tests: Cross-signing keys support in E2EKeyReceiver

Have `E2EKeyReceiver` collect uploaded cross-signing keys, so that they can be
returned by `E2EKeyResponder`.

Author: richvdh

spec/integ/crypto/cross-signing.spec.ts

@@ -137,9 +137,9 @@ describe("cross-signing", () => {
             const authDict = { type: "test" };
             await bootstrapCrossSigning(authDict);
 
-            // check the cross-signing keys upload
-            expect(fetchMock.called("upload-keys")).toBeTruthy();
-            const [, keysOpts] = fetchMock.lastCall("upload-keys")!;
+            // check the cross-signing keys have been uploaded
+            expect(fetchMock.called("upload-cross-signing-keys")).toBeTruthy();
+            const [, keysOpts] = fetchMock.lastCall("upload-cross-signing-keys")!;
             const keysBody = JSON.parse(keysOpts!.body as string);
             expect(keysBody.auth).toEqual(authDict); // check uia dict was passed
             // there should be a key of each type
@@ -420,15 +420,18 @@ describe("cross-signing", () => {
             return new Promise<any>((resolve) => {
                 fetchMock.post(
                     {
-                        url: new RegExp("/_matrix/client/v3/keys/device_signing/upload"),
-                        name: "upload-keys",
+                        url: new URL(
+                            "/_matrix/client/v3/keys/device_signing/upload",
+                            aliceClient.getHomeserverUrl(),
+                        ).toString(),
+                        name: "upload-cross-signing-keys",
                     },
                     (url, options) => {
                         const content = JSON.parse(options.body as string);
                         resolve(content);
                         return {};
                     },
-                    // Override the routes define in `mockSetupCrossSigningRequests`
+                    // Override the route defined in E2EKeyReceiver
                     { overwriteRoutes: true },
                 );
             });

spec/integ/crypto/device-dehydration.spec.ts

@@ -181,7 +181,6 @@ async function initializeSecretStorage(
     const e2eKeyReceiver = new E2EKeyReceiver(homeserverUrl);
     const e2eKeyResponder = new E2EKeyResponder(homeserverUrl);
     e2eKeyResponder.addKeyReceiver(userId, e2eKeyReceiver);
-    fetchMock.post("path:/_matrix/client/v3/keys/device_signing/upload", {});
     fetchMock.post("path:/_matrix/client/v3/keys/signatures/upload", {});
     const accountData: Map<string, object> = new Map();
     fetchMock.get("glob:http://*/_matrix/client/v3/user/*/account_data/*", (url, opts) => {

spec/test-utils/E2EKeyReceiver.ts

@@ -14,11 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import debugFunc from "debug";
-import { type Debugger } from "debug";
+import debugFunc, { type Debugger } from "debug";
 import fetchMock from "fetch-mock-jest";
 
 import type { IDeviceKeys, IOneTimeKey } from "../../src/@types/crypto";
+import type { CrossSigningKeys } from "../../src";
 
 /** Interface implemented by classes that intercept `/keys/upload` requests from test clients to catch the uploaded keys
  *
@@ -55,14 +55,15 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
     private readonly debug: Debugger;
 
     private deviceKeys: IDeviceKeys | null = null;
+    private crossSigningKeys: CrossSigningKeys | null = null;
     private oneTimeKeys: Record<string, IOneTimeKey> = {};
     private readonly oneTimeKeysPromise: Promise<void>;
 
     /**
      * Construct a new E2EKeyReceiver.
      *
-     * It will immediately register an intercept of `/keys/uploads` requests for the given homeserverUrl.
-     * Only /upload requests made to this server will be intercepted: this allows a single test to use more than one
+     * It will immediately register an intercept of `/keys/uploads` and `/keys/device_signing/upload` requests for the given homeserverUrl.
+     * Only requests made to this server will be intercepted: this allows a single test to use more than one
      * client and have the keys collected separately.
      *
      * @param homeserverUrl - the Homeserver Url of the client under test.
@@ -77,6 +78,14 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
 
             fetchMock.post(new URL("/_matrix/client/v3/keys/upload", homeserverUrl).toString(), listener);
         });
+
+        fetchMock.post(
+            {
+                url: new URL("/_matrix/client/v3/keys/device_signing/upload", homeserverUrl).toString(),
+                name: "upload-cross-signing-keys",
+            },
+            (url, options) => this.onSigningKeyUploadRequest(options),
+        );
     }
 
     private async onKeyUploadRequest(onOnTimeKeysUploaded: () => void, options: RequestInit): Promise<object> {
@@ -113,6 +122,18 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
         };
     }
 
+    private async onSigningKeyUploadRequest(request: RequestInit): Promise<object> {
+        const content = JSON.parse(request.body as string);
+        if (this.crossSigningKeys) {
+            throw new Error("Application attempted to upload E2E cross-signing keys multiple times");
+        }
+        this.debug(`received cross-signing keys`);
+        // Remove UIA data
+        delete content["auth"];
+        this.crossSigningKeys = content;
+        return {};
+    }
+
     /** Get the uploaded Ed25519 key
      *
      * If device keys have not yet been uploaded, throws an error
@@ -150,6 +171,13 @@ export class E2EKeyReceiver implements IE2EKeyReceiver {
         return this.deviceKeys;
     }
 
+    /**
+     * If cross-signing keys have been uploaded, return them. Else return null.
+     */
+    public getUploadedCrossSigningKeys(): CrossSigningKeys | null {
+        return this.crossSigningKeys;
+    }
+
     /**
      * If one-time keys have already been uploaded, return them. Otherwise,
      * set up an expectation that the keys will be uploaded, and wait for

spec/test-utils/E2EKeyResponder.ts

@@ -17,7 +17,7 @@ limitations under the License.
 import fetchMock from "fetch-mock-jest";
 
 import { MapWithDefault } from "../../src/utils";
-import { type IDownloadKeyResult } from "../../src";
+import { type IDownloadKeyResult, type SigningKeys } from "../../src";
 import { type IDeviceKeys } from "../../src/@types/crypto";
 import { type E2EKeyReceiver } from "./E2EKeyReceiver";
 
@@ -50,35 +50,42 @@ export class E2EKeyResponder {
         const content = JSON.parse(options.body as string);
         const usersToReturn = Object.keys(content["device_keys"]);
         const response = {
-            device_keys: {} as { [userId: string]: any },
-            master_keys: {} as { [userId: string]: any },
-            self_signing_keys: {} as { [userId: string]: any },
-            user_signing_keys: {} as { [userId: string]: any },
-            failures: {} as { [serverName: string]: any },
-        };
+            device_keys: {},
+            master_keys: {},
+            self_signing_keys: {},
+            user_signing_keys: {},
+            failures: {},
+        } as IDownloadKeyResult;
         for (const user of usersToReturn) {
-            const userKeys = this.deviceKeysByUserByDevice.get(user);
-            if (userKeys !== undefined) {
-                response.device_keys[user] = Object.fromEntries(userKeys.entries());
-            }
-
+            // First see if we have an E2EKeyReceiver for this user, and if so, return any keys that have been uploaded
             const e2eKeyReceiver = this.e2eKeyReceiversByUser.get(user);
             if (e2eKeyReceiver !== undefined) {
                 const deviceKeys = e2eKeyReceiver.getUploadedDeviceKeys();
                 if (deviceKeys !== null) {
                     response.device_keys[user] ??= {};
                     response.device_keys[user][deviceKeys.device_id] = deviceKeys;
                 }
+                const crossSigningKeys = e2eKeyReceiver.getUploadedCrossSigningKeys();
+                if (crossSigningKeys !== null) {
+                    response.master_keys![user] = crossSigningKeys["master_key"];
+                    response.self_signing_keys![user] = crossSigningKeys["self_signing_key"] as SigningKeys;
+                }
             }
 
+            // Mix in any keys that have been added explicitly to this E2EKeyResponder.
+            const userKeys = this.deviceKeysByUserByDevice.get(user);
+            if (userKeys !== undefined) {
+                response.device_keys[user] ??= {};
+                Object.assign(response.device_keys[user], Object.fromEntries(userKeys.entries()));
+            }
             if (this.masterKeysByUser.hasOwnProperty(user)) {
-                response.master_keys[user] = this.masterKeysByUser[user];
+                response.master_keys![user] = this.masterKeysByUser[user];
             }
             if (this.selfSigningKeysByUser.hasOwnProperty(user)) {
-                response.self_signing_keys[user] = this.selfSigningKeysByUser[user];
+                response.self_signing_keys![user] = this.selfSigningKeysByUser[user];
             }
             if (this.userSigningKeysByUser.hasOwnProperty(user)) {
-                response.user_signing_keys[user] = this.userSigningKeysByUser[user];
+                response.user_signing_keys![user] = this.userSigningKeysByUser[user];
             }
         }
         return response;

spec/test-utils/mockEndpoints.ts

@@ -43,11 +43,10 @@ export function mockInitialApiRequests(homeserverUrl: string, userId: string = "
 }
 
 /**
- * Mock the requests needed to set up cross signing
+ * Mock the requests needed to set up cross signing, besides those provided by {@link E2EKeyReceiver}.
  *
  * Return 404 error for `GET _matrix/client/v3/user/:userId/account_data/:type` request
  * Return `{}` for `POST _matrix/client/v3/keys/signatures/upload` request (named `upload-sigs` for fetchMock check)
- * Return `{}` for `POST /_matrix/client/(unstable|v3)/keys/device_signing/upload` request (named `upload-keys` for fetchMock check)
  */
 export function mockSetupCrossSigningRequests(): void {
     // have account_data requests return an empty object
@@ -58,16 +57,6 @@ export function mockSetupCrossSigningRequests(): void {
 
     // we expect a request to upload signatures for our device ...
     fetchMock.post({ url: "path:/_matrix/client/v3/keys/signatures/upload", name: "upload-sigs" }, {});
-
-    // ... and one to upload the cross-signing keys (with UIA)
-    fetchMock.post(
-        // legacy crypto uses /unstable/; /v3/ is correct
-        {
-            url: new RegExp("/_matrix/client/(unstable|v3)/keys/device_signing/upload"),
-            name: "upload-keys",
-        },
-        {},
-    );
 }
 
 /**

spec/unit/rust-crypto/rust-crypto.spec.ts

@@ -1548,10 +1548,6 @@ describe("RustCrypto", () => {
             const e2eKeyReceiver = new E2EKeyReceiver("http://server");
             const e2eKeyResponder = new E2EKeyResponder("http://server");
             e2eKeyResponder.addKeyReceiver(TEST_USER, e2eKeyReceiver);
-            fetchMock.post("path:/_matrix/client/v3/keys/device_signing/upload", {
-                status: 200,
-                body: {},
-            });
             fetchMock.post("path:/_matrix/client/v3/keys/signatures/upload", {
                 status: 200,
                 body: {},
@@ -1793,10 +1789,6 @@ describe("RustCrypto", () => {
                     error: "Not found",
                 },
             });
-            fetchMock.post("path:/_matrix/client/v3/keys/device_signing/upload", {
-                status: 200,
-                body: {},
-            });
             fetchMock.post("path:/_matrix/client/v3/keys/signatures/upload", {
                 status: 200,
                 body: {},
@@ -1934,10 +1926,6 @@ describe("RustCrypto", () => {
                         error: "Not found",
                     },
                 });
-                fetchMock.post("path:/_matrix/client/v3/keys/device_signing/upload", {
-                    status: 200,
-                    body: {},
-                });
                 fetchMock.post("path:/_matrix/client/v3/keys/signatures/upload", {
                     status: 200,
                     body: {},