Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-register first-party endpoints when the private gateway's certificate changes #175

Closed
gnarea opened this issue Nov 24, 2021 · 2 comments · Fixed by #218
Closed

Re-register first-party endpoints when the private gateway's certificate changes #175

gnarea opened this issue Nov 24, 2021 · 2 comments · Fixed by #218
Assignees
@sdsantos
Labels
released

Comments

@gnarea
Copy link
Member

gnarea commented Nov 24, 2021
edited
Loading

What to do with old certificates

Old certificates should continue to be used in all calls to parcel.validate(). The old (yet valid) certificates should be passed as trustedCertificates, along with the new certificate.

Old certificates should only be deleted after they expire (e,g., once a day, when the app starts). However, expired certificates must not be included in the trustedCertificates above.

What to do with the new certificate

The new certificate should be used in all calls to parcel.serialize() and issueDeliveryAuthorization(). This shouldn't require code any further code changes, but I'm documenting this requirement to make sure we don't change the code inadvertently.

Related issues
@gnarea gnarea changed the title Re-register with private gateway to get new certificate Re-register endpoints when the private gateway's certificate changes Jan 5, 2022
@gnarea gnarea mentioned this issue Jan 5, 2022
Closed
@gnarea gnarea changed the title Re-register endpoints when the private gateway's certificate changes Re-register first-party endpoints when the private gateway's certificate changes Jan 6, 2022
@Filmaluco Filmaluco self-assigned this Mar 1, 2022
@gnarea gnarea mentioned this issue Mar 2, 2022
Closed
@sdsantos
Copy link
Collaborator

sdsantos commented Apr 12, 2022
edited
Loading

  • Use all valid 1st party certificates to validate incoming messages, instead of just the latest (ReceiveMessages#getNonceSigners)
  • Delete expired 1st party certificates on library setup, in the background (Awala#setUp)
  • Re-register first-party endpoints when notified
  • Integrate the function to reissue+send PDAs (FirstPartyEndpoint.reissuePDAs())

@gnarea gnarea mentioned this issue Apr 13, 2022
Merged
kodiakhq bot pushed a commit that referenced this issue Apr 14, 2022
@gnarea
feat: Re-issue/send PDAs when first-party endpoint certificates are r…
6d62572 
…enewed (#212)

Fixes #185. It's also worth highlighting the following:

- It introduces the instance method `FirstPartyEndpoint.authorizeIndefinitely()`, which is like `FirstPartyEndpoint.issueAuthorization()`, except that it tracks which 3rd party endpoints are authorised in order to renew their PDAs automatically.
  - For example, Awala Ping will continue to use `FirstPartyEndpoint.issueAuthorization()` but Letro will use `FirstPartyEndpoint.authorizeIndefinitely()`.
  - To stop renewing an _indefinite PDA_, it's enough to delete the respective 1st or 3rd party endpoint.
- This PR introduces the concept of "channel" (e.g., `ChannelManager`), which exists in the Awala protocol suite and refers to an established communication channel between two endpoints (which is end-to-end encrypted and where both are mutually authorised to send messages to each other).
- Because #175 isn't implemented yet, I haven't actually integrated the function to reissue+send PDAs (`FirstPartyEndpoint.reissuePDAs()`). This should be done as part of #175.
- This PR integrates `CertificationPath` from the core Awala lib, which effectively duplicates the existing `AuthorizationBundle` data class. Once this PR is merged, I'll create a separate PR to replace the remaining uses of `AuthorizationBundle`.

# Review notes

Of things that I'm likely to have got wrong here, I'd rank highly the use of `SharedPreferences` and coroutines (esp. where I have to specify a context explicitly), so please pay special attention to those.
This was referenced Apr 14, 2022
Merged
Merged
@sdsantos sdsantos assigned sdsantos and unassigned Filmaluco Apr 19, 2022
@kodiakhq kodiakhq bot closed this as completed in #218 Apr 19, 2022
kodiakhq bot pushed a commit that referenced this issue Apr 19, 2022
@sdsantos
feat: Re-register endpoints when gateway certificate changes (#218)
7e7dc30 
Closes #175
@github-actions
Copy link

🎉 This issue has been resolved in version 1.10.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

kodiakhq bot pushed a commit that referenced this issue Apr 20, 2022
@sdsantos
feat: Use new certificate store on First-Party Endpoints (#213)
bad9585 
Related with #175
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sdsantos sdsantos

Labels
released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: Re-register endpoints when gateway certificate changes relaycorp/awala-endpoint-android
3 participants
@sdsantos @gnarea @Filmaluco