handle secret pushing on for key backups

- push backup key when we reset backup
- handle pushed backup key

Author: uhoreg

spec/integ/crypto/crypto.spec.ts

@@ -84,6 +84,7 @@ import {
     createOlmAccount,
     createOlmSession,
     encryptGroupSessionKey,
+    encryptOlmEvent,
     encryptMegolmEvent,
     encryptMegolmEventRawPlainText,
     establishOlmSession,
@@ -2311,4 +2312,107 @@ describe("crypto", () => {
             );
         }
     });
+
+    describe("secret pushing", () => {
+        it("should push a new backup key when a new backup key is set", async () => {
+            // setup: alice has another device, DEVICE_ID, which is verified
+            const crypto = aliceClient.getCrypto()!;
+            expectAliceKeyQuery(getTestKeysQueryResponse("@alice:localhost"));
+            await startClientAndAwaitFirstSync();
+            const devices = await aliceClient.getCrypto()!.getUserDeviceInfo(["@alice:localhost"]);
+            expect(devices.get("@alice:localhost")!.keys()).toContain("DEVICE_ID");
+            await crypto.setDeviceVerified("@alice:localhost", "DEVICE_ID");
+
+            expectAliceKeyClaim(getTestKeysClaimResponse("@alice:localhost"));
+
+            // when we set a new backup key
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", {
+                status: 404,
+                body: { errcode: "M_NOT_FOUND", error: "No current backup version." },
+            });
+            fetchMock.post("path:/_matrix/client/v3/room_keys/version", {
+                status: 200,
+                body: { version: "1" },
+            });
+            const secretPushPromise = new Promise<any>((resolve) => {
+                fetchMock.putOnce(new RegExp("/sendToDevice/m.room.encrypted/"), (callLog): RouteResponse => {
+                    const content = JSON.parse(callLog.options.body as string);
+                    resolve(content);
+                    return {};
+                });
+            });
+
+            await crypto.resetKeyBackup();
+
+            // we expect the other device to get a secret push
+            const content = await secretPushPromise;
+            const curve25519key = JSON.parse(testOlmAccount.identity_keys()).curve25519;
+            const ciphertext = content.messages["@alice:localhost"].DEVICE_ID.ciphertext[curve25519key];
+            const olmSession = new Olm.Session();
+            olmSession.create_inbound(testOlmAccount, ciphertext.body);
+            const decrypted = JSON.parse(olmSession.decrypt(0, ciphertext.body));
+            expect(decrypted.type).toBe("io.element.msc4385.secret.push");
+            expect(decrypted.content.name).toBe("m.megolm_backup.v1");
+        });
+
+        it("should receive pushed backup key", async () => {
+            // setup: alice has another device, DEVICE_ID, which is verified,
+            // and has a key backup set up and signed by DEVICE_ID
+            const crypto = aliceClient.getCrypto()!;
+            expectAliceKeyQuery(getTestKeysQueryResponse("@alice:localhost"));
+            fetchMock.get("path:/_matrix/client/v3/room_keys/version", testData.SIGNED_BACKUP_DATA);
+            await startClientAndAwaitFirstSync();
+            const devices = await aliceClient.getCrypto()!.getUserDeviceInfo(["@alice:localhost"]);
+            expect(devices.get("@alice:localhost")!.keys()).toContain("DEVICE_ID");
+            await crypto.setDeviceVerified("@alice:localhost", "DEVICE_ID");
+
+            expectAliceKeyClaim(getTestKeysClaimResponse("@alice:localhost"));
+
+            // after we push the backup key to alice...
+
+            const senderIdentityKeys = JSON.parse(testOlmAccount.identity_keys());
+            const aliceDeviceKeys = await crypto.getOwnDeviceKeys();
+            const p2pSession = await createOlmSession(testOlmAccount, keyReceiver);
+            const secretPush = encryptOlmEvent({
+                sender: "@alice:localhost",
+                senderKey: senderIdentityKeys.curve25519,
+                senderSigningKey: senderIdentityKeys.ed25519,
+                p2pSession,
+                recipient: "@alice:localhost",
+                recipientCurve25519Key: aliceDeviceKeys.curve25519,
+                recipientEd25519Key: aliceDeviceKeys.ed25519,
+                plaincontent: {
+                    secret: testData.BACKUP_DECRYPTION_KEY_BASE64,
+                    name: "m.megolm_backup.v1",
+                },
+                plaintype: "io.element.msc4385.secret.push",
+            });
+
+            const syncResponse = {
+                next_batch: 1,
+                to_device: {
+                    events: [secretPush],
+                },
+            };
+
+            const backupKeyReceivedPromise = new Promise<string>((resolve) => {
+                aliceClient.on(CryptoEvent.KeyBackupDecryptionKeyCached, resolve);
+            });
+            const keyBackupEnabledPromise = new Promise<void>((resolve) => {
+                aliceClient.on(CryptoEvent.KeyBackupStatus, (enabled) => {
+                    if (enabled) {
+                        resolve();
+                    }
+                });
+            });
+
+            syncResponder.sendOrQueueSyncResponse(syncResponse);
+            await syncPromise(aliceClient);
+
+            // alice should be using backup now
+            expect(await backupKeyReceivedPromise).toBe(testData.SIGNED_BACKUP_DATA.version);
+            await keyBackupEnabledPromise;
+            expect(await crypto.getActiveSessionBackupVersion()).toBe(testData.SIGNED_BACKUP_DATA.version);
+        });
+    });
 });

spec/unit/rust-crypto/rust-crypto.spec.ts

@@ -98,8 +98,11 @@ describe("initRustCrypto", () => {
         return {
             registerRoomKeyUpdatedCallback: vi.fn(),
             registerUserIdentityUpdatedCallback: vi.fn(),
-            getSecretsFromInbox: vi.fn().mockResolvedValue([]),
+            getPushedSecretsFromInbox: vi.fn().mockResolvedValue(new Set()),
+            getSecretsFromInbox: vi.fn().mockResolvedValue(new Set()),
+            deletePushedSecretsFromInbox: vi.fn(),
             deleteSecretsFromInbox: vi.fn(),
+            registerReceivePushedSecretCallback: vi.fn(),
             registerReceiveSecretCallback: vi.fn(),
             registerDevicesUpdatedCallback: vi.fn(),
             registerRoomKeysWithheldCallback: vi.fn(),
@@ -788,6 +791,7 @@ describe("RustCrypto", () => {
                 undefined,
                 secretStorage,
             );
+            vi.spyOn(rustCrypto, "pushSecretToVerifiedDevices").mockResolvedValue();
 
             async function createSecretStorageKey() {
                 return {
@@ -835,6 +839,7 @@ describe("RustCrypto", () => {
                 {} as CryptoCallbacks,
                 false,
             );
+            vi.spyOn(rustCrypto, "pushSecretToVerifiedDevices").mockResolvedValue();
 
             async function createSecretStorageKey() {
                 return {
@@ -2320,6 +2325,7 @@ describe("RustCrypto", () => {
             });
 
             const rustCrypto = await makeTestRustCrypto(makeMatrixHttpApi(), undefined, undefined, secretStorage);
+            vi.spyOn(rustCrypto, "pushSecretToVerifiedDevices").mockResolvedValue();
 
             // We have a key backup
             await waitFor(async () => expect(await rustCrypto.getActiveSessionBackupVersion()).not.toBeNull());

src/rust-crypto/backup.ts

@@ -161,7 +161,7 @@ export class RustBackupManager extends TypedEventEmitter<RustBackupCryptoEvents,
     /**
      * Handles a backup secret received event and store it if it matches the current backup version.
      *
-     * @param secret - The secret as received from a `m.secret.send` event for secret `m.megolm_backup.v1`.
+     * @param secret - The secret as received from a `m.secret.send` or `io.element.msc4385.secret.push` event for secret `m.megolm_backup.v1`.
      * @returns true if the secret is valid and has been stored, false otherwise.
      */
     public async handleBackupSecretReceived(secret: string): Promise<boolean> {

src/rust-crypto/index.ts

@@ -206,6 +206,13 @@ async function initOlmMachine(
         // Once we have all the values, we can safely clear the secret inbox.
         rustCrypto.checkSecrets(name),
     );
+    // Register a callback to be notified when a new secret is pushed to us, as for now only the key backup secret is supported (if the cross-signing secrets change, we should re-verify)
+    await olmMachine.registerReceivePushedSecretCallback(
+        async (name: string, _value: string) =>
+            // Instead of directly checking the secret value, we poll the inbox to get all values for that secret type.
+            // Once we have all the values, we can safely clear the secret inbox.
+            await rustCrypto.checkSecrets(name),
+    );
 
     // Tell the OlmMachine to think about its outgoing requests before we hand control back to the application.
     //

src/rust-crypto/rust-crypto.ts

@@ -1368,6 +1368,8 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
     public async resetKeyBackup(): Promise<void> {
         const backupInfo = await this.backupManager.setupKeyBackup((o) => this.signObject(o));
 
+        await this.pushSecretToVerifiedDevices("m.megolm_backup.v1");
+
         // we want to store the private key in 4S
         // need to check if 4S is set up?
         if (await this.secretStorageHasAESKey()) {
@@ -2035,9 +2037,9 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
     /**
      * Handles secret received from the rust secret inbox.
      *
-     * The gossipped secrets are received using the `m.secret.send` event type
-     * and are guaranteed to have been received over a 1-to-1 Olm
-     * Session from a verified device.
+     * The gossipped secrets are received using the `m.secret.send` or
+     * `io.element.msc4385.secret.push` event types and are guaranteed to have
+     * been received over a 1-to-1 Olm Session from a verified device.
      *
      * The only secret currently handled in this way is `m.megolm_backup.v1`.
      *
@@ -2065,6 +2067,7 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
      */
     public async checkSecrets(name: string): Promise<void> {
         const pendingValues: Set<string> = await this.olmMachine.getSecretsFromInbox(name);
+        (await this.olmMachine.getPushedSecretsFromInbox(name)).forEach((value: string) => pendingValues.add(value));
         for (const value of pendingValues) {
             if (await this.handleSecretReceived(name, value)) {
                 // If we have a valid secret for that name there is no point of processing the other secrets values.
@@ -2075,6 +2078,7 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
 
         // Important to call this after handling the secrets as good hygiene.
         await this.olmMachine.deleteSecretsFromInbox(name);
+        await this.olmMachine.deletePushedSecretsFromInbox(name);
     }
 
     /**
@@ -2182,6 +2186,20 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
     public async getOwnIdentity(): Promise<RustSdkCryptoJs.OwnUserIdentity | undefined> {
         return await this.olmMachine.getIdentity(new RustSdkCryptoJs.UserId(this.userId));
     }
+
+    /**
+     * Push a secret to all of the current user's verified devices.
+     *
+     * <strong>This method is experimental and may change.</strong>
+     */
+    public async pushSecretToVerifiedDevices(name: string): Promise<void> {
+        const logger = new LogSpan(this.logger, "pushSecretToVerifiedDevices");
+        await this.keyClaimManager.ensureSessionsForUsers(logger, [new RustSdkCryptoJs.UserId(this.userId)]);
+        await this.olmMachine.pushSecretToVerifiedDevices(name);
+        this.outgoingRequestsManager.doProcessOutgoingRequests().catch((e) => {
+            this.logger.warn("onKeyVerificationRequest: Error processing outgoing requests", e);
+        });
+    }
 }
 
 class EventDecryptor {