Add support for AuthCredentialAsPni with pniAsServiceId=true

Update to libsignal 0.30.0, and add a new query param to /v1/certificate/auth/group, "pniAsServiceId=true", that uses the new encoding of PNIs in zkgroup rather than encoding PNIs the same way as ACIs, as we have been doing. Also includes all the adjustments for the libsignal 0.30.0 update.
2026-04-20 14:18:04 +01:00 · 2023-07-20 15:09:35 -07:00
parent 705fb93e45
commit 7a5dcc700e
6 changed files with 90 additions and 39 deletions
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CallLinkController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CallLinkController.java
@@ -4,6 +4,7 @@ import com.codahale.metrics.annotation.Timed;
 import io.dropwizard.auth.Auth;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import org.signal.libsignal.protocol.ServiceId;
 import org.signal.libsignal.zkgroup.GenericServerSecretParams;
 import org.signal.libsignal.zkgroup.InvalidInputException;
 import org.signal.libsignal.zkgroup.calllinks.CreateCallLinkCredentialRequest;
@@ -68,7 +69,7 @@ public class CallLinkController {
    }

    return new CreateCallLinkCredential(
-        createCallLinkCredentialRequest.issueCredential(auth.getAccount().getUuid(), truncatedDayTimestamp, genericServerSecretParams).serialize(),
+        createCallLinkCredentialRequest.issueCredential(new ServiceId.Aci(auth.getAccount().getUuid()), truncatedDayTimestamp, genericServerSecretParams).serialize(),
        truncatedDayTimestamp.getEpochSecond()
    );
  }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/CertificateController.java
@@ -32,6 +32,8 @@ import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;

+import org.signal.libsignal.protocol.ServiceId;
+import org.signal.libsignal.zkgroup.auth.AuthCredentialWithPniResponse;
 import org.signal.libsignal.zkgroup.auth.ServerZkAuthOperations;
 import org.signal.libsignal.zkgroup.calllinks.CallLinkAuthCredentialResponse;
 import org.signal.libsignal.zkgroup.GenericServerSecretParams;
@@ -92,7 +94,8 @@ public class CertificateController {
  public GroupCredentials getGroupAuthenticationCredentials(
      @Auth AuthenticatedAccount auth,
      @QueryParam("redemptionStartSeconds") int startSeconds,
-      @QueryParam("redemptionEndSeconds") int endSeconds) {
+      @QueryParam("redemptionEndSeconds") int endSeconds,
+      @QueryParam("pniAsServiceId") boolean pniAsServiceId) {

    final Instant startOfDay = clock.instant().truncatedTo(ChronoUnit.DAYS);
    final Instant redemptionStart = Instant.ofEpochSecond(startSeconds);
@@ -112,12 +115,18 @@ public class CertificateController {

    Instant redemption = redemptionStart;

-    UUID aci = auth.getAccount().getUuid();
-    UUID pni = auth.getAccount().getPhoneNumberIdentifier();
+    ServiceId.Aci aci = new ServiceId.Aci(auth.getAccount().getUuid());
+    ServiceId.Pni pni = new ServiceId.Pni(auth.getAccount().getPhoneNumberIdentifier());

    while (!redemption.isAfter(redemptionEnd)) {
+      AuthCredentialWithPniResponse authCredentialWithPni;
+      if (pniAsServiceId) {
+        authCredentialWithPni = serverZkAuthOperations.issueAuthCredentialWithPniAsServiceId(aci, pni, redemption);
+      } else {
+        authCredentialWithPni = serverZkAuthOperations.issueAuthCredentialWithPniAsAci(aci, pni, redemption);
+      }
      credentials.add(new GroupCredentials.GroupCredential(
-          serverZkAuthOperations.issueAuthCredentialWithPni(aci, pni, redemption).serialize(),
+          authCredentialWithPni.serialize(),
          (int) redemption.getEpochSecond()));

      callLinkAuthCredentials.add(new GroupCredentials.CallLinkAuthCredential(
@@ -128,6 +137,6 @@ public class CertificateController {
    }


-    return new GroupCredentials(credentials, callLinkAuthCredentials, pni);
+    return new GroupCredentials(credentials, callLinkAuthCredentials, pni.getRawUUID());
  }
 }
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/ProfileController.java
@@ -65,6 +65,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.apache.commons.lang3.StringUtils;
 import org.signal.libsignal.protocol.IdentityKey;
+import org.signal.libsignal.protocol.ServiceId;
 import org.signal.libsignal.zkgroup.InvalidInputException;
 import org.signal.libsignal.zkgroup.VerificationFailedException;
 import org.signal.libsignal.zkgroup.profiles.ExpiringProfileKeyCredentialResponse;
@@ -401,7 +402,7 @@ public class ProfileController {
      final ContainerRequestContext containerRequestContext) {

    final ExpiringProfileKeyCredentialResponse expiringProfileKeyCredentialResponse = profilesManager.get(account.getUuid(), version)
-        .map(profile -> getExpiringProfileKeyCredentialResponse(encodedCredentialRequest, profile, account.getUuid(), expiration))
+        .map(profile -> getExpiringProfileKeyCredentialResponse(encodedCredentialRequest, profile, new ServiceId.Aci(account.getUuid()), expiration))
        .orElse(null);

    return new ExpiringProfileKeyCredentialProfileResponse(
@@ -465,7 +466,7 @@ public class ProfileController {
  private ExpiringProfileKeyCredentialResponse getExpiringProfileKeyCredentialResponse(
      final String encodedCredentialRequest,
      final VersionedProfile profile,
-      final UUID accountIdentifier,
+      final ServiceId.Aci accountIdentifier,
      final Instant expiration) {

    try {