Save the key backup key to 4S during bootstrapCrossSigning (#4542)

* Save the key backup key to secret storage When setting up secret storage, if we have a key backup key in cache (like we do for the cross signing secrets). * Add test * Get the key directly from the olmMachine saves converting it needlessly into a buffer to turn it back into a base64 string * Overwrite backup keyin storage if different * Fix test * Add integ test * Test failure case for sonar * Unused import * Missed return * Also check active backup version
2025-08-07 23:02:56 +03:00 · 2024-12-12 15:03:19 +00:00
parent d1de32ea27
commit a0502c5ee5
3 changed files with 182 additions and 1 deletions
--- a/src/rust-crypto/rust-crypto.ts
+++ b/src/rust-crypto/rust-crypto.ts
@@ -843,11 +843,53 @@ export class RustCrypto extends TypedEventEmitter<RustCryptoEvents, CryptoEventH
            await this.secretStorage.store("m.cross_signing.self_signing", crossSigningPrivateKeys.self_signing_key);
        }

-        if (setupNewKeyBackup) {
+        // likewise with the key backup key: if we have one, store it in secret storage (if it's not already there)
+        // also don't bother storing it if we're about to set up a new backup
+        if (!setupNewKeyBackup) {
+            await this.saveBackupKeyToStorage();
+        } else {
            await this.resetKeyBackup();
        }
    }

+    /**
+     * If we have a backup key for the current, trusted backup in cache,
+     * and we have secret storage active, save it to secret storage.
+     */
+    private async saveBackupKeyToStorage(): Promise<void> {
+        const keyBackupInfo = await this.backupManager.getServerBackupInfo();
+        if (!keyBackupInfo || !keyBackupInfo.version) {
+            logger.info("Not saving backup key to secret storage: no backup info");
+            return;
+        }
+
+        const activeBackupVersion = await this.backupManager.getActiveBackupVersion();
+        if (!activeBackupVersion || activeBackupVersion !== keyBackupInfo.version) {
+            logger.info("Not saving backup key to secret storage: backup keys do not match active backup version");
+            return;
+        }
+
+        const backupKeys: RustSdkCryptoJs.BackupKeys = await this.olmMachine.getBackupKeys();
+        if (!backupKeys.decryptionKey) {
+            logger.info("Not saving backup key to secret storage: no backup key");
+            return;
+        }
+
+        if (!decryptionKeyMatchesKeyBackupInfo(backupKeys.decryptionKey, keyBackupInfo)) {
+            logger.info("Not saving backup key to secret storage: decryption key does not match backup info");
+            return;
+        }
+
+        const backupKeyFromStorage = await this.secretStorage.get("m.megolm_backup.v1");
+        const backupKeyBase64 = backupKeys.decryptionKey.toBase64();
+
+        // The backup version that the key corresponds to isn't saved in 4S so if it's different, we must assume
+        // it's stale and overwrite.
+        if (backupKeyFromStorage !== backupKeyBase64) {
+            await this.secretStorage.store("m.megolm_backup.v1", backupKeyBase64);
+        }
+    }
+
    /**
     * Add the secretStorage key to the secret storage
     * - The secret storage key must have the `keyInfo` field filled