keytrans: Support multiple auditors

Author: moiseev-signal

Cargo.lock

@@ -122,7 +122,6 @@ futures-util = "0.3"
 ghash = "0.5.0"
 heck = "0.5"
 hex = "0.4"
-hex-literal = "0.4.1"
 hickory-proto = "0.24.1"
 hkdf = "0.12"
 hmac = "0.12.0"

Cargo.toml

@@ -15,3 +15,5 @@ v0.71.0
 - net: Futures returned by ChatConnection.send() will now return more specific errors on failure
 
 - New SVR2 enclaves for staging and production.
+
+- keytrans: Support multiple auditors

RELEASE_NOTES.md

@@ -8,7 +8,9 @@ use std::time::SystemTime;
 use const_str::hex;
 use libsignal_bridge_macros::*;
 use libsignal_core::Aci;
-use libsignal_keytrans::{StoredAccountData, StoredMonitoringData, StoredTreeHead, TreeHead};
+use libsignal_keytrans::{
+    Signature, StoredAccountData, StoredMonitoringData, StoredTreeHead, TreeHead,
+};
 use libsignal_net::keytrans::SearchResult;
 use libsignal_protocol::IdentityKey;
 use uuid::Uuid;
@@ -28,7 +30,10 @@ fn TESTING_ChatSearchResult() -> SearchResult {
         tree_head: Some(TreeHead {
             tree_size: 42,
             timestamp: 42424242,
-            signature: vec![1, 2, 3],
+            signatures: vec![Signature {
+                auditor_public_key: vec![1, 2, 3],
+                signature: vec![4, 5, 6],
+            }],
         }),
         root: vec![42; 32],
     });

rust/bridge/shared/testing/src/keytrans.rs

@@ -28,7 +28,6 @@ prost-build = { workspace = true }
 assert_matches = { workspace = true }
 const-str = { workspace = true }
 criterion = { workspace = true }
-hex = { workspace = true }
 proptest = { workspace = true }
 test-case = { workspace = true }
 uuid = { workspace = true }

rust/keytrans/Cargo.toml

@@ -8,55 +8,52 @@ use std::time::{Duration, SystemTime};
 use const_str::hex;
 use criterion::{criterion_group, criterion_main, Criterion};
 use libsignal_keytrans::{
-    CondensedTreeSearchResponse, DeploymentMode, FullSearchResponse, FullTreeHead, KeyTransparency,
-    PublicConfig, SearchContext, SlimSearchRequest, VerifyingKey, VrfPublicKey,
+    ChatSearchResponse, DeploymentMode, FullSearchResponse, KeyTransparency, PublicConfig,
+    SearchContext, SlimSearchRequest, VerifyingKey, VrfPublicKey,
 };
 use prost::Message as _;
 
 fn bench_verify_search(c: &mut Criterion) {
     let sig_key = VerifyingKey::from_bytes(&hex!(
-        "12a21ad60d5a3978e19a3b0baa8c35c55a20e10d45f39e5cb34bf6e1b3cce432"
+        "ac0de1fd7f33552bbeb6ebc12b9d4ea10bf5f025c45073d3fb5f5648955a749e"
     ))
     .unwrap();
     let vrf_key = VrfPublicKey::try_from(hex!(
-        "1e71563470c1b8a6e0aadf280b6aa96f8ad064674e69b80292ee46d1ab655fcf"
+        "ec3a268237cf5c47115cf222405d5f90cc633ebe05caf82c0dd5acf9d341dadb"
     ))
     .unwrap();
     let auditor_key = VerifyingKey::from_bytes(&hex!(
         "1123b13ee32479ae6af5739e5d687b51559abf7684120511f68cde7a21a0e755"
     ))
     .unwrap();
-    let aci = uuid::uuid!("84fd7196-b3fa-4d4d-bbf8-8f1cdf2b7cea");
-    let request = SlimSearchRequest {
-        search_key: [b"a", aci.as_bytes().as_slice()].concat(),
-        version: None,
-    };
-    let condensed_response = {
-        let bytes = include_bytes!("../res/kt-search-response-condensed.dat");
-        CondensedTreeSearchResponse::decode(bytes.as_slice()).unwrap()
+    let aci = uuid::uuid!("90c979fd-eab4-4a08-b6da-69dedeab9b29");
+    let request = SlimSearchRequest::new([b"a", aci.as_bytes().as_slice()].concat());
+
+    let ChatSearchResponse {
+        tree_head: response_tree_head,
+        aci: condensed_response,
+        e164: _,
+        username_hash: _,
+    } = {
+        let bytes = include_bytes!("../res/chat_search_response.dat");
+        let mut response =
+            ChatSearchResponse::decode(bytes.as_slice()).expect("can decode chat response");
+
+        if let Some(head) = response.tree_head.as_mut() {
+            // we don't expect these fields to be present in the verification that follows
+            head.distinguished = vec![];
+            head.last = vec![];
+        }
+
+        response
     };
-    let response_tree_head = FullTreeHead::decode(
-        hex!([
-            "0a4c08f23710bbd4dfb897321a40385a",
-            "2eee61b2a0ef463251e8f0301389c3a3",
-            "34a0146bc6f2cb9b35938d9c16ba9922",
-            "3a651e963fab86e64e02484e49b5718d",
-            "d826aafe7c3e38dfe53226220603224e",
-            "0a4c08f23710e1d4e0b897321a40a973",
-            "dd2f6a412287f93b051bd7a5da9dc99b",
-            "61d86db8a25c861934e00ee6895097b5",
-            "5272f5f71de8b610b5da0b49fc263e0c",
-            "5e33cd3de26d3a9f98fd5d2aae06"
-        ])
-        .as_slice(),
-    )
-    .expect("valid test full tree head");
+    let response_tree_head = response_tree_head.as_ref().expect("has tree head");
     let response = FullSearchResponse {
-        condensed: condensed_response,
-        tree_head: &response_tree_head,
+        condensed: condensed_response.expect("has ACI condensed response"),
+        tree_head: response_tree_head,
     };
 
-    let valid_at = SystemTime::UNIX_EPOCH + Duration::from_secs(1724279958);
+    let valid_at = SystemTime::UNIX_EPOCH + Duration::from_secs(1746042060);
     let kt = KeyTransparency {
         config: PublicConfig {
             mode: DeploymentMode::ThirdPartyAuditing(auditor_key),

rust/keytrans/benches/verify.rs

@@ -0,0 +1 @@
+../../net/tests/data/chat_search_response.dat

rust/keytrans/res/chat_search_response.dat

@@ -20,10 +20,11 @@ use std::time::SystemTime;
 
 pub use ed25519_dalek::VerifyingKey;
 pub use proto::{
-    ChatMonitorResponse, CondensedTreeSearchResponse,
-    DistinguishedResponse as ChatDistinguishedResponse, FullTreeHead, MonitorKey, MonitorProof,
-    MonitorRequest, MonitorResponse, SearchResponse as ChatSearchResponse, StoredAccountData,
-    StoredMonitoringData, StoredTreeHead, TreeHead, UpdateRequest, UpdateResponse,
+    AuditorTreeHead as SingleSignatureTreeHead, ChatMonitorResponse, CondensedTreeSearchResponse,
+    DistinguishedResponse as ChatDistinguishedResponse, FullAuditorTreeHead, FullTreeHead,
+    MonitorKey, MonitorProof, MonitorRequest, MonitorResponse,
+    SearchResponse as ChatSearchResponse, Signature, StoredAccountData, StoredMonitoringData,
+    StoredTreeHead, TreeHead, UpdateRequest, UpdateResponse,
 };
 pub use verify::Error;
 use verify::{verify_distinguished, verify_monitor, verify_search};
@@ -342,3 +343,50 @@ impl From<AccountData> for StoredAccountData {
         }
     }
 }
+
+impl TreeHead {
+    /// Takes a tree head with multiple signatures and turns it into a more
+    /// conventional single-signature tree head struct which happens to be the
+    /// AuditorTreeHead a.k.a. SingleSignatureTreeHead.
+    /// The selection of the correct signature is based on the auditor public key
+    /// available from the config.
+    ///
+    /// Not all key transparency deployment modes have an auditor key, and it is
+    /// possible that the source tree head will not contain the matching one. In
+    /// both cases the function will return `None`, deciding whether to treat it an
+    /// error or not is left to the caller.
+    pub fn to_single_signature_tree_head(
+        &self,
+        config: &PublicConfig,
+    ) -> Option<SingleSignatureTreeHead> {
+        let TreeHead {
+            tree_size,
+            timestamp,
+            signatures,
+        } = self;
+        config
+            .mode
+            .get_associated_key()
+            .and_then(|auditor_key| {
+                signatures.iter().find(|sig| {
+                    sig.auditor_public_key.as_slice() == auditor_key.as_bytes().as_slice()
+                })
+            })
+            .map(|signature| SingleSignatureTreeHead {
+                tree_size: *tree_size,
+                timestamp: *timestamp,
+                signature: signature.signature.clone(),
+            })
+    }
+}
+
+impl FullTreeHead {
+    pub fn select_auditor_tree_head(
+        &self,
+        public_key: &VerifyingKey,
+    ) -> Option<&FullAuditorTreeHead> {
+        self.full_auditor_tree_heads
+            .iter()
+            .find(|full_head| full_head.public_key.as_slice() == public_key.as_bytes().as_slice())
+    }
+}

rust/keytrans/res/kt-search-response-condensed.dat

@@ -10,20 +10,35 @@ message PrefixProof {
   uint32 counter = 2;
 }
 
-// TreeHead contains the operator's signature on the most recent version of the
+// AuditorTreeHead contains an auditor's signature on its most recent view of the log.
+message AuditorTreeHead {
+  uint64 tree_size = 1;
+  int64 timestamp = 2;
+  bytes signature = 3;
+}
+
+// TreeHead contains the key transparency service operator's signature on the most recent version of the
 // log.
 message TreeHead {
   uint64 tree_size = 1;
   int64 timestamp = 2;
-  bytes signature = 3;
+  // The key transparency service operator provides one Signature object per auditor.
+  repeated Signature signatures = 3;
+}
+
+// The signature incorporates the auditor public key so the service provides one signature per auditor.
+message Signature {
+  bytes auditor_public_key = 1;
+  bytes signature = 2;
 }
 
-// AuditorTreeHead is provided to end-users when third-party auditing is used,
+// FullAuditorTreeHead is provided to end-users when third-party auditing is used,
 // as evidence that the log is behaving honestly.
-message AuditorTreeHead {
-  TreeHead tree_head = 1;
+message FullAuditorTreeHead {
+  AuditorTreeHead tree_head = 1;
   optional bytes root_value = 2;
   repeated bytes consistency = 3;
+  bytes public_key = 4;
 }
 
 // FullTreeHead wraps a basic TreeHead with additional information that may be
@@ -32,7 +47,7 @@ message FullTreeHead {
   TreeHead tree_head = 1;
   repeated bytes last = 2;
   repeated bytes distinguished = 3;
-  optional AuditorTreeHead auditor_tree_head = 4;
+  repeated FullAuditorTreeHead full_auditor_tree_heads = 4;
 }
 
 // ProofStep is the output of one step of a binary search through the log.
@@ -126,4 +141,4 @@ message MonitorResponse {
   FullTreeHead tree_head = 1;
   repeated MonitorProof proofs = 2;
   repeated bytes inclusion = 4;
-}
+}