From fdad493840cbfe4ef9433aaf035298c54a491c0b Mon Sep 17 00:00:00 2001
From: Lukas Forst <lukas@forst.dev>
Date: Wed, 13 Jul 2022 17:45:43 +0200
Subject: [PATCH 1/3] allow isPrekey to validate last resort prekey

---
 src/main/java/com/wire/bots/cryptobox/CryptoBox.java  |  7 ++++---
 .../java/com/wire/bots/cryptobox/CryptoboxTest.java   | 11 ++++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/wire/bots/cryptobox/CryptoBox.java b/src/main/java/com/wire/bots/cryptobox/CryptoBox.java
index bf3450c..fef62f9 100644
--- a/src/main/java/com/wire/bots/cryptobox/CryptoBox.java
+++ b/src/main/java/com/wire/bots/cryptobox/CryptoBox.java
@@ -62,7 +62,8 @@ final public class CryptoBox implements ICryptobox {
     /**
      * The max ID of an ephemeral prekey generated by {@link #newPreKeys}.
      */
-    private static final int MAX_PREKEY_ID = 0xFFFE;
+    private static final int MAX_PREKEY_ID = 65_534;
+    private static final int LAST_RESORT_PREKEY_ID = MAX_PREKEY_ID + 1;
 
     private long ptr;
 
@@ -150,8 +151,8 @@ public static void isPrekey(PreKey preKey) throws CryptoException {
         errorOnNull(preKey.data, "preKey.data");
         errorOnNull(preKey.id, "preKey.id");
 
-        if (preKey.id < 0 || preKey.id > MAX_PREKEY_ID) {
-            throw new IllegalArgumentException("ID of the prekey must be between 0 and " + MAX_PREKEY_ID + "!");
+        if (preKey.id < 0 || preKey.id > LAST_RESORT_PREKEY_ID) {
+            throw new IllegalArgumentException("ID of the prekey must be 0 <= ID <= " + LAST_RESORT_PREKEY_ID + "!");
         }
 
         jniIsPreKey(preKey.data, preKey.id);
diff --git a/src/test/java/com/wire/bots/cryptobox/CryptoboxTest.java b/src/test/java/com/wire/bots/cryptobox/CryptoboxTest.java
index 08e1b7e..4924b5a 100644
--- a/src/test/java/com/wire/bots/cryptobox/CryptoboxTest.java
+++ b/src/test/java/com/wire/bots/cryptobox/CryptoboxTest.java
@@ -69,15 +69,18 @@ public void testAllGeneratedPrekeysAreValid() {
         for (PreKey key : aliceKeys) {
             Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(key));
         }
+        // also check that last resort prekeys are validated correctly
+        Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(bob.newLastPreKey()));
+        Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(alice.newLastPreKey()));
     }
 
     @Test
     public void testIsPrekeyThrowsOnInvalidKey() throws Exception {
         // first generate prekeys
-        int maxPrekey = 0xFFFE;
+        int maxEphemeralPrekeyId = 65_534;
         Random rd = new Random();
         int prekeysCount = 100;
-        int randomStart = rd.nextInt(maxPrekey - prekeysCount);
+        int randomStart = rd.nextInt(maxEphemeralPrekeyId - prekeysCount);
         PreKey[] keys = bob.newPreKeys(randomStart, prekeysCount);
         Assertions.assertEquals(prekeysCount, keys.length);
 
@@ -85,6 +88,7 @@ public void testIsPrekeyThrowsOnInvalidKey() throws Exception {
         for (PreKey key : keys) {
             Assertions.assertDoesNotThrow(() -> CryptoBox.isPrekey(key));
         }
+
         // now we change random bytes which results in invalid prekeys
         for (PreKey key : keys) {
             byte[] bytes = key.data.clone();
@@ -94,7 +98,8 @@ public void testIsPrekeyThrowsOnInvalidKey() throws Exception {
 
         // also the IDs should be bound
         Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(-1, keys[0].data)));
-        Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(maxPrekey + 1, keys[0].data)));
+        // last ephemeral prekey is 65_534, 65_535 is the last resort and thus 65_536 must be invalid
+        Assertions.assertThrows(IllegalArgumentException.class, () -> CryptoBox.isPrekey(new PreKey(maxEphemeralPrekeyId + 2, keys[0].data)));
     }
 
     @Test

From d7c1f2df7aa160e56860d59ceaa45ee9626bcb15 Mon Sep 17 00:00:00 2001
From: Lukas Forst <lukas@forst.dev>
Date: Wed, 13 Jul 2022 17:46:20 +0200
Subject: [PATCH 2/3] fix pipeline for arm64

---
 .github/workflows/docker.yml         |  4 ++--
 .github/workflows/pr.yml             |  4 ++--
 .github/workflows/release-docker.yml | 16 ++--------------
 3 files changed, 6 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b75be03..43bb0ec 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -13,7 +13,7 @@ on:
       runtime_image:
         required: true
         type: string
-      platform:
+      platforms:
         required: true
         type: string
     secrets:
@@ -78,7 +78,7 @@ jobs:
           target: cryptobox
           tags: ${{ inputs.cryptobox_image }}:latest, ${{ inputs.cryptobox_image }}:${{ env.RELEASE_VERSION }}
           labels: ${{ steps.docker_meta_cryptobox.outputs.labels }}
-          platforms: ${{ inputs.platform }}
+          platforms: ${{ inputs.platforms }}
           push: ${{ inputs.publish }}
 
       - name: Build Runtime
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 767f3fe..b69e124 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -16,7 +16,7 @@ jobs:
       publish: false
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/arm64
+      platforms: linux/arm64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}
@@ -27,7 +27,7 @@ jobs:
       publish: false
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/amd64
+      platforms: linux/amd64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}
diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml
index df358ba..7d7d68d 100644
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -14,26 +14,14 @@ jobs:
     secrets:
       webhook: ${{ secrets.WEBHOOK_RELEASE }}
 
-  release_docker_arm64:
+  release_docker:
     uses: ./.github/workflows/docker.yml
     needs: [ tests ]
     with:
       publish: true
       cryptobox_image: wirebot/cryptobox
       runtime_image: wirebot/runtime
-      platform: linux/arm64
-    secrets:
-      docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      webhook: ${{ secrets.WEBHOOK_RELEASE }}
-
-  release_docker_amd64:
-    uses: ./.github/workflows/docker.yml
-    needs: [ tests ]
-    with:
-      publish: true
-      cryptobox_image: wirebot/cryptobox
-      runtime_image: wirebot/runtime
-      platform: linux/amd64
+      platforms: linux/amd64, linux/arm64
     secrets:
       docker_password: ${{ secrets.DOCKERHUB_PASSWORD }}
       webhook: ${{ secrets.WEBHOOK_RELEASE }}

From 90be6f2f6c7d40f67fd9612fd0cc20aaed6af551 Mon Sep 17 00:00:00 2001
From: Lukas Forst <lukas@forst.dev>
Date: Wed, 13 Jul 2022 17:46:28 +0200
Subject: [PATCH 3/3] bump version

---
 README.md | 2 +-
 pom.xml   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index ae8378c..7ee4d35 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,6 @@ See makefiles in [mk](mk) directory.
 <dependency>
   <groupId>com.wire</groupId>
   <artifactId>cryptobox4j</artifactId>
-  <version>1.1.2</version>
+  <version>1.1.3</version>
 </dependency>
 ```
diff --git a/pom.xml b/pom.xml
index c543409..43778ef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>com.wire</groupId>
     <artifactId>cryptobox4j</artifactId>
-    <version>1.1.2</version>
+    <version>1.1.3</version>
 
     <name>Cryptobox4J</name>
     <description>CryptoBox for Wire Bots</description>