From 58ba7dcc46f4f225e2a574ee8b6e502e24e759ae Mon Sep 17 00:00:00 2001
From: Neil Alexander <neilalexander@users.noreply.github.com>
Date: Thu, 5 Aug 2021 14:24:34 +0100
Subject: [PATCH] Try to verify when a key signs a device

---
 keyserver/internal/cross_signing.go | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/keyserver/internal/cross_signing.go b/keyserver/internal/cross_signing.go
index 90dc7d91e..1617369f0 100644
--- a/keyserver/internal/cross_signing.go
+++ b/keyserver/internal/cross_signing.go
@@ -305,7 +305,7 @@ func (a *KeyInternalAPI) processSelfSignatures(
 				for originUserID, forOriginUserID := range sig.Signatures {
 					originDeviceKeys, ok := queryRes.DeviceKeys[originUserID]
 					if !ok {
-						continue
+						return fmt.Errorf("missing device keys for user %q", originUserID)
 					}
 
 					for originKeyID, originSig := range forOriginUserID {
@@ -336,9 +336,33 @@ func (a *KeyInternalAPI) processSelfSignatures(
 
 			case *gomatrixserverlib.DeviceKeys:
 				// The user is signing one of their devices with their self-signing key
+				// The QueryKeys response should contain the master key hopefully.
+				// First we need to marshal the blob back into JSON so we can verify
+				// it.
+				j, err := json.Marshal(sig)
+				if err != nil {
+					return fmt.Errorf("json.Marshal: %w", err)
+				}
 
 				for originUserID, forOriginUserID := range sig.Signatures {
 					for originKeyID, originSig := range forOriginUserID {
+						originMasterKeys, ok := queryRes.MasterKeys[originUserID]
+						if !ok {
+							return fmt.Errorf("missing master key for user %q", originUserID)
+						}
+
+						var originMasterKeyID gomatrixserverlib.KeyID
+						var originMasterKey gomatrixserverlib.Base64Bytes
+						for keyID, key := range originMasterKeys.Keys {
+							originMasterKeyID, originMasterKey = keyID, key
+							break
+						}
+
+						originMasterKeyPublic := ed25519.PublicKey(originMasterKey)
+
+						if err := gomatrixserverlib.VerifyJSON(originUserID, originMasterKeyID, originMasterKeyPublic, j); err != nil {
+							return fmt.Errorf("gomatrixserverlib.VerifyJSON: %w", err)
+						}
 
 						if err := a.DB.StoreCrossSigningSigsForTarget(
 							ctx, originUserID, originKeyID, targetUserID, targetKeyID, originSig,