Merge pull request #1144 from matrix-org/dbkr/key_backup_resign

Sign key backup with cross-signing key on upgrade

src/crypto/index.js

@@ -28,6 +28,7 @@ import ReEmitter from '../ReEmitter';
 
 import logger from '../logger';
 const utils = require("../utils");
+const httpApi = require("../http-api");
 const OlmDevice = require("./OlmDevice");
 const olmlib = require("./olmlib");
 const algorithms = require("./algorithms");
@@ -418,6 +419,25 @@ Crypto.prototype.bootstrapSecretStorage = async function({
                 // Add an entry for the backup key in SSSS as a 'passthrough' key
                 // (ie. the secret is the key itself).
                 this._secretStorage.storePassthrough('m.megolm_backup.v1', newKeyId);
+
+                // if this key backup is trusted, sign it with the cross signing key
+                // so the key backup can be trusted via cross-signing.
+                const backupSigStatus = await this.checkKeyBackup(keyBackupInfo);
+                if (backupSigStatus.trustInfo.usable) {
+                    console.log("Adding cross signing signature to key backup");
+                    await this._crossSigningInfo.signObject(
+                        keyBackupInfo.auth_data, "master",
+                    );
+                    await this._baseApis._http.authedRequest(
+                        undefined, "PUT", "/room_keys/version/" + keyBackupInfo.version,
+                        undefined, keyBackupInfo,
+                        {prefix: httpApi.PREFIX_UNSTABLE},
+                    );
+                } else {
+                    console.log(
+                        "Key backup is NOT TRUSTED: NOT adding cross signing signature",
+                    );
+                }
             } else {
                 logger.log("Secret storage default key not found, creating new key");
                 const keyOptions = await createSecretStorageKey();