From 26c8540d035017b55fcb31b1b90054f6a2077dab Mon Sep 17 00:00:00 2001 From: Richard van der Hoff Date: Tue, 23 May 2017 09:24:18 +0100 Subject: [PATCH] Add in a "verify" slash command to confirm signing keys (#912) Allows users to send a text string via an alternative channel (like email or SMS) which Riot can leverage to confirm that the signing keys match. Effectively removes the tedium of checking keys until a better mechanism is completed. Signed-off-by: Kit Sczudlo --- src/SlashCommands.js | 55 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/src/SlashCommands.js b/src/SlashCommands.js index 1ddcf4832d..ddba344e18 100644 --- a/src/SlashCommands.js +++ b/src/SlashCommands.js @@ -282,7 +282,60 @@ var commands = { } } return reject(this.getUsage()); - }) + }), + + // Verify a user, device, and pubkey tuple + verify: new Command("verify", " ", function(room_id, args) { + if (args) { + var matches = args.match(/^(\S+) +(\S+) +(\S+)$/); + if (matches) { + const userId = matches[1]; + const deviceId = matches[2]; + const fingerprint = matches[3]; + + const device = MatrixClientPeg.get().getStoredDevice(userId, deviceId); + if (!device) { + return reject(`Unknown (user, device) pair: (${userId}, ${deviceId})`); + } + + if (device.isVerified()) { + if (device.getFingerprint() === fingerprint) { + return reject(`Device already verified!`); + } else { + return reject(`WARNING: Device already verified, but keys do NOT MATCH!`); + } + } + + if (device.getFingerprint() === fingerprint) { + MatrixClientPeg.get().setDeviceVerified( + userId, deviceId, true + ); + + // Tell the user we verified everything! + const QuestionDialog = sdk.getComponent("dialogs.QuestionDialog"); + Modal.createDialog(QuestionDialog, { + title: "Verified key", + description: ( +
+

+ The signing key you provided matches the signing key you received + from { userId }'s device { deviceId }. Device marked as verified. +

+
+ ), + hasCancelButton: false, + }); + + return success(); + } else { + return reject(`WARNING: KEY VERIFICATION FAILED! The signing key for ${userId} and device + ${deviceId} is "${device.getFingerprint()}" which does not match the provided key + "${fingerprint}". This could mean your communications are being intercepted!`); + } + } + } + return reject(this.getUsage()); + }), }; // helpful aliases