Merge pull request #17 from wireapp/fix-prekey-validation

Allow validation of last resort prekey

.github/workflows/docker.yml

@@ -13,7 +13,7 @@ on:
       runtime_image:
         required: true
         type: string
-      platform:
+      platforms:
         required: true
         type: string
     secrets:
@@ -78,7 +78,7 @@ jobs:
           target: cryptobox
           tags: ${{ inputs.cryptobox_image }}:latest, ${{ inputs.cryptobox_image }}:${{ env.RELEASE_VERSION }}
           labels: ${{ steps.docker_meta_cryptobox.outputs.labels }}
-          platforms: ${{ inputs.platform }}
+          platforms: ${{ inputs.platforms }}
           push: ${{ inputs.publish }}
 
       - name: Build Runtime

.github/workflows/pr.yml

@@ -16,7 +16,7 @@ jobs:
       publish: false
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/arm64
+      platforms: linux/arm64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}
@@ -27,7 +27,7 @@ jobs:
       publish: false
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/amd64
+      platforms: linux/amd64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}

.github/workflows/release-docker.yml

@@ -14,26 +14,14 @@ jobs:
     secrets:
       webhook: ${{ secrets.WEBHOOK_RELEASE }}
 
-  release_docker_arm64:
+  release_docker:
     uses: ./.github/workflows/docker.yml
     needs: [ tests ]
     with:
       publish: true
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/arm64
-    secrets:
-      docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      webhook: ${{ secrets.WEBHOOK_RELEASE }}
-
-  release_docker_amd64:
-    uses: ./.github/workflows/docker.yml
-    needs: [ tests ]
-    with:
-      publish: true
-      cryptobox_image: wirebot/cryptobox
-      runtime_image: wirebot/runtime
-      platform: linux/amd64
+      platforms: linux/amd64, linux/arm64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}

README.md

@@ -8,6 +8,6 @@ See makefiles in [mk](mk) directory.
 <dependency>
   <groupId>com.wire</groupId>
   <artifactId>cryptobox4j</artifactId>
-  <version>1.1.2</version>
+  <version>1.1.3</version>
 </dependency>
 ```

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.wire</groupId>
     <artifactId>cryptobox4j</artifactId>
-    <version>1.1.2</version>
+    <version>1.1.3</version>
 
     <name>Cryptobox4J</name>
     <description>CryptoBox for Wire Bots</description>

src/main/java/com/wire/bots/cryptobox/CryptoBox.java

@@ -62,7 +62,8 @@ final public class CryptoBox implements ICryptobox {
     /**
      * The max ID of an ephemeral prekey generated by {@link #newPreKeys}.
      */
-    private static final int MAX_PREKEY_ID = 0xFFFE;
+    private static final int MAX_PREKEY_ID = 65_534;
+    private static final int LAST_RESORT_PREKEY_ID = MAX_PREKEY_ID + 1;
 
     private long ptr;
 
@@ -150,8 +151,8 @@ public static void isPrekey(PreKey preKey) throws CryptoException {
         errorOnNull(preKey.data, "preKey.data");
         errorOnNull(preKey.id, "preKey.id");
 
-        if (preKey.id < 0 || preKey.id > MAX_PREKEY_ID) {
-            throw new IllegalArgumentException("ID of the prekey must be between 0 and " + MAX_PREKEY_ID + "!");
+        if (preKey.id < 0 || preKey.id > LAST_RESORT_PREKEY_ID) {
+            throw new IllegalArgumentException("ID of the prekey must be 0 <= ID <= " + LAST_RESORT_PREKEY_ID + "!");
         }
 
         jniIsPreKey(preKey.data, preKey.id);

src/test/java/com/wire/bots/cryptobox/CryptoboxTest.java

@@ -69,22 +69,26 @@ public void testAllGeneratedPrekeysAreValid() {
         for (PreKey key : aliceKeys) {
             Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(key));
         }
+        // also check that last resort prekeys are validated correctly
+        Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(bob.newLastPreKey()));
+        Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(alice.newLastPreKey()));
     }
 
     @Test
     public void testIsPrekeyThrowsOnInvalidKey() throws Exception {
         // first generate prekeys
-        int maxPrekey = 0xFFFE;
+        int maxEphemeralPrekeyId = 65_534;
         Random rd = new Random();
         int prekeysCount = 100;
-        int randomStart = rd.nextInt(maxPrekey - prekeysCount);
+        int randomStart = rd.nextInt(maxEphemeralPrekeyId - prekeysCount);
         PreKey[] keys = bob.newPreKeys(randomStart, prekeysCount);
         Assertions.assertEquals(prekeysCount, keys.length);
 
         // check that all generated keys are valid
         for (PreKey key : keys) {
             Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(key));
         }
+
         // now we change random bytes which results in invalid prekeys
         for (PreKey key : keys) {
             byte[] bytes = key.data.clone();
@@ -94,7 +98,8 @@ public void testIsPrekeyThrowsOnInvalidKey() throws Exception {
 
         // also the IDs should be bound
         Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(-1, keys[0].data)));
-        Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(maxPrekey + 1, keys[0].data)));
+        // last ephemeral prekey is 65_534, 65_535 is the last resort and thus 65_536 must be invalid
+        Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(maxEphemeralPrekeyId + 2, keys[0].data)));
     }
 
     @Test