Replace keysProved and keysClaimed

These terms were somewhat confusing (and, in the case of megolm, misleading),
so replace them with explicit senderCurve25519Key and claimedEd25519Key fields.

src/crypto/OlmDevice.js

@@ -750,7 +750,7 @@ OlmDevice.prototype.importInboundGroupSession = function(data) {
  *
  * @return {null} the sessionId is unknown
  *
- * @return {{result: string, keysProved: Object<string, string>, keysClaimed:
+ * @return {{result: string, senderKey: string, keysClaimed:
  *    Object<string, string>}} result
  */
 OlmDevice.prototype.decryptGroupMessage = function(
@@ -777,17 +777,13 @@ OlmDevice.prototype.decryptGroupMessage = function(
             self._inboundGroupSessionMessageIndexes[messageIndexKey] = true;
         }
 
-        // the sender must have had the senderKey to persuade us to save the
-        // session.
-        const keysProved = {curve25519: senderKey};
-
         self._saveInboundGroupSession(
             roomId, senderKey, sessionId, session, keysClaimed,
         );
         return {
             result: plaintext,
             keysClaimed: keysClaimed,
-            keysProved: keysProved,
+            senderKey: senderKey,
         };
     }
 

src/crypto/algorithms/megolm.js

@@ -592,7 +592,7 @@ MegolmDecryption.prototype._decryptEvent = function(event, requestKeysOnFail) {
         );
     }
 
-    event.setClearData(payload, res.keysProved, res.keysClaimed);
+    event.setClearData(payload, res.senderKey, res.keysClaimed.ed25519);
 };
 
 MegolmDecryption.prototype._requestKeysForEvent = function(event) {

src/crypto/algorithms/olm.js

@@ -222,7 +222,8 @@ OlmDecryption.prototype.decryptEvent = function(event) {
         );
     }
 
-    event.setClearData(payload, {curve25519: deviceKey}, payload.keys || {});
+    const claimedKeys = payload.keys || {};
+    event.setClearData(payload, deviceKey, claimedKeys.ed25519 || null);
 };
 
 

src/crypto/index.js

@@ -558,7 +558,7 @@ Crypto.prototype.getEventSenderDeviceInfo = function(event) {
     //
     // (see https://github.com/vector-im/vector-web/issues/2215)
 
-    const claimedKey = event.getKeysClaimed().ed25519;
+    const claimedKey = event.getClaimedEd25519Key();
     if (!claimedKey) {
         console.warn("Event " + event.getId() + " claims no ed25519 key: " +
                      "cannot verify sending device");
@@ -765,18 +765,15 @@ Crypto.prototype.encryptEventIfNeeded = function(event, room) {
         return null;
     }
 
-    // We can claim and prove ownership of all our device keys in the local
-    // echo of the event since we know that all the local echos come from
-    // this device.
-    const myKeys = {
-        curve25519: this._olmDevice.deviceCurve25519Key,
-        ed25519: this._olmDevice.deviceEd25519Key,
-    };
-
     return alg.encryptMessage(
         room, event.getType(), event.getContent(),
-    ).then(function(encryptedContent) {
+    ).then((encryptedContent) => {
-        event.makeEncrypted("m.room.encrypted", encryptedContent, myKeys);
+        event.makeEncrypted(
+            "m.room.encrypted",
+            encryptedContent,
+            this._olmDevice.deviceCurve25519Key,
+            this._olmDevice.deviceEd25519Key,
+        );
     });
 };
 

src/models/event.js

@@ -112,8 +112,16 @@ module.exports.MatrixEvent = function MatrixEvent(
         new Date(this.event.origin_server_ts) : null;
 
     this._clearEvent = {};
-    this._keysProved = {};
+
-    this._keysClaimed = {};
+    /* curve25519 key which we believe belongs to the sender of the event. See
+     * getSenderKey()
+     */
+    this._senderCurve25519Key = null;
+
+    /* ed25519 key which the sender of this event (for olm) or the creator of
+     * the megolm session (for megolm) claims to own. See getClaimedEd25519Key()
+     */
+    this._claimedEd25519Key = null;
 };
 utils.inherits(module.exports.MatrixEvent, EventEmitter);
 
@@ -261,9 +269,18 @@ utils.extend(module.exports.MatrixEvent.prototype, {
      * <tt>"m.room.encrypted"</tt>
      *
      * @param {object} crypto_content raw 'content' for the encrypted event.
-     * @param {object} keys The local keys claimed and proved by this event.
+     *
+     * @param {string} senderCurve25519Key curve25519 key to record for the
+     *   sender of this event.
+     *   See {@link module:models/event.MatrixEvent#getSenderKey}.
+     *
+     * @param {string} claimedEd25519Key claimed ed25519 key to record for the
+     *   sender if this event.
+     *   See {@link module:models/event.MatrixEvent#getClaimedEd25519Key}
      */
-    makeEncrypted: function(crypto_type, crypto_content, keys) {
+    makeEncrypted: function(
+        crypto_type, crypto_content, senderCurve25519Key, claimedEd25519Key,
+    ) {
         // keep the plain-text data for 'view source'
         this._clearEvent = {
             type: this.event.type,
@@ -271,8 +288,8 @@ utils.extend(module.exports.MatrixEvent.prototype, {
         };
         this.event.type = crypto_type;
         this.event.content = crypto_content;
-        this._keysProved = keys;
+        this._senderCurve25519Key = senderCurve25519Key;
-        this._keysClaimed = keys;
+        this._claimedEd25519Key = claimedEd25519Key;
     },
 
     /**
@@ -287,16 +304,16 @@ utils.extend(module.exports.MatrixEvent.prototype, {
      * @param {Object} clearEvent The plaintext payload for the event
      *     (typically containing <tt>type</tt> and <tt>content</tt> fields).
      *
-     * @param {Object=} keysProved Keys owned by the sender of this event.
+     * @param {string=} senderCurve25519Key Key owned by the sender of this event.
-     *    See {@link module:models/event.MatrixEvent#getKeysProved}.
+     *    See {@link module:models/event.MatrixEvent#getSenderKey}.
      *
-     * @param {Object=} keysClaimed Keys the sender of this event claims.
+     * @param {string=} claimedEd25519Key ed25519 key claimed by the sender of
-     *    See {@link module:models/event.MatrixEvent#getKeysClaimed}.
+     *    this event. See {@link module:models/event.MatrixEvent#getClaimedEd25519Key}.
      */
-    setClearData: function(clearEvent, keysProved, keysClaimed) {
+    setClearData: function(clearEvent, senderCurve25519Key, claimedEd25519Key) {
         this._clearEvent = clearEvent;
-        this._keysProved = keysProved || {};
+        this._senderCurve25519Key = senderCurve25519Key || null;
-        this._keysClaimed = keysClaimed || {};
+        this._claimedEd25519Key = claimedEd25519Key || null;
         this.emit("Event.decrypted", this);
     },
 
@@ -309,37 +326,54 @@ utils.extend(module.exports.MatrixEvent.prototype, {
     },
 
     /**
-     * The curve25519 key that sent this event
+     * The curve25519 key for the device that we think sent this event
+     *
+     * For an Olm-encrypted event, this is inferred directly from the DH
+     * exchange at the start of the session: the curve25519 key is involved in
+     * the DH exchange, so only a device which holds the private part of that
+     * key can establish such a session.
+     *
+     * For a megolm-encrypted event, it is inferred from the Olm message which
+     * established the megolm session
+     *
      * @return {string}
      */
     getSenderKey: function() {
-        return this.getKeysProved().curve25519 || null;
+        return this._senderCurve25519Key;
-    },
-
-    /**
-     * The keys that must have been owned by the sender of this encrypted event.
-     * <p>
-     * These don't necessarily have to come from this event itself, but may be
-     * implied by the cryptographic session.
-     *
-     * @return {Object<string, string>}
-     */
-    getKeysProved: function() {
-        return this._keysProved;
     },
 
     /**
      * The additional keys the sender of this encrypted event claims to possess.
-     * <p>
+     *
-     * These don't necessarily have to come from this event itself, but may be
+     * Just a wrapper for #getClaimedEd25519Key (q.v.)
-     * implied by the cryptographic session.
-     * For example megolm messages don't claim keys directly, but instead
-     * inherit a claim from the olm message that established the session.
      *
      * @return {Object<string, string>}
      */
     getKeysClaimed: function() {
-        return this._keysClaimed;
+        return {
+            ed25519: this._claimedEd25519Key,
+        };
+    },
+
+    /**
+     * Get the ed25519 the sender of this event claims to own.
+     *
+     * For Olm messages, this claim is encoded directly in the plaintext of the
+     * event itself. For megolm messages, it is implied by the m.room_key event
+     * which established the megolm session.
+     *
+     * Until we download the device list of the sender, it's just a claim: the
+     * device list gives a proof that the owner of the curve25519 key used for
+     * this event (and returned by #getSenderKey) also owns the ed25519 key by
+     * signing the public curve25519 key with the ed25519 key.
+     *
+     * In general, applications should not use this method directly, but should
+     * instead use MatrixClient.getEventSenderDeviceInfo.
+     *
+     * @return {string}
+     */
+    getClaimedEd25519Key: function() {
+        return this._claimedEd25519Key;
     },
 
     getUnsigned: function() {