Implement AES backup algorithm (WIP need to check with valere the private key thing)

Author: ganfra

matrix-sdk-android/src/androidTest/java/org/matrix/android/sdk/internal/crypto/keysbackup/KeysBackupTest.kt

@@ -42,6 +42,7 @@ import org.matrix.android.sdk.api.session.crypto.keysbackup.KeysVersion
 import org.matrix.android.sdk.api.session.crypto.keysbackup.KeysVersionResult
 import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupCreationInfo
 import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupCurve25519AuthData
+import org.matrix.android.sdk.api.session.crypto.keysbackup.extractCurveKeyFromRecoveryKey
 import org.matrix.android.sdk.api.session.crypto.keysbackup.toKeysVersionResult
 import org.matrix.android.sdk.api.session.crypto.model.ImportRoomKeysResult
 import org.matrix.android.sdk.api.session.getRoom
@@ -321,7 +322,8 @@ class KeysBackupTest : InstrumentedTest {
                     put(cryptoTestData.roomId, roomKeysBackupData)
                 }
         )
-        val sessionsData = algorithm.decryptSessions(keyBackupCreationInfo.recoveryKey, keysBackupData)
+        algorithm.setRecoveryKey(keyBackupCreationInfo.recoveryKey)
+        val sessionsData = algorithm.decryptSessions(keysBackupData)
         val sessionData = sessionsData.firstOrNull()
         assertNotNull(sessionData)
         // - Compare the decrypted megolm key with the original one

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/keysbackup/DefaultKeysBackupService.kt

@@ -29,6 +29,7 @@ import org.matrix.android.sdk.api.MatrixCallback
 import org.matrix.android.sdk.api.MatrixCoroutineDispatchers
 import org.matrix.android.sdk.api.auth.data.Credentials
 import org.matrix.android.sdk.api.crypto.MXCRYPTO_ALGORITHM_CURVE_25519_BACKUP
+import org.matrix.android.sdk.api.extensions.tryOrNull
 import org.matrix.android.sdk.api.failure.Failure
 import org.matrix.android.sdk.api.failure.MatrixError
 import org.matrix.android.sdk.api.listeners.ProgressListener
@@ -45,6 +46,7 @@ import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupAuthData
 import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupCreationInfo
 import org.matrix.android.sdk.api.session.crypto.keysbackup.SavedKeyBackupKeyInfo
 import org.matrix.android.sdk.api.session.crypto.keysbackup.computeRecoveryKey
+import org.matrix.android.sdk.api.session.crypto.keysbackup.extractCurveKeyFromRecoveryKey
 import org.matrix.android.sdk.api.session.crypto.keysbackup.toKeysVersionResult
 import org.matrix.android.sdk.api.session.crypto.model.ImportRoomKeysResult
 import org.matrix.android.sdk.api.util.JsonDict
@@ -630,8 +632,9 @@ internal class DefaultKeysBackupService @Inject constructor(
 
                 // Get backed up keys from the homeserver
                 val data = getKeys(sessionId, roomId, keysVersionResult.version)
+                algorithm?.setRecoveryKey(recoveryKey)
                 val sessionsData = withContext(coroutineDispatchers.computation) {
-                    algorithm?.decryptSessions(recoveryKey, data)
+                    algorithm?.decryptSessions(data)
                 }.orEmpty()
                 // Do not trigger a backup for them if they come from the backup version we are using
                 val backUp = keysVersionResult.version != keysBackupVersion?.version
@@ -998,7 +1001,8 @@ internal class DefaultKeysBackupService @Inject constructor(
     private fun isValidRecoveryKeyForKeysBackupVersion(recoveryKey: String, keysBackupData: KeysVersionResult): Boolean {
         return try {
             val algorithm = algorithmFactory.create(keysBackupData)
-            val isValid = algorithm.keyMatches(recoveryKey)
+            val privateKey = extractCurveKeyFromRecoveryKey(recoveryKey) ?: return false
+            val isValid = algorithm.keyMatches(privateKey)
             algorithm.release()
             isValid
         } catch (failure: Throwable) {
@@ -1133,7 +1137,8 @@ internal class DefaultKeysBackupService @Inject constructor(
                 // Gather data to send to the homeserver
                 // roomId -> sessionId -> MXKeyBackupData
                 val keysBackupData = KeysBackupData()
-
+                val recoveryKey = cryptoStore.getKeyBackupRecoveryKeyInfo()?.recoveryKey
+                algorithm?.setRecoveryKey(recoveryKey)
                 olmInboundGroupSessionWrappers.forEach { olmInboundGroupSessionWrapper ->
                     val roomId = olmInboundGroupSessionWrapper.roomId ?: return@forEach
                     val olmInboundGroupSession = olmInboundGroupSessionWrapper.session
@@ -1242,7 +1247,9 @@ internal class DefaultKeysBackupService @Inject constructor(
                 }
                 ?: return null
 
-        val sessionBackupData = algorithm?.encryptSession(sessionData) ?: return null
+        val sessionBackupData = tryOrNull {
+            algorithm?.encryptSession(sessionData)
+        } ?: return null
         return KeyBackupData(
                 firstMessageIndex = try {
                     olmInboundGroupSessionWrapper.session.firstKnownIndex
@@ -1265,6 +1272,10 @@ internal class DefaultKeysBackupService @Inject constructor(
         return sessionData.sharedHistory
     }
 
+    private fun getPrivateKey(): ByteArray {
+        return byteArrayOf()
+    }
+
     /* ==========================================================================================
      * For test only
      * ========================================================================================== */

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/keysbackup/algorithm/KeysBackupAes256Algorithm.kt

@@ -20,15 +20,24 @@ import org.matrix.android.sdk.api.crypto.MXCRYPTO_ALGORITHM_AES_256_BACKUP
 import org.matrix.android.sdk.api.session.crypto.keysbackup.KeysVersionResult
 import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupAes256AuthData
 import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupAuthData
+import org.matrix.android.sdk.api.session.crypto.keysbackup.extractCurveKeyFromRecoveryKey
 import org.matrix.android.sdk.api.util.JsonDict
+import org.matrix.android.sdk.api.util.fromBase64
+import org.matrix.android.sdk.api.util.toBase64NoPadding
 import org.matrix.android.sdk.internal.crypto.MegolmSessionData
 import org.matrix.android.sdk.internal.crypto.keysbackup.model.rest.KeysBackupData
+import org.matrix.android.sdk.internal.crypto.tools.AesHmacSha2
+import org.matrix.olm.OlmException
+import timber.log.Timber
+import java.security.InvalidParameterException
+import java.util.Arrays
 
 internal class KeysBackupAes256Algorithm(keysVersions: KeysVersionResult) : KeysBackupAlgorithm {
 
-    override val untrusted: Boolean = true
+    override val untrusted: Boolean = false
 
     private val aesAuthData: MegolmBackupAes256AuthData
+    private var privateKey: ByteArray? = null
 
     init {
         if (keysVersions.algorithm != MXCRYPTO_ALGORITHM_AES_256_BACKUP) {
@@ -37,21 +46,92 @@ internal class KeysBackupAes256Algorithm(keysVersions: KeysVersionResult) : Keys
         aesAuthData = keysVersions.getAuthDataAsMegolmBackupAuthData() as MegolmBackupAes256AuthData
     }
 
+    override fun setRecoveryKey(recoveryKey: String?) {
+        privateKey = extractCurveKeyFromRecoveryKey(recoveryKey)
+    }
+
     override fun encryptSession(sessionData: MegolmSessionData): JsonDict? {
-        TODO("Not yet implemented")
+        val privateKey = privateKey
+        if (privateKey == null || !keyMatches(privateKey)) {
+            Timber.e("Key does not match")
+            throw IllegalStateException("Key does not match")
+        }
+        val encryptedSessionBackupData = try {
+            val sessionDataJson = sessionData.asBackupJson()
+            AesHmacSha2.encrypt(privateKey = privateKey, secretName = sessionData.sessionId ?: "", sessionDataJson)
+        } catch (e: OlmException) {
+            Timber.e(e, "Error while encrypting backup data.")
+            null
+        } ?: return null
+
+        return mapOf(
+                "ciphertext" to encryptedSessionBackupData.cipherRawBytes.toBase64NoPadding(),
+                "mac" to encryptedSessionBackupData.mac.toBase64NoPadding(),
+                "iv" to encryptedSessionBackupData.initializationVector.toBase64NoPadding()
+        )
     }
 
-    override fun decryptSessions(recoveryKey: String, data: KeysBackupData): List<MegolmSessionData> {
-        TODO("Not yet implemented")
+    override fun decryptSessions(data: KeysBackupData): List<MegolmSessionData> {
+        val privateKey = privateKey
+        if (privateKey == null || !keyMatches(privateKey)) {
+            Timber.e("Invalid recovery key for this keys version")
+            throw InvalidParameterException("Invalid recovery key")
+        }
+        val sessionsData = ArrayList<MegolmSessionData>()
+        // Restore that data
+        var sessionsFromHsCount = 0
+        for ((roomIdLoop, backupData) in data.roomIdToRoomKeysBackupData) {
+            for ((sessionIdLoop, keyBackupData) in backupData.sessionIdToKeyBackupData) {
+                sessionsFromHsCount++
+                val sessionData = decryptSession(keyBackupData.sessionData, sessionIdLoop, roomIdLoop, privateKey)
+                sessionData?.let {
+                    sessionsData.add(it)
+                }
+            }
+        }
+        Timber.v(
+                "Decrypted ${sessionsData.size} keys out of $sessionsFromHsCount from the backup store on the homeserver"
+        )
+        return sessionsData
+    }
+
+    private fun decryptSession(sessionData: JsonDict, sessionId: String, roomId: String, privateKey: ByteArray): MegolmSessionData? {
+
+        val cipherRawBytes = sessionData["ciphertext"]?.toString()?.fromBase64() ?: return null
+        val mac = sessionData["mac"]?.toString()?.fromBase64() ?: throw IllegalStateException("Bad mac")
+        val iv = sessionData["iv"]?.toString()?.fromBase64() ?: ByteArray(16)
+
+        val encryptionInfo = AesHmacSha2.EncryptionInfo(
+                cipherRawBytes = cipherRawBytes,
+                mac = mac,
+                initializationVector = iv
+        )
+        return try {
+            val decrypted = AesHmacSha2.decrypt(privateKey, sessionId, encryptionInfo)
+            createMegolmSessionData(decrypted, sessionId, roomId)
+        } catch (e: Exception) {
+            Timber.e(e, "Exception while decrypting")
+            null
+        }
     }
 
     override fun release() {
-        TODO("Not yet implemented")
+        privateKey?.apply {
+            Arrays.fill(this, 0)
+        }
+        privateKey = null
     }
 
     override val authData: MegolmBackupAuthData = aesAuthData
 
-    override fun keyMatches(key: String): Boolean {
-        TODO("Not yet implemented")
+    override fun keyMatches(privateKey: ByteArray): Boolean {
+        return if (aesAuthData.mac != null) {
+            val keyCheckMac = AesHmacSha2.calculateKeyCheck(privateKey, aesAuthData.iv).mac
+            val authDataMac = aesAuthData.mac.fromBase64()
+            return keyCheckMac.contentEquals(authDataMac)
+        } else {
+            // if we have no information, we have to assume the key is right
+            true
+        }
     }
 }

matrix-sdk-android/src/main/java/org/matrix/android/sdk/internal/crypto/keysbackup/algorithm/KeysBackupAlgorithm.kt

@@ -20,13 +20,43 @@ import org.matrix.android.sdk.api.session.crypto.keysbackup.MegolmBackupAuthData
 import org.matrix.android.sdk.api.util.JsonDict
 import org.matrix.android.sdk.internal.crypto.MegolmSessionData
 import org.matrix.android.sdk.internal.crypto.keysbackup.model.rest.KeysBackupData
+import org.matrix.android.sdk.internal.di.MoshiProvider
 
 internal interface KeysBackupAlgorithm {
+
     val authData: MegolmBackupAuthData
     val untrusted: Boolean
 
+    fun setRecoveryKey(recoveryKey: String?)
     fun encryptSession(sessionData: MegolmSessionData): JsonDict?
-    fun decryptSessions(recoveryKey: String, data: KeysBackupData): List<MegolmSessionData>
-    fun keyMatches(key: String): Boolean
+    fun decryptSessions(data: KeysBackupData): List<MegolmSessionData>
+    fun keyMatches(privateKey: ByteArray): Boolean
     fun release()
 }
+
+internal fun KeysBackupAlgorithm.createMegolmSessionData(decrypted: String, sessionId: String, roomId: String): MegolmSessionData? {
+    val moshi = MoshiProvider.providesMoshi()
+    val adapter = moshi.adapter(MegolmSessionData::class.java)
+    val sessionBackupData: MegolmSessionData = adapter.fromJson(decrypted) ?: return null
+    return sessionBackupData.copy(
+            sessionId = sessionId,
+            roomId = roomId,
+            untrusted = untrusted
+    )
+}
+
+internal fun MegolmSessionData.asBackupJson(): String {
+    val sessionBackupData = mapOf(
+            "algorithm" to algorithm,
+            "sender_key" to senderKey,
+            "sender_claimed_keys" to senderClaimedKeys,
+            "forwarding_curve25519_key_chain" to (forwardingCurve25519KeyChain.orEmpty()),
+            "session_key" to sessionKey,
+            "org.matrix.msc3061.shared_history" to sharedHistory,
+            "untrusted" to untrusted
+    )
+    return MoshiProvider.providesMoshi()
+            .adapter(Map::class.java)
+            .toJson(sessionBackupData)
+}
+