2/keys")
@@ -930,17 +931,13 @@ class KeysControllerTest {
   @Test
   void putKeysByPhoneNumberIdentifierPqTestV2() {
     final ECPreKey preKey = KeysHelper.ecPreKey(31337);
-    final ECKeyPair identityKeyPair = Curve.generateKeyPair();
-    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, identityKeyPair);
-    final KEMSignedPreKey pqPreKey = KeysHelper.signedKEMPreKey(31339, identityKeyPair);
-    final KEMSignedPreKey pqLastResortPreKey = KeysHelper.signedKEMPreKey(31340, identityKeyPair);
-    final IdentityKey identityKey = new IdentityKey(identityKeyPair.getPublicKey());
+    final ECSignedPreKey signedPreKey = KeysHelper.signedECPreKey(31338, AuthHelper.VALID_PNI_IDENTITY_KEY_PAIR);
+    final KEMSignedPreKey pqPreKey = KeysHelper.signedKEMPreKey(31339, AuthHelper.VALID_PNI_IDENTITY_KEY_PAIR);
+    final KEMSignedPreKey pqLastResortPreKey = KeysHelper.signedKEMPreKey(31340, AuthHelper.VALID_PNI_IDENTITY_KEY_PAIR);
 
     final SetKeysRequest setKeysRequest =
         new SetKeysRequest(List.of(preKey), signedPreKey, List.of(pqPreKey), pqLastResortPreKey);
 
-    when(AuthHelper.VALID_ACCOUNT.getIdentityKey(IdentityType.PNI)).thenReturn(identityKey);
-
     Response response =
         resources.getJerseyTest()
             .target("/v2/keys")

service/src/test/java/org/whispersystems/textsecuregcm/tests/util/AuthHelper.java

@@ -29,7 +29,8 @@ import java.util.UUID;
 import org.junit.jupiter.api.extension.AfterEachCallback;
 import org.junit.jupiter.api.extension.ExtensionContext;
 import org.signal.libsignal.protocol.IdentityKey;
-import org.signal.libsignal.protocol.ecc.ECPublicKey;
+import org.signal.libsignal.protocol.ecc.Curve;
+import org.signal.libsignal.protocol.ecc.ECKeyPair;
 import org.whispersystems.textsecuregcm.auth.AccountAuthenticator;
 import org.whispersystems.textsecuregcm.auth.AuthenticatedAccount;
 import org.whispersystems.textsecuregcm.auth.SaltedTokenHash;
@@ -70,8 +71,11 @@ public class AuthHelper {
   public static final UUID   UNDISCOVERABLE_UUID     = UUID.randomUUID();
   public static final String UNDISCOVERABLE_PASSWORD = "IT'S A SECRET TO EVERYBODY.";
 
-  public static final IdentityKey VALID_IDENTITY = new IdentityKey(ECPublicKey.fromPublicKeyBytes(
-      Base64.getDecoder().decode("BcxxDU9FGMda70E7+Uvm7pnQcEdXQ64aJCpPUeRSfcFo")));
+  public static final ECKeyPair VALID_IDENTITY_KEY_PAIR = Curve.generateKeyPair();
+  public static final IdentityKey VALID_IDENTITY = new IdentityKey(VALID_IDENTITY_KEY_PAIR.getPublicKey());
+
+  public static final ECKeyPair VALID_PNI_IDENTITY_KEY_PAIR = Curve.generateKeyPair();
+  public static final IdentityKey VALID_PNI_IDENTITY = new IdentityKey(VALID_PNI_IDENTITY_KEY_PAIR.getPublicKey());
 
   public static AccountsManager ACCOUNTS_MANAGER       = mock(AccountsManager.class);
   public static Account         VALID_ACCOUNT          = mock(Account.class        );
@@ -179,6 +183,7 @@ public class AuthHelper {
     when(VALID_ACCOUNT_3.isIdentifiedBy(new PniServiceIdentifier(VALID_PNI_3))).thenReturn(true);
 
     when(VALID_ACCOUNT.getIdentityKey(IdentityType.ACI)).thenReturn(VALID_IDENTITY);
+    when(VALID_ACCOUNT.getIdentityKey(IdentityType.PNI)).thenReturn(VALID_PNI_IDENTITY);
 
     reset(ACCOUNTS_MANAGER);