-
Notifications
You must be signed in to change notification settings - Fork 11.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor!: Room's Key ID generation #33329
Conversation
🦋 Changeset detectedLatest commit: f7d8aeb The changes in this PR will be included in the next version bump. This PR includes changesets to release 33 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
Looks like this PR is ready to merge! 🎉 |
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## release-7.0.0 #33329 +/- ##
==============================================
Coverage 75.32% 75.32%
==============================================
Files 383 383
Lines 19383 19383
Branches 4980 4980
==============================================
Hits 14601 14601
Misses 4212 4212
Partials 570 570
Flags with carried forward coverage won't be shown. Click here to find out more. |
fab0eda
to
528f198
Compare
abe1570
to
e9bbdbd
Compare
989ebd9
to
0ba5073
Compare
e9bbdbd
to
cb512e1
Compare
0323e70
to
08cc7d8
Compare
cb512e1
to
335ae33
Compare
08cc7d8
to
5089689
Compare
50abbe6
to
bf02ce5
Compare
e2eKeyId
instead of derive it from encoded keye2eKeyId
instead of derive it from encoded key
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Congrats @KevLehman every problem that we discussed in not related with this code.
e2eKeyId
instead of derive it from encoded keyCo-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Co-authored-by: Hugo Costa <[email protected]> Co-authored-by: Guilherme Gazzo <[email protected]>
Proposed changes (including videos or screenshots)
Our current way of generating the e2eRoomKeyId is flawed. Our current steps are:
exportJWKKey
, this produces an object similar to this:Since after stringify/encoding the object above, the first 12 chars would be the string
{"alg": "A
which encoded iseyJhbGciOiJB
, and then this is defined as the "room key id"We currently don't use this value for anything that would require it to be random or "secure". We just use it to "identify" the key. However, since a room only has 1 key, it didn't matter if a key was actually "different", system would think it was "the key" for the room.
This would cause the client to try to decrypt the message and failing (if the key was actually different) as all the keys produced the same identifier.
This PR introduces a change in this keyID mechanism, creating an SHA-256 hash of the exported session key, and then taking the first 12 characters of the hash. Current rooms with current keys will continue to work as they should, as we now will use the
keyID
stored in the room object instead of calculating it from the key everytime.Issue(s)
https://rocketchat.atlassian.net/browse/E2EE2-68
Steps to test or reproduce
Further comments