RTCEncryptionManager: Joiner key rotation grace period #4911
+247
−24
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BillCarsonFr
force-pushed
the
valere/rtc/encryption_mgr/rotate_joiner_with_grace
branch
from
cd3bde8 to
1e5efc3
Compare
BillCarsonFr
force-pushed
the
valere/rtc/encryption_mgr/rotate_joiner_with_grace
branch
from
1e5efc3 to
1d798cb
Compare
toger5
requested changes
Jul 16, 2025
Comment on lines
179
to
181
| const gracePeriod = 15_000; // 15 seconds | ||
| // initial rollout | ||
| encryptionManager.join(undefined); | ||
| encryptionManager.join({ keyRotationGracePeriodMs: gracePeriod }); |
There was a problem hiding this comment.
this we can just move into the join() method?
Since we use the object config the key is written out and the reason for the value is explained
Comment on lines
179
to
181
| const gracePeriod = 15_000; // 15 seconds | ||
| // initial rollout | ||
| encryptionManager.join(undefined); | ||
| encryptionManager.join({ keyRotationGracePeriodMs: gracePeriod }); |
There was a problem hiding this comment.
Suggested change
| const gracePeriod = 15_000; // 15 seconds | |
| // initial rollout | |
| encryptionManager.join(undefined); | |
| encryptionManager.join({ keyRotationGracePeriodMs: gracePeriod }); | |
| encryptionManager.join({ keyRotationGracePeriodMs: 15_000 }); |
Comment on lines
231
to
237
| const gracePeriod = 3_000; // 15 seconds | ||
| const useKeyDelay = 5_000; // 5 seconds | ||
| // initial rollout | ||
| encryptionManager.join({ | ||
| useKeyDelay, | ||
| keyRotationGracePeriodMs: gracePeriod, | ||
| }); |
There was a problem hiding this comment.
Suggested change
| const gracePeriod = 3_000; // 15 seconds | |
| const useKeyDelay = 5_000; // 5 seconds | |
| // initial rollout | |
| encryptionManager.join({ | |
| useKeyDelay, | |
| keyRotationGracePeriodMs: gracePeriod, | |
| }); | |
| // initial rollout | |
| encryptionManager.join({ | |
| useKeyDelay: 3_000, // 3 seconds | |
| keyRotationGracePeriodMs: 5_000, // 5 seconds | |
| }); |
The comment seemed wrong (3 vs 15 s)
|
|
||
| // A new member joins, that should trigger a key rotation. | ||
| members.push(aCallMembership("@carl:example.org", "CARLDEVICE")); | ||
| encryptionManager.onMembershipsUpdate([]); |
There was a problem hiding this comment.
Why can we just pass [] as the old memberships here?
There was a problem hiding this comment.
I am thinking of sth like:
const oldMembers = [...members];
members.push(aCallMembership("@carl:example.org", "CARLDEVICE"));
encryptionManager.onMembershipsUpdate(oldMembers);
Just to make sure the test env is more correct to the real world. Even if the curren impl also works with []
(also makes the test easier to read if we dont know exactly what the onMembershipsUpdate param means)
There was a problem hiding this comment.
I might as well deprecate it? as it is not used
| // A new member joins, within the grace period, but under the delay period | ||
| members.push(aCallMembership("@david:example.org", "DAVDEVICE")); | ||
| await jest.advanceTimersByTimeAsync(3_000); | ||
| encryptionManager.onMembershipsUpdate([]); |
There was a problem hiding this comment.
As above.
Shouldn't the old memberships be the correct prev memberships, so the test more properly represents a real world scenario?
| * Sometimes it is necessary to rotate the encryption key after a membership update. | ||
| * For performance reasons we might not want to rotate the key immediately but allow future memberships to use the same key. | ||
| * If 5 people join in a row in less than 5 seconds, we don't want to rotate the key for each of them. | ||
| * If 5 people leave in a row in less than 5 seconds, we don't want to rotate the key for each of them. |
There was a problem hiding this comment.
Suggested change
| * If 5 people leave in a row in less than 5 seconds, we don't want to rotate the key for each of them. | |
| * If 5 people leave in a row in less than 5 seconds, we don't want to rotate the key for each of them. | |
| * So we do share the key which was already used live for <5s to new joiners. This does result in a potential leak up to the configured time of call media. | |
| * This has to be considered when choosing a value for this property. |
| * | ||
| * The higher this value is, the better it is for existing members as they will have a smoother experience. | ||
| * But it impacts new joiners: They will always have to wait `useKeyDelay` before being able to decrypt the media | ||
| * (as it will be encrypted with the new key after the delay only), even if the key is already arrived before the delay. |
There was a problem hiding this comment.
Suggested change
| * (as it will be encrypted with the new key after the delay only), even if the key is already arrived before the delay. | |
| * (as it will be encrypted with the new key after the delay only), even if the key has already arrived before the delay. |
| /** | ||
| * The time to wait before using the outbound session after it has been distributed. | ||
| * This is to ensure that the key is delivered to all participants before it is used. | ||
| * When creating the first key, this is set to 0, so that the key can be used immediately. | ||
| */ | ||
| private delayRolloutTimeMillis = 1000; | ||
| private delayRolloutTimeMillis = 5000; |
There was a problem hiding this comment.
is this the same as useKeyDelay. If so we should rename one of them.
| * If it is lower, the current key will always be older than the grace period. | ||
| * @private | ||
| */ | ||
| private skipRotationGracePeriod = 10_000; |
There was a problem hiding this comment.
same here keyRotationGracePeriodMs
Comment on lines
116
to
+117
| this.delayRolloutTimeMillis = joinConfig?.useKeyDelay ?? 1000; | ||
| this.skipRotationGracePeriod = joinConfig?.keyRotationGracePeriodMs ?? 10_000; |
There was a problem hiding this comment.
This should totally be:
Suggested change
| this.delayRolloutTimeMillis = joinConfig?.useKeyDelay ?? 1000; | |
| this.skipRotationGracePeriod = joinConfig?.keyRotationGracePeriodMs ?? 10_000; | |
| this.useKeyDelay = joinConfig?.useKeyDelay ?? 1000; | |
| this.keyRotationGracePeriodMs = joinConfig?.keyRotationGracePeriodMs ?? 10_000; |
There was a problem hiding this comment.
Or the other names from this class
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes https://github.com/element-hq/voip-internal/issues/371
Checklist
public/exportedsymbols have accurate TSDoc documentation.