diff --git a/keyserver/src/responders/user-responders.js b/keyserver/src/responders/user-responders.js --- a/keyserver/src/responders/user-responders.js +++ b/keyserver/src/responders/user-responders.js @@ -1,5 +1,6 @@ // @flow +import olm from '@matrix-org/olm'; import invariant from 'invariant'; import { ErrorTypes, SiweMessage } from 'siwe'; import t from 'tcomb'; @@ -24,6 +25,7 @@ notificationTypeValues, logInActionSources, } from 'lib/types/account-types.js'; +import type { IdentityKeysBlob } from 'lib/types/crypto-types.js'; import type { CalendarQuery } from 'lib/types/entry-types.js'; import { defaultNumberPerThread } from 'lib/types/message-types.js'; import type { @@ -334,6 +336,25 @@ await validateInput(viewer, logInRequestInputValidator, input); const request: LogInRequest = input; + const { signedIdentityKeysBlob } = request; + if (signedIdentityKeysBlob) { + const identityKeys: IdentityKeysBlob = JSON.parse( + signedIdentityKeysBlob.payload, + ); + + await olm.init(); + const olmUtil = new olm.Utility(); + try { + olmUtil.ed25519_verify( + identityKeys.primaryIdentityPublicKeys.ed25519, + signedIdentityKeysBlob.payload, + signedIdentityKeysBlob.signature, + ); + } catch (e) { + throw new ServerError('invalid_signature'); + } + } + const calendarQuery = request.calendarQuery ? normalizeCalendarQuery(request.calendarQuery) : null; diff --git a/lib/types/account-types.js b/lib/types/account-types.js --- a/lib/types/account-types.js +++ b/lib/types/account-types.js @@ -124,6 +124,7 @@ +platformDetails: PlatformDetails, +watchedIDs: $ReadOnlyArray, +source?: LogInActionSource, + +signedIdentityKeysBlob?: SignedIdentityKeysBlob, }; export type LogInResponse = { diff --git a/lib/types/crypto-types.js b/lib/types/crypto-types.js --- a/lib/types/crypto-types.js +++ b/lib/types/crypto-types.js @@ -17,6 +17,11 @@ +notificationIdentityKeys: ?OLMIdentityKeys, }; +export type IdentityKeysBlob = { + +primaryIdentityPublicKeys: OLMIdentityKeys, + +notificationIdentityPublicKeys: OLMIdentityKeys, +}; + export type SignedIdentityKeysBlob = { +payload: string, +signature: string,