1package eu.siacs.conversations.crypto.axolotl;
2
3import android.os.Bundle;
4import android.security.KeyChain;
5import android.support.annotation.NonNull;
6import android.support.annotation.Nullable;
7import android.util.Log;
8import android.util.Pair;
9
10import org.bouncycastle.jce.provider.BouncyCastleProvider;
11import org.whispersystems.libsignal.SignalProtocolAddress;
12import org.whispersystems.libsignal.IdentityKey;
13import org.whispersystems.libsignal.IdentityKeyPair;
14import org.whispersystems.libsignal.InvalidKeyException;
15import org.whispersystems.libsignal.InvalidKeyIdException;
16import org.whispersystems.libsignal.SessionBuilder;
17import org.whispersystems.libsignal.UntrustedIdentityException;
18import org.whispersystems.libsignal.ecc.ECPublicKey;
19import org.whispersystems.libsignal.state.PreKeyBundle;
20import org.whispersystems.libsignal.state.PreKeyRecord;
21import org.whispersystems.libsignal.state.SignedPreKeyRecord;
22import org.whispersystems.libsignal.util.KeyHelper;
23
24import java.security.PrivateKey;
25import java.security.Security;
26import java.security.Signature;
27import java.security.cert.X509Certificate;
28import java.util.ArrayList;
29import java.util.Arrays;
30import java.util.Collection;
31import java.util.Collections;
32import java.util.HashMap;
33import java.util.HashSet;
34import java.util.Iterator;
35import java.util.List;
36import java.util.Map;
37import java.util.Random;
38import java.util.Set;
39import java.util.concurrent.atomic.AtomicBoolean;
40
41import eu.siacs.conversations.Config;
42import eu.siacs.conversations.entities.Account;
43import eu.siacs.conversations.entities.Contact;
44import eu.siacs.conversations.entities.Conversation;
45import eu.siacs.conversations.entities.Message;
46import eu.siacs.conversations.parser.IqParser;
47import eu.siacs.conversations.services.XmppConnectionService;
48import eu.siacs.conversations.utils.CryptoHelper;
49import eu.siacs.conversations.utils.SerialSingleThreadExecutor;
50import eu.siacs.conversations.xml.Element;
51import eu.siacs.conversations.xml.Namespace;
52import eu.siacs.conversations.xmpp.OnAdvancedStreamFeaturesLoaded;
53import eu.siacs.conversations.xmpp.OnIqPacketReceived;
54import eu.siacs.conversations.xmpp.jid.InvalidJidException;
55import eu.siacs.conversations.xmpp.jid.Jid;
56import eu.siacs.conversations.xmpp.pep.PublishOptions;
57import eu.siacs.conversations.xmpp.stanzas.IqPacket;
58
59public class AxolotlService implements OnAdvancedStreamFeaturesLoaded {
60
61 public static final String PEP_PREFIX = "eu.siacs.conversations.axolotl";
62 public static final String PEP_DEVICE_LIST = PEP_PREFIX + ".devicelist";
63 public static final String PEP_DEVICE_LIST_NOTIFY = PEP_DEVICE_LIST + "+notify";
64 public static final String PEP_BUNDLES = PEP_PREFIX + ".bundles";
65 public static final String PEP_VERIFICATION = PEP_PREFIX + ".verification";
66
67 public static final String LOGPREFIX = "AxolotlService";
68
69 public static final int NUM_KEYS_TO_PUBLISH = 100;
70 public static final int publishTriesThreshold = 3;
71
72 private final Account account;
73 private final XmppConnectionService mXmppConnectionService;
74 private final SQLiteAxolotlStore axolotlStore;
75 private final SessionMap sessions;
76 private final Map<Jid, Set<Integer>> deviceIds;
77 private final Map<String, XmppAxolotlMessage> messageCache;
78 private final FetchStatusMap fetchStatusMap;
79 private final HashMap<Jid,List<OnDeviceIdsFetched>> fetchDeviceIdsMap = new HashMap<>();
80 private final SerialSingleThreadExecutor executor;
81 private int numPublishTriesOnEmptyPep = 0;
82 private boolean pepBroken = false;
83
84 private AtomicBoolean ownPushPending = new AtomicBoolean(false);
85 private AtomicBoolean changeAccessMode = new AtomicBoolean(false);
86
87 @Override
88 public void onAdvancedStreamFeaturesAvailable(Account account) {
89 if (Config.supportOmemo()
90 && account.getXmppConnection() != null
91 && account.getXmppConnection().getFeatures().pep()) {
92 publishBundlesIfNeeded(true, false);
93 } else {
94 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": skipping OMEMO initialization");
95 }
96 }
97
98 public boolean fetchMapHasErrors(List<Jid> jids) {
99 for(Jid jid : jids) {
100 if (deviceIds.get(jid) != null) {
101 for (Integer foreignId : this.deviceIds.get(jid)) {
102 SignalProtocolAddress address = new SignalProtocolAddress(jid.toPreppedString(), foreignId);
103 if (fetchStatusMap.getAll(address.getName()).containsValue(FetchStatus.ERROR)) {
104 return true;
105 }
106 }
107 }
108 }
109 return false;
110 }
111
112 public void preVerifyFingerprint(Contact contact, String fingerprint) {
113 axolotlStore.preVerifyFingerprint(contact.getAccount(), contact.getJid().toBareJid().toPreppedString(), fingerprint);
114 }
115
116 public void preVerifyFingerprint(Account account, String fingerprint) {
117 axolotlStore.preVerifyFingerprint(account, account.getJid().toBareJid().toPreppedString(), fingerprint);
118 }
119
120 public boolean hasVerifiedKeys(String name) {
121 for(XmppAxolotlSession session : this.sessions.getAll(name).values()) {
122 if (session.getTrust().isVerified()) {
123 return true;
124 }
125 }
126 return false;
127 }
128
129 private static class AxolotlAddressMap<T> {
130 protected Map<String, Map<Integer, T>> map;
131 protected final Object MAP_LOCK = new Object();
132
133 public AxolotlAddressMap() {
134 this.map = new HashMap<>();
135 }
136
137 public void put(SignalProtocolAddress address, T value) {
138 synchronized (MAP_LOCK) {
139 Map<Integer, T> devices = map.get(address.getName());
140 if (devices == null) {
141 devices = new HashMap<>();
142 map.put(address.getName(), devices);
143 }
144 devices.put(address.getDeviceId(), value);
145 }
146 }
147
148 public T get(SignalProtocolAddress address) {
149 synchronized (MAP_LOCK) {
150 Map<Integer, T> devices = map.get(address.getName());
151 if (devices == null) {
152 return null;
153 }
154 return devices.get(address.getDeviceId());
155 }
156 }
157
158 public Map<Integer, T> getAll(String name) {
159 synchronized (MAP_LOCK) {
160 Map<Integer, T> devices = map.get(name);
161 if (devices == null) {
162 return new HashMap<>();
163 }
164 return devices;
165 }
166 }
167
168 public boolean hasAny(SignalProtocolAddress address) {
169 synchronized (MAP_LOCK) {
170 Map<Integer, T> devices = map.get(address.getName());
171 return devices != null && !devices.isEmpty();
172 }
173 }
174
175 public void clear() {
176 map.clear();
177 }
178
179 }
180
181 private static class SessionMap extends AxolotlAddressMap<XmppAxolotlSession> {
182 private final XmppConnectionService xmppConnectionService;
183 private final Account account;
184
185 public SessionMap(XmppConnectionService service, SQLiteAxolotlStore store, Account account) {
186 super();
187 this.xmppConnectionService = service;
188 this.account = account;
189 this.fillMap(store);
190 }
191
192 private void putDevicesForJid(String bareJid, List<Integer> deviceIds, SQLiteAxolotlStore store) {
193 for (Integer deviceId : deviceIds) {
194 SignalProtocolAddress axolotlAddress = new SignalProtocolAddress(bareJid, deviceId);
195 IdentityKey identityKey = store.loadSession(axolotlAddress).getSessionState().getRemoteIdentityKey();
196 if(Config.X509_VERIFICATION) {
197 X509Certificate certificate = store.getFingerprintCertificate(CryptoHelper.bytesToHex(identityKey.getPublicKey().serialize()));
198 if (certificate != null) {
199 Bundle information = CryptoHelper.extractCertificateInformation(certificate);
200 try {
201 final String cn = information.getString("subject_cn");
202 final Jid jid = Jid.fromString(bareJid);
203 Log.d(Config.LOGTAG,"setting common name for "+jid+" to "+cn);
204 account.getRoster().getContact(jid).setCommonName(cn);
205 } catch (final InvalidJidException ignored) {
206 //ignored
207 }
208 }
209 }
210 this.put(axolotlAddress, new XmppAxolotlSession(account, store, axolotlAddress, identityKey));
211 }
212 }
213
214 private void fillMap(SQLiteAxolotlStore store) {
215 List<Integer> deviceIds = store.getSubDeviceSessions(account.getJid().toBareJid().toPreppedString());
216 putDevicesForJid(account.getJid().toBareJid().toPreppedString(), deviceIds, store);
217 for (String address : store.getKnownAddresses()) {
218 deviceIds = store.getSubDeviceSessions(address);
219 putDevicesForJid(address, deviceIds, store);
220 }
221
222 }
223
224 @Override
225 public void put(SignalProtocolAddress address, XmppAxolotlSession value) {
226 super.put(address, value);
227 value.setNotFresh();
228 xmppConnectionService.syncRosterToDisk(account); //TODO why?
229 }
230
231 public void put(XmppAxolotlSession session) {
232 this.put(session.getRemoteAddress(), session);
233 }
234 }
235
236 public enum FetchStatus {
237 PENDING,
238 SUCCESS,
239 SUCCESS_VERIFIED,
240 TIMEOUT,
241 SUCCESS_TRUSTED,
242 ERROR
243 }
244
245 private static class FetchStatusMap extends AxolotlAddressMap<FetchStatus> {
246
247 public void clearErrorFor(Jid jid) {
248 synchronized (MAP_LOCK) {
249 Map<Integer, FetchStatus> devices = this.map.get(jid.toBareJid().toPreppedString());
250 if (devices == null) {
251 return;
252 }
253 for(Map.Entry<Integer, FetchStatus> entry : devices.entrySet()) {
254 if (entry.getValue() == FetchStatus.ERROR) {
255 Log.d(Config.LOGTAG,"resetting error for "+jid.toBareJid()+"("+entry.getKey()+")");
256 entry.setValue(FetchStatus.TIMEOUT);
257 }
258 }
259 }
260 }
261 }
262
263 public static String getLogprefix(Account account) {
264 return LOGPREFIX + " (" + account.getJid().toBareJid().toString() + "): ";
265 }
266
267 public AxolotlService(Account account, XmppConnectionService connectionService) {
268 if (Security.getProvider("BC") == null) {
269 Security.addProvider(new BouncyCastleProvider());
270 }
271 this.mXmppConnectionService = connectionService;
272 this.account = account;
273 this.axolotlStore = new SQLiteAxolotlStore(this.account, this.mXmppConnectionService);
274 this.deviceIds = new HashMap<>();
275 this.messageCache = new HashMap<>();
276 this.sessions = new SessionMap(mXmppConnectionService, axolotlStore, account);
277 this.fetchStatusMap = new FetchStatusMap();
278 this.executor = new SerialSingleThreadExecutor();
279 }
280
281 public String getOwnFingerprint() {
282 return CryptoHelper.bytesToHex(axolotlStore.getIdentityKeyPair().getPublicKey().serialize());
283 }
284
285 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status) {
286 return axolotlStore.getContactKeysWithTrust(account.getJid().toBareJid().toPreppedString(), status);
287 }
288
289 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status, Jid jid) {
290 return axolotlStore.getContactKeysWithTrust(jid.toBareJid().toPreppedString(), status);
291 }
292
293 public Set<IdentityKey> getKeysWithTrust(FingerprintStatus status, List<Jid> jids) {
294 Set<IdentityKey> keys = new HashSet<>();
295 for(Jid jid : jids) {
296 keys.addAll(axolotlStore.getContactKeysWithTrust(jid.toPreppedString(), status));
297 }
298 return keys;
299 }
300
301 public long getNumTrustedKeys(Jid jid) {
302 return axolotlStore.getContactNumTrustedKeys(jid.toBareJid().toPreppedString());
303 }
304
305 public boolean anyTargetHasNoTrustedKeys(List<Jid> jids) {
306 for(Jid jid : jids) {
307 if (axolotlStore.getContactNumTrustedKeys(jid.toBareJid().toPreppedString()) == 0) {
308 return true;
309 }
310 }
311 return false;
312 }
313
314 private SignalProtocolAddress getAddressForJid(Jid jid) {
315 return new SignalProtocolAddress(jid.toPreppedString(), 0);
316 }
317
318 public Collection<XmppAxolotlSession> findOwnSessions() {
319 SignalProtocolAddress ownAddress = getAddressForJid(account.getJid().toBareJid());
320 ArrayList<XmppAxolotlSession> s = new ArrayList<>(this.sessions.getAll(ownAddress.getName()).values());
321 Collections.sort(s);
322 return s;
323 }
324
325
326
327 public Collection<XmppAxolotlSession> findSessionsForContact(Contact contact) {
328 SignalProtocolAddress contactAddress = getAddressForJid(contact.getJid());
329 ArrayList<XmppAxolotlSession> s = new ArrayList<>(this.sessions.getAll(contactAddress.getName()).values());
330 Collections.sort(s);
331 return s;
332 }
333
334 private Set<XmppAxolotlSession> findSessionsForConversation(Conversation conversation) {
335 HashSet<XmppAxolotlSession> sessions = new HashSet<>();
336 for(Jid jid : conversation.getAcceptedCryptoTargets()) {
337 sessions.addAll(this.sessions.getAll(getAddressForJid(jid).getName()).values());
338 }
339 return sessions;
340 }
341
342 private boolean hasAny(Jid jid) {
343 return sessions.hasAny(getAddressForJid(jid));
344 }
345
346 public boolean isPepBroken() {
347 return this.pepBroken;
348 }
349
350 public void resetBrokenness() {
351 this.pepBroken = false;
352 numPublishTriesOnEmptyPep = 0;
353 }
354
355 public void clearErrorsInFetchStatusMap(Jid jid) {
356 fetchStatusMap.clearErrorFor(jid);
357 }
358
359 public void regenerateKeys(boolean wipeOther) {
360 axolotlStore.regenerate();
361 sessions.clear();
362 fetchStatusMap.clear();
363 fetchDeviceIdsMap.clear();
364 publishBundlesIfNeeded(true, wipeOther);
365 }
366
367 public int getOwnDeviceId() {
368 return axolotlStore.getLocalRegistrationId();
369 }
370
371 public SignalProtocolAddress getOwnAxolotlAddress() {
372 return new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(),getOwnDeviceId());
373 }
374
375 public Set<Integer> getOwnDeviceIds() {
376 return this.deviceIds.get(account.getJid().toBareJid());
377 }
378
379 public void registerDevices(final Jid jid, @NonNull final Set<Integer> deviceIds) {
380 boolean me = jid.toBareJid().equals(account.getJid().toBareJid());
381 if (me && ownPushPending.getAndSet(false)) {
382 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": ignoring own device update because of pending push");
383 return;
384 }
385 boolean needsPublishing = me && !deviceIds.contains(getOwnDeviceId());
386 if (me) {
387 deviceIds.remove(getOwnDeviceId());
388 }
389 Set<Integer> expiredDevices = new HashSet<>(axolotlStore.getSubDeviceSessions(jid.toBareJid().toPreppedString()));
390 expiredDevices.removeAll(deviceIds);
391 for (Integer deviceId : expiredDevices) {
392 SignalProtocolAddress address = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
393 XmppAxolotlSession session = sessions.get(address);
394 if (session != null && session.getFingerprint() != null) {
395 if (session.getTrust().isActive()) {
396 session.setTrust(session.getTrust().toInactive());
397 }
398 }
399 }
400 Set<Integer> newDevices = new HashSet<>(deviceIds);
401 for (Integer deviceId : newDevices) {
402 SignalProtocolAddress address = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
403 XmppAxolotlSession session = sessions.get(address);
404 if (session != null && session.getFingerprint() != null) {
405 if (!session.getTrust().isActive()) {
406 Log.d(Config.LOGTAG,"reactivating device with fingerprint "+session.getFingerprint());
407 session.setTrust(session.getTrust().toActive());
408 }
409 }
410 }
411 if (me) {
412 if (Config.OMEMO_AUTO_EXPIRY != 0) {
413 needsPublishing |= deviceIds.removeAll(getExpiredDevices());
414 }
415 needsPublishing |= this.changeAccessMode.get();
416 for (Integer deviceId : deviceIds) {
417 SignalProtocolAddress ownDeviceAddress = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), deviceId);
418 if (sessions.get(ownDeviceAddress) == null) {
419 FetchStatus status = fetchStatusMap.get(ownDeviceAddress);
420 if (status == null || status == FetchStatus.TIMEOUT) {
421 fetchStatusMap.put(ownDeviceAddress, FetchStatus.PENDING);
422 this.buildSessionFromPEP(ownDeviceAddress);
423 }
424 }
425 }
426 if (needsPublishing) {
427 publishOwnDeviceId(deviceIds);
428 }
429 }
430 this.deviceIds.put(jid, deviceIds);
431 mXmppConnectionService.updateConversationUi(); //update the lock icon
432 mXmppConnectionService.keyStatusUpdated(null);
433 }
434
435 public void wipeOtherPepDevices() {
436 if (pepBroken) {
437 Log.d(Config.LOGTAG, getLogprefix(account) + "wipeOtherPepDevices called, but PEP is broken. Ignoring... ");
438 return;
439 }
440 Set<Integer> deviceIds = new HashSet<>();
441 deviceIds.add(getOwnDeviceId());
442 publishDeviceIdsAndRefineAccessModel(deviceIds);
443 }
444
445 public void distrustFingerprint(final String fingerprint) {
446 final String fp = fingerprint.replaceAll("\\s", "");
447 final FingerprintStatus fingerprintStatus = axolotlStore.getFingerprintStatus(fp);
448 axolotlStore.setFingerprintStatus(fp,fingerprintStatus.toUntrusted());
449 }
450
451 public void publishOwnDeviceIdIfNeeded() {
452 if (pepBroken) {
453 Log.d(Config.LOGTAG, getLogprefix(account) + "publishOwnDeviceIdIfNeeded called, but PEP is broken. Ignoring... ");
454 return;
455 }
456 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveDeviceIds(account.getJid().toBareJid());
457 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
458 @Override
459 public void onIqPacketReceived(Account account, IqPacket packet) {
460 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
461 Log.d(Config.LOGTAG, getLogprefix(account) + "Timeout received while retrieving own Device Ids.");
462 } else {
463 Element item = mXmppConnectionService.getIqParser().getItem(packet);
464 Set<Integer> deviceIds = mXmppConnectionService.getIqParser().deviceIds(item);
465 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": retrieved own device list: "+deviceIds);
466 registerDevices(account.getJid().toBareJid(),deviceIds);
467 }
468 }
469 });
470 }
471
472 private Set<Integer> getExpiredDevices() {
473 Set<Integer> devices = new HashSet<>();
474 for(XmppAxolotlSession session : findOwnSessions()) {
475 if (session.getTrust().isActive()) {
476 long diff = System.currentTimeMillis() - session.getTrust().getLastActivation();
477 if (diff > Config.OMEMO_AUTO_EXPIRY) {
478 long lastMessageDiff = System.currentTimeMillis() - mXmppConnectionService.databaseBackend.getLastTimeFingerprintUsed(account,session.getFingerprint());
479 long hours = Math.round(lastMessageDiff/(1000*60.0*60.0));
480 if (lastMessageDiff > Config.OMEMO_AUTO_EXPIRY) {
481 devices.add(session.getRemoteAddress().getDeviceId());
482 session.setTrust(session.getTrust().toInactive());
483 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": added own device " + session.getFingerprint() + " to list of expired devices. Last message received "+hours+" hours ago");
484 } else {
485 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": own device "+session.getFingerprint()+" was active "+hours+" hours ago");
486 }
487 }
488 }
489 }
490 return devices;
491 }
492
493 public void publishOwnDeviceId(Set<Integer> deviceIds) {
494 Set<Integer> deviceIdsCopy = new HashSet<>(deviceIds);
495 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "publishing own device ids");
496 if (deviceIdsCopy.isEmpty()) {
497 if (numPublishTriesOnEmptyPep >= publishTriesThreshold) {
498 Log.w(Config.LOGTAG, getLogprefix(account) + "Own device publish attempt threshold exceeded, aborting...");
499 pepBroken = true;
500 return;
501 } else {
502 numPublishTriesOnEmptyPep++;
503 Log.w(Config.LOGTAG, getLogprefix(account) + "Own device list empty, attempting to publish (try " + numPublishTriesOnEmptyPep + ")");
504 }
505 } else {
506 numPublishTriesOnEmptyPep = 0;
507 }
508 deviceIdsCopy.add(getOwnDeviceId());
509 publishDeviceIdsAndRefineAccessModel(deviceIdsCopy);
510 }
511
512 private void publishDeviceIdsAndRefineAccessModel(Set<Integer> ids) {
513 publishDeviceIdsAndRefineAccessModel(ids,true);
514 }
515
516 private void publishDeviceIdsAndRefineAccessModel(final Set<Integer> ids, final boolean firstAttempt) {
517 final Bundle publishOptions = account.getXmppConnection().getFeatures().pepPublishOptions() ? PublishOptions.openAccess() : null;
518 IqPacket publish = mXmppConnectionService.getIqGenerator().publishDeviceIds(ids, publishOptions);
519 ownPushPending.set(true);
520 mXmppConnectionService.sendIqPacket(account, publish, new OnIqPacketReceived() {
521 @Override
522 public void onIqPacketReceived(Account account, IqPacket packet) {
523 Element error = packet.getType() == IqPacket.TYPE.ERROR ? packet.findChild("error") : null;
524 if (firstAttempt && error != null && error.hasChild("precondition-not-met",Namespace.PUBSUB_ERROR)) {
525 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": precondition wasn't met for device list. pushing node configuration");
526 mXmppConnectionService.pushNodeConfiguration(account, AxolotlService.PEP_DEVICE_LIST, publishOptions, new XmppConnectionService.OnConfigurationPushed() {
527 @Override
528 public void onPushSucceeded() {
529 publishDeviceIdsAndRefineAccessModel(ids, false);
530 }
531
532 @Override
533 public void onPushFailed() {
534 publishDeviceIdsAndRefineAccessModel(ids, false);
535 }
536 });
537 } else {
538 if (AxolotlService.this.changeAccessMode.compareAndSet(true,false)) {
539 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": done changing access mode");
540 account.setOption(Account.OPTION_REQURIES_ACCESS_MODE_CHANGE,false);
541 mXmppConnectionService.databaseBackend.updateAccount(account);
542 }
543 ownPushPending.set(false);
544 if (packet.getType() == IqPacket.TYPE.ERROR) {
545 pepBroken = true;
546 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while publishing own device id" + packet.findChild("error"));
547 }
548 }
549 }
550 });
551 }
552
553 public void publishDeviceVerificationAndBundle(final SignedPreKeyRecord signedPreKeyRecord,
554 final Set<PreKeyRecord> preKeyRecords,
555 final boolean announceAfter,
556 final boolean wipe) {
557 try {
558 IdentityKey axolotlPublicKey = axolotlStore.getIdentityKeyPair().getPublicKey();
559 PrivateKey x509PrivateKey = KeyChain.getPrivateKey(mXmppConnectionService, account.getPrivateKeyAlias());
560 X509Certificate[] chain = KeyChain.getCertificateChain(mXmppConnectionService, account.getPrivateKeyAlias());
561 Signature verifier = Signature.getInstance("sha256WithRSA");
562 verifier.initSign(x509PrivateKey,mXmppConnectionService.getRNG());
563 verifier.update(axolotlPublicKey.serialize());
564 byte[] signature = verifier.sign();
565 IqPacket packet = mXmppConnectionService.getIqGenerator().publishVerification(signature, chain, getOwnDeviceId());
566 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + ": publish verification for device "+getOwnDeviceId());
567 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
568 @Override
569 public void onIqPacketReceived(final Account account, IqPacket packet) {
570 String node = AxolotlService.PEP_VERIFICATION+":"+getOwnDeviceId();
571 mXmppConnectionService.pushNodeConfiguration(account, node, PublishOptions.openAccess(), new XmppConnectionService.OnConfigurationPushed() {
572 @Override
573 public void onPushSucceeded() {
574 Log.d(Config.LOGTAG,getLogprefix(account) + "configured verification node to be world readable");
575 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announceAfter, wipe);
576 }
577
578 @Override
579 public void onPushFailed() {
580 Log.d(Config.LOGTAG,getLogprefix(account) + "unable to set access model on verification node");
581 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announceAfter, wipe);
582 }
583 });
584 }
585 });
586 } catch (Exception e) {
587 e.printStackTrace();
588 }
589 }
590
591 public void publishBundlesIfNeeded(final boolean announce, final boolean wipe) {
592 if (pepBroken) {
593 Log.d(Config.LOGTAG, getLogprefix(account) + "publishBundlesIfNeeded called, but PEP is broken. Ignoring... ");
594 return;
595 }
596 this.changeAccessMode.set(account.isOptionSet(Account.OPTION_REQURIES_ACCESS_MODE_CHANGE) && account.getXmppConnection().getFeatures().pepPublishOptions());
597 if (this.changeAccessMode.get()) {
598 Log.d(Config.LOGTAG, account.getJid().toBareJid() + ": server gained publish-options capabilities. changing access model");
599 }
600 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveBundlesForDevice(account.getJid().toBareJid(), getOwnDeviceId());
601 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
602 @Override
603 public void onIqPacketReceived(Account account, IqPacket packet) {
604
605 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
606 return; //ignore timeout. do nothing
607 }
608
609 if (packet.getType() == IqPacket.TYPE.ERROR) {
610 Element error = packet.findChild("error");
611 if (error == null || !error.hasChild("item-not-found")) {
612 pepBroken = true;
613 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "request for device bundles came back with something other than item-not-found" + packet);
614 return;
615 }
616 }
617
618 PreKeyBundle bundle = mXmppConnectionService.getIqParser().bundle(packet);
619 Map<Integer, ECPublicKey> keys = mXmppConnectionService.getIqParser().preKeyPublics(packet);
620 boolean flush = false;
621 if (bundle == null) {
622 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received invalid bundle:" + packet);
623 bundle = new PreKeyBundle(-1, -1, -1, null, -1, null, null, null);
624 flush = true;
625 }
626 if (keys == null) {
627 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received invalid prekeys:" + packet);
628 }
629 try {
630 boolean changed = false;
631 // Validate IdentityKey
632 IdentityKeyPair identityKeyPair = axolotlStore.getIdentityKeyPair();
633 if (flush || !identityKeyPair.getPublicKey().equals(bundle.getIdentityKey())) {
634 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding own IdentityKey " + identityKeyPair.getPublicKey() + " to PEP.");
635 changed = true;
636 }
637
638 // Validate signedPreKeyRecord + ID
639 SignedPreKeyRecord signedPreKeyRecord;
640 int numSignedPreKeys = axolotlStore.getSignedPreKeysCount();
641 try {
642 signedPreKeyRecord = axolotlStore.loadSignedPreKey(bundle.getSignedPreKeyId());
643 if (flush
644 || !bundle.getSignedPreKey().equals(signedPreKeyRecord.getKeyPair().getPublicKey())
645 || !Arrays.equals(bundle.getSignedPreKeySignature(), signedPreKeyRecord.getSignature())) {
646 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding new signedPreKey with ID " + (numSignedPreKeys + 1) + " to PEP.");
647 signedPreKeyRecord = KeyHelper.generateSignedPreKey(identityKeyPair, numSignedPreKeys + 1);
648 axolotlStore.storeSignedPreKey(signedPreKeyRecord.getId(), signedPreKeyRecord);
649 changed = true;
650 }
651 } catch (InvalidKeyIdException e) {
652 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding new signedPreKey with ID " + (numSignedPreKeys + 1) + " to PEP.");
653 signedPreKeyRecord = KeyHelper.generateSignedPreKey(identityKeyPair, numSignedPreKeys + 1);
654 axolotlStore.storeSignedPreKey(signedPreKeyRecord.getId(), signedPreKeyRecord);
655 changed = true;
656 }
657
658 // Validate PreKeys
659 Set<PreKeyRecord> preKeyRecords = new HashSet<>();
660 if (keys != null) {
661 for (Integer id : keys.keySet()) {
662 try {
663 PreKeyRecord preKeyRecord = axolotlStore.loadPreKey(id);
664 if (preKeyRecord.getKeyPair().getPublicKey().equals(keys.get(id))) {
665 preKeyRecords.add(preKeyRecord);
666 }
667 } catch (InvalidKeyIdException ignored) {
668 }
669 }
670 }
671 int newKeys = NUM_KEYS_TO_PUBLISH - preKeyRecords.size();
672 if (newKeys > 0) {
673 List<PreKeyRecord> newRecords = KeyHelper.generatePreKeys(
674 axolotlStore.getCurrentPreKeyId() + 1, newKeys);
675 preKeyRecords.addAll(newRecords);
676 for (PreKeyRecord record : newRecords) {
677 axolotlStore.storePreKey(record.getId(), record);
678 }
679 changed = true;
680 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Adding " + newKeys + " new preKeys to PEP.");
681 }
682
683
684 if (changed || changeAccessMode.get()) {
685 if (account.getPrivateKeyAlias() != null && Config.X509_VERIFICATION) {
686 mXmppConnectionService.publishDisplayName(account);
687 publishDeviceVerificationAndBundle(signedPreKeyRecord, preKeyRecords, announce, wipe);
688 } else {
689 publishDeviceBundle(signedPreKeyRecord, preKeyRecords, announce, wipe);
690 }
691 } else {
692 Log.d(Config.LOGTAG, getLogprefix(account) + "Bundle " + getOwnDeviceId() + " in PEP was current");
693 if (wipe) {
694 wipeOtherPepDevices();
695 } else if (announce) {
696 Log.d(Config.LOGTAG, getLogprefix(account) + "Announcing device " + getOwnDeviceId());
697 publishOwnDeviceIdIfNeeded();
698 }
699 }
700 } catch (InvalidKeyException e) {
701 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Failed to publish bundle " + getOwnDeviceId() + ", reason: " + e.getMessage());
702 }
703 }
704 });
705 }
706
707 private void publishDeviceBundle(SignedPreKeyRecord signedPreKeyRecord,
708 Set<PreKeyRecord> preKeyRecords,
709 final boolean announceAfter,
710 final boolean wipe) {
711 publishDeviceBundle(signedPreKeyRecord,preKeyRecords,announceAfter,wipe,true);
712 }
713
714 private void publishDeviceBundle(final SignedPreKeyRecord signedPreKeyRecord,
715 final Set<PreKeyRecord> preKeyRecords,
716 final boolean announceAfter,
717 final boolean wipe,
718 final boolean firstAttempt) {
719 final Bundle publishOptions = account.getXmppConnection().getFeatures().pepPublishOptions() ? PublishOptions.openAccess() : null;
720 IqPacket publish = mXmppConnectionService.getIqGenerator().publishBundles(
721 signedPreKeyRecord, axolotlStore.getIdentityKeyPair().getPublicKey(),
722 preKeyRecords, getOwnDeviceId(),publishOptions);
723 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + ": Bundle " + getOwnDeviceId() + " in PEP not current. Publishing...");
724 mXmppConnectionService.sendIqPacket(account, publish, new OnIqPacketReceived() {
725 @Override
726 public void onIqPacketReceived(final Account account, IqPacket packet) {
727 Element error = packet.getType() == IqPacket.TYPE.ERROR ? packet.findChild("error") : null;
728 if (firstAttempt && error != null && error.hasChild("precondition-not-met", Namespace.PUBSUB_ERROR)) {
729 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": precondition wasn't met for bundle. pushing node configuration");
730 final String node = AxolotlService.PEP_BUNDLES + ":" + getOwnDeviceId();
731 mXmppConnectionService.pushNodeConfiguration(account, node, publishOptions, new XmppConnectionService.OnConfigurationPushed() {
732 @Override
733 public void onPushSucceeded() {
734 publishDeviceBundle(signedPreKeyRecord,preKeyRecords, announceAfter, wipe, false);
735 }
736
737 @Override
738 public void onPushFailed() {
739 publishDeviceBundle(signedPreKeyRecord,preKeyRecords, announceAfter, wipe, false);
740 }
741 });
742 } else if (packet.getType() == IqPacket.TYPE.RESULT) {
743 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Successfully published bundle. ");
744 if (wipe) {
745 wipeOtherPepDevices();
746 } else if (announceAfter) {
747 Log.d(Config.LOGTAG, getLogprefix(account) + "Announcing device " + getOwnDeviceId());
748 publishOwnDeviceIdIfNeeded();
749 }
750 } else if (packet.getType() == IqPacket.TYPE.ERROR) {
751 pepBroken = true;
752 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while publishing bundle: " + packet.findChild("error"));
753 }
754 }
755 });
756 }
757
758 public enum AxolotlCapability {
759 FULL,
760 MISSING_PRESENCE,
761 MISSING_KEYS,
762 WRONG_CONFIGURATION,
763 NO_MEMBERS
764 }
765
766 public boolean isConversationAxolotlCapable(Conversation conversation) {
767 return isConversationAxolotlCapableDetailed(conversation).first == AxolotlCapability.FULL;
768 }
769
770 public Pair<AxolotlCapability,Jid> isConversationAxolotlCapableDetailed(Conversation conversation) {
771 if (conversation.getMode() == Conversation.MODE_SINGLE
772 || (conversation.getMucOptions().membersOnly() && conversation.getMucOptions().nonanonymous())) {
773 final List<Jid> jids = getCryptoTargets(conversation);
774 for(Jid jid : jids) {
775 if (!hasAny(jid) && (!deviceIds.containsKey(jid) || deviceIds.get(jid).isEmpty())) {
776 if (conversation.getAccount().getRoster().getContact(jid).mutualPresenceSubscription()) {
777 return new Pair<>(AxolotlCapability.MISSING_KEYS,jid);
778 } else {
779 return new Pair<>(AxolotlCapability.MISSING_PRESENCE,jid);
780 }
781 }
782 }
783 if (jids.size() > 0) {
784 return new Pair<>(AxolotlCapability.FULL, null);
785 } else {
786 return new Pair<>(AxolotlCapability.NO_MEMBERS, null);
787 }
788 } else {
789 return new Pair<>(AxolotlCapability.WRONG_CONFIGURATION, null);
790 }
791 }
792
793 public List<Jid> getCryptoTargets(Conversation conversation) {
794 final List<Jid> jids;
795 if (conversation.getMode() == Conversation.MODE_SINGLE) {
796 jids = new ArrayList<>();
797 jids.add(conversation.getJid().toBareJid());
798 } else {
799 jids = conversation.getMucOptions().getMembers();
800 }
801 return jids;
802 }
803
804 public FingerprintStatus getFingerprintTrust(String fingerprint) {
805 return axolotlStore.getFingerprintStatus(fingerprint);
806 }
807
808 public X509Certificate getFingerprintCertificate(String fingerprint) {
809 return axolotlStore.getFingerprintCertificate(fingerprint);
810 }
811
812 public void setFingerprintTrust(String fingerprint, FingerprintStatus status) {
813 axolotlStore.setFingerprintStatus(fingerprint, status);
814 }
815
816 private void verifySessionWithPEP(final XmppAxolotlSession session) {
817 Log.d(Config.LOGTAG, "trying to verify fresh session (" + session.getRemoteAddress().getName() + ") with pep");
818 final SignalProtocolAddress address = session.getRemoteAddress();
819 final IdentityKey identityKey = session.getIdentityKey();
820 try {
821 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveVerificationForDevice(Jid.fromString(address.getName()), address.getDeviceId());
822 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
823 @Override
824 public void onIqPacketReceived(Account account, IqPacket packet) {
825 Pair<X509Certificate[],byte[]> verification = mXmppConnectionService.getIqParser().verification(packet);
826 if (verification != null) {
827 try {
828 Signature verifier = Signature.getInstance("sha256WithRSA");
829 verifier.initVerify(verification.first[0]);
830 verifier.update(identityKey.serialize());
831 if (verifier.verify(verification.second)) {
832 try {
833 mXmppConnectionService.getMemorizingTrustManager().getNonInteractive().checkClientTrusted(verification.first, "RSA");
834 String fingerprint = session.getFingerprint();
835 Log.d(Config.LOGTAG, "verified session with x.509 signature. fingerprint was: "+fingerprint);
836 setFingerprintTrust(fingerprint, FingerprintStatus.createActiveVerified(true));
837 axolotlStore.setFingerprintCertificate(fingerprint, verification.first[0]);
838 fetchStatusMap.put(address, FetchStatus.SUCCESS_VERIFIED);
839 Bundle information = CryptoHelper.extractCertificateInformation(verification.first[0]);
840 try {
841 final String cn = information.getString("subject_cn");
842 final Jid jid = Jid.fromString(address.getName());
843 Log.d(Config.LOGTAG,"setting common name for "+jid+" to "+cn);
844 account.getRoster().getContact(jid).setCommonName(cn);
845 } catch (final InvalidJidException ignored) {
846 //ignored
847 }
848 finishBuildingSessionsFromPEP(address);
849 return;
850 } catch (Exception e) {
851 Log.d(Config.LOGTAG,"could not verify certificate");
852 }
853 }
854 } catch (Exception e) {
855 Log.d(Config.LOGTAG, "error during verification " + e.getMessage());
856 }
857 } else {
858 Log.d(Config.LOGTAG,"no verification found");
859 }
860 fetchStatusMap.put(address, FetchStatus.SUCCESS);
861 finishBuildingSessionsFromPEP(address);
862 }
863 });
864 } catch (InvalidJidException e) {
865 fetchStatusMap.put(address, FetchStatus.SUCCESS);
866 finishBuildingSessionsFromPEP(address);
867 }
868 }
869
870 private final Set<Integer> PREVIOUSLY_REMOVED_FROM_ANNOUNCEMENT = new HashSet<>();
871
872 private void finishBuildingSessionsFromPEP(final SignalProtocolAddress address) {
873 SignalProtocolAddress ownAddress = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), 0);
874 Map<Integer, FetchStatus> own = fetchStatusMap.getAll(ownAddress.getName());
875 Map<Integer, FetchStatus> remote = fetchStatusMap.getAll(address.getName());
876 if (!own.containsValue(FetchStatus.PENDING) && !remote.containsValue(FetchStatus.PENDING)) {
877 FetchStatus report = null;
878 if (own.containsValue(FetchStatus.SUCCESS) || remote.containsValue(FetchStatus.SUCCESS)) {
879 report = FetchStatus.SUCCESS;
880 } else if (own.containsValue(FetchStatus.SUCCESS_VERIFIED) || remote.containsValue(FetchStatus.SUCCESS_VERIFIED)) {
881 report = FetchStatus.SUCCESS_VERIFIED;
882 } else if (own.containsValue(FetchStatus.SUCCESS_TRUSTED) || remote.containsValue(FetchStatus.SUCCESS_TRUSTED)) {
883 report = FetchStatus.SUCCESS_TRUSTED;
884 } else if (own.containsValue(FetchStatus.ERROR) || remote.containsValue(FetchStatus.ERROR)) {
885 report = FetchStatus.ERROR;
886 }
887 mXmppConnectionService.keyStatusUpdated(report);
888 }
889 if (Config.REMOVE_BROKEN_DEVICES) {
890 Set<Integer> ownDeviceIds = new HashSet<>(getOwnDeviceIds());
891 boolean publish = false;
892 for (Map.Entry<Integer, FetchStatus> entry : own.entrySet()) {
893 int id = entry.getKey();
894 if (entry.getValue() == FetchStatus.ERROR && PREVIOUSLY_REMOVED_FROM_ANNOUNCEMENT.add(id) && ownDeviceIds.remove(id)) {
895 publish = true;
896 Log.d(Config.LOGTAG, account.getJid().toBareJid() + ": error fetching own device with id " + id + ". removing from announcement");
897 }
898 }
899 if (publish) {
900 publishOwnDeviceId(ownDeviceIds);
901 }
902 }
903 }
904
905 public boolean hasEmptyDeviceList(Jid jid) {
906 return !hasAny(jid) && (!deviceIds.containsKey(jid) || deviceIds.get(jid).isEmpty());
907 }
908
909 public interface OnDeviceIdsFetched {
910 void fetched(Jid jid, Set<Integer> deviceIds);
911 }
912
913 public interface OnMultipleDeviceIdFetched {
914 void fetched();
915 }
916
917 public void fetchDeviceIds(final Jid jid) {
918 fetchDeviceIds(jid,null);
919 }
920
921 public void fetchDeviceIds(final Jid jid, OnDeviceIdsFetched callback) {
922 synchronized (this.fetchDeviceIdsMap) {
923 List<OnDeviceIdsFetched> callbacks = this.fetchDeviceIdsMap.get(jid);
924 if (callbacks != null) {
925 if (callback != null) {
926 callbacks.add(callback);
927 }
928 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": fetching device ids for "+jid+" already running. adding callback");
929 } else {
930 callbacks = new ArrayList<>();
931 if (callback != null) {
932 callbacks.add(callback);
933 }
934 this.fetchDeviceIdsMap.put(jid,callbacks);
935 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": fetching device ids for " + jid);
936 IqPacket packet = mXmppConnectionService.getIqGenerator().retrieveDeviceIds(jid);
937 mXmppConnectionService.sendIqPacket(account, packet, new OnIqPacketReceived() {
938 @Override
939 public void onIqPacketReceived(Account account, IqPacket packet) {
940 synchronized (fetchDeviceIdsMap) {
941 List<OnDeviceIdsFetched> callbacks = fetchDeviceIdsMap.remove(jid);
942 if (packet.getType() == IqPacket.TYPE.RESULT) {
943 Element item = mXmppConnectionService.getIqParser().getItem(packet);
944 Set<Integer> deviceIds = mXmppConnectionService.getIqParser().deviceIds(item);
945 registerDevices(jid, deviceIds);
946 if (callbacks != null) {
947 for(OnDeviceIdsFetched callback : callbacks) {
948 callback.fetched(jid, deviceIds);
949 }
950 }
951 } else {
952 Log.d(Config.LOGTAG, packet.toString());
953 if (callbacks != null) {
954 for(OnDeviceIdsFetched callback : callbacks) {
955 callback.fetched(jid, null);
956 }
957 }
958 }
959 }
960 }
961 });
962 }
963 }
964 }
965
966 private void fetchDeviceIds(List<Jid> jids, final OnMultipleDeviceIdFetched callback) {
967 final ArrayList<Jid> unfinishedJids = new ArrayList<>(jids);
968 synchronized (unfinishedJids) {
969 for (Jid jid : unfinishedJids) {
970 fetchDeviceIds(jid, new OnDeviceIdsFetched() {
971 @Override
972 public void fetched(Jid jid, Set<Integer> deviceIds) {
973 synchronized (unfinishedJids) {
974 unfinishedJids.remove(jid);
975 if (unfinishedJids.size() == 0 && callback != null) {
976 callback.fetched();
977 }
978 }
979 }
980 });
981 }
982 }
983 }
984
985 private void buildSessionFromPEP(final SignalProtocolAddress address) {
986 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Building new session for " + address.toString());
987 if (address.equals(getOwnAxolotlAddress())) {
988 throw new AssertionError("We should NEVER build a session with ourselves. What happened here?!");
989 }
990
991 try {
992 IqPacket bundlesPacket = mXmppConnectionService.getIqGenerator().retrieveBundlesForDevice(
993 Jid.fromString(address.getName()), address.getDeviceId());
994 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Retrieving bundle: " + bundlesPacket);
995 mXmppConnectionService.sendIqPacket(account, bundlesPacket, new OnIqPacketReceived() {
996
997 @Override
998 public void onIqPacketReceived(Account account, IqPacket packet) {
999 if (packet.getType() == IqPacket.TYPE.TIMEOUT) {
1000 fetchStatusMap.put(address, FetchStatus.TIMEOUT);
1001 } else if (packet.getType() == IqPacket.TYPE.RESULT) {
1002 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Received preKey IQ packet, processing...");
1003 final IqParser parser = mXmppConnectionService.getIqParser();
1004 final List<PreKeyBundle> preKeyBundleList = parser.preKeys(packet);
1005 final PreKeyBundle bundle = parser.bundle(packet);
1006 if (preKeyBundleList.isEmpty() || bundle == null) {
1007 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "preKey IQ packet invalid: " + packet);
1008 fetchStatusMap.put(address, FetchStatus.ERROR);
1009 finishBuildingSessionsFromPEP(address);
1010 return;
1011 }
1012 Random random = new Random();
1013 final PreKeyBundle preKey = preKeyBundleList.get(random.nextInt(preKeyBundleList.size()));
1014 if (preKey == null) {
1015 //should never happen
1016 fetchStatusMap.put(address, FetchStatus.ERROR);
1017 finishBuildingSessionsFromPEP(address);
1018 return;
1019 }
1020
1021 final PreKeyBundle preKeyBundle = new PreKeyBundle(0, address.getDeviceId(),
1022 preKey.getPreKeyId(), preKey.getPreKey(),
1023 bundle.getSignedPreKeyId(), bundle.getSignedPreKey(),
1024 bundle.getSignedPreKeySignature(), bundle.getIdentityKey());
1025
1026 try {
1027 SessionBuilder builder = new SessionBuilder(axolotlStore, address);
1028 builder.process(preKeyBundle);
1029 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, bundle.getIdentityKey());
1030 sessions.put(address, session);
1031 if (Config.X509_VERIFICATION) {
1032 verifySessionWithPEP(session);
1033 } else {
1034 FingerprintStatus status = getFingerprintTrust(CryptoHelper.bytesToHex(bundle.getIdentityKey().getPublicKey().serialize()));
1035 FetchStatus fetchStatus;
1036 if (status != null && status.isVerified()) {
1037 fetchStatus = FetchStatus.SUCCESS_VERIFIED;
1038 } else if (status != null && status.isTrusted()) {
1039 fetchStatus = FetchStatus.SUCCESS_TRUSTED;
1040 } else {
1041 fetchStatus = FetchStatus.SUCCESS;
1042 }
1043 fetchStatusMap.put(address, fetchStatus);
1044 finishBuildingSessionsFromPEP(address);
1045 }
1046 } catch (UntrustedIdentityException | InvalidKeyException e) {
1047 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Error building session for " + address + ": "
1048 + e.getClass().getName() + ", " + e.getMessage());
1049 fetchStatusMap.put(address, FetchStatus.ERROR);
1050 finishBuildingSessionsFromPEP(address);
1051 }
1052 } else {
1053 fetchStatusMap.put(address, FetchStatus.ERROR);
1054 Log.d(Config.LOGTAG, getLogprefix(account) + "Error received while building session:" + packet.findChild("error"));
1055 finishBuildingSessionsFromPEP(address);
1056 }
1057 }
1058 });
1059 } catch (InvalidJidException e) {
1060 Log.e(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Got address with invalid jid: " + address.getName());
1061 }
1062 }
1063
1064 public Set<SignalProtocolAddress> findDevicesWithoutSession(final Conversation conversation) {
1065 Set<SignalProtocolAddress> addresses = new HashSet<>();
1066 for(Jid jid : getCryptoTargets(conversation)) {
1067 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Finding devices without session for " + jid);
1068 if (deviceIds.get(jid) != null) {
1069 for (Integer foreignId : this.deviceIds.get(jid)) {
1070 SignalProtocolAddress address = new SignalProtocolAddress(jid.toPreppedString(), foreignId);
1071 if (sessions.get(address) == null) {
1072 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1073 if (identityKey != null) {
1074 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already have session for " + address.toString() + ", adding to cache...");
1075 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, identityKey);
1076 sessions.put(address, session);
1077 } else {
1078 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Found device " + jid + ":" + foreignId);
1079 if (fetchStatusMap.get(address) != FetchStatus.ERROR) {
1080 addresses.add(address);
1081 } else {
1082 Log.d(Config.LOGTAG, getLogprefix(account) + "skipping over " + address + " because it's broken");
1083 }
1084 }
1085 }
1086 }
1087 } else {
1088 Log.w(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Have no target devices in PEP!");
1089 }
1090 }
1091 if (deviceIds.get(account.getJid().toBareJid()) != null) {
1092 for (Integer ownId : this.deviceIds.get(account.getJid().toBareJid())) {
1093 SignalProtocolAddress address = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), ownId);
1094 if (sessions.get(address) == null) {
1095 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1096 if (identityKey != null) {
1097 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already have session for " + address.toString() + ", adding to cache...");
1098 XmppAxolotlSession session = new XmppAxolotlSession(account, axolotlStore, address, identityKey);
1099 sessions.put(address, session);
1100 } else {
1101 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Found device " + account.getJid().toBareJid() + ":" + ownId);
1102 if (fetchStatusMap.get(address) != FetchStatus.ERROR) {
1103 addresses.add(address);
1104 } else {
1105 Log.d(Config.LOGTAG,getLogprefix(account)+"skipping over "+address+" because it's broken");
1106 }
1107 }
1108 }
1109 }
1110 }
1111
1112 return addresses;
1113 }
1114
1115 public boolean createSessionsIfNeeded(final Conversation conversation) {
1116 final List<Jid> jidsWithEmptyDeviceList = getCryptoTargets(conversation);
1117 for(Iterator<Jid> iterator = jidsWithEmptyDeviceList.iterator(); iterator.hasNext();) {
1118 final Jid jid = iterator.next();
1119 if (!hasEmptyDeviceList(jid)) {
1120 iterator.remove();
1121 }
1122 }
1123 Log.d(Config.LOGTAG,account.getJid().toBareJid()+": createSessionsIfNeeded() - jids with empty device list: "+jidsWithEmptyDeviceList);
1124 if (jidsWithEmptyDeviceList.size() > 0) {
1125 fetchDeviceIds(jidsWithEmptyDeviceList, new OnMultipleDeviceIdFetched() {
1126 @Override
1127 public void fetched() {
1128 createSessionsIfNeededActual(conversation);
1129 }
1130 });
1131 return true;
1132 } else {
1133 return createSessionsIfNeededActual(conversation);
1134 }
1135 }
1136
1137 private boolean createSessionsIfNeededActual(final Conversation conversation) {
1138 Log.i(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Creating axolotl sessions if needed...");
1139 boolean newSessions = false;
1140 Set<SignalProtocolAddress> addresses = findDevicesWithoutSession(conversation);
1141 for (SignalProtocolAddress address : addresses) {
1142 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Processing device: " + address.toString());
1143 FetchStatus status = fetchStatusMap.get(address);
1144 if (status == null || status == FetchStatus.TIMEOUT) {
1145 fetchStatusMap.put(address, FetchStatus.PENDING);
1146 this.buildSessionFromPEP(address);
1147 newSessions = true;
1148 } else if (status == FetchStatus.PENDING) {
1149 newSessions = true;
1150 } else {
1151 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Already fetching bundle for " + address.toString());
1152 }
1153 }
1154
1155 return newSessions;
1156 }
1157
1158 public boolean trustedSessionVerified(final Conversation conversation) {
1159 Set<XmppAxolotlSession> sessions = findSessionsForConversation(conversation);
1160 sessions.addAll(findOwnSessions());
1161 boolean verified = false;
1162 for(XmppAxolotlSession session : sessions) {
1163 if (session.getTrust().isTrustedAndActive()) {
1164 if (session.getTrust().getTrust() == FingerprintStatus.Trust.VERIFIED_X509) {
1165 verified = true;
1166 } else {
1167 return false;
1168 }
1169 }
1170 }
1171 return verified;
1172 }
1173
1174 public boolean hasPendingKeyFetches(Account account, List<Jid> jids) {
1175 SignalProtocolAddress ownAddress = new SignalProtocolAddress(account.getJid().toBareJid().toPreppedString(), 0);
1176 if (fetchStatusMap.getAll(ownAddress.getName()).containsValue(FetchStatus.PENDING)) {
1177 return true;
1178 }
1179 synchronized (this.fetchDeviceIdsMap) {
1180 for (Jid jid : jids) {
1181 SignalProtocolAddress foreignAddress = new SignalProtocolAddress(jid.toBareJid().toPreppedString(), 0);
1182 if (fetchStatusMap.getAll(foreignAddress.getName()).containsValue(FetchStatus.PENDING) || this.fetchDeviceIdsMap.containsKey(jid)) {
1183 return true;
1184 }
1185 }
1186 }
1187 return false;
1188 }
1189
1190 @Nullable
1191 private boolean buildHeader(XmppAxolotlMessage axolotlMessage, Conversation conversation) {
1192 Set<XmppAxolotlSession> remoteSessions = findSessionsForConversation(conversation);
1193 Collection<XmppAxolotlSession> ownSessions = findOwnSessions();
1194 if (remoteSessions.isEmpty()) {
1195 return false;
1196 }
1197 for (XmppAxolotlSession session : remoteSessions) {
1198 axolotlMessage.addDevice(session);
1199 }
1200 for (XmppAxolotlSession session : ownSessions) {
1201 axolotlMessage.addDevice(session);
1202 }
1203
1204 return true;
1205 }
1206
1207 @Nullable
1208 public XmppAxolotlMessage encrypt(Message message) {
1209 final XmppAxolotlMessage axolotlMessage = new XmppAxolotlMessage(account.getJid().toBareJid(), getOwnDeviceId());
1210 final String content;
1211 if (message.hasFileOnRemoteHost()) {
1212 content = message.getFileParams().url.toString();
1213 } else {
1214 content = message.getBody();
1215 }
1216 try {
1217 axolotlMessage.encrypt(content);
1218 } catch (CryptoFailedException e) {
1219 Log.w(Config.LOGTAG, getLogprefix(account) + "Failed to encrypt message: " + e.getMessage());
1220 return null;
1221 }
1222 if (!buildHeader(axolotlMessage,message.getConversation())) {
1223 return null;
1224 }
1225
1226 return axolotlMessage;
1227 }
1228
1229 public void preparePayloadMessage(final Message message, final boolean delay) {
1230 executor.execute(new Runnable() {
1231 @Override
1232 public void run() {
1233 XmppAxolotlMessage axolotlMessage = encrypt(message);
1234 if (axolotlMessage == null) {
1235 mXmppConnectionService.markMessage(message, Message.STATUS_SEND_FAILED);
1236 //mXmppConnectionService.updateConversationUi();
1237 } else {
1238 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Generated message, caching: " + message.getUuid());
1239 messageCache.put(message.getUuid(), axolotlMessage);
1240 mXmppConnectionService.resendMessage(message, delay);
1241 }
1242 }
1243 });
1244 }
1245
1246 public void prepareKeyTransportMessage(final Conversation conversation, final OnMessageCreatedCallback onMessageCreatedCallback) {
1247 executor.execute(new Runnable() {
1248 @Override
1249 public void run() {
1250 final XmppAxolotlMessage axolotlMessage = new XmppAxolotlMessage(account.getJid().toBareJid(), getOwnDeviceId());
1251 if (buildHeader(axolotlMessage,conversation)) {
1252 onMessageCreatedCallback.run(axolotlMessage);
1253 } else {
1254 onMessageCreatedCallback.run(null);
1255 }
1256 }
1257 });
1258 }
1259
1260 public XmppAxolotlMessage fetchAxolotlMessageFromCache(Message message) {
1261 XmppAxolotlMessage axolotlMessage = messageCache.get(message.getUuid());
1262 if (axolotlMessage != null) {
1263 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Cache hit: " + message.getUuid());
1264 messageCache.remove(message.getUuid());
1265 } else {
1266 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Cache miss: " + message.getUuid());
1267 }
1268 return axolotlMessage;
1269 }
1270
1271 private XmppAxolotlSession recreateUncachedSession(SignalProtocolAddress address) {
1272 IdentityKey identityKey = axolotlStore.loadSession(address).getSessionState().getRemoteIdentityKey();
1273 return (identityKey != null)
1274 ? new XmppAxolotlSession(account, axolotlStore, address, identityKey)
1275 : null;
1276 }
1277
1278 private XmppAxolotlSession getReceivingSession(XmppAxolotlMessage message) {
1279 SignalProtocolAddress senderAddress = new SignalProtocolAddress(message.getFrom().toPreppedString(),
1280 message.getSenderDeviceId());
1281 XmppAxolotlSession session = sessions.get(senderAddress);
1282 if (session == null) {
1283 Log.d(Config.LOGTAG, AxolotlService.getLogprefix(account) + "Account: " + account.getJid() + " No axolotl session found while parsing received message " + message);
1284 session = recreateUncachedSession(senderAddress);
1285 if (session == null) {
1286 session = new XmppAxolotlSession(account, axolotlStore, senderAddress);
1287 }
1288 }
1289 return session;
1290 }
1291
1292 public XmppAxolotlMessage.XmppAxolotlPlaintextMessage processReceivingPayloadMessage(XmppAxolotlMessage message) {
1293 XmppAxolotlMessage.XmppAxolotlPlaintextMessage plaintextMessage = null;
1294
1295 XmppAxolotlSession session = getReceivingSession(message);
1296 try {
1297 plaintextMessage = message.decrypt(session, getOwnDeviceId());
1298 Integer preKeyId = session.getPreKeyId();
1299 if (preKeyId != null) {
1300 publishBundlesIfNeeded(false, false);
1301 session.resetPreKeyId();
1302 }
1303 } catch (CryptoFailedException e) {
1304 Log.w(Config.LOGTAG, getLogprefix(account) + "Failed to decrypt message from "+message.getFrom()+": " + e.getMessage());
1305 }
1306
1307 if (session.isFresh() && plaintextMessage != null) {
1308 putFreshSession(session);
1309 }
1310
1311 return plaintextMessage;
1312 }
1313
1314 public XmppAxolotlMessage.XmppAxolotlKeyTransportMessage processReceivingKeyTransportMessage(XmppAxolotlMessage message) {
1315 XmppAxolotlMessage.XmppAxolotlKeyTransportMessage keyTransportMessage;
1316
1317 XmppAxolotlSession session = getReceivingSession(message);
1318 try {
1319 keyTransportMessage = message.getParameters(session, getOwnDeviceId());
1320 } catch (CryptoFailedException e) {
1321 Log.d(Config.LOGTAG,"could not decrypt keyTransport message "+e.getMessage());
1322 keyTransportMessage = null;
1323 }
1324
1325 if (session.isFresh() && keyTransportMessage != null) {
1326 putFreshSession(session);
1327 }
1328
1329 return keyTransportMessage;
1330 }
1331
1332 private void putFreshSession(XmppAxolotlSession session) {
1333 Log.d(Config.LOGTAG,"put fresh session");
1334 sessions.put(session);
1335 if (Config.X509_VERIFICATION) {
1336 if (session.getIdentityKey() != null) {
1337 verifySessionWithPEP(session);
1338 } else {
1339 Log.e(Config.LOGTAG,account.getJid().toBareJid()+": identity key was empty after reloading for x509 verification");
1340 }
1341 }
1342 }
1343}