Add utilities for generating and using recovery keys

Author: tulir

mautrix/client/api/modules/crypto.py

@@ -12,6 +12,8 @@
 from mautrix.types import (
     JSON,
     ClaimKeysResponse,
+    CrossSigningKeys,
+    CrossSigningUsage,
     DeviceID,
     DeviceKeys,
     EncryptionKeyAlgorithm,
@@ -122,6 +124,43 @@ async def upload_keys(
         except AttributeError as e:
             raise MatrixResponseError("Invalid `one_time_key_counts` field in response.") from e
 
+    async def upload_cross_signing_keys(
+        self,
+        keys: dict[CrossSigningUsage, CrossSigningKeys],
+        auth: dict[str, JSON] | None = None,
+    ) -> None:
+        await self.api.request(
+            Method.POST,
+            Path.v3.keys.device_signing.upload,
+            {f"{usage}_key": key.serialize() for usage, key in keys.items()}
+            | ({"auth": auth} if auth else {}),
+        )
+
+    async def upload_one_signature(
+        self,
+        user_id: UserID,
+        device_id: DeviceID,
+        keys: Union[DeviceKeys, CrossSigningKeys],
+    ) -> None:
+        await self.api.request(
+            Method.POST, Path.v3.keys.signatures.upload, {user_id: {device_id: keys.serialize()}}
+        )
+        # TODO check failures
+
+    async def upload_many_signatures(
+        self,
+        signatures: dict[UserID, dict[DeviceID, Union[DeviceKeys, CrossSigningKeys]]],
+    ) -> None:
+        await self.api.request(
+            Method.POST,
+            Path.v3.keys.signatures.upload,
+            {
+                user_id: {device_id: keys.serialize() for device_id, keys in devices.items()}
+                for user_id, devices in signatures.items()
+            },
+        )
+        # TODO check failures
+
     async def query_keys(
         self,
         device_keys: list[UserID] | set[UserID] | dict[UserID, list[DeviceID]],

mautrix/crypto/cross_signing.py

@@ -0,0 +1,169 @@
+# Copyright (c) 2025 Tulir Asokan
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+from ..types import (
+    JSON,
+    CrossSigner,
+    CrossSigningKeys,
+    CrossSigningUsage,
+    DeviceIdentity,
+    EventType,
+    KeyID,
+    UserID,
+)
+from .cross_signing_key import CrossSigningPrivateKeys, CrossSigningPublicKeys, CrossSigningSeeds
+from .device_lists import DeviceListMachine
+from .signature import sign_olm
+from .ssss import Key as SSSSKey
+
+
+class CrossSigningMachine(DeviceListMachine):
+    _cross_signing_public_keys: CrossSigningPublicKeys | None
+    _cross_signing_public_keys_fetched: bool
+    _cross_signing_private_keys: CrossSigningPrivateKeys | None
+
+    async def verify_with_recovery_key(self, recovery_key: str) -> None:
+        key_id, key_data = await self.ssss.get_default_key_data()
+        ssss_key = key_data.verify_recovery_key(key_id, recovery_key)
+        seeds = await self._fetch_cross_signing_keys_from_ssss(ssss_key)
+        self._import_cross_signing_keys(seeds)
+        await self.sign_own_device(self.own_identity)
+
+    def _import_cross_signing_keys(self, seeds: CrossSigningSeeds) -> None:
+        self._cross_signing_private_keys = seeds.to_keys()
+        self._cross_signing_public_keys = self._cross_signing_private_keys.public_keys
+
+    async def generate_recovery_key(
+        self, passphrase: str | None = None, seeds: CrossSigningSeeds | None = None
+    ) -> str:
+        seeds = seeds or CrossSigningSeeds.generate()
+        ssss_key = await self.ssss.generate_and_upload_key(passphrase)
+        await self._upload_cross_signing_keys_to_ssss(ssss_key, seeds)
+        await self._publish_cross_signing_keys(seeds.to_keys())
+        await self.ssss.set_default_key_id(ssss_key.id)
+        await self.sign_own_device(self.own_identity)
+        return ssss_key.recovery_key
+
+    async def _fetch_cross_signing_keys_from_ssss(self, key: SSSSKey) -> CrossSigningSeeds:
+        return CrossSigningSeeds(
+            master_key=await self.ssss.get_decrypted_account_data(
+                EventType.CROSS_SIGNING_MASTER, key
+            ),
+            user_signing_key=await self.ssss.get_decrypted_account_data(
+                EventType.CROSS_SIGNING_USER_SIGNING, key
+            ),
+            self_signing_key=await self.ssss.get_decrypted_account_data(
+                EventType.CROSS_SIGNING_SELF_SIGNING, key
+            ),
+        )
+
+    async def _upload_cross_signing_keys_to_ssss(
+        self, key: SSSSKey, seeds: CrossSigningSeeds
+    ) -> None:
+        await self.ssss.set_encrypted_account_data(
+            EventType.CROSS_SIGNING_MASTER, seeds.master_key, key
+        )
+        await self.ssss.set_encrypted_account_data(
+            EventType.CROSS_SIGNING_USER_SIGNING, seeds.user_signing_key, key
+        )
+        await self.ssss.set_encrypted_account_data(
+            EventType.CROSS_SIGNING_SELF_SIGNING, seeds.self_signing_key, key
+        )
+
+    async def get_own_cross_signing_public_keys(self) -> CrossSigningPublicKeys | None:
+        if self._cross_signing_public_keys or self._cross_signing_public_keys_fetched:
+            return self._cross_signing_public_keys
+        keys = await self.get_cross_signing_public_keys(self.client.mxid)
+        self._cross_signing_public_keys_fetched = True
+        if keys:
+            self._cross_signing_public_keys = keys
+        return keys
+
+    async def get_cross_signing_public_keys(
+        self, user_id: UserID
+    ) -> CrossSigningPublicKeys | None:
+        db_keys = await self.crypto_store.get_cross_signing_keys(user_id)
+        if CrossSigningUsage.MASTER not in db_keys:
+            await self._fetch_keys([user_id], include_untracked=True)
+            db_keys = await self.crypto_store.get_cross_signing_keys(user_id)
+        if CrossSigningUsage.MASTER not in db_keys:
+            return None
+        return CrossSigningPublicKeys(
+            master_key=db_keys[CrossSigningUsage.MASTER].key,
+            self_signing_key=(
+                db_keys[CrossSigningUsage.SELF].key if CrossSigningUsage.SELF in db_keys else None
+            ),
+            user_signing_key=(
+                db_keys[CrossSigningUsage.USER].key if CrossSigningUsage.USER in db_keys else None
+            ),
+        )
+
+    async def sign_own_device(self, device: DeviceIdentity) -> None:
+        full_keys = await self._get_full_device_keys(device)
+        ssk = self._cross_signing_private_keys.self_signing_key
+        signature = sign_olm(full_keys, ssk)
+        full_keys.signatures = {self.client.mxid: {KeyID.ed25519(ssk.public_key): signature}}
+        await self.client.upload_one_signature(device.user_id, device.device_id, full_keys)
+        await self.crypto_store.put_signature(
+            CrossSigner(device.user_id, device.signing_key),
+            CrossSigner(self.client.mxid, ssk.public_key),
+            signature,
+        )
+
+    async def _publish_cross_signing_keys(
+        self,
+        keys: CrossSigningPrivateKeys,
+        auth: dict[str, JSON] | None = None,
+    ) -> None:
+        public = keys.public_keys
+        master_key = CrossSigningKeys(
+            user_id=self.client.mxid,
+            usage=[CrossSigningUsage.MASTER],
+            keys={KeyID.ed25519(public.master_key): public.master_key},
+        )
+        master_key.signatures = {
+            self.client.mxid: {
+                KeyID.ed25519(self.client.device_id): sign_olm(master_key, self.account),
+            }
+        }
+        self_key = CrossSigningKeys(
+            user_id=self.client.mxid,
+            usage=[CrossSigningUsage.SELF],
+            keys={KeyID.ed25519(public.self_signing_key): public.self_signing_key},
+        )
+        self_key.signatures = {
+            self.client.mxid: {
+                KeyID.ed25519(public.master_key): sign_olm(self_key, keys.master_key),
+            }
+        }
+        user_key = CrossSigningKeys(
+            user_id=self.client.mxid,
+            usage=[CrossSigningUsage.USER],
+            keys={KeyID.ed25519(public.user_signing_key): public.user_signing_key},
+        )
+        user_key.signatures = {
+            self.client.mxid: {
+                KeyID.ed25519(public.master_key): sign_olm(user_key, keys.master_key),
+            }
+        }
+        await self.client.upload_cross_signing_keys(
+            keys={
+                CrossSigningUsage.MASTER: master_key,
+                CrossSigningUsage.SELF: self_key,
+                CrossSigningUsage.USER: user_key,
+            },
+            auth=auth,
+        )
+        await self.crypto_store.put_cross_signing_key(
+            self.client.mxid, CrossSigningUsage.MASTER, public.master_key
+        )
+        await self.crypto_store.put_cross_signing_key(
+            self.client.mxid, CrossSigningUsage.SELF, public.self_signing_key
+        )
+        await self.crypto_store.put_cross_signing_key(
+            self.client.mxid, CrossSigningUsage.USER, public.user_signing_key
+        )
+        self._cross_signing_private_keys = keys
+        self._cross_signing_public_keys = public

mautrix/crypto/cross_signing_key.py

@@ -0,0 +1,52 @@
+# Copyright (c) 2025 Tulir Asokan
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+from typing import NamedTuple
+
+import olm
+
+from mautrix.crypto.ssss.util import cryptorand
+from mautrix.types import SigningKey
+
+
+class CrossSigningPublicKeys(NamedTuple):
+    master_key: SigningKey
+    self_signing_key: SigningKey
+    user_signing_key: SigningKey
+
+
+class CrossSigningPrivateKeys(NamedTuple):
+    master_key: olm.PkSigning
+    self_signing_key: olm.PkSigning
+    user_signing_key: olm.PkSigning
+
+    @property
+    def public_keys(self) -> CrossSigningPublicKeys:
+        return CrossSigningPublicKeys(
+            master_key=self.master_key.public_key,
+            self_signing_key=self.self_signing_key.public_key,
+            user_signing_key=self.user_signing_key.public_key,
+        )
+
+
+class CrossSigningSeeds(NamedTuple):
+    master_key: bytes
+    self_signing_key: bytes
+    user_signing_key: bytes
+
+    def to_keys(self) -> CrossSigningPrivateKeys:
+        return CrossSigningPrivateKeys(
+            master_key=olm.PkSigning(self.master_key),
+            self_signing_key=olm.PkSigning(self.self_signing_key),
+            user_signing_key=olm.PkSigning(self.user_signing_key),
+        )
+
+    @classmethod
+    def generate(cls) -> "CrossSigningSeeds":
+        return cls(
+            master_key=cryptorand.read(32),
+            self_signing_key=cryptorand.read(32),
+            user_signing_key=cryptorand.read(32),
+        )

mautrix/crypto/device_lists.py

@@ -28,6 +28,18 @@
 
 
 class DeviceListMachine(BaseOlmMachine):
+    @property
+    def own_identity(self) -> DeviceIdentity:
+        return DeviceIdentity(
+            user_id=self.client.mxid,
+            device_id=self.client.device_id,
+            identity_key=self.account.identity_key,
+            signing_key=self.account.signing_key,
+            trust=TrustState.VERIFIED,
+            deleted=False,
+            name="",
+        )
+
     async def _fetch_keys(
         self, users: list[UserID], since: SyncToken = "", include_untracked: bool = False
     ) -> dict[UserID, dict[DeviceID, DeviceIdentity]]:
@@ -220,6 +232,12 @@ async def _store_cross_signing_keys(self, resp: QueryKeysResponse, user_id: User
                     else:
                         self.log.warning(f"Invalid signature from {signing_key_log} for {key_id}")
 
+    async def _get_full_device_keys(self, device: DeviceIdentity) -> DeviceKeys:
+        resp = await self.client.query_keys({device.user_id: [device.device_id]})
+        keys = resp.device_keys[device.user_id][device.device_id]
+        await self._validate_device(device.user_id, device.device_id, keys, device)
+        return keys
+
     async def get_or_fetch_device(
         self, user_id: UserID, device_id: DeviceID
     ) -> DeviceIdentity | None:

mautrix/crypto/machine.py

@@ -32,6 +32,7 @@
 from mautrix.util.logging import TraceLogger
 
 from .account import OlmAccount
+from .cross_signing import CrossSigningMachine
 from .decrypt_megolm import MegolmDecryptionMachine
 from .encrypt_megolm import MegolmEncryptionMachine
 from .key_request import KeyRequestingMachine
@@ -47,6 +48,7 @@ class OlmMachine(
     OlmUnwedgingMachine,
     KeySharingMachine,
     KeyRequestingMachine,
+    CrossSigningMachine,
 ):
     """
     OlmMachine is the main class for handling things related to Matrix end-to-end encryption with
@@ -99,6 +101,10 @@ def __init__(
         self._prev_unwedge = {}
         self._cs_fetch_attempted = set()
 
+        self._cross_signing_public_keys = None
+        self._cross_signing_public_keys_fetched = False
+        self._cross_signing_private_keys = None
+
         self.client.add_event_handler(
             cli.InternalEventType.DEVICE_OTK_COUNT, self.handle_otk_count, wait_sync=True
         )

mautrix/types/crypto.py

@@ -47,9 +47,9 @@ def curve25519(self) -> Optional[IdentityKey]:
 
 
 class CrossSigningUsage(ExtensibleEnum):
-    MASTER = "master"
-    SELF = "self_signing"
-    USER = "user_signing"
+    MASTER: "CrossSigningUsage" = "master"
+    SELF: "CrossSigningUsage" = "self_signing"
+    USER: "CrossSigningUsage" = "user_signing"
 
 
 @dataclass