v2.4.4

Fix SAS verification in encrypted DMs

.babelrc

@@ -1,5 +1,5 @@
 {
-    "presets": ["es2015"],
+    "presets": ["es2015", "es2016"],
     "plugins": [
         "transform-class-properties",
 

.gitignore

@@ -10,7 +10,6 @@ build/Release
 coverage
 lib-cov
 out
-reports
 /dist
 /lib
 /specbuild

CHANGELOG.md

@@ -1,3 +1,153 @@
+Changes in [2.4.4](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.4) (2019-11-25)
+================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.4-rc.1...v2.4.4)
+
+ * No changes since rc.1
+
+Changes in [2.4.4-rc.1](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.4-rc.1) (2019-11-20)
+==========================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.3...v2.4.4-rc.1)
+
+ * Fix SAS verification in encrypted DMs
+   [\#1077](https://github.com/matrix-org/matrix-js-sdk/pull/1077)
+ * Cross-signing / secret storage tweaks
+   [\#1078](https://github.com/matrix-org/matrix-js-sdk/pull/1078)
+ * Fix local trust for key backups
+   [\#1075](https://github.com/matrix-org/matrix-js-sdk/pull/1075)
+ * Add method to get last active timestamp in room
+   [\#1072](https://github.com/matrix-org/matrix-js-sdk/pull/1072)
+ * Check the right Synapse endpoint for determining admin capabilities
+   [\#1071](https://github.com/matrix-org/matrix-js-sdk/pull/1071)
+ * Cross Signing Support
+   [\#832](https://github.com/matrix-org/matrix-js-sdk/pull/832)
+ * Don't double cancel verification request
+   [\#1064](https://github.com/matrix-org/matrix-js-sdk/pull/1064)
+ * Support for verification requests in the timeline
+   [\#1067](https://github.com/matrix-org/matrix-js-sdk/pull/1067)
+ * Use stable API prefix for 3PID APIs when supported
+   [\#1066](https://github.com/matrix-org/matrix-js-sdk/pull/1066)
+ * Remove Jenkins scripts
+   [\#1063](https://github.com/matrix-org/matrix-js-sdk/pull/1063)
+
+Changes in [2.4.3](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.3) (2019-11-04)
+================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.3-rc.1...v2.4.3)
+
+ * No changes since rc.1
+
+Changes in [2.4.3-rc.1](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.3-rc.1) (2019-10-30)
+==========================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.2...v2.4.3-rc.1)
+
+ * fix the path in references to logger.js
+   [\#1056](https://github.com/matrix-org/matrix-js-sdk/pull/1056)
+ * verification in DMs
+   [\#1050](https://github.com/matrix-org/matrix-js-sdk/pull/1050)
+ * Properly documented the function possible returns
+   [\#1054](https://github.com/matrix-org/matrix-js-sdk/pull/1054)
+ * Downgrade to Bluebird 3.5.5 to fix Firefox
+   [\#1055](https://github.com/matrix-org/matrix-js-sdk/pull/1055)
+ * Upgrade safe deps to latest major version
+   [\#1053](https://github.com/matrix-org/matrix-js-sdk/pull/1053)
+ * Don't include .js in the import string.
+   [\#1052](https://github.com/matrix-org/matrix-js-sdk/pull/1052)
+
+Changes in [2.4.2](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.2) (2019-10-18)
+================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.2-rc.1...v2.4.2)
+
+ * No changes since v2.4.2-rc.1
+
+Changes in [2.4.2-rc.1](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.2-rc.1) (2019-10-09)
+==========================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.1...v2.4.2-rc.1)
+
+ * Log state of Olm sessions
+   [\#1047](https://github.com/matrix-org/matrix-js-sdk/pull/1047)
+ * Add method to get access to all timelines
+   [\#1048](https://github.com/matrix-org/matrix-js-sdk/pull/1048)
+
+Changes in [2.4.1](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.1) (2019-10-01)
+================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.0...v2.4.1)
+
+ * Upgrade deps
+   [\#1046](https://github.com/matrix-org/matrix-js-sdk/pull/1046)
+ * Ignore crypto events with no content
+   [\#1043](https://github.com/matrix-org/matrix-js-sdk/pull/1043)
+
+Changes in [2.4.0](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.0) (2019-09-27)
+================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.4.0-rc.1...v2.4.0)
+
+ * Clean Yarn cache during release
+   [\#1045](https://github.com/matrix-org/matrix-js-sdk/pull/1045)
+
+Changes in [2.4.0-rc.1](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.4.0-rc.1) (2019-09-25)
+==========================================================================================================
+[Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.3.2...v2.4.0-rc.1)
+
+ * Remove id_server from creds for interactive auth
+   [\#1044](https://github.com/matrix-org/matrix-js-sdk/pull/1044)
+ * Remove IS details from requestToken to HS
+   [\#1041](https://github.com/matrix-org/matrix-js-sdk/pull/1041)
+ * Add support for sending MSISDN tokens to alternate URLs
+   [\#1040](https://github.com/matrix-org/matrix-js-sdk/pull/1040)
+ * Add separate 3PID add and bind APIs
+   [\#1038](https://github.com/matrix-org/matrix-js-sdk/pull/1038)
+ * Bump eslint-utils from 1.4.0 to 1.4.2
+   [\#1037](https://github.com/matrix-org/matrix-js-sdk/pull/1037)
+ * Handle WebRTC security errors as non-fatal
+   [\#1036](https://github.com/matrix-org/matrix-js-sdk/pull/1036)
+ * Check for r0.6.0 support in addition to unstable feature flags
+   [\#1035](https://github.com/matrix-org/matrix-js-sdk/pull/1035)
+ * Update room members on member event redaction
+   [\#1030](https://github.com/matrix-org/matrix-js-sdk/pull/1030)
+ * Support hidden read receipts
+   [\#1028](https://github.com/matrix-org/matrix-js-sdk/pull/1028)
+ * Do 3pid lookups in lowercase
+   [\#1029](https://github.com/matrix-org/matrix-js-sdk/pull/1029)
+ * Add Synapse admin functions for deactivating a user
+   [\#1027](https://github.com/matrix-org/matrix-js-sdk/pull/1027)
+ * Fix addPendingEvent with pending event order == chronological
+   [\#1026](https://github.com/matrix-org/matrix-js-sdk/pull/1026)
+ * Add AutoDiscovery.getRawClientConfig() for easy .well-known lookups
+   [\#1024](https://github.com/matrix-org/matrix-js-sdk/pull/1024)
+ * Don't convert errors to JSON if they are JSON already
+   [\#1025](https://github.com/matrix-org/matrix-js-sdk/pull/1025)
+ * Send id_access_token to HS for use in proxied IS requests
+   [\#1022](https://github.com/matrix-org/matrix-js-sdk/pull/1022)
+ * Clean up JSON handling in identity server requests
+   [\#1023](https://github.com/matrix-org/matrix-js-sdk/pull/1023)
+ * Use the v2 (hashed) lookup for identity server queries
+   [\#1021](https://github.com/matrix-org/matrix-js-sdk/pull/1021)
+ * Add getIdServer() & doesServerRequireIdServerParam()
+   [\#1018](https://github.com/matrix-org/matrix-js-sdk/pull/1018)
+ * Make requestToken endpoints work without ID Server
+   [\#1019](https://github.com/matrix-org/matrix-js-sdk/pull/1019)
+ * Fix setIdentityServer
+   [\#1016](https://github.com/matrix-org/matrix-js-sdk/pull/1016)
+ * Change ICE fallback server and make fallback opt-in
+   [\#1015](https://github.com/matrix-org/matrix-js-sdk/pull/1015)
+ * Throw an exception if trying to do an ID server request with no ID server
+   [\#1014](https://github.com/matrix-org/matrix-js-sdk/pull/1014)
+ * Add setIdentityServerUrl
+   [\#1013](https://github.com/matrix-org/matrix-js-sdk/pull/1013)
+ * Add matrix base API to report an event
+   [\#1011](https://github.com/matrix-org/matrix-js-sdk/pull/1011)
+ * Fix POST body for v2 IS requests
+   [\#1010](https://github.com/matrix-org/matrix-js-sdk/pull/1010)
+ * Add API for bulk lookup on the Identity Server
+   [\#1009](https://github.com/matrix-org/matrix-js-sdk/pull/1009)
+ * Remove deprecated authedRequestWithPrefix and requestWithPrefix
+   [\#1000](https://github.com/matrix-org/matrix-js-sdk/pull/1000)
+ * Add API for checking IS account info
+   [\#1007](https://github.com/matrix-org/matrix-js-sdk/pull/1007)
+ * Support rewriting push rules when our internal defaults change
+   [\#1006](https://github.com/matrix-org/matrix-js-sdk/pull/1006)
+ * Upgrade dependencies
+   [\#1005](https://github.com/matrix-org/matrix-js-sdk/pull/1005)
+
 Changes in [2.3.2](https://github.com/matrix-org/matrix-js-sdk/releases/tag/v2.3.2) (2019-09-16)
 ================================================================================================
 [Full Changelog](https://github.com/matrix-org/matrix-js-sdk/compare/v2.3.2-rc.1...v2.3.2)

README.md

@@ -322,13 +322,13 @@ To provide the Olm library in a browser application:
  
 To provide the Olm library in a node.js application:
 
- * ``yarn add https://packages.matrix.org/npm/olm/olm-3.0.0.tgz``
+ * ``yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz``
    (replace the URL with the latest version you want to use from
     https://packages.matrix.org/npm/olm/)
  * ``global.Olm = require('olm');`` *before* loading ``matrix-js-sdk``.
 
 If you want to package Olm as dependency for your node.js application, you can
-use ``yarn add https://packages.matrix.org/npm/olm/olm-3.0.0.tgz``. If your
+use ``yarn add https://packages.matrix.org/npm/olm/olm-3.1.4.tgz``. If your
 application also works without e2e crypto enabled, add ``--optional`` to mark it
 as an optional dependency.
 

jenkins.sh

@@ -1,36 +0,0 @@
-#!/bin/bash -l
-
-set -x
-
-export NVM_DIR="$HOME/.nvm"
-[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
-
-nvm use 10 || exit $?
-yarn install || exit $?
-
-RC=0
-
-function fail {
-    echo $@ >&2
-    RC=1
-}
-
-# don't use last time's test reports
-rm -rf reports coverage || exit $?
-
-yarn test || fail "yarn test finished with return code $?"
-
-yarn -s lint -f checkstyle > eslint.xml ||
-    fail "eslint finished with return code $?"
-
-# delete the old tarball, if it exists
-rm -f matrix-js-sdk-*.tgz
-
-# `yarn pack` doesn't seem to run scripts, however that seems okay here as we
-# just built as part of `install` above.
-yarn pack ||
-    fail "yarn pack finished with return code $?"
-
-yarn gendoc || fail "JSDoc failed with code $?"
-
-exit $RC

package.json

@@ -1,11 +1,11 @@
 {
   "name": "matrix-js-sdk",
-  "version": "2.3.2",
+  "version": "2.4.4",
   "description": "Matrix Client-Server SDK for Javascript",
   "main": "index.js",
   "scripts": {
     "test:build": "babel -s -d specbuild spec",
-    "test:run": "istanbul cover --report text --report cobertura --config .istanbul.yml -i \"lib/**/*.js\" node_modules/mocha/bin/_mocha -- --recursive specbuild --colors --reporter mocha-jenkins-reporter --reporter-options junit_report_path=reports/test-results.xml",
+    "test:run": "istanbul cover --report text --report cobertura --config .istanbul.yml -i \"lib/**/*.js\" node_modules/mocha/bin/_mocha -- --recursive specbuild --colors",
     "test:watch": "mocha --watch --compilers js:babel-core/register --recursive spec --colors",
     "test": "yarn test:build && yarn test:run",
     "check": "yarn test:build && _mocha --recursive specbuild --colors",
@@ -17,7 +17,7 @@
     "build": "babel -s -d lib src && rimraf dist && mkdir dist && browserify -d browser-index.js | exorcist dist/browser-matrix.js.map > dist/browser-matrix.js && terser -c -m -o dist/browser-matrix.min.js --source-map \"content='dist/browser-matrix.js.map'\" dist/browser-matrix.js",
     "dist": "yarn build",
     "watch": "watchify -d browser-index.js -o 'exorcist dist/browser-matrix.js.map > dist/browser-matrix.js' -v",
-    "lint": "eslint --max-warnings 101 src spec",
+    "lint": "eslint --max-warnings 93 src spec",
     "prepare": "yarn clean && yarn build && git rev-parse HEAD > git-revision.txt"
   },
   "repository": {
@@ -44,7 +44,6 @@
     "git-revision.txt",
     "index.js",
     "browser-index.js",
-    "jenkins.sh",
     "lib",
     "package.json",
     "release.sh",
@@ -54,11 +53,11 @@
   "dependencies": {
     "another-json": "^0.2.0",
     "babel-runtime": "^6.26.0",
-    "bluebird": "^3.5.0",
+    "bluebird": "3.5.5",
     "browser-request": "^0.3.3",
     "bs58": "^4.0.1",
     "content-type": "^1.0.2",
-    "loglevel": "1.6.1",
+    "loglevel": "^1.6.4",
     "qs": "^6.5.2",
     "request": "^2.88.0",
     "unhomoglyph": "^1.0.2"
@@ -70,24 +69,24 @@
     "babel-plugin-transform-class-properties": "^6.24.1",
     "babel-plugin-transform-runtime": "^6.23.0",
     "babel-preset-es2015": "^6.18.0",
+    "babel-preset-es2016": "^6.24.1",
     "browserify": "^16.2.3",
     "browserify-shim": "^3.8.13",
     "eslint": "^5.12.0",
     "eslint-config-google": "^0.7.1",
     "eslint-plugin-babel": "^5.3.0",
-    "exorcist": "^0.4.0",
+    "exorcist": "^1.0.1",
     "expect": "^1.20.2",
     "istanbul": "^0.4.5",
     "jsdoc": "^3.5.5",
     "lolex": "^1.5.2",
     "matrix-mock-request": "^1.2.3",
-    "mocha": "^5.2.0",
-    "mocha-jenkins-reporter": "^0.4.0",
-    "olm": "https://packages.matrix.org/npm/olm/olm-3.1.0.tgz",
-    "rimraf": "^2.5.4",
-    "source-map-support": "^0.4.11",
-    "sourceify": "^0.1.0",
-    "terser": "^4.0.0",
+    "mocha": "^6.2.1",
+    "olm": "https://packages.matrix.org/npm/olm/olm-3.1.4.tgz",
+    "rimraf": "^3.0.0",
+    "source-map-support": "^0.5.13",
+    "sourceify": "^1.0.0",
+    "terser": "^4.3.8",
     "watchify": "^3.11.1"
   },
   "browserify": {

release.sh

@@ -195,6 +195,11 @@ if [ $dodist -eq 0 ]; then
     pushd "$builddir"
     git clone "$projdir" .
     git checkout "$rel_branch"
+    # We use Git branch / commit dependencies for some packages, and Yarn seems
+    # to have a hard time getting that right. See also
+    # https://github.com/yarnpkg/yarn/issues/4734. As a workaround, we clean the
+    # global cache here to ensure we get the right thing.
+    yarn cache clean
     yarn install
     # We haven't tagged yet, so tell the dist script what version
     # it's building

spec/test-utils.js

@@ -242,3 +242,144 @@ module.exports.awaitDecryption = function(event) {
         });
     });
 };
+
+
+const HttpResponse = module.exports.HttpResponse = function(
+    httpLookups, acceptKeepalives, ignoreUnhandledSync,
+) {
+    this.httpLookups = httpLookups;
+    this.acceptKeepalives = acceptKeepalives === undefined ? true : acceptKeepalives;
+    this.ignoreUnhandledSync = ignoreUnhandledSync;
+    this.pendingLookup = null;
+};
+
+HttpResponse.prototype.request = function HttpResponse(
+    cb, method, path, qp, data, prefix,
+) {
+    if (path === HttpResponse.KEEP_ALIVE_PATH && this.acceptKeepalives) {
+        return Promise.resolve();
+    }
+    const next = this.httpLookups.shift();
+    const logLine = (
+        "MatrixClient[UT] RECV " + method + " " + path + "  " +
+            "EXPECT " + (next ? next.method : next) + " " + (next ? next.path : next)
+    );
+    logger.log(logLine);
+
+    if (!next) { // no more things to return
+        if (method === "GET" && path === "/sync" && this.ignoreUnhandledSync) {
+            logger.log("MatrixClient[UT] Ignoring.");
+            return Promise.defer().promise;
+        }
+        if (this.pendingLookup) {
+            if (this.pendingLookup.method === method
+                && this.pendingLookup.path === path) {
+                return this.pendingLookup.promise;
+            }
+            // >1 pending thing, and they are different, whine.
+            expect(false).toBe(
+                true, ">1 pending request. You should probably handle them. " +
+                    "PENDING: " + JSON.stringify(this.pendingLookup) + " JUST GOT: " +
+                    method + " " + path,
+            );
+        }
+        this.pendingLookup = {
+            promise: Promise.defer().promise,
+            method: method,
+            path: path,
+        };
+        return this.pendingLookup.promise;
+    }
+    if (next.path === path && next.method === method) {
+        logger.log(
+            "MatrixClient[UT] Matched. Returning " +
+                (next.error ? "BAD" : "GOOD") + " response",
+        );
+        if (next.expectBody) {
+            expect(next.expectBody).toEqual(data);
+        }
+        if (next.expectQueryParams) {
+            Object.keys(next.expectQueryParams).forEach(function(k) {
+                expect(qp[k]).toEqual(next.expectQueryParams[k]);
+            });
+        }
+
+        if (next.thenCall) {
+            process.nextTick(next.thenCall, 0); // next tick so we return first.
+        }
+
+        if (next.error) {
+            return Promise.reject({
+                errcode: next.error.errcode,
+                httpStatus: next.error.httpStatus,
+                name: next.error.errcode,
+                message: "Expected testing error",
+                data: next.error,
+            });
+        }
+        return Promise.resolve(next.data);
+    } else if (method === "GET" && path === "/sync" && this.ignoreUnhandledSync) {
+        logger.log("MatrixClient[UT] Ignoring.");
+        this.httpLookups.unshift(next);
+        return Promise.defer().promise;
+    }
+    expect(true).toBe(false, "Expected different request. " + logLine);
+    return Promise.defer().promise;
+};
+
+HttpResponse.KEEP_ALIVE_PATH = "/_matrix/client/versions";
+
+HttpResponse.PUSH_RULES_RESPONSE = {
+    method: "GET",
+    path: "/pushrules/",
+    data: {},
+};
+
+HttpResponse.USER_ID = "@alice:bar";
+
+HttpResponse.filterResponse = function(userId) {
+    const filterPath = "/user/" + encodeURIComponent(userId) + "/filter";
+    return {
+        method: "POST",
+        path: filterPath,
+        data: { filter_id: "f1lt3r" },
+    };
+};
+
+HttpResponse.SYNC_DATA = {
+    next_batch: "s_5_3",
+    presence: { events: [] },
+    rooms: {},
+};
+
+HttpResponse.SYNC_RESPONSE = {
+    method: "GET",
+    path: "/sync",
+    data: HttpResponse.SYNC_DATA,
+};
+
+HttpResponse.defaultResponses = function(userId) {
+    return [
+        HttpResponse.PUSH_RULES_RESPONSE,
+        HttpResponse.filterResponse(userId),
+        HttpResponse.SYNC_RESPONSE,
+    ];
+};
+
+module.exports.setHttpResponses = function setHttpResponses(
+    client, responses, acceptKeepalives, ignoreUnhandledSyncs,
+) {
+    const httpResponseObj = new HttpResponse(
+        responses, acceptKeepalives, ignoreUnhandledSyncs,
+    );
+
+    const httpReq = httpResponseObj.request.bind(httpResponseObj);
+    client._http = [
+        "authedRequest", "authedRequestWithPrefix", "getContentUri",
+        "request", "requestWithPrefix", "uploadContent",
+    ].reduce((r, k) => {r[k] = expect.createSpy(); return r;}, {});
+    client._http.authedRequest.andCall(httpReq);
+    client._http.authedRequestWithPrefix.andCall(httpReq);
+    client._http.requestWithPrefix.andCall(httpReq);
+    client._http.request.andCall(httpReq);
+};

spec/unit/crypto/backup.spec.js

@@ -29,6 +29,7 @@ import testUtils from '../../test-utils';
 import OlmDevice from '../../../lib/crypto/OlmDevice';
 import Crypto from '../../../lib/crypto';
 import logger from '../../../src/logger';
+import olmlib from '../../../lib/crypto/olmlib';
 
 const Olm = global.Olm;
 
@@ -83,6 +84,16 @@ const BACKUP_INFO = {
     },
 };
 
+const keys = {};
+
+function getCrossSigningKey(type) {
+    return keys[type];
+}
+
+function saveCrossSigningKeys(k) {
+    Object.assign(keys, k);
+}
+
 function makeTestClient(sessionStore, cryptoStore) {
     const scheduler = [
         "getQueueForEvent", "queueEvent", "removeEventFromQueue",
@@ -108,6 +119,7 @@ function makeTestClient(sessionStore, cryptoStore) {
         deviceId: "device",
         sessionStore: sessionStore,
         cryptoStore: cryptoStore,
+        cryptoCallbacks: { getCrossSigningKey, saveCrossSigningKeys },
     });
 }
 
@@ -296,6 +308,71 @@ describe("MegolmBackup", function() {
                 });
         });
 
+        it('signs backups with the cross-signing master key', async function() {
+            const groupSession = new Olm.OutboundGroupSession();
+            groupSession.create();
+            const ibGroupSession = new Olm.InboundGroupSession();
+            ibGroupSession.create(groupSession.session_key());
+
+            const client = makeTestClient(sessionStore, cryptoStore);
+
+            megolmDecryption = new MegolmDecryption({
+                userId: '@user:id',
+                crypto: mockCrypto,
+                olmDevice: olmDevice,
+                baseApis: client,
+                roomId: ROOM_ID,
+            });
+
+            megolmDecryption.olmlib = mockOlmLib;
+
+            await client.initCrypto();
+            let privateKeys;
+            client.uploadDeviceSigningKeys = async function(e) {return;};
+            client.uploadKeySignatures = async function(e) {return;};
+            client.on("crossSigning.saveCrossSigningKeys", function(e) {
+                privateKeys = e;
+            });
+            client.on("crossSigning.getKey", function(e) {
+                e.done(privateKeys[e.type]);
+            });
+            await client.resetCrossSigningKeys();
+            let numCalls = 0;
+            await new Promise(async (resolve, reject) => {
+                client._http.authedRequest = function(
+                    callback, method, path, queryParams, data, opts,
+                ) {
+                    ++numCalls;
+                    expect(numCalls).toBeLessThanOrEqualTo(1);
+                    if (numCalls >= 2) {
+                        // exit out of retry loop if there's something wrong
+                        reject(new Error("authedRequest called too many timmes"));
+                        return Promise.resolve({});
+                    }
+                    expect(method).toBe("POST");
+                    expect(path).toBe("/room_keys/version");
+                    try {
+                        // make sure auth_data is signed by the master key
+                        olmlib.pkVerify(
+                            data.auth_data, client.getCrossSigningId(), "@alice:bar",
+                        );
+                    } catch (e) {
+                        reject(e);
+                        return Promise.resolve({});
+                    }
+                    resolve();
+                    return Promise.resolve({});
+                };
+                await client.createKeyBackupVersion({
+                    algorithm: "m.megolm_backup.v1",
+                    auth_data: {
+                        public_key: "hSDwCYkwp1R0i33ctD73Wg2/Og0mOBr066SpjqqbTmo",
+                    },
+                });
+            });
+            expect(numCalls).toBe(1);
+        });
+
         it('retries when a backup fails', function() {
             const groupSession = new Olm.OutboundGroupSession();
             groupSession.create();

spec/unit/crypto/cross-signing.spec.js

@@ -0,0 +1,800 @@
+/*
+Copyright 2019 New Vector Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import '../../olm-loader';
+
+import expect from 'expect';
+import anotherjson from 'another-json';
+
+import olmlib from '../../../lib/crypto/olmlib';
+
+import TestClient from '../../TestClient';
+
+import {HttpResponse, setHttpResponses} from '../../test-utils';
+
+async function makeTestClient(userInfo, options, keys) {
+    if (!keys) keys = {};
+
+    function getCrossSigningKey(type) {
+        return keys[type];
+    }
+
+    function saveCrossSigningKeys(k) {
+        Object.assign(keys, k);
+    }
+
+    if (!options) options = {};
+    options.cryptoCallbacks = Object.assign(
+        {}, { getCrossSigningKey, saveCrossSigningKeys }, options.cryptoCallbacks || {},
+    );
+    const client = (new TestClient(
+        userInfo.userId, userInfo.deviceId, undefined, undefined, options,
+    )).client;
+
+    await client.initCrypto();
+
+    return client;
+}
+
+describe("Cross Signing", function() {
+    if (!global.Olm) {
+        console.warn('Not running megolm backup unit tests: libolm not present');
+        return;
+    }
+
+    beforeEach(async function() {
+        await global.Olm.init();
+    });
+
+    it("should sign the master key with the device key", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+        alice.uploadDeviceSigningKeys = expect.createSpy()
+            .andCall(async (auth, keys) => {
+                await olmlib.verifySignature(
+                    alice._crypto._olmDevice, keys.master_key, "@alice:example.com",
+                    "Osborne2", alice._crypto._olmDevice.deviceEd25519Key,
+                );
+            });
+        alice.uploadKeySignatures = async () => {};
+        // set Alice's cross-signing key
+        await alice.resetCrossSigningKeys();
+        expect(alice.uploadDeviceSigningKeys).toHaveBeenCalled();
+    });
+
+    it("should upload a signature when a user is verified", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+        // set Alice's cross-signing key
+        await alice.resetCrossSigningKeys();
+        // Alice downloads Bob's device key
+        alice._crypto._deviceList.storeCrossSigningForUser("@bob:example.com", {
+            keys: {
+                master: {
+                    user_id: "@bob:example.com",
+                    usage: ["master"],
+                    keys: {
+                        "ed25519:bobs+master+pubkey": "bobs+master+pubkey",
+                    },
+                },
+            },
+        });
+        // Alice verifies Bob's key
+        const promise = new Promise((resolve, reject) => {
+            alice.uploadKeySignatures = (...args) => {
+                resolve(...args);
+            };
+        });
+        await alice.setDeviceVerified("@bob:example.com", "bobs+master+pubkey", true);
+        // Alice should send a signature of Bob's key to the server
+        await promise;
+    });
+
+    it("should get cross-signing keys from sync", async function() {
+        const masterKey = new Uint8Array([
+            0xda, 0x5a, 0x27, 0x60, 0xe3, 0x3a, 0xc5, 0x82,
+            0x9d, 0x12, 0xc3, 0xbe, 0xe8, 0xaa, 0xc2, 0xef,
+            0xae, 0xb1, 0x05, 0xc1, 0xe7, 0x62, 0x78, 0xa6,
+            0xd7, 0x1f, 0xf8, 0x2c, 0x51, 0x85, 0xf0, 0x1d,
+        ]);
+        const selfSigningKey = new Uint8Array([
+            0x1e, 0xf4, 0x01, 0x6d, 0x4f, 0xa1, 0x73, 0x66,
+            0x6b, 0xf8, 0x93, 0xf5, 0xb0, 0x4d, 0x17, 0xc0,
+            0x17, 0xb5, 0xa5, 0xf6, 0x59, 0x11, 0x8b, 0x49,
+            0x34, 0xf2, 0x4b, 0x64, 0x9b, 0x52, 0xf8, 0x5f,
+        ]);
+
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+            {
+                cryptoCallbacks: {
+                    // will be called to sign our own device
+                    getCrossSigningKey: type => {
+                        if (type === 'master') {
+                            return masterKey;
+                        } else {
+                            return selfSigningKey;
+                        }
+                    },
+                },
+            },
+        );
+
+        const keyChangePromise = new Promise((resolve, reject) => {
+            alice.once("crossSigning.keysChanged", async (e) => {
+                resolve(e);
+                await alice.checkOwnCrossSigningTrust();
+            });
+        });
+
+        const uploadSigsPromise = new Promise((resolve, reject) => {
+            alice.uploadKeySignatures = expect.createSpy().andCall(async (content) => {
+                await olmlib.verifySignature(
+                    alice._crypto._olmDevice,
+                    content["@alice:example.com"][
+                        "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk"
+                    ],
+                    "@alice:example.com",
+                    "Osborne2", alice._crypto._olmDevice.deviceEd25519Key,
+                );
+                olmlib.pkVerify(
+                    content["@alice:example.com"]["Osborne2"],
+                    "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ",
+                    "@alice:example.com",
+                );
+                resolve();
+            });
+        });
+
+        const deviceInfo = alice._crypto._deviceList._devices["@alice:example.com"]
+            .Osborne2;
+        const aliceDevice = {
+            user_id: "@alice:example.com",
+            device_id: "Osborne2",
+        };
+        aliceDevice.keys = deviceInfo.keys;
+        aliceDevice.algorithms = deviceInfo.algorithms;
+        await alice._crypto._signObject(aliceDevice);
+        olmlib.pkSign(aliceDevice, selfSigningKey, "@alice:example.com");
+
+        // feed sync result that includes master key, ssk, device key
+        const responses = [
+            HttpResponse.PUSH_RULES_RESPONSE,
+            {
+                method: "POST",
+                path: "/keys/upload/Osborne2",
+                data: {
+                    one_time_key_counts: {
+                        curve25519: 100,
+                        signed_curve25519: 100,
+                    },
+                },
+            },
+            HttpResponse.filterResponse("@alice:example.com"),
+            {
+                method: "GET",
+                path: "/sync",
+                data: {
+                    next_batch: "abcdefg",
+                    device_lists: {
+                        changed: [
+                            "@alice:example.com",
+                            "@bob:example.com",
+                        ],
+                    },
+                },
+            },
+            {
+                method: "POST",
+                path: "/keys/query",
+                data: {
+                    "failures": {},
+                    "device_keys": {
+                        "@alice:example.com": {
+                            "Osborne2": aliceDevice,
+                        },
+                    },
+                    "master_keys": {
+                        "@alice:example.com": {
+                            user_id: "@alice:example.com",
+                            usage: ["master"],
+                            keys: {
+                                "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk":
+                                "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk",
+                            },
+                        },
+                    },
+                    "self_signing_keys": {
+                        "@alice:example.com": {
+                            user_id: "@alice:example.com",
+                            usage: ["self-signing"],
+                            keys: {
+                                "ed25519:EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ":
+                                "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ",
+                            },
+                            signatures: {
+                                "@alice:example.com": {
+                                    "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk":
+                                    "Wqx/HXR851KIi8/u/UX+fbAMtq9Uj8sr8FsOcqrLfVYa6lAmbXs"
+                                    + "Vhfy4AlZ3dnEtjgZx0U0QDrghEn2eYBeOCA",
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+            {
+                method: "POST",
+                path: "/keys/upload/Osborne2",
+                data: {
+                    one_time_key_counts: {
+                        curve25519: 100,
+                        signed_curve25519: 100,
+                    },
+                },
+            },
+        ];
+        setHttpResponses(alice, responses, true, true);
+
+        await alice.startClient();
+
+        // once ssk is confirmed, device key should be trusted
+        await keyChangePromise;
+        await uploadSigsPromise;
+
+        const aliceTrust = alice.checkUserTrust("@alice:example.com");
+        expect(aliceTrust.isCrossSigningVerified()).toBeTruthy();
+        expect(aliceTrust.isTofu()).toBeTruthy();
+        expect(aliceTrust.isVerified()).toBeTruthy();
+
+        const aliceDeviceTrust = alice.checkDeviceTrust("@alice:example.com", "Osborne2");
+        expect(aliceDeviceTrust.isCrossSigningVerified()).toBeTruthy();
+        expect(aliceDeviceTrust.isLocallyVerified()).toBeTruthy();
+        expect(aliceDeviceTrust.isTofu()).toBeTruthy();
+        expect(aliceDeviceTrust.isVerified()).toBeTruthy();
+    });
+
+    it("should use trust chain to determine device verification", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+        // set Alice's cross-signing key
+        await alice.resetCrossSigningKeys();
+        // Alice downloads Bob's ssk and device key
+        const bobMasterSigning = new global.Olm.PkSigning();
+        const bobMasterPrivkey = bobMasterSigning.generate_seed();
+        const bobMasterPubkey = bobMasterSigning.init_with_seed(bobMasterPrivkey);
+        const bobSigning = new global.Olm.PkSigning();
+        const bobPrivkey = bobSigning.generate_seed();
+        const bobPubkey = bobSigning.init_with_seed(bobPrivkey);
+        const bobSSK = {
+            user_id: "@bob:example.com",
+            usage: ["self_signing"],
+            keys: {
+                ["ed25519:" + bobPubkey]: bobPubkey,
+            },
+        };
+        const sskSig = bobMasterSigning.sign(anotherjson.stringify(bobSSK));
+        bobSSK.signatures = {
+            "@bob:example.com": {
+                ["ed25519:" + bobMasterPubkey]: sskSig,
+            },
+        };
+        alice._crypto._deviceList.storeCrossSigningForUser("@bob:example.com", {
+            keys: {
+                master: {
+                    user_id: "@bob:example.com",
+                    usage: ["master"],
+                    keys: {
+                        ["ed25519:" + bobMasterPubkey]: bobMasterPubkey,
+                    },
+                },
+                self_signing: bobSSK,
+            },
+            firstUse: 1,
+            unsigned: {},
+        });
+        const bobDevice = {
+            user_id: "@bob:example.com",
+            device_id: "Dynabook",
+            algorithms: ["m.olm.curve25519-aes-sha256", "m.megolm.v1.aes-sha"],
+            keys: {
+                "curve25519:Dynabook": "somePubkey",
+                "ed25519:Dynabook": "someOtherPubkey",
+            },
+        };
+        const sig = bobSigning.sign(anotherjson.stringify(bobDevice));
+        bobDevice.signatures = {
+            "@bob:example.com": {
+                ["ed25519:" + bobPubkey]: sig,
+            },
+        };
+        alice._crypto._deviceList.storeDevicesForUser("@bob:example.com", {
+            Dynabook: bobDevice,
+        });
+        // Bob's device key should be TOFU
+        const bobTrust = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust.isVerified()).toBeFalsy();
+        expect(bobTrust.isTofu()).toBeTruthy();
+
+        const bobDeviceTrust = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust.isVerified()).toBeFalsy();
+        expect(bobDeviceTrust.isTofu()).toBeTruthy();
+
+        // Alice verifies Bob's SSK
+        alice.uploadKeySignatures = () => {};
+        await alice.setDeviceVerified("@bob:example.com", bobMasterPubkey, true);
+
+        // Bob's device key should be trusted
+        const bobTrust2 = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust2.isCrossSigningVerified()).toBeTruthy();
+        expect(bobTrust2.isTofu()).toBeTruthy();
+
+        const bobDeviceTrust2 = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust2.isCrossSigningVerified()).toBeTruthy();
+        expect(bobDeviceTrust2.isLocallyVerified()).toBeFalsy();
+        expect(bobDeviceTrust2.isTofu()).toBeTruthy();
+    });
+
+    it("should trust signatures received from other devices", async function() {
+        const aliceKeys = {};
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+            null,
+            aliceKeys,
+        );
+        alice._crypto._deviceList.startTrackingDeviceList("@bob:example.com");
+        alice._crypto._deviceList.stopTrackingAllDeviceLists = () => {};
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+
+        // set Alice's cross-signing key
+        await alice.resetCrossSigningKeys();
+
+        const selfSigningKey = new Uint8Array([
+            0x1e, 0xf4, 0x01, 0x6d, 0x4f, 0xa1, 0x73, 0x66,
+            0x6b, 0xf8, 0x93, 0xf5, 0xb0, 0x4d, 0x17, 0xc0,
+            0x17, 0xb5, 0xa5, 0xf6, 0x59, 0x11, 0x8b, 0x49,
+            0x34, 0xf2, 0x4b, 0x64, 0x9b, 0x52, 0xf8, 0x5f,
+        ]);
+
+        const keyChangePromise = new Promise((resolve, reject) => {
+            alice._crypto._deviceList.once("userCrossSigningUpdated", (userId) => {
+                if (userId === "@bob:example.com") {
+                    resolve();
+                }
+            });
+        });
+
+        const deviceInfo = alice._crypto._deviceList._devices["@alice:example.com"]
+            .Osborne2;
+        const aliceDevice = {
+            user_id: "@alice:example.com",
+            device_id: "Osborne2",
+        };
+        aliceDevice.keys = deviceInfo.keys;
+        aliceDevice.algorithms = deviceInfo.algorithms;
+        await alice._crypto._signObject(aliceDevice);
+
+        const bobOlmAccount = new global.Olm.Account();
+        bobOlmAccount.create();
+        const bobKeys = JSON.parse(bobOlmAccount.identity_keys());
+        const bobDevice = {
+            user_id: "@bob:example.com",
+            device_id: "Dynabook",
+            algorithms: [olmlib.OLM_ALGORITHM, olmlib.MEGOLM_ALGORITHM],
+            keys: {
+                "ed25519:Dynabook": bobKeys.ed25519,
+                "curve25519:Dynabook": bobKeys.curve25519,
+            },
+        };
+        const deviceStr = anotherjson.stringify(bobDevice);
+        bobDevice.signatures = {
+            "@bob:example.com": {
+                "ed25519:Dynabook": bobOlmAccount.sign(deviceStr),
+            },
+        };
+        olmlib.pkSign(bobDevice, selfSigningKey, "@bob:example.com");
+
+        const bobMaster = {
+            user_id: "@bob:example.com",
+            usage: ["master"],
+            keys: {
+                "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk":
+                "nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk",
+            },
+        };
+        olmlib.pkSign(bobMaster, aliceKeys.user_signing, "@alice:example.com");
+
+        // Alice downloads Bob's keys
+        // - device key
+        // - ssk
+        // - master key signed by her usk (pretend that it was signed by another
+        //   of Alice's devices)
+        const responses = [
+            HttpResponse.PUSH_RULES_RESPONSE,
+            {
+                method: "POST",
+                path: "/keys/upload/Osborne2",
+                data: {
+                    one_time_key_counts: {
+                        curve25519: 100,
+                        signed_curve25519: 100,
+                    },
+                },
+            },
+            HttpResponse.filterResponse("@alice:example.com"),
+            {
+                method: "GET",
+                path: "/sync",
+                data: {
+                    next_batch: "abcdefg",
+                    device_lists: {
+                        changed: [
+                            "@bob:example.com",
+                        ],
+                    },
+                },
+            },
+            {
+                method: "POST",
+                path: "/keys/query",
+                data: {
+                    "failures": {},
+                    "device_keys": {
+                        "@alice:example.com": {
+                            "Osborne2": aliceDevice,
+                        },
+                        "@bob:example.com": {
+                            "Dynabook": bobDevice,
+                        },
+                    },
+                    "master_keys": {
+                        "@bob:example.com": bobMaster,
+                    },
+                    "self_signing_keys": {
+                        "@bob:example.com": {
+                            user_id: "@bob:example.com",
+                            usage: ["self-signing"],
+                            keys: {
+                                "ed25519:EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ":
+                                "EmkqvokUn8p+vQAGZitOk4PWjp7Ukp3txV2TbMPEiBQ",
+                            },
+                            signatures: {
+                                "@bob:example.com": {
+                                    "ed25519:nqOvzeuGWT/sRx3h7+MHoInYj3Uk2LD/unI9kDYcHwk":
+                                    "2KLiufImvEbfJuAFvsaZD+PsL8ELWl7N1u9yr/9hZvwRghBfQMB"
+                                    + "LAI86b1kDV9+Cq1lt85ykReeCEzmTEPY2BQ",
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+            {
+                method: "POST",
+                path: "/keys/upload/Osborne2",
+                data: {
+                    one_time_key_counts: {
+                        curve25519: 100,
+                        signed_curve25519: 100,
+                    },
+                },
+            },
+        ];
+        setHttpResponses(alice, responses);
+
+        await alice.startClient();
+
+        await keyChangePromise;
+
+        // Bob's device key should be trusted
+        const bobTrust = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust.isCrossSigningVerified()).toBeTruthy();
+        expect(bobTrust.isTofu()).toBeTruthy();
+
+        const bobDeviceTrust = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust.isCrossSigningVerified()).toBeTruthy();
+        expect(bobDeviceTrust.isLocallyVerified()).toBeFalsy();
+        expect(bobDeviceTrust.isTofu()).toBeTruthy();
+    });
+
+    it("should dis-trust an unsigned device", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+        // set Alice's cross-signing key
+        await alice.resetCrossSigningKeys();
+        // Alice downloads Bob's ssk and device key
+        // (NOTE: device key is not signed by ssk)
+        const bobMasterSigning = new global.Olm.PkSigning();
+        const bobMasterPrivkey = bobMasterSigning.generate_seed();
+        const bobMasterPubkey = bobMasterSigning.init_with_seed(bobMasterPrivkey);
+        const bobSigning = new global.Olm.PkSigning();
+        const bobPrivkey = bobSigning.generate_seed();
+        const bobPubkey = bobSigning.init_with_seed(bobPrivkey);
+        const bobSSK = {
+            user_id: "@bob:example.com",
+            usage: ["self_signing"],
+            keys: {
+                ["ed25519:" + bobPubkey]: bobPubkey,
+            },
+        };
+        const sskSig = bobMasterSigning.sign(anotherjson.stringify(bobSSK));
+        bobSSK.signatures = {
+            "@bob:example.com": {
+                ["ed25519:" + bobMasterPubkey]: sskSig,
+            },
+        };
+        alice._crypto._deviceList.storeCrossSigningForUser("@bob:example.com", {
+            keys: {
+                master: {
+                    user_id: "@bob:example.com",
+                    usage: ["master"],
+                    keys: {
+                        ["ed25519:" + bobMasterPubkey]: bobMasterPubkey,
+                    },
+                },
+                self_signing: bobSSK,
+            },
+            firstUse: 1,
+            unsigned: {},
+        });
+        const bobDevice = {
+            user_id: "@bob:example.com",
+            device_id: "Dynabook",
+            algorithms: ["m.olm.curve25519-aes-sha256", "m.megolm.v1.aes-sha"],
+            keys: {
+                "curve25519:Dynabook": "somePubkey",
+                "ed25519:Dynabook": "someOtherPubkey",
+            },
+        };
+        alice._crypto._deviceList.storeDevicesForUser("@bob:example.com", {
+            Dynabook: bobDevice,
+        });
+        // Bob's device key should be untrusted
+        const bobDeviceTrust = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust.isVerified()).toBeFalsy();
+        expect(bobDeviceTrust.isTofu()).toBeFalsy();
+
+        // Alice verifies Bob's SSK
+        await alice.setDeviceVerified("@bob:example.com", bobMasterPubkey, true);
+
+        // Bob's device key should be untrusted
+        const bobDeviceTrust2 = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust2.isVerified()).toBeFalsy();
+        expect(bobDeviceTrust2.isTofu()).toBeFalsy();
+    });
+
+    it("should dis-trust a user when their ssk changes", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+        await alice.resetCrossSigningKeys();
+        // Alice downloads Bob's keys
+        const bobMasterSigning = new global.Olm.PkSigning();
+        const bobMasterPrivkey = bobMasterSigning.generate_seed();
+        const bobMasterPubkey = bobMasterSigning.init_with_seed(bobMasterPrivkey);
+        const bobSigning = new global.Olm.PkSigning();
+        const bobPrivkey = bobSigning.generate_seed();
+        const bobPubkey = bobSigning.init_with_seed(bobPrivkey);
+        const bobSSK = {
+            user_id: "@bob:example.com",
+            usage: ["self_signing"],
+            keys: {
+                ["ed25519:" + bobPubkey]: bobPubkey,
+            },
+        };
+        const sskSig = bobMasterSigning.sign(anotherjson.stringify(bobSSK));
+        bobSSK.signatures = {
+            "@bob:example.com": {
+                ["ed25519:" + bobMasterPubkey]: sskSig,
+            },
+        };
+        alice._crypto._deviceList.storeCrossSigningForUser("@bob:example.com", {
+            keys: {
+                master: {
+                    user_id: "@bob:example.com",
+                    usage: ["master"],
+                    keys: {
+                        ["ed25519:" + bobMasterPubkey]: bobMasterPubkey,
+                    },
+                },
+                self_signing: bobSSK,
+            },
+            firstUse: 1,
+            unsigned: {},
+        });
+        const bobDevice = {
+            user_id: "@bob:example.com",
+            device_id: "Dynabook",
+            algorithms: ["m.olm.curve25519-aes-sha256", "m.megolm.v1.aes-sha"],
+            keys: {
+                "curve25519:Dynabook": "somePubkey",
+                "ed25519:Dynabook": "someOtherPubkey",
+            },
+        };
+        const bobDeviceString = anotherjson.stringify(bobDevice);
+        const sig = bobSigning.sign(bobDeviceString);
+        bobDevice.signatures = {};
+        bobDevice.signatures["@bob:example.com"] = {};
+        bobDevice.signatures["@bob:example.com"]["ed25519:" + bobPubkey] = sig;
+        alice._crypto._deviceList.storeDevicesForUser("@bob:example.com", {
+            Dynabook: bobDevice,
+        });
+        // Alice verifies Bob's SSK
+        alice.uploadKeySignatures = () => {};
+        await alice.setDeviceVerified("@bob:example.com", bobMasterPubkey, true);
+
+        // Bob's device key should be trusted
+        const bobDeviceTrust = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust.isVerified()).toBeTruthy();
+        expect(bobDeviceTrust.isTofu()).toBeTruthy();
+
+        // Alice downloads new SSK for Bob
+        const bobMasterSigning2 = new global.Olm.PkSigning();
+        const bobMasterPrivkey2 = bobMasterSigning2.generate_seed();
+        const bobMasterPubkey2 = bobMasterSigning2.init_with_seed(bobMasterPrivkey2);
+        const bobSigning2 = new global.Olm.PkSigning();
+        const bobPrivkey2 = bobSigning2.generate_seed();
+        const bobPubkey2 = bobSigning2.init_with_seed(bobPrivkey2);
+        const bobSSK2 = {
+            user_id: "@bob:example.com",
+            usage: ["self_signing"],
+            keys: {
+                ["ed25519:" + bobPubkey2]: bobPubkey2,
+            },
+        };
+        const sskSig2 = bobMasterSigning2.sign(anotherjson.stringify(bobSSK2));
+        bobSSK2.signatures = {
+            "@bob:example.com": {
+                ["ed25519:" + bobMasterPubkey2]: sskSig2,
+            },
+        };
+        alice._crypto._deviceList.storeCrossSigningForUser("@bob:example.com", {
+            keys: {
+                master: {
+                    user_id: "@bob:example.com",
+                    usage: ["master"],
+                    keys: {
+                        ["ed25519:" + bobMasterPubkey2]: bobMasterPubkey2,
+                    },
+                },
+                self_signing: bobSSK2,
+            },
+            firstUse: 0,
+            unsigned: {},
+        });
+        // Bob's and his device should be untrusted
+        const bobTrust = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust.isVerified()).toBeFalsy();
+        expect(bobTrust.isTofu()).toBeFalsy();
+
+        const bobDeviceTrust2 = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust2.isVerified()).toBeFalsy();
+        expect(bobDeviceTrust2.isTofu()).toBeFalsy();
+
+        // Alice verifies Bob's SSK
+        alice.uploadKeySignatures = () => {};
+        await alice.setDeviceVerified("@bob:example.com", bobMasterPubkey2, true);
+
+        // Bob should be trusted but not his device
+        const bobTrust2 = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust2.isVerified()).toBeTruthy();
+
+        const bobDeviceTrust3 = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust3.isVerified()).toBeFalsy();
+
+        // Alice gets new signature for device
+        const sig2 = bobSigning2.sign(bobDeviceString);
+        bobDevice.signatures["@bob:example.com"]["ed25519:" + bobPubkey2] = sig2;
+        alice._crypto._deviceList.storeDevicesForUser("@bob:example.com", {
+            Dynabook: bobDevice,
+        });
+
+        // Bob's device should be trusted again (but not TOFU)
+        const bobTrust3 = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust3.isVerified()).toBeTruthy();
+
+        const bobDeviceTrust4 = alice.checkDeviceTrust("@bob:example.com", "Dynabook");
+        expect(bobDeviceTrust4.isCrossSigningVerified()).toBeTruthy();
+    });
+
+    it("should offer to upgrade device verifications to cross-signing", async function() {
+        let upgradeResolveFunc;
+
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+            {
+                cryptoCallbacks: {
+                    shouldUpgradeDeviceVerifications: (verifs) => {
+                        expect(verifs.users["@bob:example.com"]).toExist();
+                        upgradeResolveFunc();
+                        return ["@bob:example.com"];
+                    },
+                },
+            },
+        );
+        const bob = await makeTestClient(
+            {userId: "@bob:example.com", deviceId: "Dynabook"},
+        );
+
+        bob.uploadDeviceSigningKeys = async () => {};
+        bob.uploadKeySignatures = async () => {};
+        // set Bob's cross-signing key
+        await bob.resetCrossSigningKeys();
+        alice._crypto._deviceList.storeDevicesForUser("@bob:example.com", {
+            Dynabook: {
+                algorithms: ["m.olm.curve25519-aes-sha256", "m.megolm.v1.aes-sha"],
+                keys: {
+                    "curve25519:Dynabook": bob._crypto._olmDevice.deviceCurve25519Key,
+                    "ed25519:Dynabook": bob._crypto._olmDevice.deviceEd25519Key,
+                },
+                verified: 1,
+                known: true,
+            },
+        });
+        alice._crypto._deviceList.storeCrossSigningForUser(
+            "@bob:example.com",
+            bob._crypto._crossSigningInfo.toStorage(),
+        );
+
+        alice.uploadDeviceSigningKeys = async () => {};
+        alice.uploadKeySignatures = async () => {};
+        // when alice sets up cross-signing, she should notice that bob's
+        // cross-signing key is signed by his Dynabook, which alice has
+        // verified, and ask if the device verification should be upgraded to a
+        // cross-signing verification
+        let upgradePromise = new Promise((resolve) => {
+            upgradeResolveFunc = resolve;
+        });
+        await alice.resetCrossSigningKeys();
+        await upgradePromise;
+
+        const bobTrust = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust.isCrossSigningVerified()).toBeTruthy();
+        expect(bobTrust.isTofu()).toBeTruthy();
+
+        // "forget" that Bob is trusted
+        delete alice._crypto._deviceList._crossSigningInfo["@bob:example.com"]
+            .keys.master.signatures["@alice:example.com"];
+
+        const bobTrust2 = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust2.isCrossSigningVerified()).toBeFalsy();
+        expect(bobTrust2.isTofu()).toBeTruthy();
+
+        upgradePromise = new Promise((resolve) => {
+            upgradeResolveFunc = resolve;
+        });
+        alice._crypto._deviceList.emit("userCrossSigningUpdated", "@bob:example.com");
+        await upgradePromise;
+
+        const bobTrust3 = alice.checkUserTrust("@bob:example.com");
+        expect(bobTrust3.isCrossSigningVerified()).toBeTruthy();
+        expect(bobTrust3.isTofu()).toBeTruthy();
+    });
+});

spec/unit/crypto/secrets.spec.js

@@ -0,0 +1,248 @@
+/*
+Copyright 2019 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import '../../olm-loader';
+
+import expect from 'expect';
+import { MatrixEvent } from '../../../lib/models/event';
+import { SECRET_STORAGE_ALGORITHM_V1 } from '../../../lib/crypto/SecretStorage';
+
+import olmlib from '../../../lib/crypto/olmlib';
+
+import TestClient from '../../TestClient';
+import { makeTestClients } from './verification/util';
+
+async function makeTestClient(userInfo, options) {
+    const client = (new TestClient(
+        userInfo.userId, userInfo.deviceId, undefined, undefined, options,
+    )).client;
+
+    await client.initCrypto();
+
+    return client;
+}
+
+describe("Secrets", function() {
+    if (!global.Olm) {
+        console.warn('Not running megolm backup unit tests: libolm not present');
+        return;
+    }
+
+    beforeEach(async function() {
+        await global.Olm.init();
+    });
+
+    it("should store and retrieve a secret", async function() {
+        const decryption = new global.Olm.PkDecryption();
+        const pubkey = decryption.generate_key();
+        const privkey = decryption.get_private_key();
+
+        const signing = new global.Olm.PkSigning();
+        const signingKey = signing.generate_seed();
+        const signingPubKey = signing.init_with_seed(signingKey);
+
+        const signingkeyInfo = {
+            user_id: "@alice:example.com",
+            usage: ['master'],
+            keys: {
+                ['ed25519:' + signingPubKey]: signingPubKey,
+            },
+        };
+
+        const getKey = expect.createSpy().andCall(e => {
+            expect(Object.keys(e.keys)).toEqual(["abc"]);
+            return ['abc', privkey];
+        });
+
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+            {
+                cryptoCallbacks: {
+                    getCrossSigningKey: t => signingKey,
+                    getSecretStorageKey: getKey,
+                },
+            },
+        );
+        alice._crypto._crossSigningInfo.setKeys({
+            master: signingkeyInfo,
+        });
+
+        const secretStorage = alice._crypto._secretStorage;
+
+        alice.setAccountData = async function(eventType, contents, callback) {
+            alice.store.storeAccountDataEvents([
+                new MatrixEvent({
+                    type: eventType,
+                    content: contents,
+                }),
+            ]);
+            if (callback) {
+                callback();
+            }
+        };
+
+        const keyAccountData = {
+            algorithm: SECRET_STORAGE_ALGORITHM_V1,
+            pubkey: pubkey,
+        };
+        await alice._crypto._crossSigningInfo.signObject(keyAccountData, 'master');
+
+        alice.store.storeAccountDataEvents([
+            new MatrixEvent({
+                type: "m.secret_storage.key.abc",
+                content: keyAccountData,
+            }),
+        ]);
+
+        expect(secretStorage.isStored("foo")).toBe(false);
+
+        await secretStorage.store("foo", "bar", ["abc"]);
+
+        expect(secretStorage.isStored("foo")).toBe(true);
+        expect(await secretStorage.get("foo")).toBe("bar");
+
+        expect(getKey).toHaveBeenCalled();
+    });
+
+    it("should throw if given a key that doesn't exist", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+
+        try {
+            await alice.storeSecret("foo", "bar", ["this secret does not exist"]);
+            // should be able to use expect(...).toThrow() but mocha still fails
+            // the test even when it throws for reasons I have no inclination to debug
+            expect(true).toBeFalsy();
+        } catch (e) {
+        }
+    });
+
+    it("should refuse to encrypt with zero keys", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+
+        try {
+            await alice.storeSecret("foo", "bar", []);
+            expect(true).toBeFalsy();
+        } catch (e) {
+        }
+    });
+
+    it("should encrypt with default key if keys is null", async function() {
+        let keys = {};
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+            {
+                cryptoCallbacks: {
+                    getCrossSigningKey: t => keys[t],
+                    saveCrossSigningKeys: k => keys = k,
+                },
+            },
+        );
+        alice.setAccountData = async function(eventType, contents, callback) {
+            alice.store.storeAccountDataEvents([
+                new MatrixEvent({
+                    type: eventType,
+                    content: contents,
+                }),
+            ]);
+        };
+        alice.resetCrossSigningKeys();
+
+        const newKeyId = await alice.addSecretKey(
+            SECRET_STORAGE_ALGORITHM_V1,
+        );
+        // we don't await on this because it waits for the event to come down the sync
+        // which won't happen in the test setup
+        alice.setDefaultSecretStorageKeyId(newKeyId);
+        await alice.storeSecret("foo", "bar");
+
+        const accountData = alice.getAccountData('foo');
+        expect(accountData.getContent().encrypted).toBeTruthy();
+    });
+
+    it("should refuse to encrypt if no keys given and no default key", async function() {
+        const alice = await makeTestClient(
+            {userId: "@alice:example.com", deviceId: "Osborne2"},
+        );
+
+        try {
+            await alice.storeSecret("foo", "bar");
+            expect(true).toBeFalsy();
+        } catch (e) {
+        }
+    });
+
+    it("should request secrets from other clients", async function() {
+        const [osborne2, vax] = await makeTestClients(
+            [
+                {userId: "@alice:example.com", deviceId: "Osborne2"},
+                {userId: "@alice:example.com", deviceId: "VAX"},
+            ],
+            {
+                cryptoCallbacks: {
+                    onSecretRequested: e => {
+                        expect(e.name).toBe("foo");
+                        return "bar";
+                    },
+                },
+            },
+        );
+
+        const vaxDevice = vax.client._crypto._olmDevice;
+        const osborne2Device = osborne2.client._crypto._olmDevice;
+        const secretStorage = osborne2.client._crypto._secretStorage;
+
+        osborne2.client._crypto._deviceList.storeDevicesForUser("@alice:example.com", {
+            "VAX": {
+                user_id: "@alice:example.com",
+                device_id: "VAX",
+                algorithms: [olmlib.OLM_ALGORITHM, olmlib.MEGOLM_ALGORITHM],
+                keys: {
+                    "ed25519:VAX": vaxDevice.deviceEd25519Key,
+                    "curve25519:VAX": vaxDevice.deviceCurve25519Key,
+                },
+            },
+        });
+        vax.client._crypto._deviceList.storeDevicesForUser("@alice:example.com", {
+            "Osborne2": {
+                user_id: "@alice:example.com",
+                device_id: "Osborne2",
+                algorithms: [olmlib.OLM_ALGORITHM, olmlib.MEGOLM_ALGORITHM],
+                keys: {
+                    "ed25519:Osborne2": osborne2Device.deviceEd25519Key,
+                    "curve25519:Osborne2": osborne2Device.deviceCurve25519Key,
+                },
+            },
+        });
+
+        await osborne2Device.generateOneTimeKeys(1);
+        const otks = (await osborne2Device.getOneTimeKeys()).curve25519;
+        await osborne2Device.markKeysAsPublished();
+
+        await vax.client._crypto._olmDevice.createOutboundSession(
+            osborne2Device.deviceCurve25519Key,
+            Object.values(otks)[0],
+        );
+
+        const request = await secretStorage.request("foo", ["VAX"]);
+        const secret = await request.promise;
+
+        expect(secret).toBe("bar");
+    });
+});

spec/unit/crypto/verification/request.spec.js

@@ -51,7 +51,7 @@ describe("verification request", function() {
                 verificationMethods: [verificationMethods.SAS],
             },
         );
-        alice._crypto._deviceList.getRawStoredDevicesForUser = function() {
+        alice.client._crypto._deviceList.getRawStoredDevicesForUser = function() {
             return {
                 Dynabook: {
                     keys: {
@@ -60,20 +60,20 @@ describe("verification request", function() {
                 },
             };
         };
-        alice.downloadKeys = () => {
+        alice.client.downloadKeys = () => {
             return Promise.resolve();
         };
-        bob.downloadKeys = () => {
+        bob.client.downloadKeys = () => {
             return Promise.resolve();
         };
-        bob.on("crypto.verification.request", (request) => {
+        bob.client.on("crypto.verification.request", (request) => {
             const bobVerifier = request.beginKeyVerification(verificationMethods.SAS);
             bobVerifier.verify();
 
             // XXX: Private function access (but it's a test, so we're okay)
             bobVerifier._endTimer();
         });
-        const aliceVerifier = await alice.requestVerification("@bob:example.com");
+        const aliceVerifier = await alice.client.requestVerification("@bob:example.com");
         expect(aliceVerifier).toBeAn(SAS);
 
         // XXX: Private function access (but it's a test, so we're okay)

spec/unit/crypto/verification/sas.spec.js

@@ -22,6 +22,7 @@ try {
 }
 
 import expect from 'expect';
+import olmlib from '../../../../lib/crypto/olmlib';
 
 import sdk from '../../../..';
 
@@ -36,6 +37,9 @@ const MatrixEvent = sdk.MatrixEvent;
 
 import {makeTestClients} from './util';
 
+let ALICE_DEVICES;
+let BOB_DEVICES;
+
 describe("SAS verification", function() {
     if (!global.Olm) {
         logger.warn('Not running device verification unit tests: libolm not present');
@@ -81,38 +85,43 @@ describe("SAS verification", function() {
                 },
             );
 
-            alice.setDeviceVerified = expect.createSpy();
-            alice.getDeviceEd25519Key = () => {
-                return "alice+base64+ed25519+key";
-            };
-            alice.getStoredDevice = () => {
-                return DeviceInfo.fromStorage(
-                    {
-                        keys: {
-                            "ed25519:Dynabook": "bob+base64+ed25519+key",
-                        },
+            const aliceDevice = alice.client._crypto._olmDevice;
+            const bobDevice = bob.client._crypto._olmDevice;
+
+            ALICE_DEVICES = {
+                Osborne2: {
+                    user_id: "@alice:example.com",
+                    device_id: "Osborne2",
+                    algorithms: [olmlib.OLM_ALGORITHM, olmlib.MEGOLM_ALGORITHM],
+                    keys: {
+                        "ed25519:Osborne2": aliceDevice.deviceEd25519Key,
+                        "curve25519:Osborne2": aliceDevice.deviceCurve25519Key,
                     },
-                    "Dynabook",
-                );
+                },
             };
+
+            BOB_DEVICES = {
+                Dynabook: {
+                    user_id: "@bob:example.com",
+                    device_id: "Dynabook",
+                    algorithms: [olmlib.OLM_ALGORITHM, olmlib.MEGOLM_ALGORITHM],
+                    keys: {
+                        "ed25519:Dynabook": bobDevice.deviceEd25519Key,
+                        "curve25519:Dynabook": bobDevice.deviceCurve25519Key,
+                    },
+                },
+            };
+
+            alice.client._crypto._deviceList.storeDevicesForUser(
+                "@bob:example.com", BOB_DEVICES,
+            );
             alice.downloadKeys = () => {
                 return Promise.resolve();
             };
 
-            bob.setDeviceVerified = expect.createSpy();
-            bob.getStoredDevice = () => {
-                return DeviceInfo.fromStorage(
-                    {
-                        keys: {
-                            "ed25519:Osborne2": "alice+base64+ed25519+key",
-                        },
-                    },
-                    "Osborne2",
-                );
-            };
-            bob.getDeviceEd25519Key = () => {
-                return "bob+base64+ed25519+key";
-            };
+            bob.client._crypto._deviceList.storeDevicesForUser(
+                "@alice:example.com", ALICE_DEVICES,
+            );
             bob.downloadKeys = () => {
                 return Promise.resolve();
             };
@@ -121,7 +130,7 @@ describe("SAS verification", function() {
             bobSasEvent = null;
 
             bobPromise = new Promise((resolve, reject) => {
-                bob.on("crypto.verification.start", (verifier) => {
+                bob.client.on("crypto.verification.start", (verifier) => {
                     verifier.on("show_sas", (e) => {
                         if (!e.sas.emoji || !e.sas.decimal) {
                             e.cancel();
@@ -142,8 +151,8 @@ describe("SAS verification", function() {
                 });
             });
 
-            aliceVerifier = alice.beginKeyVerification(
-                verificationMethods.SAS, bob.getUserId(), bob.deviceId,
+            aliceVerifier = alice.client.beginKeyVerification(
+                verificationMethods.SAS, bob.client.getUserId(), bob.deviceId,
             );
             aliceVerifier.on("show_sas", (e) => {
                 if (!e.sas.emoji || !e.sas.decimal) {
@@ -165,66 +174,165 @@ describe("SAS verification", function() {
 
         it("should verify a key", async function() {
             let macMethod;
-            const origSendToDevice = alice.sendToDevice;
-            bob.sendToDevice = function(type, map) {
+            const origSendToDevice = alice.client.sendToDevice;
+            bob.client.sendToDevice = function(type, map) {
                 if (type === "m.key.verification.accept") {
-                    macMethod = map[alice.getUserId()][alice.deviceId]
+                    macMethod = map[alice.client.getUserId()][alice.client.deviceId]
                         .message_authentication_code;
                 }
                 return origSendToDevice.call(this, type, map);
             };
 
+            alice.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@bob:example.com": BOB_DEVICES,
+                },
+            });
+            bob.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@alice:example.com": ALICE_DEVICES,
+                },
+            });
+
             await Promise.all([
                 aliceVerifier.verify(),
                 bobPromise.then((verifier) => verifier.verify()),
+                alice.httpBackend.flush(),
+                bob.httpBackend.flush(),
             ]);
 
             // make sure that it uses the preferred method
             expect(macMethod).toBe("hkdf-hmac-sha256");
 
             // make sure Alice and Bob verified each other
-            expect(alice.setDeviceVerified)
-                .toHaveBeenCalledWith(bob.getUserId(), bob.deviceId);
-            expect(bob.setDeviceVerified)
-                .toHaveBeenCalledWith(alice.getUserId(), alice.deviceId);
+            const bobDevice
+                  = await alice.client.getStoredDevice("@bob:example.com", "Dynabook");
+            expect(bobDevice.isVerified()).toBeTruthy();
+            const aliceDevice
+                  = await bob.client.getStoredDevice("@alice:example.com", "Osborne2");
+            expect(aliceDevice.isVerified()).toBeTruthy();
         });
 
         it("should be able to verify using the old MAC", async function() {
             // pretend that Alice can only understand the old (incorrect) MAC,
             // and make sure that she can still verify with Bob
             let macMethod;
-            const origSendToDevice = alice.sendToDevice;
-            alice.sendToDevice = function(type, map) {
+            const origSendToDevice = alice.client.sendToDevice;
+            alice.client.sendToDevice = function(type, map) {
                 if (type === "m.key.verification.start") {
                     // Note: this modifies not only the message that Bob
                     // receives, but also the copy of the message that Alice
                     // has, since it is the same object.  If this does not
                     // happen, the verification will fail due to a hash
                     // commitment mismatch.
-                    map[bob.getUserId()][bob.deviceId]
+                    map[bob.client.getUserId()][bob.client.deviceId]
                         .message_authentication_codes = ['hmac-sha256'];
                 }
                 return origSendToDevice.call(this, type, map);
             };
-            bob.sendToDevice = function(type, map) {
+            bob.client.sendToDevice = function(type, map) {
                 if (type === "m.key.verification.accept") {
-                    macMethod = map[alice.getUserId()][alice.deviceId]
+                    macMethod = map[alice.client.getUserId()][alice.client.deviceId]
                         .message_authentication_code;
                 }
                 return origSendToDevice.call(this, type, map);
             };
 
+            alice.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@bob:example.com": BOB_DEVICES,
+                },
+            });
+            bob.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@alice:example.com": ALICE_DEVICES,
+                },
+            });
+
             await Promise.all([
                 aliceVerifier.verify(),
                 bobPromise.then((verifier) => verifier.verify()),
+                alice.httpBackend.flush(),
+                bob.httpBackend.flush(),
             ]);
 
             expect(macMethod).toBe("hmac-sha256");
 
-            expect(alice.setDeviceVerified)
-                .toHaveBeenCalledWith(bob.getUserId(), bob.deviceId);
-            expect(bob.setDeviceVerified)
-                .toHaveBeenCalledWith(alice.getUserId(), alice.deviceId);
+            const bobDevice
+                  = await alice.client.getStoredDevice("@bob:example.com", "Dynabook");
+            expect(bobDevice.isVerified()).toBeTruthy();
+            const aliceDevice
+                  = await bob.client.getStoredDevice("@alice:example.com", "Osborne2");
+            expect(aliceDevice.isVerified()).toBeTruthy();
+        });
+
+        it("should verify a cross-signing key", async function() {
+            alice.httpBackend.when('POST', '/keys/device_signing/upload').respond(
+                200, {},
+            );
+            alice.httpBackend.when('POST', '/keys/signatures/upload').respond(200, {});
+            alice.httpBackend.flush(undefined, 2);
+            await alice.client.resetCrossSigningKeys();
+            bob.httpBackend.when('POST', '/keys/device_signing/upload').respond(200, {});
+            bob.httpBackend.when('POST', '/keys/signatures/upload').respond(200, {});
+            bob.httpBackend.flush(undefined, 2);
+
+            await bob.client.resetCrossSigningKeys();
+
+            bob.client._crypto._deviceList.storeCrossSigningForUser(
+                "@alice:example.com", {
+                    keys: alice.client._crypto._crossSigningInfo.keys,
+                },
+            );
+
+            alice.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@bob:example.com": BOB_DEVICES,
+                },
+            });
+            bob.httpBackend.when('POST', '/keys/query').respond(200, {
+                failures: {},
+                device_keys: {
+                    "@alice:example.com": ALICE_DEVICES,
+                },
+            });
+
+            const verifyProm = Promise.all([
+                aliceVerifier.verify(),
+                bobPromise.then((verifier) => {
+                    bob.httpBackend.when(
+                        'POST', '/keys/signatures/upload',
+                    ).respond(200, {});
+                    bob.httpBackend.flush(undefined, 2);
+                    return verifier.verify();
+                }),
+            ]);
+
+            await alice.httpBackend.flush(undefined, 1);
+            console.log("alice reqs flushed");
+
+            await verifyProm;
+
+            const bobDeviceTrust = alice.client.checkDeviceTrust(
+                "@bob:example.com", "Dynabook",
+            );
+            expect(bobDeviceTrust.isLocallyVerified()).toBeTruthy();
+            expect(bobDeviceTrust.isCrossSigningVerified()).toBeFalsy();
+
+            const aliceTrust = bob.client.checkUserTrust("@alice:example.com");
+            expect(aliceTrust.isCrossSigningVerified()).toBeTruthy();
+            expect(aliceTrust.isTofu()).toBeTruthy();
+
+            const aliceDeviceTrust = bob.client.checkDeviceTrust(
+                "@alice:example.com", "Osborne2",
+            );
+            expect(aliceDeviceTrust.isLocallyVerified()).toBeTruthy();
+            expect(aliceDeviceTrust.isCrossSigningVerified()).toBeFalsy();
         });
     });
 
@@ -238,17 +346,17 @@ describe("SAS verification", function() {
                 verificationMethods: [verificationMethods.SAS],
             },
         );
-        alice.setDeviceVerified = expect.createSpy();
-        alice.downloadKeys = () => {
+        alice.client.setDeviceVerified = expect.createSpy();
+        alice.client.downloadKeys = () => {
             return Promise.resolve();
         };
-        bob.setDeviceVerified = expect.createSpy();
-        bob.downloadKeys = () => {
+        bob.client.setDeviceVerified = expect.createSpy();
+        bob.client.downloadKeys = () => {
             return Promise.resolve();
         };
 
         const bobPromise = new Promise((resolve, reject) => {
-            bob.on("crypto.verification.start", (verifier) => {
+            bob.client.on("crypto.verification.start", (verifier) => {
                 verifier.on("show_sas", (e) => {
                     e.mismatch();
                 });
@@ -256,8 +364,8 @@ describe("SAS verification", function() {
             });
         });
 
-        const aliceVerifier = alice.beginKeyVerification(
-            verificationMethods.SAS, bob.getUserId(), bob.deviceId,
+        const aliceVerifier = alice.client.beginKeyVerification(
+            verificationMethods.SAS, bob.client.getUserId(), bob.client.deviceId,
         );
 
         const aliceSpy = expect.createSpy();
@@ -268,9 +376,132 @@ describe("SAS verification", function() {
         ]);
         expect(aliceSpy).toHaveBeenCalled();
         expect(bobSpy).toHaveBeenCalled();
-        expect(alice.setDeviceVerified)
+        expect(alice.client.setDeviceVerified)
             .toNotHaveBeenCalled();
-        expect(bob.setDeviceVerified)
+        expect(bob.client.setDeviceVerified)
             .toNotHaveBeenCalled();
     });
+
+    describe("verification in DM", function() {
+        let alice;
+        let bob;
+        let aliceSasEvent;
+        let bobSasEvent;
+        let aliceVerifier;
+        let bobPromise;
+
+        beforeEach(async function() {
+            [alice, bob] = await makeTestClients(
+                [
+                    {userId: "@alice:example.com", deviceId: "Osborne2"},
+                    {userId: "@bob:example.com", deviceId: "Dynabook"},
+                ],
+                {
+                    verificationMethods: [verificationMethods.SAS],
+                },
+            );
+
+            alice.client.setDeviceVerified = expect.createSpy();
+            alice.client.getDeviceEd25519Key = () => {
+                return "alice+base64+ed25519+key";
+            };
+            alice.client.getStoredDevice = () => {
+                return DeviceInfo.fromStorage(
+                    {
+                        keys: {
+                            "ed25519:Dynabook": "bob+base64+ed25519+key",
+                        },
+                    },
+                    "Dynabook",
+                );
+            };
+            alice.client.downloadKeys = () => {
+                return Promise.resolve();
+            };
+
+            bob.client.setDeviceVerified = expect.createSpy();
+            bob.client.getStoredDevice = () => {
+                return DeviceInfo.fromStorage(
+                    {
+                        keys: {
+                            "ed25519:Osborne2": "alice+base64+ed25519+key",
+                        },
+                    },
+                    "Osborne2",
+                );
+            };
+            bob.client.getDeviceEd25519Key = () => {
+                return "bob+base64+ed25519+key";
+            };
+            bob.client.downloadKeys = () => {
+                return Promise.resolve();
+            };
+
+            aliceSasEvent = null;
+            bobSasEvent = null;
+
+            bobPromise = new Promise((resolve, reject) => {
+                bob.client.on("event", async (event) => {
+                    const content = event.getContent();
+                    if (event.getType() === "m.room.message"
+                        && content.msgtype === "m.key.verification.request") {
+                        expect(content.methods).toInclude(SAS.NAME);
+                        expect(content.to).toBe(bob.client.getUserId());
+                        const verifier = bob.client.acceptVerificationDM(event, SAS.NAME);
+                        verifier.on("show_sas", (e) => {
+                            if (!e.sas.emoji || !e.sas.decimal) {
+                                e.cancel();
+                            } else if (!aliceSasEvent) {
+                                bobSasEvent = e;
+                            } else {
+                                try {
+                                    expect(e.sas).toEqual(aliceSasEvent.sas);
+                                    e.confirm();
+                                    aliceSasEvent.confirm();
+                                } catch (error) {
+                                    e.mismatch();
+                                    aliceSasEvent.mismatch();
+                                }
+                            }
+                        });
+                        await verifier.verify();
+                        resolve();
+                    }
+                });
+            });
+
+            aliceVerifier = await alice.client.requestVerificationDM(
+                bob.client.getUserId(), "!room_id", [verificationMethods.SAS],
+            );
+            aliceVerifier.on("show_sas", (e) => {
+                if (!e.sas.emoji || !e.sas.decimal) {
+                    e.cancel();
+                } else if (!bobSasEvent) {
+                    aliceSasEvent = e;
+                } else {
+                    try {
+                        expect(e.sas).toEqual(bobSasEvent.sas);
+                        e.confirm();
+                        bobSasEvent.confirm();
+                    } catch (error) {
+                        e.mismatch();
+                        bobSasEvent.mismatch();
+                    }
+                }
+            });
+        });
+
+        it("should verify a key", async function() {
+            await Promise.all([
+                aliceVerifier.verify(),
+                bobPromise,
+            ]);
+
+            // make sure Alice and Bob verified each other
+            expect(alice.client.setDeviceVerified)
+                .toHaveBeenCalledWith(bob.client.getUserId(), bob.client.deviceId);
+            expect(bob.client.setDeviceVerified)
+                .toHaveBeenCalledWith(alice.client.getUserId(), alice.client.deviceId);
+        });
+    });
 });

spec/unit/crypto/verification/util.js

@@ -33,31 +33,63 @@ export async function makeTestClients(userInfos, options) {
                             type: type,
                             content: msg,
                         });
-                        setTimeout(
-                            () => clientMap[userId][deviceId]
-                                .emit("toDeviceEvent", event),
-                            0,
-                        );
+                        const client = clientMap[userId][deviceId];
+                        if (event.isEncrypted()) {
+                            event.attemptDecryption(client._crypto)
+                                .then(() => client.emit("toDeviceEvent", event));
+                        } else {
+                            setTimeout(
+                                () => client.emit("toDeviceEvent", event),
+                                0,
+                            );
+                        }
                     }
                 }
             }
         }
     };
+    const sendEvent = function(room, type, content) {
+        // make up a unique ID as the event ID
+        const eventId = "$" + this.makeTxnId(); // eslint-disable-line babel/no-invalid-this
+        const event = new MatrixEvent({
+            sender: this.getUserId(), // eslint-disable-line babel/no-invalid-this
+            type: type,
+            content: content,
+            room_id: room,
+            event_id: eventId,
+        });
+        for (const tc of clients) {
+            setTimeout(
+                () => tc.client.emit("event", event),
+                0,
+            );
+        }
+
+        return {event_id: eventId};
+    };
 
     for (const userInfo of userInfos) {
-        const client = (new TestClient(
+        let keys = {};
+        if (!options) options = {};
+        if (!options.cryptoCallbacks) options.cryptoCallbacks = {};
+        if (!options.cryptoCallbacks.saveCrossSigningKeys) {
+            options.cryptoCallbacks.saveCrossSigningKeys = k => { keys = k; };
+            options.cryptoCallbacks.getCrossSigningKey = typ => keys[typ];
+        }
+        const testClient = new TestClient(
             userInfo.userId, userInfo.deviceId, undefined, undefined,
             options,
-        )).client;
+        );
         if (!(userInfo.userId in clientMap)) {
             clientMap[userInfo.userId] = {};
         }
-        clientMap[userInfo.userId][userInfo.deviceId] = client;
-        client.sendToDevice = sendToDevice;
-        clients.push(client);
+        clientMap[userInfo.userId][userInfo.deviceId] = testClient.client;
+        testClient.client.sendToDevice = sendToDevice;
+        testClient.client.sendEvent = sendEvent;
+        clients.push(testClient);
     }
 
-    await Promise.all(clients.map((client) => client.initCrypto()));
+    await Promise.all(clients.map((testClient) => testClient.client.initCrypto()));
 
     return clients;
 }

spec/unit/matrix-client.spec.js

@@ -154,12 +154,9 @@ describe("MatrixClient", function() {
         });
         // FIXME: We shouldn't be yanking _http like this.
         client._http = [
-            "authedRequest", "authedRequestWithPrefix", "getContentUri",
-            "request", "requestWithPrefix", "uploadContent",
+            "authedRequest", "getContentUri", "request", "uploadContent",
         ].reduce((r, k) => { r[k] = expect.createSpy(); return r; }, {});
         client._http.authedRequest.andCall(httpReq);
-        client._http.authedRequestWithPrefix.andCall(httpReq);
-        client._http.requestWithPrefix.andCall(httpReq);
         client._http.request.andCall(httpReq);
 
         // set reasonable working defaults
@@ -181,9 +178,6 @@ describe("MatrixClient", function() {
         client._http.authedRequest.andCall(function() {
             return Promise.defer().promise;
         });
-        client._http.authedRequestWithPrefix.andCall(function() {
-            return Promise.defer().promise;
-        });
     });
 
     it("should not POST /filter if a matching filter already exists", async function() {

src/autodiscovery.js

@@ -429,6 +429,26 @@ export class AutoDiscovery {
         return AutoDiscovery.fromDiscoveryConfig(wellknown.raw);
     }
 
+    /**
+     * Gets the raw discovery client configuration for the given domain name.
+     * Should only be used if there's no validation to be done on the resulting
+     * object, otherwise use findClientConfig().
+     * @param {string} domain The domain to get the client config for.
+     * @returns {Promise<object>} Resolves to the domain's client config. Can
+     * be an empty object.
+     */
+    static async getRawClientConfig(domain) {
+        if (!domain || typeof(domain) !== "string" || domain.length === 0) {
+            throw new Error("'domain' must be a string of non-zero length");
+        }
+
+        const response = await this._fetchWellKnownObject(
+            `https://${domain}/.well-known/matrix/client`,
+        );
+        if (!response) return {};
+        return response.raw || {};
+    }
+
     /**
      * Sanitizes a given URL to ensure it is either an HTTP or HTTP URL and
      * is suitable for the requirements laid out by .well-known auto discovery.

src/base-apis.js

@@ -63,6 +63,15 @@ function termsUrlForService(serviceType, baseUrl) {
  *
  * @param {string} opts.accessToken The access_token for this user.
  *
+ * @param {IdentityServerProvider} [opts.identityServer]
+ * Optional. A provider object with one function `getAccessToken`, which is a
+ * callback that returns a Promise<String> of an identity access token to supply
+ * with identity requests. If the object is unset, no access token will be
+ * supplied.
+ * See also https://github.com/vector-im/riot-web/issues/10615 which seeks to
+ * replace the previous approach of manual access tokens params with this
+ * callback throughout the SDK.
+ *
  * @param {Number=} opts.localTimeoutMs Optional. The default maximum amount of
  * time to wait before timing out HTTP requests. If not specified, there is no
  * timeout.
@@ -79,6 +88,7 @@ function MatrixBaseApis(opts) {
 
     this.baseUrl = opts.baseUrl;
     this.idBaseUrl = opts.idBaseUrl;
+    this.identityServer = opts.identityServer;
 
     const httpOpts = {
         baseUrl: opts.baseUrl,
@@ -117,6 +127,15 @@ MatrixBaseApis.prototype.getIdentityServerUrl = function(stripProto=false) {
     return this.idBaseUrl;
 };
 
+/**
+ * Set the Identity Server URL of this client
+ * @param {string} url New Identity Server URL
+ */
+MatrixBaseApis.prototype.setIdentityServerUrl = function(url) {
+    this.idBaseUrl = utils.ensureNoTrailingSlash(url);
+    this._http.setIdBaseUrl(this.idBaseUrl);
+};
+
 /**
  * Get the access token associated with this account.
  * @return {?String} The access_token or null
@@ -478,8 +497,10 @@ MatrixBaseApis.prototype.fetchRelations =
             $relationType: relationType,
             $eventType: eventType,
         });
-    const response = await this._http.authedRequestWithPrefix(
-        undefined, "GET", path, null, null, httpApi.PREFIX_UNSTABLE,
+    const response = await this._http.authedRequest(
+        undefined, "GET", path, null, null, {
+            prefix: httpApi.PREFIX_UNSTABLE,
+        },
     );
     return response;
 };
@@ -972,10 +993,13 @@ MatrixBaseApis.prototype.roomInitialSync = function(roomId, limit, callback) {
  * @param {string} rrEventId ID of the event tracked by the read receipt. This is here
  * for convenience because the RR and the RM are commonly updated at the same time as
  * each other. Optional.
+ * @param {object} opts Options for the read markers.
+ * @param {object} opts.hidden True to hide the read receipt from other users. <b>This
+ * property is currently unstable and may change in the future.</b>
  * @return {module:client.Promise} Resolves: the empty object, {}.
  */
 MatrixBaseApis.prototype.setRoomReadMarkersHttpRequest =
-                                function(roomId, rmEventId, rrEventId) {
+                                function(roomId, rmEventId, rrEventId, opts) {
     const path = utils.encodeUri("/rooms/$roomId/read_markers", {
         $roomId: roomId,
     });
@@ -983,6 +1007,7 @@ MatrixBaseApis.prototype.setRoomReadMarkersHttpRequest =
     const content = {
         "m.fully_read": rmEventId,
         "m.read": rrEventId,
+        "m.hidden": Boolean(opts ? opts.hidden : false),
     };
 
     return this._http.authedRequest(
@@ -1314,10 +1339,16 @@ MatrixBaseApis.prototype.getThreePids = function(callback) {
 };
 
 /**
+ * Add a 3PID to your homeserver account and optionally bind it to an identity
+ * server as well. An identity server is required as part of the `creds` object.
+ *
+ * This API is deprecated, and you should instead use `addThreePidOnly`
+ * for homeservers that support it.
+ *
  * @param {Object} creds
  * @param {boolean} bind
  * @param {module:client.callback} callback Optional.
- * @return {module:client.Promise} Resolves: TODO
+ * @return {module:client.Promise} Resolves: on success
  * @return {module:http-api.MatrixError} Rejects: with an error response.
  */
 MatrixBaseApis.prototype.addThreePid = function(creds, bind, callback) {
@@ -1331,6 +1362,75 @@ MatrixBaseApis.prototype.addThreePid = function(creds, bind, callback) {
     );
 };
 
+/**
+ * Add a 3PID to your homeserver account. This API does not use an identity
+ * server, as the homeserver is expected to handle 3PID ownership validation.
+ *
+ * You can check whether a homeserver supports this API via
+ * `doesServerSupportSeparateAddAndBind`.
+ *
+ * @param {Object} data A object with 3PID validation data from having called
+ * `account/3pid/<medium>/requestToken` on the homeserver.
+ * @return {module:client.Promise} Resolves: on success
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.addThreePidOnly = async function(data) {
+    const path = "/account/3pid/add";
+    const prefix = await this.isVersionSupported("r0.6.0") ?
+        httpApi.PREFIX_R0 : httpApi.PREFIX_UNSTABLE;
+    return this._http.authedRequest(
+        undefined, "POST", path, null, data, { prefix },
+    );
+};
+
+/**
+ * Bind a 3PID for discovery onto an identity server via the homeserver. The
+ * identity server handles 3PID ownership validation and the homeserver records
+ * the new binding to track where all 3PIDs for the account are bound.
+ *
+ * You can check whether a homeserver supports this API via
+ * `doesServerSupportSeparateAddAndBind`.
+ *
+ * @param {Object} data A object with 3PID validation data from having called
+ * `validate/<medium>/requestToken` on the identity server. It should also
+ * contain `id_server` and `id_access_token` fields as well.
+ * @return {module:client.Promise} Resolves: on success
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.bindThreePid = async function(data) {
+    const path = "/account/3pid/bind";
+    const prefix = await this.isVersionSupported("r0.6.0") ?
+        httpApi.PREFIX_R0 : httpApi.PREFIX_UNSTABLE;
+    return this._http.authedRequest(
+        undefined, "POST", path, null, data, { prefix },
+    );
+};
+
+/**
+ * Unbind a 3PID for discovery on an identity server via the homeserver. The
+ * homeserver removes its record of the binding to keep an updated record of
+ * where all 3PIDs for the account are bound.
+ *
+ * @param {string} medium The threepid medium (eg. 'email')
+ * @param {string} address The threepid address (eg. 'bob@example.com')
+ *        this must be as returned by getThreePids.
+ * @return {module:client.Promise} Resolves: on success
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.unbindThreePid = async function(medium, address) {
+    const path = "/account/3pid/unbind";
+    const data = {
+        medium,
+        address,
+        id_server: this.getIdentityServerUrl(true),
+    };
+    const prefix = await this.isVersionSupported("r0.6.0") ?
+        httpApi.PREFIX_R0 : httpApi.PREFIX_UNSTABLE;
+    return this._http.authedRequest(
+        undefined, "POST", path, null, data, { prefix },
+    );
+};
+
 /**
  * @param {string} medium The threepid medium (eg. 'email')
  * @param {string} address The threepid address (eg. 'bob@example.com')
@@ -1618,6 +1718,15 @@ MatrixBaseApis.prototype.uploadKeysRequest = function(content, opts, callback) {
     return this._http.authedRequest(callback, "POST", path, undefined, content);
 };
 
+MatrixBaseApis.prototype.uploadKeySignatures = function(content) {
+    return this._http.authedRequest(
+        undefined, "POST", '/keys/signatures/upload', undefined,
+        content, {
+            prefix: httpApi.PREFIX_UNSTABLE,
+        },
+    );
+};
+
 /**
  * Download device keys
  *
@@ -1702,6 +1811,14 @@ MatrixBaseApis.prototype.getKeyChanges = function(oldToken, newToken) {
     return this._http.authedRequest(undefined, "GET", path, qps, undefined);
 };
 
+MatrixBaseApis.prototype.uploadDeviceSigningKeys = function(auth, keys) {
+    const data = Object.assign({}, keys, {auth});
+    return this._http.authedRequest(
+        undefined, "POST", "/keys/device_signing/upload", undefined, data, {
+            prefix: httpApi.PREFIX_UNSTABLE,
+        },
+    );
+};
 
 // Identity Server Operations
 // ==========================
@@ -1720,6 +1837,10 @@ MatrixBaseApis.prototype.getKeyChanges = function(oldToken, newToken) {
  * @return {module:http-api.MatrixError} Rejects: with an error response.
  */
 MatrixBaseApis.prototype.registerWithIdentityServer = function(hsOpenIdToken) {
+    if (!this.idBaseUrl) {
+        throw new Error("No Identity Server base URL set");
+    }
+
     const uri = this.idBaseUrl + httpApi.PREFIX_IDENTITY_V2 + "/account/register";
     return this._http.requestOtherUrl(
         undefined, "POST", uri,
@@ -1728,10 +1849,11 @@ MatrixBaseApis.prototype.registerWithIdentityServer = function(hsOpenIdToken) {
 };
 
 /**
- * Requests an email verification token directly from an Identity Server.
+ * Requests an email verification token directly from an identity server.
  *
- * Note that the Homeserver offers APIs to proxy this API for specific
- * situations, allowing for better feedback to the user.
+ * This API is used as part of binding an email for discovery on an identity
+ * server. The validation data that results should be passed to the
+ * `bindThreePid` method to complete the binding process.
  *
  * @param {string} email The email address to request a token for
  * @param {string} clientSecret A secret binary string generated by the client.
@@ -1743,12 +1865,12 @@ MatrixBaseApis.prototype.registerWithIdentityServer = function(hsOpenIdToken) {
  * @param {string} nextLink Optional If specified, the client will be redirected
  *                 to this link after validation.
  * @param {module:client.callback} callback Optional.
- * @param {string} identityAccessToken The `access_token` field of the Identity
- * Server `/account/register` response (see {@link registerWithIdentityServer}).
+ * @param {string} identityAccessToken The `access_token` field of the identity
+ * server `/account/register` response (see {@link registerWithIdentityServer}).
  *
  * @return {module:client.Promise} Resolves: TODO
  * @return {module:http-api.MatrixError} Rejects: with an error response.
- * @throws Error if no Identity Server is set
+ * @throws Error if no identity server is set
  */
 MatrixBaseApis.prototype.requestEmailToken = async function(
     email,
@@ -1790,7 +1912,75 @@ MatrixBaseApis.prototype.requestEmailToken = async function(
 };
 
 /**
- * Submits an MSISDN token to the identity server
+ * Requests a MSISDN verification token directly from an identity server.
+ *
+ * This API is used as part of binding a MSISDN for discovery on an identity
+ * server. The validation data that results should be passed to the
+ * `bindThreePid` method to complete the binding process.
+ *
+ * @param {string} phoneCountry The ISO 3166-1 alpha-2 code for the country in
+ *                 which phoneNumber should be parsed relative to.
+ * @param {string} phoneNumber The phone number, in national or international
+ *                 format
+ * @param {string} clientSecret A secret binary string generated by the client.
+ *                 It is recommended this be around 16 ASCII characters.
+ * @param {number} sendAttempt If an identity server sees a duplicate request
+ *                 with the same sendAttempt, it will not send another SMS.
+ *                 To request another SMS to be sent, use a larger value for
+ *                 the sendAttempt param as was used in the previous request.
+ * @param {string} nextLink Optional If specified, the client will be redirected
+ *                 to this link after validation.
+ * @param {module:client.callback} callback Optional.
+ * @param {string} identityAccessToken The `access_token` field of the Identity
+ * Server `/account/register` response (see {@link registerWithIdentityServer}).
+ *
+ * @return {module:client.Promise} Resolves: TODO
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ * @throws Error if no identity server is set
+ */
+MatrixBaseApis.prototype.requestMsisdnToken = async function(
+    phoneCountry,
+    phoneNumber,
+    clientSecret,
+    sendAttempt,
+    nextLink,
+    callback,
+    identityAccessToken,
+) {
+    const params = {
+        client_secret: clientSecret,
+        country: phoneCountry,
+        phone_number: phoneNumber,
+        send_attempt: sendAttempt,
+        next_link: nextLink,
+    };
+
+    try {
+        const response = await this._http.idServerRequest(
+            undefined, "POST", "/validate/msisdn/requestToken",
+            params, httpApi.PREFIX_IDENTITY_V2, identityAccessToken,
+        );
+        // TODO: Fold callback into above call once v1 path below is removed
+        if (callback) callback(null, response);
+        return response;
+    } catch (err) {
+        if (err.cors === "rejected" || err.httpStatus === 404) {
+            // Fall back to deprecated v1 API for now
+            // TODO: Remove this path once v2 is only supported version
+            // See https://github.com/vector-im/riot-web/issues/10443
+            logger.warn("IS doesn't support v2, falling back to deprecated v1");
+            return await this._http.idServerRequest(
+                callback, "POST", "/validate/msisdn/requestToken",
+                params, httpApi.PREFIX_IDENTITY_V1,
+            );
+        }
+        if (callback) callback(err);
+        throw err;
+    }
+};
+
+/**
+ * Submits a MSISDN token to the identity server
  *
  * This is used when submitting the code sent by SMS to a phone number.
  * The ID server has an equivalent API for email but the js-sdk does
@@ -1840,6 +2030,137 @@ MatrixBaseApis.prototype.submitMsisdnToken = async function(
     }
 };
 
+/**
+ * Submits a MSISDN token to an arbitrary URL.
+ *
+ * This is used when submitting the code sent by SMS to a phone number in the
+ * newer 3PID flow where the homeserver validates 3PID ownership (as part of
+ * `requestAdd3pidMsisdnToken`). The homeserver response may include a
+ * `submit_url` to specify where the token should be sent, and this helper can
+ * be used to pass the token to this URL.
+ *
+ * @param {string} url The URL to submit the token to
+ * @param {string} sid The sid given in the response to requestToken
+ * @param {string} clientSecret A secret binary string generated by the client.
+ *                 This must be the same value submitted in the requestToken call.
+ * @param {string} msisdnToken The MSISDN token, as enetered by the user.
+ *
+ * @return {module:client.Promise} Resolves: Object, currently with no parameters.
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.submitMsisdnTokenOtherUrl = function(
+    url,
+    sid,
+    clientSecret,
+    msisdnToken,
+) {
+    const params = {
+        sid: sid,
+        client_secret: clientSecret,
+        token: msisdnToken,
+    };
+
+    return this._http.requestOtherUrl(
+        undefined, "POST", url, undefined, params,
+    );
+};
+
+/**
+ * Gets the V2 hashing information from the identity server. Primarily useful for
+ * lookups.
+ * @param {string} identityAccessToken The access token for the identity server.
+ * @returns {Promise<object>} The hashing information for the identity server.
+ */
+MatrixBaseApis.prototype.getIdentityHashDetails = function(identityAccessToken) {
+    return this._http.idServerRequest(
+        undefined, "GET", "/hash_details",
+        null, httpApi.PREFIX_IDENTITY_V2, identityAccessToken,
+    );
+};
+
+/**
+ * Performs a hashed lookup of addresses against the identity server. This is
+ * only supported on identity servers which have at least the version 2 API.
+ * @param {Array<Array<string,string>>} addressPairs An array of 2 element arrays.
+ * The first element of each pair is the address, the second is the 3PID medium.
+ * Eg: ["email@example.org", "email"]
+ * @param {string} identityAccessToken The access token for the identity server.
+ * @returns {Promise<Array<{address, mxid}>>} A collection of address mappings to
+ * found MXIDs. Results where no user could be found will not be listed.
+ */
+MatrixBaseApis.prototype.identityHashedLookup = async function(
+    addressPairs, // [["email@example.org", "email"], ["10005550000", "msisdn"]]
+    identityAccessToken,
+) {
+    const params = {
+        // addresses: ["email@example.org", "10005550000"],
+        // algorithm: "sha256",
+        // pepper: "abc123"
+    };
+
+    // Get hash information first before trying to do a lookup
+    const hashes = await this.getIdentityHashDetails(identityAccessToken);
+    if (!hashes || !hashes['lookup_pepper'] || !hashes['algorithms']) {
+        throw new Error("Unsupported identity server: bad response");
+    }
+
+    params['pepper'] = hashes['lookup_pepper'];
+
+    const localMapping = {
+        // hashed identifier => plain text address
+        // For use in this function's return format
+    };
+
+    // When picking an algorithm, we pick the hashed over no hashes
+    if (hashes['algorithms'].includes('sha256')) {
+        // Abuse the olm hashing
+        const olmutil = new global.Olm.Utility();
+        params["addresses"] = addressPairs.map(p => {
+            const addr = p[0].toLowerCase(); // lowercase to get consistent hashes
+            const med = p[1].toLowerCase();
+            const hashed = olmutil.sha256(`${addr} ${med} ${params['pepper']}`)
+                .replace(/\+/g, '-').replace(/\//g, '_'); // URL-safe base64
+            // Map the hash to a known (case-sensitive) address. We use the case
+            // sensitive version because the caller might be expecting that.
+            localMapping[hashed] = p[0];
+            return hashed;
+        });
+        params["algorithm"] = "sha256";
+    } else if (hashes['algorithms'].includes('none')) {
+        params["addresses"] = addressPairs.map(p => {
+            const addr = p[0].toLowerCase(); // lowercase to get consistent hashes
+            const med = p[1].toLowerCase();
+            const unhashed = `${addr} ${med}`;
+            // Map the unhashed values to a known (case-sensitive) address. We use
+            // the case sensitive version because the caller might be expecting that.
+            localMapping[unhashed] = p[0];
+            return unhashed;
+        });
+        params["algorithm"] = "none";
+    } else {
+        throw new Error("Unsupported identity server: unknown hash algorithm");
+    }
+
+    const response = await this._http.idServerRequest(
+        undefined, "POST", "/lookup",
+        params, httpApi.PREFIX_IDENTITY_V2, identityAccessToken,
+    );
+
+    if (!response || !response['mappings']) return []; // no results
+
+    const foundAddresses = [/* {address: "plain@example.org", mxid} */];
+    for (const hashed of Object.keys(response['mappings'])) {
+        const mxid = response['mappings'][hashed];
+        const plainAddress = localMapping[hashed];
+        if (!plainAddress) {
+            throw new Error("Identity server returned more results than expected");
+        }
+
+        foundAddresses.push({address: plainAddress, mxid});
+    }
+    return foundAddresses;
+};
+
 /**
  * Looks up the public Matrix ID mapping for a given 3rd party
  * identifier from the Identity Server
@@ -1861,35 +2182,131 @@ MatrixBaseApis.prototype.lookupThreePid = async function(
     callback,
     identityAccessToken,
 ) {
-    const params = {
-        medium: medium,
-        address: address,
-    };
-
     try {
-        const response = await this._http.idServerRequest(
-            undefined, "GET", "/lookup",
-            params, httpApi.PREFIX_IDENTITY_V2, identityAccessToken,
+        // Note: we're using the V2 API by calling this function, but our
+        // function contract requires a V1 response. We therefore have to
+        // convert it manually.
+        const response = await this.identityHashedLookup(
+            [[address, medium]], identityAccessToken,
         );
+        const result = response.find(p => p.address === address);
+        if (!result) {
+            // TODO: Fold callback into above call once v1 path below is removed
+            if (callback) callback(null, {});
+            return {};
+        }
+
+        const mapping = {
+            address,
+            medium,
+            mxid: result.mxid,
+
+            // We can't reasonably fill these parameters:
+            // not_before
+            // not_after
+            // ts
+            // signatures
+        };
+
         // TODO: Fold callback into above call once v1 path below is removed
-        if (callback) callback(null, response);
-        return response;
+        if (callback) callback(null, mapping);
+        return mapping;
     } catch (err) {
         if (err.cors === "rejected" || err.httpStatus === 404) {
             // Fall back to deprecated v1 API for now
             // TODO: Remove this path once v2 is only supported version
             // See https://github.com/vector-im/riot-web/issues/10443
+            const params = {
+                medium: medium,
+                address: address,
+            };
             logger.warn("IS doesn't support v2, falling back to deprecated v1");
             return await this._http.idServerRequest(
                 callback, "GET", "/lookup",
                 params, httpApi.PREFIX_IDENTITY_V1,
             );
         }
-        if (callback) callback(err);
+        if (callback) callback(err, undefined);
         throw err;
     }
 };
 
+/**
+ * Looks up the public Matrix ID mappings for multiple 3PIDs.
+ *
+ * @param {Array.<Array.<string>>} query Array of arrays containing
+ * [medium, address]
+ * @param {string} identityAccessToken The `access_token` field of the Identity
+ * Server `/account/register` response (see {@link registerWithIdentityServer}).
+ *
+ * @return {module:client.Promise} Resolves: Lookup results from IS.
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.bulkLookupThreePids = async function(
+    query,
+    identityAccessToken,
+) {
+    try {
+        // Note: we're using the V2 API by calling this function, but our
+        // function contract requires a V1 response. We therefore have to
+        // convert it manually.
+        const response = await this.identityHashedLookup(
+            // We have to reverse the query order to get [address, medium] pairs
+            query.map(p => [p[1], p[0]]), identityAccessToken,
+        );
+
+        const v1results = [];
+        for (const mapping of response) {
+            const originalQuery = query.find(p => p[1] === mapping.address);
+            if (!originalQuery) {
+                throw new Error("Identity sever returned unexpected results");
+            }
+
+            v1results.push([
+                originalQuery[0], // medium
+                mapping.address,
+                mapping.mxid,
+            ]);
+        }
+
+        return {threepids: v1results};
+    } catch (err) {
+        if (err.cors === "rejected" || err.httpStatus === 404) {
+            // Fall back to deprecated v1 API for now
+            // TODO: Remove this path once v2 is only supported version
+            // See https://github.com/vector-im/riot-web/issues/10443
+            const params = {
+                threepids: query,
+            };
+            logger.warn("IS doesn't support v2, falling back to deprecated v1");
+            return await this._http.idServerRequest(
+                undefined, "POST", "/bulk_lookup", params,
+                httpApi.PREFIX_IDENTITY_V1, identityAccessToken,
+            );
+        }
+        throw err;
+    }
+};
+
+/**
+ * Get account info from the Identity Server. This is useful as a neutral check
+ * to verify that other APIs are likely to approve access by testing that the
+ * token is valid, terms have been agreed, etc.
+ *
+ * @param {string} identityAccessToken The `access_token` field of the Identity
+ * Server `/account/register` response (see {@link registerWithIdentityServer}).
+ *
+ * @return {module:client.Promise} Resolves: an object with account info.
+ * @return {module:http-api.MatrixError} Rejects: with an error response.
+ */
+MatrixBaseApis.prototype.getIdentityAccount = function(
+    identityAccessToken,
+) {
+    return this._http.idServerRequest(
+        undefined, "GET", "/account",
+        undefined, httpApi.PREFIX_IDENTITY_V2, identityAccessToken,
+    );
+};
 
 // Direct-to-device messaging
 // ==========================

src/client.js

@@ -46,12 +46,12 @@ const olmlib = require("./crypto/olmlib");
 
 import ReEmitter from './ReEmitter';
 import RoomList from './crypto/RoomList';
-import logger from '../src/logger';
+import logger from './logger';
 
 import Crypto from './crypto';
 import { isCryptoAvailable } from './crypto';
 import { encodeRecoveryKey, decodeRecoveryKey } from './crypto/recoverykey';
-import { keyForNewBackup, keyForExistingBackup } from './crypto/backup_password';
+import { keyFromPassphrase, keyFromAuthData } from './crypto/key_passphrase';
 import { randomString } from './randomstring';
 
 // Disable warnings for now: we use deprecated bluebird functions
@@ -108,6 +108,15 @@ function keyFromRecoverySession(session, decryptionKey) {
  *
  * @param {string} opts.userId The user ID for this user.
  *
+ * @param {IdentityServerProvider} [opts.identityServer]
+ * Optional. A provider object with one function `getAccessToken`, which is a
+ * callback that returns a Promise<String> of an identity access token to supply
+ * with identity requests. If the object is unset, no access token will be
+ * supplied.
+ * See also https://github.com/vector-im/riot-web/issues/10615 which seeks to
+ * replace the previous approach of manual access tokens params with this
+ * callback throughout the SDK.
+ *
  * @param {Object=} opts.store
  *    The data store used for sync data from the homeserver. If not specified,
  *    this client will not store any HTTP responses. The `createClient` helper
@@ -159,17 +168,79 @@ function keyFromRecoverySession(session, decryptionKey) {
  * that the application can handle.  Each element should be an item from {@link
  * module:crypto~verificationMethods verificationMethods}, or a class that
  * implements the {$link module:crypto/verification/Base verifier interface}.
+ *
+ * @param {boolean} [opts.forceTURN]
+ * Optional. Whether relaying calls through a TURN server should be forced.
+ *
+ * @param {boolean} [opts.fallbackICEServerAllowed]
+ * Optional. Whether to allow a fallback ICE server should be used for negotiating a
+ * WebRTC connection if the homeserver doesn't provide any servers. Defaults to false.
+ *
+ * @param {object} opts.cryptoCallbacks Optional. Callbacks for crypto and cross-signing.
+ *     The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @param {function} [opts.cryptoCallbacks.getCrossSigningKey]
+ * Optional (required for cross-signing). Function to call when a cross-signing private key is needed.
+ * Args:
+ *    {string} type The type of key needed.  Will be one of "master",
+ *      "self_signing", or "user_signing"
+ *    {Uint8Array} publicKey The public key matching the expected private key.
+ *        This can be passed to checkPrivateKey() along with the private key
+ *        in order to check that a given private key matches what is being
+ *        requested.
+ *   Should return a promise that resolves with the private key as a
+ *   UInt8Array or rejects with an error.
+ *
+ * @param {function} [opts.cryptoCallbacks.saveCrossSigningKeys]
+ * Optional (required for cross-signing). Called when new private keys
+ * for cross-signing need to be saved.
+ * Args:
+ *   {object} keys the private keys to save. Map of key name to private key
+ *       as a UInt8Array. The getPrivateKey callback above will be called
+ *       with the corresponding key name when the keys are required again.
+ *
+ * @param {function} [opts.cryptoCallbacks.shouldUpgradeDeviceVerifications]
+ * Optional. Called when there are device-to-device verifications that can be
+ * upgraded into cross-signing verifications.
+ * Args:
+ *   {object} users The users whose device verifications can be
+ *     upgraded to cross-signing verifications.  This will be a map of user IDs
+ *     to objects with the properties `devices` (array of the user's devices
+ *     that verified their cross-signing key), and `crossSigningInfo` (the
+ *     user's cross-signing information)
+ * Should return a promise which resolves with an array of the user IDs who
+ * should be cross-signed.
+ *
+ * @param {function} [opts.cryptoCallbacks.getSecretStorageKey]
+ * Optional. Function called when an encryption key for secret storage
+ *     is required. One or more keys will be described in the keys object.
+ *     The callback function should return with an array of:
+ *     [<key name>, <UInt8Array private key>] or null if it cannot provide
+ *     any of the keys.
+ * Args:
+ *   {object} keys Information about the keys:
+ *       {
+ *           <key name>: {
+ *               pubkey: {UInt8Array}
+ *           }
+ *       }
+ *
+ * @param {function} [opts.cryptoCallbacks.onSecretRequested]
+ * Optional. Function called when a request for a secret is received from another
+ * device.
+ * Args:
+ *   {string} name The name of the secret being requested.
+ *   {string} user_id (string) The user ID of the client requesting
+ *   {string} device_id The device ID of the client requesting the secret.
+ *   {string} request_id The ID of the request. Used to match a
+ *     corresponding `crypto.secrets.request_cancelled`. The request ID will be
+ *     unique per sender, device pair.
+ *   {DeviceTrustLevel} device_trust: The trust status of the device requesting
+ *     the secret as returned by {@link module:client~MatrixClient#checkDeviceTrust}.
  */
 function MatrixClient(opts) {
-    // Allow trailing slash in HS url
-    if (opts.baseUrl && opts.baseUrl.endsWith("/")) {
-        opts.baseUrl = opts.baseUrl.substr(0, opts.baseUrl.length - 1);
-    }
-
-    // Allow trailing slash in IS url
-    if (opts.idBaseUrl && opts.idBaseUrl.endsWith("/")) {
-        opts.idBaseUrl = opts.idBaseUrl.substr(0, opts.idBaseUrl.length - 1);
-    }
+    opts.baseUrl = utils.ensureNoTrailingSlash(opts.baseUrl);
+    opts.idBaseUrl = utils.ensureNoTrailingSlash(opts.idBaseUrl);
 
     MatrixBaseApis.call(this, opts);
 
@@ -226,8 +297,10 @@ function MatrixClient(opts) {
     this._cryptoStore = opts.cryptoStore;
     this._sessionStore = opts.sessionStore;
     this._verificationMethods = opts.verificationMethods;
+    this._cryptoCallbacks = opts.cryptoCallbacks;
 
     this._forceTURN = opts.forceTURN || false;
+    this._fallbackICEServerAllowed = opts.fallbackICEServerAllowed || false;
 
     // List of which rooms have encryption enabled: separate from crypto because
     // we still want to know which rooms are encrypted even if crypto is disabled:
@@ -237,7 +310,9 @@ function MatrixClient(opts) {
     // The pushprocessor caches useful things, so keep one and re-use it
     this._pushProcessor = new PushProcessor(this);
 
-    this._serverSupportsLazyLoading = null;
+    // Cache of the server's /versions response
+    // TODO: This should expire: https://github.com/matrix-org/matrix-js-sdk/issues/1020
+    this._serverVersionsCache = null;
 
     this._cachedCapabilities = null; // { capabilities: {}, lastUpdated: timestamp }
 
@@ -599,6 +674,10 @@ MatrixClient.prototype.initCrypto = async function() {
         "crypto.roomKeyRequest",
         "crypto.roomKeyRequestCancellation",
         "crypto.warning",
+        "crypto.devicesUpdated",
+        "deviceVerificationChanged",
+        "userVerificationChanged",
+        "crossSigning.keysChanged",
     ]);
 
     logger.log("Crypto: initialising crypto object...");
@@ -767,12 +846,45 @@ async function _setDeviceVerification(
     if (!client._crypto) {
         throw new Error("End-to-End encryption disabled");
     }
-    const dev = await client._crypto.setDeviceVerification(
+    await client._crypto.setDeviceVerification(
         userId, deviceId, verified, blocked, known,
     );
-    client.emit("deviceVerificationChanged", userId, deviceId, dev);
 }
 
+/**
+ * Request a key verification from another user, using a DM.
+ *
+ * @param {string} userId the user to request verification with
+ * @param {string} roomId the room to use for verification
+ * @param {Array} methods array of verification methods to use.  Defaults to
+ *    all known methods
+ *
+ * @returns {Promise<module:crypto/verification/Base>} resolves to a verifier
+ *    when the request is accepted by the other user
+ */
+MatrixClient.prototype.requestVerificationDM = function(userId, roomId, methods) {
+    if (this._crypto === null) {
+        throw new Error("End-to-end encryption disabled");
+    }
+    return this._crypto.requestVerificationDM(userId, roomId, methods);
+};
+
+/**
+ * Accept a key verification request from a DM.
+ *
+ * @param {module:models/event~MatrixEvent} event the verification request
+ * that is accepted
+ * @param {string} method the verification mmethod to use
+ *
+ * @returns {module:crypto/verification/Base} a verifier
+ */
+MatrixClient.prototype.acceptVerificationDM = function(event, method) {
+    if (this._crypto === null) {
+        throw new Error("End-to-end encryption disabled");
+    }
+    return this._crypto.acceptVerificationDM(event, method);
+};
+
 /**
  * Request a key verification from another user.
  *
@@ -834,6 +946,198 @@ MatrixClient.prototype.getGlobalBlacklistUnverifiedDevices = function() {
     return this._crypto.getGlobalBlacklistUnverifiedDevices();
 };
 
+/**
+ * Add methods that call the corresponding method in this._crypto
+ *
+ * @param {class} MatrixClient the class to add the method to
+ * @param {string} names the names of the methods to call
+ */
+function wrapCryptoFuncs(MatrixClient, names) {
+    for (const name of names) {
+        MatrixClient.prototype[name] = function(...args) {
+            if (!this._crypto) { // eslint-disable-line no-invalid-this
+                throw new Error("End-to-end encryption disabled");
+            }
+
+            return this._crypto[name](...args); // eslint-disable-line no-invalid-this
+        };
+    }
+}
+
+/**
+ * Check whether we already have cross-signing keys for the current user.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#doesCrossSigningHaveKeys
+ * @return {boolean} Whether we have keys.
+ */
+
+ /**
+ * Generate new cross-signing keys.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#resetCrossSigningKeys
+ * @param {object} authDict Auth data to supply for User-Interactive auth.
+ * @param {CrossSigningLevel} [level] the level of cross-signing to reset.  New
+ * keys will be created for the given level and below.  Defaults to
+ * regenerating all keys.
+ */
+
+/**
+ * Get the user's cross-signing key ID.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#getCrossSigningId
+ * @param {string} [type=master] The type of key to get the ID of.  One of
+ *     "master", "self_signing", or "user_signing".  Defaults to "master".
+ *
+ * @returns {string} the key ID
+ */
+
+/**
+ * Get the cross signing information for a given user.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#getStoredCrossSigningForUser
+ * @param {string} userId the user ID to get the cross-signing info for.
+ *
+ * @returns {CrossSigningInfo} the cross signing information for the user.
+ */
+
+/**
+ * Check whether a given user is trusted.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#checkUserTrust
+ * @param {string} userId The ID of the user to check.
+ *
+ * @returns {UserTrustLevel}
+ */
+
+/**
+ * Check whether a given device is trusted.
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#checkDeviceTrust
+ * @param {string} userId The ID of the user whose devices is to be checked.
+ * @param {string} deviceId The ID of the device to check
+ *
+ * @returns {DeviceTrustLevel}
+ */
+
+wrapCryptoFuncs(MatrixClient, [
+    "doesCrossSigningHaveKeys",
+    "resetCrossSigningKeys",
+    "getCrossSigningId",
+    "getStoredCrossSigningForUser",
+    "checkUserTrust",
+    "checkDeviceTrust",
+    "checkOwnCrossSigningTrust",
+    "checkPrivateKey",
+]);
+
+/**
+ * Check if the sender of an event is verified
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @param {MatrixEvent} event event to be checked
+ *
+ * @returns {DeviceTrustLevel}
+ */
+MatrixClient.prototype.checkEventSenderTrust = async function(event) {
+    const device = await this.getEventSenderDeviceInfo(event);
+    if (!device) {
+        return 0;
+    }
+    return await this._crypto.checkDeviceTrust(event.getSender(), device.deviceId);
+};
+
+/**
+ * Add a key for encrypting secrets.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#addSecretKey
+ * @param {string} algorithm the algorithm used by the key
+ * @param {object} opts the options for the algorithm.  The properties used
+ *     depend on the algorithm given.  This object may be modified to pass
+ *     information back about the key.
+ * @param {string} [keyName] the name of the key.  If not given, a random
+ *     name will be generated.
+ *
+ * @return {string} the name of the key
+ */
+
+/**
+ * Store an encrypted secret on the server
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#storeSecret
+ * @param {string} name The name of the secret
+ * @param {string} secret The secret contents.
+ * @param {Array} keys The IDs of the keys to use to encrypt the secret or null/undefined
+ *     to use the default (will throw if no default key is set).
+ */
+
+/**
+ * Get a secret from storage.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#getSecret
+ * @param {string} name the name of the secret
+ *
+ * @return {string} the contents of the secret
+ */
+
+/**
+ * Check if a secret is stored on the server.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#isSecretStored
+ * @param {string} name the name of the secret
+ * @param {boolean} checkKey check if the secret is encrypted by a trusted
+ *     key
+ *
+ * @return {boolean} whether or not the secret is stored
+ */
+
+/**
+ * Request a secret from another device.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#requestSecret
+ * @param {string} name the name of the secret to request
+ * @param {string[]} devices the devices to request the secret from
+ *
+ * @return {string} the contents of the secret
+ */
+
+/**
+ * Get the current default key ID for encrypting secrets.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#getDefaultSecretStorageKeyId
+ *
+ * @return {string} The default key ID or null if no default key ID is set
+ */
+
+/**
+ * Set the current default key ID for encrypting secrets.
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @function module:client~MatrixClient#setDefaultSecretStorageKeyId
+ * @param {string} keyId The new default key ID
+ */
+
+wrapCryptoFuncs(MatrixClient, [
+    "addSecretKey",
+    "storeSecret",
+    "getSecret",
+    "isSecretStored",
+    "requestSecret",
+    "getDefaultSecretStorageKeyId",
+    "setDefaultSecretStorageKeyId",
+]);
+
 /**
  * Get e2e information on the device that sent an event
  *
@@ -1085,7 +1389,7 @@ MatrixClient.prototype.prepareKeyBackupVersion = async function(password) {
         let publicKey;
         const authData = {};
         if (password) {
-            const keyInfo = await keyForNewBackup(password);
+            const keyInfo = await keyFromPassphrase(password);
             publicKey = decryption.init_with_private_key(keyInfo.key);
             authData.private_key_salt = keyInfo.salt;
             authData.private_key_iterations = keyInfo.iterations;
@@ -1112,7 +1416,7 @@ MatrixClient.prototype.prepareKeyBackupVersion = async function(password) {
  * @param {object} info Info object from prepareKeyBackupVersion
  * @returns {Promise<object>} Object with 'version' param indicating the version created
  */
-MatrixClient.prototype.createKeyBackupVersion = function(info) {
+MatrixClient.prototype.createKeyBackupVersion = async function(info) {
     if (this._crypto === null) {
         throw new Error("End-to-end encryption disabled");
     }
@@ -1121,19 +1425,27 @@ MatrixClient.prototype.createKeyBackupVersion = function(info) {
         algorithm: info.algorithm,
         auth_data: info.auth_data,
     };
-    return this._crypto._signObject(data.auth_data).then(() => {
-        return this._http.authedRequest(
-            undefined, "POST", "/room_keys/version", undefined, data,
-            {prefix: httpApi.PREFIX_UNSTABLE},
-        );
-    }).then((res) => {
-        this.enableKeyBackup({
-            algorithm: info.algorithm,
-            auth_data: info.auth_data,
-            version: res.version,
-        });
-        return res;
+
+    // Now sign the backup auth data. Do it as this device first because crypto._signObject
+    // is dumb and bluntly replaces the whole signatures block...
+    // this can probably go away very soon in favour of just signing with the SSK.
+    await this._crypto._signObject(data.auth_data);
+
+    if (this._crypto._crossSigningInfo.getId()) {
+        // now also sign the auth data with the master key
+        await this._crypto._crossSigningInfo.signObject(data.auth_data, "master");
+    }
+
+    const res = await this._http.authedRequest(
+        undefined, "POST", "/room_keys/version", undefined, data,
+        {prefix: httpApi.PREFIX_UNSTABLE},
+    );
+    this.enableKeyBackup({
+        algorithm: info.algorithm,
+        auth_data: info.auth_data,
+        version: res.version,
     });
+    return res;
 };
 
 MatrixClient.prototype.deleteKeyBackupVersion = function(version) {
@@ -1239,7 +1551,7 @@ MatrixClient.RESTORE_BACKUP_ERROR_BAD_KEY = 'RESTORE_BACKUP_ERROR_BAD_KEY';
 MatrixClient.prototype.restoreKeyBackupWithPassword = async function(
     password, targetRoomId, targetSessionId, backupInfo,
 ) {
-    const privKey = await keyForExistingBackup(backupInfo, password);
+    const privKey = await keyFromAuthData(backupInfo.auth_data, password);
     return this._restoreKeyBackup(
         privKey, targetRoomId, targetSessionId, backupInfo,
     );
@@ -1369,8 +1681,10 @@ MatrixClient.prototype.getGroups = function() {
  * @return {module:client.Promise} Resolves with an object containing the config.
  */
 MatrixClient.prototype.getMediaConfig = function(callback) {
-    return this._http.authedRequestWithPrefix(
-        callback, "GET", "/config", undefined, undefined, httpApi.PREFIX_MEDIA_R0,
+    return this._http.authedRequest(
+        callback, "GET", "/config", undefined, undefined, {
+            prefix: httpApi.PREFIX_MEDIA_R0,
+        },
     );
 };
 
@@ -2178,11 +2492,17 @@ MatrixClient.prototype.sendHtmlEmote = function(roomId, body, htmlBody, callback
  * Send a receipt.
  * @param {Event} event The event being acknowledged
  * @param {string} receiptType The kind of receipt e.g. "m.read"
+ * @param {object} opts Additional content to send alongside the receipt.
  * @param {module:client.callback} callback Optional.
  * @return {module:client.Promise} Resolves: TODO
  * @return {module:http-api.MatrixError} Rejects: with an error response.
  */
-MatrixClient.prototype.sendReceipt = function(event, receiptType, callback) {
+MatrixClient.prototype.sendReceipt = function(event, receiptType, opts, callback) {
+    if (typeof(opts) === 'function') {
+        callback = opts;
+        opts = {};
+    }
+
     if (this.isGuest()) {
         return Promise.resolve({}); // guests cannot send receipts so don't bother.
     }
@@ -2193,7 +2513,7 @@ MatrixClient.prototype.sendReceipt = function(event, receiptType, callback) {
         $eventId: event.getId(),
     });
     const promise = this._http.authedRequest(
-        callback, "POST", path, undefined, {},
+        callback, "POST", path, undefined, opts || {},
     );
 
     const room = this.getRoom(event.getRoomId());
@@ -2206,17 +2526,32 @@ MatrixClient.prototype.sendReceipt = function(event, receiptType, callback) {
 /**
  * Send a read receipt.
  * @param {Event} event The event that has been read.
+ * @param {object} opts The options for the read receipt.
+ * @param {boolean} opts.hidden True to prevent the receipt from being sent to
+ * other users and homeservers. Default false (send to everyone). <b>This
+ * property is unstable and may change in the future.</b>
  * @param {module:client.callback} callback Optional.
  * @return {module:client.Promise} Resolves: TODO
  * @return {module:http-api.MatrixError} Rejects: with an error response.
  */
-MatrixClient.prototype.sendReadReceipt = async function(event, callback) {
+MatrixClient.prototype.sendReadReceipt = async function(event, opts, callback) {
+    if (typeof(opts) === 'function') {
+        callback = opts;
+        opts = {};
+    }
+    if (!opts) opts = {};
+
     const eventId = event.getId();
     const room = this.getRoom(event.getRoomId());
     if (room && room.hasPendingEvent(eventId)) {
         throw new Error(`Cannot set read receipt to a pending event (${eventId})`);
     }
-    return this.sendReceipt(event, "m.read", callback);
+
+    const addlContent = {
+        "m.hidden": Boolean(opts.hidden),
+    };
+
+    return this.sendReceipt(event, "m.read", addlContent, callback);
 };
 
 /**
@@ -2229,9 +2564,14 @@ MatrixClient.prototype.sendReadReceipt = async function(event, callback) {
  * @param {string} rrEvent the event tracked by the read receipt. This is here for
  * convenience because the RR and the RM are commonly updated at the same time as each
  * other. The local echo of this receipt will be done if set. Optional.
+ * @param {object} opts Options for the read markers
+ * @param {object} opts.hidden True to hide the receipt from other users and homeservers.
+ * <b>This property is unstable and may change in the future.</b>
  * @return {module:client.Promise} Resolves: the empty object, {}.
  */
-MatrixClient.prototype.setRoomReadMarkers = async function(roomId, rmEventId, rrEvent) {
+MatrixClient.prototype.setRoomReadMarkers = async function(
+    roomId, rmEventId, rrEvent, opts,
+) {
     const room = this.getRoom(roomId);
     if (room && room.hasPendingEvent(rmEventId)) {
         throw new Error(`Cannot set read marker to a pending event (${rmEventId})`);
@@ -2249,7 +2589,7 @@ MatrixClient.prototype.setRoomReadMarkers = async function(roomId, rmEventId, rr
         }
     }
 
-    return this.setRoomReadMarkersHttpRequest(roomId, rmEventId, rrEventId);
+    return this.setRoomReadMarkersHttpRequest(roomId, rmEventId, rrEventId, opts);
 };
 
 /**
@@ -2275,11 +2615,13 @@ MatrixClient.prototype.getUrlPreview = function(url, ts, callback) {
     }
 
     const self = this;
-    return this._http.authedRequestWithPrefix(
+    return this._http.authedRequest(
         callback, "GET", "/preview_url", {
             url: url,
             ts: ts,
-        }, undefined, httpApi.PREFIX_MEDIA_R0,
+        }, undefined, {
+            prefix: httpApi.PREFIX_MEDIA_R0,
+        },
     ).then(function(response) {
         // TODO: expire cache occasionally
         self.urlPreviewCache[key] = response;
@@ -2431,7 +2773,12 @@ MatrixClient.prototype.inviteByEmail = function(roomId, email, callback) {
  * @return {module:client.Promise} Resolves: TODO
  * @return {module:http-api.MatrixError} Rejects: with an error response.
  */
-MatrixClient.prototype.inviteByThreePid = function(roomId, medium, address, callback) {
+MatrixClient.prototype.inviteByThreePid = async function(
+    roomId,
+    medium,
+    address,
+    callback,
+) {
     const path = utils.encodeUri(
         "/rooms/$roomId/invite",
         { $roomId: roomId },
@@ -2444,12 +2791,24 @@ MatrixClient.prototype.inviteByThreePid = function(roomId, medium, address, call
             errcode: "ORG.MATRIX.JSSDK_MISSING_PARAM",
         }));
     }
-
-    return this._http.authedRequest(callback, "POST", path, undefined, {
+    const params = {
         id_server: identityServerUrl,
         medium: medium,
         address: address,
-    });
+    };
+
+    if (
+        this.identityServer &&
+        this.identityServer.getAccessToken &&
+        await this.doesServerAcceptIdentityAccessToken()
+    ) {
+        const identityAccessToken = await this.identityServer.getAccessToken();
+        if (identityAccessToken) {
+            params.id_access_token = identityAccessToken;
+        }
+    }
+
+    return this._http.authedRequest(callback, "POST", path, undefined, params);
 };
 
 /**
@@ -3238,14 +3597,9 @@ MatrixClient.prototype.setGuestAccess = function(roomId, opts) {
 
 /**
  * Requests an email verification token for the purposes of registration.
- * This API proxies the Identity Server /validate/email/requestToken API,
- * adding registration-specific behaviour. Specifically, if an account with
- * the given email address already exists, it will either send an email
- * to the address informing them of this or return M_THREEPID_IN_USE
- * (which one is up to the Home Server).
- *
- * requestEmailToken calls the equivalent API directly on the ID server,
- * therefore bypassing the registration-specific logic.
+ * This API requests a token from the homeserver.
+ * The doesServerRequireIdServerParam() method can be used to determine if
+ * the server requires the id_server parameter to be provided.
  *
  * Parameters and return value are as for requestEmailToken
 
@@ -3270,8 +3624,9 @@ MatrixClient.prototype.requestRegisterEmailToken = function(email, clientSecret,
 
 /**
  * Requests a text message verification token for the purposes of registration.
- * This API proxies the Identity Server /validate/msisdn/requestToken API,
- * adding registration-specific behaviour, as with requestRegisterEmailToken.
+ * This API requests a token from the homeserver.
+ * The doesServerRequireIdServerParam() method can be used to determine if
+ * the server requires the id_server parameter to be provided.
  *
  * @param {string} phoneCountry The ISO 3166-1 alpha-2 code for the country in which
  *    phoneNumber should be parsed relative to.
@@ -3298,15 +3653,13 @@ MatrixClient.prototype.requestRegisterMsisdnToken = function(phoneCountry, phone
 /**
  * Requests an email verification token for the purposes of adding a
  * third party identifier to an account.
- * This API proxies the Identity Server /validate/email/requestToken API,
- * adding specific behaviour for the addition of email addresses to an
- * account. Specifically, if an account with
- * the given email address already exists, it will either send an email
- * to the address informing them of this or return M_THREEPID_IN_USE
- * (which one is up to the Home Server).
- *
- * requestEmailToken calls the equivalent API directly on the ID server,
- * therefore bypassing the email addition specific logic.
+ * This API requests a token from the homeserver.
+ * The doesServerRequireIdServerParam() method can be used to determine if
+ * the server requires the id_server parameter to be provided.
+ * If an account with the given email address already exists and is
+ * associated with an account other than the one the user is authed as,
+ * it will either send an email to the address informing them of this
+ * or return M_THREEPID_IN_USE (which one is up to the Home Server).
  *
  * @param {string} email As requestEmailToken
  * @param {string} clientSecret As requestEmailToken
@@ -3422,15 +3775,30 @@ MatrixClient.prototype.requestPasswordMsisdnToken = function(phoneCountry, phone
  * @param {object} params Parameters for the POST request
  * @return {module:client.Promise} Resolves: As requestEmailToken
  */
-MatrixClient.prototype._requestTokenFromEndpoint = function(endpoint, params) {
-    const id_server_url = url.parse(this.idBaseUrl);
-    if (id_server_url.host === null) {
-        throw new Error("Invalid ID server URL: " + this.idBaseUrl);
+MatrixClient.prototype._requestTokenFromEndpoint = async function(endpoint, params) {
+    const postParams = Object.assign({}, params);
+
+    // If the HS supports separate add and bind, then requestToken endpoints
+    // don't need an IS as they are all validated by the HS directly.
+    if (!await this.doesServerSupportSeparateAddAndBind() && this.idBaseUrl) {
+        const idServerUrl = url.parse(this.idBaseUrl);
+        if (!idServerUrl.host) {
+            throw new Error("Invalid ID server URL: " + this.idBaseUrl);
+        }
+        postParams.id_server = idServerUrl.host;
+
+        if (
+            this.identityServer &&
+            this.identityServer.getAccessToken &&
+            await this.doesServerAcceptIdentityAccessToken()
+        ) {
+            const identityAccessToken = await this.identityServer.getAccessToken();
+            if (identityAccessToken) {
+                postParams.id_access_token = identityAccessToken;
+            }
+        }
     }
 
-    const postParams = Object.assign({}, params, {
-        id_server: id_server_url.host,
-    });
     return this._http.request(
         undefined, "POST", endpoint, undefined,
         postParams,
@@ -3886,6 +4254,28 @@ MatrixClient.prototype.getTurnServers = function() {
     return this._turnServers || [];
 };
 
+/**
+ * Set whether to allow a fallback ICE server should be used for negotiating a
+ * WebRTC connection if the homeserver doesn't provide any servers. Defaults to
+ * false.
+ *
+ * @param {boolean} allow
+ */
+MatrixClient.prototype.setFallbackICEServerAllowed = function(allow) {
+    this._fallbackICEServerAllowed = allow;
+};
+
+/**
+ * Get whether to allow a fallback ICE server should be used for negotiating a
+ * WebRTC connection if the homeserver doesn't provide any servers. Defaults to
+ * false.
+ *
+ * @returns {boolean}
+ */
+MatrixClient.prototype.isFallbackICEServerAllowed = function() {
+    return this._fallbackICEServerAllowed;
+};
+
 // Synapse-specific APIs
 // =====================
 
@@ -3897,9 +4287,13 @@ MatrixClient.prototype.getTurnServers = function() {
  * @return {boolean} true if the user appears to be a Synapse administrator.
  */
 MatrixClient.prototype.isSynapseAdministrator = function() {
-    return this.whoisSynapseUser(this.getUserId())
-        .then(() => true)
-        .catch(() => false);
+    const path = utils.encodeUri(
+        "/_synapse/admin/v1/users/$userId/admin",
+        { $userId: this.getUserId() },
+    );
+    return this._http.authedRequest(
+        undefined, 'GET', path, undefined, undefined, {prefix: ''},
+    ).then(r => r['admin']); // pull out the specific boolean we want
 };
 
 /**
@@ -4066,13 +4460,14 @@ MatrixClient.prototype.stopClient = function() {
     global.clearTimeout(this._checkTurnServersTimeoutID);
 };
 
-/*
- * Query the server to see if it support members lazy loading
- * @return {Promise<boolean>} true if server supports lazy loading
+/**
+ * Get the API versions supported by the server, along with any
+ * unstable APIs it supports
+ * @return {Promise<object>} The server /versions response
  */
-MatrixClient.prototype.doesServerSupportLazyLoading = async function() {
-    if (this._serverSupportsLazyLoading === null) {
-        const response = await this._http.request(
+MatrixClient.prototype.getVersions = async function() {
+    if (this._serverVersionsCache === null) {
+        this._serverVersionsCache = await this._http.request(
             undefined, // callback
             "GET", "/_matrix/client/versions",
             undefined, // queryParams
@@ -4081,18 +4476,90 @@ MatrixClient.prototype.doesServerSupportLazyLoading = async function() {
                 prefix: '',
             },
         );
-
-        const versions = response["versions"];
-        const unstableFeatures = response["unstable_features"];
-
-        this._serverSupportsLazyLoading =
-            (versions && versions.includes("r0.5.0"))
-            || (unstableFeatures && unstableFeatures["m.lazy_load_members"]);
     }
-    return this._serverSupportsLazyLoading;
+    return this._serverVersionsCache;
 };
 
-/*
+/**
+ * Check if a particular spec version is supported by the server.
+ * @param {string} version The spec version (such as "r0.5.0") to check for.
+ * @return {Promise<bool>} Whether it is supported
+ */
+MatrixClient.prototype.isVersionSupported = async function(version) {
+    const { versions } = await this.getVersions();
+    return versions && versions.includes(version);
+};
+
+/**
+ * Query the server to see if it support members lazy loading
+ * @return {Promise<boolean>} true if server supports lazy loading
+ */
+MatrixClient.prototype.doesServerSupportLazyLoading = async function() {
+    const response = await this.getVersions();
+
+    const versions = response["versions"];
+    const unstableFeatures = response["unstable_features"];
+
+    return (versions && versions.includes("r0.5.0"))
+        || (unstableFeatures && unstableFeatures["m.lazy_load_members"]);
+};
+
+/**
+ * Query the server to see if the `id_server` parameter is required
+ * when registering with an 3pid, adding a 3pid or resetting password.
+ * @return {Promise<boolean>} true if id_server parameter is required
+ */
+MatrixClient.prototype.doesServerRequireIdServerParam = async function() {
+    const response = await this.getVersions();
+
+    const versions = response["versions"];
+
+    // Supporting r0.6.0 is the same as having the flag set to false
+    if (versions && versions.includes("r0.6.0")) {
+        return false;
+    }
+
+    const unstableFeatures = response["unstable_features"];
+    if (unstableFeatures["m.require_identity_server"] === undefined) {
+        return true;
+    } else {
+        return unstableFeatures["m.require_identity_server"];
+    }
+};
+
+/**
+ * Query the server to see if the `id_access_token` parameter can be safely
+ * passed to the homeserver. Some homeservers may trigger errors if they are not
+ * prepared for the new parameter.
+ * @return {Promise<boolean>} true if id_access_token can be sent
+ */
+MatrixClient.prototype.doesServerAcceptIdentityAccessToken = async function() {
+    const response = await this.getVersions();
+
+    const versions = response["versions"];
+    const unstableFeatures = response["unstable_features"];
+
+    return (versions && versions.includes("r0.6.0"))
+        || (unstableFeatures && unstableFeatures["m.id_access_token"]);
+};
+
+/**
+ * Query the server to see if it supports separate 3PID add and bind functions.
+ * This affects the sequence of API calls clients should use for these operations,
+ * so it's helpful to be able to check for support.
+ * @return {Promise<boolean>} true if separate functions are supported
+ */
+MatrixClient.prototype.doesServerSupportSeparateAddAndBind = async function() {
+    const response = await this.getVersions();
+
+    const versions = response["versions"];
+    const unstableFeatures = response["unstable_features"];
+
+    return (versions && versions.includes("r0.6.0"))
+        || (unstableFeatures && unstableFeatures["m.separate_add_and_bind"]);
+};
+
+/**
  * Get if lazy loading members is being used.
  * @return {boolean} Whether or not members are lazy loaded by this client
  */
@@ -4100,7 +4567,7 @@ MatrixClient.prototype.hasLazyLoadMembersEnabled = function() {
     return !!this._clientOpts.lazyLoadMembers;
 };
 
-/*
+/**
  * Set a function which is called when /sync returns a 'limited' response.
  * It is called with a room ID and returns a boolean. It should return 'true' if the SDK
  * can SAFELY remove events from this room. It may not be safe to remove events if there
@@ -4385,10 +4852,9 @@ function checkTurnServers(client) {
         }
     }, function(err) {
         logger.error("Failed to get TURN URIs");
-        client._checkTurnServersTimeoutID =
-            setTimeout(function() {
- checkTurnServers(client);
-}, 60000);
+        client._checkTurnServersTimeoutID = setTimeout(function() {
+            checkTurnServers(client);
+        }, 60000);
     });
 }
 
@@ -4674,6 +5140,32 @@ module.exports.CRYPTO_ENABLED = CRYPTO_ENABLED;
  * @param {module:crypto/deviceinfo} deviceInfo updated device information
  */
 
+/**
+ * Fires when the trust status of a user changes
+ * If userId is the userId of the logged in user, this indicated a change
+ * in the trust status of the cross-signing data on the account.
+ *
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @event module:client~MatrixClient#"userTrustStatusChanged"
+ * @param {string} userId the userId of the user in question
+ * @param {UserTrustLevel} trustLevel The new trust level of the user
+ */
+
+/**
+ * Fires when the user's cross-signing keys have changed or cross-signing
+ * has been enabled/disabled. The client can use getStoredCrossSigningForUser
+ * with the user ID of the logged in user to check if cross-signing is
+ * enabled on the account. If enabled, it can test whether the current key
+ * is trusted using with checkUserTrust with the user ID of the logged
+ * in user. The checkOwnCrossSigningTrust function may be used to reconcile
+ * the trust in the account key.
+ *
+ * The cross-signing API is currently UNSTABLE and may change without notice.
+ *
+ * @event module:client~MatrixClient#"crossSigning.keysChanged"
+ */
+
 /**
  * Fires whenever new user-scoped account_data is added.
  * @event module:client~MatrixClient#"accountData"
@@ -4731,6 +5223,21 @@ module.exports.CRYPTO_ENABLED = CRYPTO_ENABLED;
  *     perform the key verification
  */
 
+/**
+ * Fires when a secret request has been cancelled.  If the client is prompting
+ * the user to ask whether they want to share a secret, the prompt can be
+ * dismissed.
+ *
+ * The Secure Secret Storage API is currently UNSTABLE and may change without notice.
+ *
+ * @event module:client~MatrixClient#"crypto.secrets.requestCancelled"
+ * @param {object} data
+ * @param {string} data.user_id The user ID of the client that had requested the secret.
+ * @param {string} data.device_id The device ID of the client that had requested the
+ *     secret.
+ * @param {string} data.request_id The ID of the original request.
+ */
+
 // EventEmitter JSDocs
 
 /**

src/crypto/CrossSigning.js

@@ -0,0 +1,487 @@
+/*
+Copyright 2019 New Vector Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/**
+ * Cross signing methods
+ * @module crypto/CrossSigning
+ */
+
+import {pkSign, pkVerify} from './olmlib';
+import {EventEmitter} from 'events';
+import logger from '../logger';
+
+function publicKeyFromKeyInfo(keyInfo) {
+    return Object.entries(keyInfo.keys)[0];
+}
+
+export class CrossSigningInfo extends EventEmitter {
+    /**
+     * Information about a user's cross-signing keys
+     *
+     * @class
+     *
+     * @param {string} userId the user that the information is about
+     * @param {object} callbacks Callbacks used to interact with the app
+     *     Requires getCrossSigningKey and saveCrossSigningKeys
+     */
+    constructor(userId, callbacks) {
+        super();
+
+        // you can't change the userId
+        Object.defineProperty(this, 'userId', {
+            enumerable: true,
+            value: userId,
+        });
+        this._callbacks = callbacks || {};
+        this.keys = {};
+        this.firstUse = true;
+    }
+
+    /**
+     * Calls the app callback to ask for a private key
+     * @param {string} type The key type ("master", "self_signing", or "user_signing")
+     * @param {Uint8Array} expectedPubkey The matching public key or undefined to use
+     *     the stored public key for the given key type.
+     */
+    async getCrossSigningKey(type, expectedPubkey) {
+        if (!this._callbacks.getCrossSigningKey) {
+            throw new Error("No getCrossSigningKey callback supplied");
+        }
+
+        if (expectedPubkey === undefined) {
+            expectedPubkey = this.getId(type);
+        }
+
+        const privkey = await this._callbacks.getCrossSigningKey(type, expectedPubkey);
+        if (!privkey) {
+            throw new Error(
+                "getCrossSigningKey callback for  " + type + " returned falsey",
+            );
+        }
+        const signing = new global.Olm.PkSigning();
+        const gotPubkey = signing.init_with_seed(privkey);
+        if (gotPubkey !== expectedPubkey) {
+            signing.free();
+            throw new Error(
+                "Key type " + type + " from getCrossSigningKey callback did not match",
+            );
+        } else {
+            return [gotPubkey, signing];
+        }
+    }
+
+    static fromStorage(obj, userId) {
+        const res = new CrossSigningInfo(userId);
+        for (const prop in obj) {
+            if (obj.hasOwnProperty(prop)) {
+                res[prop] = obj[prop];
+            }
+        }
+        return res;
+    }
+
+    toStorage() {
+        return {
+            keys: this.keys,
+            firstUse: this.firstUse,
+        };
+    }
+
+    hasKeys() {
+        return Object.keys(this.keys).length > 0;
+    }
+
+    /**
+     * Get the ID used to identify the user
+     *
+     * @param {string} type The type of key to get the ID of.  One of "master",
+     * "self_signing", or "user_signing".  Defaults to "master".
+     *
+     * @return {string} the ID
+     */
+    getId(type) {
+        type = type || "master";
+        if (!this.keys[type]) return null;
+        const keyInfo = this.keys[type];
+        return publicKeyFromKeyInfo(keyInfo)[1];
+    }
+
+
+    async resetKeys(level) {
+        if (!this._callbacks.saveCrossSigningKeys) {
+            throw new Error("No saveCrossSigningKeys callback supplied");
+        }
+
+        // If we're resetting the master key, we reset all keys
+        if (
+            level === undefined ||
+            level & CrossSigningLevel.MASTER ||
+            !this.keys.master
+        ) {
+            level = (
+                CrossSigningLevel.MASTER |
+                CrossSigningLevel.USER_SIGNING |
+                CrossSigningLevel.SELF_SIGNING
+            );
+        } else if (level === 0) {
+            return;
+        }
+
+        const privateKeys = {};
+        const keys = {};
+        let masterSigning;
+        let masterPub;
+
+        try {
+            if (level & CrossSigningLevel.MASTER) {
+                masterSigning = new global.Olm.PkSigning();
+                privateKeys.master = masterSigning.generate_seed();
+                masterPub = masterSigning.init_with_seed(privateKeys.master);
+                keys.master = {
+                    user_id: this.userId,
+                    usage: ['master'],
+                    keys: {
+                        ['ed25519:' + masterPub]: masterPub,
+                    },
+                };
+            } else {
+                [masterPub, masterSigning] = await this.getCrossSigningyKey("master");
+            }
+
+            if (level & CrossSigningLevel.SELF_SIGNING) {
+                const sskSigning = new global.Olm.PkSigning();
+                try {
+                    privateKeys.self_signing = sskSigning.generate_seed();
+                    const sskPub = sskSigning.init_with_seed(privateKeys.self_signing);
+                    keys.self_signing = {
+                        user_id: this.userId,
+                        usage: ['self_signing'],
+                        keys: {
+                            ['ed25519:' + sskPub]: sskPub,
+                        },
+                    };
+                    pkSign(keys.self_signing, masterSigning, this.userId, masterPub);
+                } finally {
+                    sskSigning.free();
+                }
+            }
+
+            if (level & CrossSigningLevel.USER_SIGNING) {
+                const uskSigning = new global.Olm.PkSigning();
+                try {
+                    privateKeys.user_signing = uskSigning.generate_seed();
+                    const uskPub = uskSigning.init_with_seed(privateKeys.user_signing);
+                    keys.user_signing = {
+                        user_id: this.userId,
+                        usage: ['user_signing'],
+                        keys: {
+                            ['ed25519:' + uskPub]: uskPub,
+                        },
+                    };
+                    pkSign(keys.user_signing, masterSigning, this.userId, masterPub);
+                } finally {
+                    uskSigning.free();
+                }
+            }
+
+            Object.assign(this.keys, keys);
+            this._callbacks.saveCrossSigningKeys(privateKeys);
+        } finally {
+            if (masterSigning) {
+                masterSigning.free();
+            }
+        }
+    }
+
+    setKeys(keys) {
+        const signingKeys = {};
+        if (keys.master) {
+            if (keys.master.user_id !== this.userId) {
+                const error = "Mismatched user ID " + keys.master.user_id +
+                      " in master key from " + this.userId;
+                logger.error(error);
+                throw new Error(error);
+            }
+            if (!this.keys.master) {
+                // this is the first key we've seen, so first-use is true
+                this.firstUse = true;
+            } else if (publicKeyFromKeyInfo(keys.master)[1] !== this.getId()) {
+                // this is a different key, so first-use is false
+                this.firstUse = false;
+            } // otherwise, same key, so no change
+            signingKeys.master = keys.master;
+        } else if (this.keys.master) {
+            signingKeys.master = this.keys.master;
+        } else {
+            throw new Error("Tried to set cross-signing keys without a master key");
+        }
+        const masterKey = publicKeyFromKeyInfo(signingKeys.master)[1];
+
+        // verify signatures
+        if (keys.user_signing) {
+            if (keys.user_signing.user_id !== this.userId) {
+                const error = "Mismatched user ID " + keys.master.user_id +
+                      " in user_signing key from " + this.userId;
+                logger.error(error);
+                throw new Error(error);
+            }
+            try {
+                pkVerify(keys.user_signing, masterKey, this.userId);
+            } catch (e) {
+                logger.error("invalid signature on user-signing key");
+                // FIXME: what do we want to do here?
+                throw e;
+            }
+        }
+        if (keys.self_signing) {
+            if (keys.self_signing.user_id !== this.userId) {
+                const error = "Mismatched user ID " + keys.master.user_id +
+                      " in self_signing key from " + this.userId;
+                logger.error(error);
+                throw new Error(error);
+            }
+            try {
+                pkVerify(keys.self_signing, masterKey, this.userId);
+            } catch (e) {
+                logger.error("invalid signature on self-signing key");
+                // FIXME: what do we want to do here?
+                throw e;
+            }
+        }
+
+        // if everything checks out, then save the keys
+        if (keys.master) {
+            this.keys.master = keys.master;
+            // if the master key is set, then the old self-signing and
+            // user-signing keys are obsolete
+            delete this.keys.self_signing;
+            delete this.keys.user_signing;
+        }
+        if (keys.self_signing) {
+            this.keys.self_signing = keys.self_signing;
+        }
+        if (keys.user_signing) {
+            this.keys.user_signing = keys.user_signing;
+        }
+    }
+
+    async signObject(data, type) {
+        if (!this.keys[type]) {
+            throw new Error(
+                "Attempted to sign with " + type + " key but no such key present",
+            );
+        }
+        const [pubkey, signing] = await this.getCrossSigningKey(type);
+        try {
+            pkSign(data, signing, this.userId, pubkey);
+            return data;
+        } finally {
+            signing.free();
+        }
+    }
+
+    async signUser(key) {
+        if (!this.keys.user_signing) {
+            return;
+        }
+        return this.signObject(key.keys.master, "user_signing");
+    }
+
+    async signDevice(userId, device) {
+        if (userId !== this.userId) {
+            throw new Error(
+                `Trying to sign ${userId}'s device; can only sign our own device`,
+            );
+        }
+        if (!this.keys.self_signing) {
+            return;
+        }
+        return this.signObject(
+            {
+                algorithms: device.algorithms,
+                keys: device.keys,
+                device_id: device.deviceId,
+                user_id: userId,
+            }, "self_signing",
+        );
+    }
+
+    /**
+     * Check whether a given user is trusted.
+     *
+     * @param {CrossSigningInfo} userCrossSigning Cross signing info for user
+     *
+     * @returns {UserTrustLevel}
+     */
+    checkUserTrust(userCrossSigning) {
+        // if we're checking our own key, then it's trusted if the master key
+        // and self-signing key match
+        if (this.userId === userCrossSigning.userId
+            && this.getId() && this.getId() === userCrossSigning.getId()
+            && this.getId("self_signing")
+            && this.getId("self_signing") === userCrossSigning.getId("self_signing")
+        ) {
+            return new UserTrustLevel(true, this.firstUse);
+        }
+
+        if (!this.keys.user_signing) {
+            // If there's no user signing key, they can't possibly be verified.
+            // They may be TOFU trusted though.
+            return new UserTrustLevel(false, userCrossSigning.firstUse);
+        }
+
+        let userTrusted;
+        const userMaster = userCrossSigning.keys.master;
+        const uskId = this.getId('user_signing');
+        try {
+            pkVerify(userMaster, uskId, this.userId);
+            userTrusted = true;
+        } catch (e) {
+            userTrusted = false;
+        }
+        return new UserTrustLevel(userTrusted, userCrossSigning.firstUse);
+    }
+
+    /**
+     * Check whether a given device is trusted.
+     *
+     * @param {CrossSigningInfo} userCrossSigning Cross signing info for user
+     * @param {module:crypto/deviceinfo} device The device to check
+     * @param {bool} localTrust Whether the device is trusted locally
+     *
+     * @returns {DeviceTrustLevel}
+     */
+    checkDeviceTrust(userCrossSigning, device, localTrust) {
+        const userTrust = this.checkUserTrust(userCrossSigning);
+
+        const userSSK = userCrossSigning.keys.self_signing;
+        if (!userSSK) {
+            // if the user has no self-signing key then we cannot make any
+            // trust assertions about this device from cross-signing
+            return new DeviceTrustLevel(false, false, localTrust);
+        }
+
+        const deviceObj = deviceToObject(device, userCrossSigning.userId);
+        try {
+            // if we can verify the user's SSK from their master key...
+            pkVerify(userSSK, userCrossSigning.getId(), userCrossSigning.userId);
+            // ...and this device's key from their SSK...
+            pkVerify(
+                deviceObj, publicKeyFromKeyInfo(userSSK)[1], userCrossSigning.userId,
+            );
+            // ...then we trust this device as much as far as we trust the user
+            return DeviceTrustLevel.fromUserTrustLevel(userTrust, localTrust);
+        } catch (e) {
+            return new DeviceTrustLevel(false, false, localTrust);
+        }
+    }
+}
+
+function deviceToObject(device, userId) {
+    return {
+        algorithms: device.algorithms,
+        keys: device.keys,
+        device_id: device.deviceId,
+        user_id: userId,
+        signatures: device.signatures,
+    };
+}
+
+export const CrossSigningLevel = {
+    MASTER: 4,
+    USER_SIGNING: 2,
+    SELF_SIGNING: 1,
+};
+
+/**
+ * Represents the ways in which we trust a user
+ */
+export class UserTrustLevel {
+    constructor(crossSigningVerified, tofu) {
+        this._crossSigningVerified = crossSigningVerified;
+        this._tofu = tofu;
+    }
+
+    /**
+     * @returns {bool} true if this user is verified via any means
+     */
+    isVerified() {
+        return this.isCrossSigningVerified();
+    }
+
+    /**
+     * @returns {bool} true if this user is verified via cross signing
+     */
+    isCrossSigningVerified() {
+        return this._crossSigningVerified;
+    }
+
+    /**
+     * @returns {bool} true if this user's key is trusted on first use
+     */
+    isTofu() {
+        return this._tofu;
+    }
+}
+
+/**
+ * Represents the ways in which we trust a device
+ */
+export class DeviceTrustLevel {
+    constructor(crossSigningVerified, tofu, localVerified) {
+        this._crossSigningVerified = crossSigningVerified;
+        this._tofu = tofu;
+        this._localVerified = localVerified;
+    }
+
+    static fromUserTrustLevel(userTrustLevel, localVerified) {
+        return new DeviceTrustLevel(
+            userTrustLevel._crossSigningVerified,
+            userTrustLevel._tofu,
+            localVerified,
+        );
+    }
+
+    /**
+     * @returns {bool} true if this device is verified via any means
+     */
+    isVerified() {
+        return this.isCrossSigningVerified() || this.isLocallyVerified();
+    }
+
+    /**
+     * @returns {bool} true if this device is verified via cross signing
+     */
+    isCrossSigningVerified() {
+        return this._crossSigningVerified;
+    }
+
+    /**
+     * @returns {bool} true if this device is verified locally
+     */
+    isLocallyVerified() {
+        return this._localVerified;
+    }
+
+    /**
+     * @returns {bool} true if this device is trusted from a user's key
+     * that is trusted on first use
+     */
+    isTofu() {
+        return this._tofu;
+    }
+}

src/crypto/DeviceList.js

@@ -1,6 +1,7 @@
 /*
 Copyright 2017 Vector Creations Ltd
 Copyright 2018, 2019 New Vector Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -23,9 +24,11 @@ limitations under the License.
  */
 
 import Promise from 'bluebird';
+import {EventEmitter} from 'events';
 
 import logger from '../logger';
 import DeviceInfo from './deviceinfo';
+import {CrossSigningInfo} from './CrossSigning';
 import olmlib from './olmlib';
 import IndexedDBCryptoStore from './store/indexeddb-crypto-store';
 
@@ -60,8 +63,10 @@ const TRACKING_STATUS_UP_TO_DATE = 3;
 /**
  * @alias module:crypto/DeviceList
  */
-export default class DeviceList {
+export default class DeviceList extends EventEmitter {
     constructor(baseApis, cryptoStore, olmDevice) {
+        super();
+
         this._cryptoStore = cryptoStore;
 
         // userId -> {
@@ -71,6 +76,11 @@ export default class DeviceList {
         // }
         this._devices = {};
 
+        // userId -> {
+        //     [key info]
+        // }
+        this._crossSigningInfo = {};
+
         // map of identity keys to the user who owns it
         this._userByIdentityKey = {};
 
@@ -111,6 +121,7 @@ export default class DeviceList {
             'readonly', [IndexedDBCryptoStore.STORE_DEVICE_DATA], (txn) => {
                 this._cryptoStore.getEndToEndDeviceData(txn, (deviceData) => {
                     this._devices = deviceData ? deviceData.devices : {},
+                    this._ssks = deviceData ? deviceData.self_signing_keys || {} : {};
                     this._deviceTrackingStatus = deviceData ?
                         deviceData.trackingStatus : {};
                     this._syncToken = deviceData ? deviceData.syncToken : null;
@@ -201,6 +212,7 @@ export default class DeviceList {
                     'readwrite', [IndexedDBCryptoStore.STORE_DEVICE_DATA], (txn) => {
                         this._cryptoStore.storeEndToEndDeviceData({
                             devices: this._devices,
+                            self_signing_keys: this._ssks,
                             trackingStatus: this._deviceTrackingStatus,
                             syncToken: this._syncToken,
                         }, txn);
@@ -334,6 +346,17 @@ export default class DeviceList {
         return this._devices[userId];
     }
 
+    getStoredCrossSigningForUser(userId) {
+        if (!this._crossSigningInfo[userId]) return null;
+
+        return CrossSigningInfo.fromStorage(this._crossSigningInfo[userId], userId);
+    }
+
+    storeCrossSigningForUser(userId, info) {
+        this._crossSigningInfo[userId] = info;
+        this._dirty = true;
+    }
+
     /**
      * Get the stored keys for a single device
      *
@@ -561,6 +584,10 @@ export default class DeviceList {
         }
     }
 
+    setRawStoredCrossSigningForUser(userId, info) {
+        this._crossSigningInfo[userId] = info;
+    }
+
     /**
      * Fire off download update requests for the given users, and update the
      * device list tracking status for them, and the
@@ -624,6 +651,7 @@ export default class DeviceList {
                 }
             });
             this.saveIfDirty();
+            this.emit("crypto.devicesUpdated", users);
         };
 
         return prom;
@@ -724,6 +752,9 @@ class DeviceListUpdateSerialiser {
             downloadUsers, opts,
         ).then((res) => {
             const dk = res.device_keys || {};
+            const masterKeys = res.master_keys || {};
+            const ssks = res.self_signing_keys || {};
+            const usks = res.user_signing_keys || {};
 
             // do each user in a separate promise, to avoid wedging the CPU
             // (https://github.com/vector-im/riot-web/issues/3158)
@@ -733,7 +764,13 @@ class DeviceListUpdateSerialiser {
             let prom = Promise.resolve();
             for (const userId of downloadUsers) {
                 prom = prom.delay(5).then(() => {
-                    return this._processQueryResponseForUser(userId, dk[userId]);
+                    return this._processQueryResponseForUser(
+                        userId, dk[userId], {
+                            master: masterKeys[userId],
+                            self_signing: ssks[userId],
+                            user_signing: usks[userId],
+                        },
+                    );
                 });
             }
 
@@ -757,30 +794,58 @@ class DeviceListUpdateSerialiser {
         return deferred.promise;
     }
 
-    async _processQueryResponseForUser(userId, response) {
-        logger.log('got keys for ' + userId + ':', response);
+    async _processQueryResponseForUser(
+        userId, dkResponse, crossSigningResponse, sskResponse,
+    ) {
+        logger.log('got device keys for ' + userId + ':', dkResponse);
+        logger.log('got cross-signing keys for ' + userId + ':', crossSigningResponse);
 
-        // map from deviceid -> deviceinfo for this user
-        const userStore = {};
-        const devs = this._deviceList.getRawStoredDevicesForUser(userId);
-        if (devs) {
-            Object.keys(devs).forEach((deviceId) => {
-                const d = DeviceInfo.fromStorage(devs[deviceId], deviceId);
-                userStore[deviceId] = d;
+        {
+            // map from deviceid -> deviceinfo for this user
+            const userStore = {};
+            const devs = this._deviceList.getRawStoredDevicesForUser(userId);
+            if (devs) {
+                Object.keys(devs).forEach((deviceId) => {
+                    const d = DeviceInfo.fromStorage(devs[deviceId], deviceId);
+                    userStore[deviceId] = d;
+                });
+            }
+
+            await _updateStoredDeviceKeysForUser(
+                this._olmDevice, userId, userStore, dkResponse || {},
+            );
+
+            // put the updates into the object that will be returned as our results
+            const storage = {};
+            Object.keys(userStore).forEach((deviceId) => {
+                storage[deviceId] = userStore[deviceId].toStorage();
             });
+
+            this._deviceList._setRawStoredDevicesForUser(userId, storage);
         }
 
-        await _updateStoredDeviceKeysForUser(
-            this._olmDevice, userId, userStore, response || {},
-        );
+        // now do the same for the cross-signing keys
+        {
+            // FIXME: should we be ignoring empty cross-signing responses, or
+            // should we be dropping the keys?
+            if (crossSigningResponse
+                && (crossSigningResponse.master || crossSigningResponse.self_signing
+                    || crossSigningResponse.user_signing)) {
+                const crossSigning
+                      = this._deviceList.getStoredCrossSigningForUser(userId)
+                      || new CrossSigningInfo(userId);
 
-        // put the updates into thr object that will be returned as our results
-        const storage = {};
-        Object.keys(userStore).forEach((deviceId) => {
-            storage[deviceId] = userStore[deviceId].toStorage();
-        });
+                crossSigning.setKeys(crossSigningResponse);
 
-        this._deviceList._setRawStoredDevicesForUser(userId, storage);
+                this._deviceList.setRawStoredCrossSigningForUser(
+                    userId, crossSigning.toStorage(),
+                );
+
+                // NB. Unlike most events in the js-sdk, this one is internal to the
+                // js-sdk and is not re-emitted
+                this._deviceList.emit('userCrossSigningUpdated', userId);
+            }
+        }
     }
 }
 
@@ -854,6 +919,7 @@ async function _storeDeviceKeys(_olmDevice, userStore, deviceResult) {
     }
 
     const unsigned = deviceResult.unsigned || {};
+    const signatures = deviceResult.signatures || {};
 
     try {
         await olmlib.verifySignature(_olmDevice, deviceResult, userId, deviceId, signKey);
@@ -886,5 +952,6 @@ async function _storeDeviceKeys(_olmDevice, userStore, deviceResult) {
     deviceStore.keys = deviceResult.keys || {};
     deviceStore.algorithms = deviceResult.algorithms || [];
     deviceStore.unsigned = unsigned;
+    deviceStore.signatures = signatures;
     return true;
 }

src/crypto/OlmDevice.js

@@ -594,6 +594,11 @@ OlmDevice.prototype.encryptMessage = async function(
         'readwrite', [IndexedDBCryptoStore.STORE_SESSIONS],
         (txn) => {
             this._getSession(theirDeviceIdentityKey, sessionId, txn, (sessionInfo) => {
+                const sessionDesc = sessionInfo.session.describe();
+                console.log(
+                    "Session ID " + sessionId + " to " +
+                    theirDeviceIdentityKey + ": " + sessionDesc,
+                );
                 res = sessionInfo.session.encrypt(payloadString);
                 this._saveSession(theirDeviceIdentityKey, sessionInfo, txn);
             });
@@ -621,6 +626,11 @@ OlmDevice.prototype.decryptMessage = async function(
         'readwrite', [IndexedDBCryptoStore.STORE_SESSIONS],
         (txn) => {
             this._getSession(theirDeviceIdentityKey, sessionId, txn, (sessionInfo) => {
+                const sessionDesc = sessionInfo.session.describe();
+                console.log(
+                    "Session ID " + sessionId + " to " +
+                    theirDeviceIdentityKey + ": " + sessionDesc,
+                );
                 payloadString = sessionInfo.session.decrypt(messageType, ciphertext);
                 sessionInfo.lastReceivedMessageTs = Date.now();
                 this._saveSession(theirDeviceIdentityKey, sessionInfo, txn);

src/crypto/SecretStorage.js

@@ -0,0 +1,529 @@
+/*
+Copyright 2019 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import {EventEmitter} from 'events';
+import logger from '../logger';
+import olmlib from './olmlib';
+import { randomString } from '../randomstring';
+import { keyFromPassphrase } from './key_passphrase';
+import { encodeRecoveryKey } from './recoverykey';
+import { pkVerify } from './olmlib';
+
+export const SECRET_STORAGE_ALGORITHM_V1 = "m.secret_storage.v1.curve25519-aes-sha2";
+
+/**
+ * Implements Secure Secret Storage and Sharing (MSC1946)
+ * @module crypto/SecretStorage
+ */
+export default class SecretStorage extends EventEmitter {
+    constructor(baseApis, cryptoCallbacks, crossSigningInfo) {
+        super();
+        this._baseApis = baseApis;
+        this._cryptoCallbacks = cryptoCallbacks;
+        this._crossSigningInfo = crossSigningInfo;
+        this._requests = {};
+        this._incomingRequests = {};
+    }
+
+    getDefaultKeyId() {
+        const defaultKeyEvent = this._baseApis.getAccountData(
+            'm.secret_storage.default_key',
+        );
+        if (!defaultKeyEvent) return null;
+        return defaultKeyEvent.getContent().key;
+    }
+
+    setDefaultKeyId(keyId) {
+        return new Promise((resolve) => {
+            const listener = (ev) => {
+                if (
+                    ev.getType() === 'm.secret_storage.default_key' &&
+                    ev.getContent().key === keyId
+                ) {
+                    this._baseApis.removeListener('accountData', listener);
+                    resolve();
+                }
+            };
+            this._baseApis.on('accountData', listener);
+
+            this._baseApis.setAccountData(
+                'm.secret_storage.default_key',
+                { key: keyId },
+            );
+        });
+    }
+
+    /**
+     * Add a key for encrypting secrets.
+     *
+     * @param {string} algorithm the algorithm used by the key.
+     * @param {object} opts the options for the algorithm.  The properties used
+     *     depend on the algorithm given.  This object may be modified to pass
+     *     information back about the key.
+     * @param {string} [keyId] the ID of the key.  If not given, a random
+     *     ID will be generated.
+     *
+     * @return {string} the ID of the key
+     */
+    async addKey(algorithm, opts, keyId) {
+        const keyData = {algorithm};
+
+        if (!opts) opts = {};
+
+        if (opts.name) {
+            keyData.name = opts.name;
+        }
+
+        switch (algorithm) {
+        case SECRET_STORAGE_ALGORITHM_V1:
+        {
+            const decryption = new global.Olm.PkDecryption();
+            try {
+                if (opts.passphrase) {
+                    const key = await keyFromPassphrase(opts.passphrase);
+                    keyData.passphrase = {
+                        algorithm: "m.pbkdf2",
+                        iterations: key.iterations,
+                        salt: key.salt,
+                    };
+                    opts.encodedkey = encodeRecoveryKey(key.key);
+                    keyData.pubkey = decryption.init_with_private_key(key.key);
+                } else if (opts.privkey) {
+                    keyData.pubkey = decryption.init_with_private_key(opts.privkey);
+                    opts.encodedkey = encodeRecoveryKey(opts.privkey);
+                } else {
+                    keyData.pubkey = decryption.generate_key();
+                    opts.encodedkey = encodeRecoveryKey(decryption.get_private_key());
+                }
+            } finally {
+                decryption.free();
+            }
+            break;
+        }
+        default:
+            throw new Error(`Unknown key algorithm ${opts.algorithm}`);
+        }
+
+        if (!keyId) {
+            do {
+                keyId = randomString(32);
+            } while (this._baseApis.getAccountData(`m.secret_storage.key.${keyId}`));
+        }
+
+        await this._crossSigningInfo.signObject(keyData, 'master');
+
+        await this._baseApis.setAccountData(
+            `m.secret_storage.key.${keyId}`, keyData,
+        );
+
+        return keyId;
+    }
+
+    // TODO: need a function to get all the secret keys
+
+    /**
+     * Store an encrypted secret on the server
+     *
+     * @param {string} name The name of the secret
+     * @param {string} secret The secret contents.
+     * @param {Array} keys The IDs of the keys to use to encrypt the secret
+     *     or null/undefined to use the default key.
+     */
+    async store(name, secret, keys) {
+        const encrypted = {};
+
+        if (!keys) {
+            const defaultKeyId = this.getDefaultKeyId();
+            if (!defaultKeyId) {
+                throw new Error("No keys specified and no default key present");
+            }
+            keys = [defaultKeyId];
+        }
+
+        if (keys.length === 0) {
+            throw new Error("Zero keys given to encrypt with!");
+        }
+
+        for (const keyId of keys) {
+            // get key information from key storage
+            const keyInfo = this._baseApis.getAccountData(
+                "m.secret_storage.key." + keyId,
+            );
+            if (!keyInfo) {
+                throw new Error("Unknown key: " + keyId);
+            }
+            const keyInfoContent = keyInfo.getContent();
+
+            // check signature of key info
+            pkVerify(
+                keyInfoContent,
+                this._crossSigningInfo.getId('master'),
+                this._crossSigningInfo.userId,
+            );
+
+            // encrypt secret, based on the algorithm
+            switch (keyInfoContent.algorithm) {
+            case SECRET_STORAGE_ALGORITHM_V1:
+            {
+                const encryption = new global.Olm.PkEncryption();
+                try {
+                    encryption.set_recipient_key(keyInfoContent.pubkey);
+                    encrypted[keyId] = encryption.encrypt(secret);
+                } finally {
+                    encryption.free();
+                }
+                break;
+            }
+            default:
+                logger.warn("unknown algorithm for secret storage key " + keyId
+                            + ": " + keyInfoContent.algorithm);
+                // do nothing if we don't understand the encryption algorithm
+            }
+        }
+
+        // save encrypted secret
+        await this._baseApis.setAccountData(name, {encrypted});
+    }
+
+    /**
+     * Get a secret from storage.
+     *
+     * @param {string} name the name of the secret
+     *
+     * @return {string} the contents of the secret
+     */
+    async get(name) {
+        const secretInfo = this._baseApis.getAccountData(name);
+        if (!secretInfo) {
+            return;
+        }
+
+        const secretContent = secretInfo.getContent();
+
+        if (!secretContent.encrypted) {
+            throw new Error("Content is not encrypted!");
+        }
+
+        // get possible keys to decrypt
+        const keys = {};
+        for (const keyId of Object.keys(secretContent.encrypted)) {
+            // get key information from key storage
+            const keyInfo = this._baseApis.getAccountData(
+                "m.secret_storage.key." + keyId,
+            ).getContent();
+            const encInfo = secretContent.encrypted[keyId];
+            switch (keyInfo.algorithm) {
+            case SECRET_STORAGE_ALGORITHM_V1:
+                if (keyInfo.pubkey && encInfo.ciphertext && encInfo.mac
+                    && encInfo.ephemeral) {
+                    keys[keyId] = keyInfo;
+                }
+                break;
+            default:
+                // do nothing if we don't understand the encryption algorithm
+            }
+        }
+
+        let keyId;
+        let decryption;
+        try {
+            // fetch private key from app
+            [keyId, decryption] = await this._getSecretStorageKey(keys);
+
+            // decrypt secret
+            const encInfo = secretContent.encrypted[keyId];
+            switch (keys[keyId].algorithm) {
+            case SECRET_STORAGE_ALGORITHM_V1:
+                return decryption.decrypt(
+                    encInfo.ephemeral, encInfo.mac, encInfo.ciphertext,
+                );
+            }
+        } finally {
+            if (decryption) decryption.free();
+        }
+    }
+
+    /**
+     * Check if a secret is stored on the server.
+     *
+     * @param {string} name the name of the secret
+     * @param {boolean} checkKey check if the secret is encrypted by a trusted key
+     *
+     * @return {boolean} whether or not the secret is stored
+     */
+    isStored(name, checkKey) {
+        // check if secret exists
+        const secretInfo = this._baseApis.getAccountData(name);
+        if (!secretInfo) {
+            return false;
+        }
+
+        if (checkKey === undefined) checkKey = true;
+
+        const secretContent = secretInfo.getContent();
+
+        if (!secretContent.encrypted) {
+            return false;
+        }
+
+        // check if secret is encrypted by a known/trusted secret and
+        // encryption looks sane
+        for (const keyId of Object.keys(secretContent.encrypted)) {
+            // get key information from key storage
+            const keyInfo = this._baseApis.getAccountData(
+                "m.secret_storage.key." + keyId,
+            ).getContent();
+            const encInfo = secretContent.encrypted[keyId];
+            if (checkKey) {
+                pkVerify(
+                    keyInfo,
+                    this._crossSigningInfo.getId('master'),
+                    this._crossSigningInfo.userId,
+                );
+            }
+            switch (keyInfo.algorithm) {
+            case SECRET_STORAGE_ALGORITHM_V1:
+                if (keyInfo.pubkey && encInfo.ciphertext && encInfo.mac
+                    && encInfo.ephemeral) {
+                    return true;
+                }
+                break;
+            default:
+                // do nothing if we don't understand the encryption algorithm
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Request a secret from another device
+     *
+     * @param {string} name the name of the secret to request
+     * @param {string[]} devices the devices to request the secret from
+     *
+     * @return {string} the contents of the secret
+     */
+    request(name, devices) {
+        const requestId = this._baseApis.makeTxnId();
+
+        const requestControl = this._requests[requestId] = {
+            devices,
+        };
+        const promise = new Promise((resolve, reject) => {
+            requestControl.resolve = resolve;
+            requestControl.reject = reject;
+        });
+        const cancel = (reason) => {
+            // send cancellation event
+            const cancelData = {
+                action: "request_cancellation",
+                requesting_device_id: this._baseApis.deviceId,
+                request_id: requestId,
+            };
+            const toDevice = {};
+            for (const device of devices) {
+                toDevice[device] = cancelData;
+            }
+            this._baseApis.sendToDevice("m.secret.request", {
+                [this._baseApis.getUserId()]: toDevice,
+            });
+
+            // and reject the promise so that anyone waiting on it will be
+            // notified
+            requestControl.reject(new Error(reason || "Cancelled"));
+        };
+
+        // send request to devices
+        const requestData = {
+            name,
+            action: "request",
+            requesting_device_id: this._baseApis.deviceId,
+            request_id: requestId,
+        };
+        const toDevice = {};
+        for (const device of devices) {
+            toDevice[device] = requestData;
+        }
+        this._baseApis.sendToDevice("m.secret.request", {
+            [this._baseApis.getUserId()]: toDevice,
+        });
+
+        return {
+            request_id: requestId,
+            promise,
+            cancel,
+        };
+    }
+
+    async _onRequestReceived(event) {
+        const sender = event.getSender();
+        const content = event.getContent();
+        if (sender !== this._baseApis.getUserId()
+            || !(content.name && content.action
+                 && content.requesting_device_id && content.request_id)) {
+            // ignore requests from anyone else, for now
+            return;
+        }
+        const deviceId = content.requesting_device_id;
+        // check if it's a cancel
+        if (content.action === "request_cancellation") {
+            if (this._incomingRequests[deviceId]
+                && this._incomingRequests[deviceId][content.request_id]) {
+                logger.info("received request cancellation for secret (" + sender
+                            + ", " + deviceId + ", " + content.request_id + ")");
+                this.baseApis.emit("crypto.secrets.requestCancelled", {
+                    user_id: sender,
+                    device_id: deviceId,
+                    request_id: content.request_id,
+                });
+            }
+        } else if (content.action === "request") {
+            if (deviceId === this._baseApis.deviceId) {
+                // no point in trying to send ourself the secret
+                return;
+            }
+
+            // check if we have the secret
+            logger.info("received request for secret (" + sender
+                        + ", " + deviceId + ", " + content.request_id + ")");
+            if (!this._cryptoCallbacks.onSecretRequested) {
+                return;
+            }
+            const secret = await this._cryptoCallbacks.onSecretRequested({
+                user_id: sender,
+                device_id: deviceId,
+                request_id: content.request_id,
+                name: content.name,
+                device_trust: this._baseApis.checkDeviceTrust(sender, deviceId),
+            });
+            if (secret) {
+                const payload = {
+                    type: "m.secret.send",
+                    content: {
+                        request_id: content.request_id,
+                        secret: secret,
+                    },
+                };
+                const encryptedContent = {
+                    algorithm: olmlib.OLM_ALGORITHM,
+                    sender_key: this._baseApis._crypto._olmDevice.deviceCurve25519Key,
+                    ciphertext: {},
+                };
+                await olmlib.ensureOlmSessionsForDevices(
+                    this._baseApis._crypto._olmDevice,
+                    this._baseApis,
+                    {
+                        [sender]: [
+                            await this._baseApis.getStoredDevice(sender, deviceId),
+                        ],
+                    },
+                );
+                await olmlib.encryptMessageForDevice(
+                    encryptedContent.ciphertext,
+                    this._baseApis.getUserId(),
+                    this._baseApis.deviceId,
+                    this._baseApis._crypto._olmDevice,
+                    sender,
+                    this._baseApis._crypto.getStoredDevice(sender, deviceId),
+                    payload,
+                );
+                const contentMap = {
+                    [sender]: {
+                        [deviceId]: encryptedContent,
+                    },
+                };
+
+                this._baseApis.sendToDevice("m.room.encrypted", contentMap);
+            }
+        }
+    }
+
+    _onSecretReceived(event) {
+        if (event.getSender() !== this._baseApis.getUserId()) {
+            // we shouldn't be receiving secrets from anyone else, so ignore
+            // because someone could be trying to send us bogus data
+            return;
+        }
+        const content = event.getContent();
+        logger.log("got secret share for request ", content.request_id);
+        const requestControl = this._requests[content.request_id];
+        if (requestControl) {
+            // make sure that the device that sent it is one of the devices that
+            // we requested from
+            const deviceInfo = this._baseApis._crypto._deviceList.getDeviceByIdentityKey(
+                olmlib.OLM_ALGORITHM,
+                event.getSenderKey(),
+            );
+            if (!deviceInfo) {
+                logger.log(
+                    "secret share from unknown device with key", event.getSenderKey(),
+                );
+                return;
+            }
+            if (!requestControl.devices.includes(deviceInfo.deviceId)) {
+                logger.log("unsolicited secret share from device", deviceInfo.deviceId);
+                return;
+            }
+
+            requestControl.resolve(content.secret);
+        }
+    }
+
+    async _getSecretStorageKey(keys) {
+        if (!this._cryptoCallbacks.getSecretStorageKey) {
+            throw new Error("No getSecretStorageKey callback supplied");
+        }
+
+        const returned = await Promise.resolve(
+            this._cryptoCallbacks.getSecretStorageKey({keys}),
+        );
+
+        if (!returned) {
+            throw new Error("getSecretStorageKey callback returned falsey");
+        }
+        if (returned.length < 2) {
+            throw new Error("getSecretStorageKey callback returned invalid data");
+        }
+
+        const [keyId, privateKey] = returned;
+        if (!keys[keyId]) {
+            throw new Error("App returned unknown key from getSecretStorageKey!");
+        }
+
+        switch (keys[keyId].algorithm) {
+            case SECRET_STORAGE_ALGORITHM_V1:
+            {
+                const decryption = new global.Olm.PkDecryption();
+                let pubkey;
+                try {
+                    pubkey = decryption.init_with_private_key(privateKey);
+                } catch (e) {
+                    decryption.free();
+                    throw new Error("getSecretStorageKey callback returned invalid key");
+                }
+                if (pubkey !== keys[keyId].pubkey) {
+                    decryption.free();
+                    throw new Error(
+                        "getSecretStorageKey callback returned incorrect key",
+                    );
+                }
+                return [keyId, decryption];
+            }
+            default:
+                throw new Error("Unknown key type: " + keys[keyId].algorithm);
+        }
+    }
+}

src/crypto/algorithms/megolm.js

@@ -23,7 +23,7 @@ limitations under the License.
  */
 
 import Promise from 'bluebird';
-import logger from '../../../src/logger';
+import logger from '../../logger';
 
 const utils = require("../../utils");
 const olmlib = require("../olmlib");

src/crypto/deviceinfo.js

@@ -56,6 +56,7 @@ function DeviceInfo(deviceId) {
     this.verified = DeviceVerification.UNVERIFIED;
     this.known = false;
     this.unsigned = {};
+    this.signatures = {};
 }
 
 /**
@@ -88,6 +89,7 @@ DeviceInfo.prototype.toStorage = function() {
         verified: this.verified,
         known: this.known,
         unsigned: this.unsigned,
+        signatures: this.signatures,
     };
 };
 

src/crypto/index.js

@@ -2,6 +2,7 @@
 Copyright 2016 OpenMarket Ltd
 Copyright 2017 Vector Creations Ltd
 Copyright 2018-2019 New Vector Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,6 +25,7 @@ limitations under the License.
 const anotherjson = require('another-json');
 import Promise from 'bluebird';
 import {EventEmitter} from 'events';
+import ReEmitter from '../ReEmitter';
 
 import logger from '../logger';
 const utils = require("../utils");
@@ -34,6 +36,8 @@ const DeviceInfo = require("./deviceinfo");
 const DeviceVerification = DeviceInfo.DeviceVerification;
 const DeviceList = require('./DeviceList').default;
 import { randomString } from '../randomstring';
+import { CrossSigningInfo, UserTrustLevel, DeviceTrustLevel } from './CrossSigning';
+import SecretStorage from './SecretStorage';
 
 import OutgoingRoomKeyRequestManager from './OutgoingRoomKeyRequestManager';
 import IndexedDBCryptoStore from './store/indexeddb-crypto-store';
@@ -65,6 +69,30 @@ export function isCryptoAvailable() {
     return Boolean(global.Olm);
 }
 
+/* subscribes to timeline events / to_device events for SAS verification */
+function listenForEvents(client, roomId, listener) {
+    let isEncrypted = false;
+    if (roomId) {
+        isEncrypted = client.isRoomEncrypted(roomId);
+    }
+
+    if (isEncrypted) {
+        client.on("Event.decrypted", listener);
+    }
+    client.on("event", listener);
+    let subscribed = true;
+    return function() {
+        if (subscribed) {
+            if (isEncrypted) {
+                client.off("Event.decrypted", listener);
+            }
+            client.off("event", listener);
+            subscribed = false;
+        }
+        return null;
+    };
+}
+
 const MIN_FORCE_SESSION_INTERVAL_MS = 60 * 60 * 1000;
 const KEY_BACKUP_KEYS_PER_REQUEST = 200;
 
@@ -100,6 +128,10 @@ const KEY_BACKUP_KEYS_PER_REQUEST = 200;
  */
 export default function Crypto(baseApis, sessionStore, userId, deviceId,
     clientStore, cryptoStore, roomList, verificationMethods) {
+    this._onDeviceListUserCrossSigningUpdated =
+        this._onDeviceListUserCrossSigningUpdated.bind(this);
+
+    this._reEmitter = new ReEmitter(this);
     this._baseApis = baseApis;
     this._sessionStore = sessionStore;
     this._userId = userId;
@@ -138,6 +170,12 @@ export default function Crypto(baseApis, sessionStore, userId, deviceId,
     this._deviceList = new DeviceList(
         baseApis, cryptoStore, this._olmDevice,
     );
+    // XXX: This isn't removed at any point, but then none of the event listeners
+    // this class sets seem to be removed at any point... :/
+    this._deviceList.on(
+        'userCrossSigningUpdated', this._onDeviceListUserCrossSigningUpdated,
+    );
+    this._reEmitter.reEmit(this._deviceList, ["crypto.devicesUpdated"]);
 
     // the last time we did a check for the number of one-time-keys on the
     // server.
@@ -188,6 +226,14 @@ export default function Crypto(baseApis, sessionStore, userId, deviceId,
     this._lastNewSessionForced = {};
 
     this._verificationTransactions = new Map();
+
+    this._crossSigningInfo = new CrossSigningInfo(
+        userId, this._baseApis._cryptoCallbacks,
+    );
+
+    this._secretStorage = new SecretStorage(
+        baseApis, this._baseApis._cryptoCallbacks, this._crossSigningInfo,
+    );
 }
 utils.inherits(Crypto, EventEmitter);
 
@@ -236,10 +282,422 @@ Crypto.prototype.init = async function() {
         this._deviceList.saveIfDirty();
     }
 
+    await this._cryptoStore.doTxn(
+        'readonly', [IndexedDBCryptoStore.STORE_ACCOUNT],
+        (txn) => {
+            this._cryptoStore.getCrossSigningKeys(txn, (keys) => {
+                if (keys) {
+                    this._crossSigningInfo.setKeys(keys);
+                }
+            });
+        },
+    );
+    // make sure we are keeping track of our own devices
+    // (this is important for key backups & things)
+    this._deviceList.startTrackingDeviceList(this._userId);
+
     logger.log("Crypto: checking for key backup...");
     this._checkAndStartKeyBackup();
 };
 
+Crypto.prototype.addSecretKey = function(algorithm, opts, keyID) {
+    return this._secretStorage.addKey(algorithm, opts, keyID);
+};
+
+Crypto.prototype.storeSecret = function(name, secret, keys) {
+    return this._secretStorage.store(name, secret, keys);
+};
+
+Crypto.prototype.getSecret = function(name) {
+    return this._secretStorage.get(name);
+};
+
+Crypto.prototype.isSecretStored = function(name, checkKey) {
+    return this._secretStorage.isStored(name, checkKey);
+};
+
+Crypto.prototype.requestSecret = function(name, devices) {
+    if (!devices) {
+        devices = Object.keys(this._deviceList.getRawStoredDevicesForUser(this._userId));
+    }
+    return this._secretStorage.request(name, devices);
+};
+
+Crypto.prototype.getDefaultSecretStorageKeyId = function() {
+    return this._secretStorage.getDefaultKeyId();
+};
+
+Crypto.prototype.setDefaultSecretStorageKeyId = function(k) {
+    return this._secretStorage.setDefaultKeyId(k);
+};
+
+/**
+ * Checks that a given private key matches a given public key
+ * This can be used by the getCrossSigningKey callback to verify that the
+ * private key it is about to supply is the one that was requested.
+ *
+ * @param {Uint8Array} privateKey The private key
+ * @param {Uint8Array} expectedPublicKey The public key supplied by the getCrossSigningKey callback
+ * @returns {boolean} true if the key matches, otherwise false
+ */
+Crypto.prototype.checkPrivateKey = function(privateKey, expectedPublicKey) {
+    let signing = null;
+    try {
+        signing = new global.Olm.PkSigning();
+        const gotPubkey = signing.init_with_seed(privateKey);
+        // make sure it agrees with the given pubkey
+        return gotPubkey === expectedPublicKey;
+    } finally {
+        if (signing) signing.free();
+    }
+};
+
+/**
+ * Check whether we already have cross-signing keys for the current user.
+ *
+ * @return {boolean} Whether we have keys.
+ */
+Crypto.prototype.doesCrossSigningHaveKeys = function() {
+    return this._crossSigningInfo.hasKeys();
+};
+
+/**
+ * Generate new cross-signing keys.
+ *
+ * @param {object} authDict Auth data to supply for User-Interactive auth.
+ * @param {CrossSigningLevel} [level] the level of cross-signing to reset.  New
+ * keys will be created for the given level and below.  Defaults to
+ * regenerating all keys.
+ */
+Crypto.prototype.resetCrossSigningKeys = async function(authDict, level) {
+    await this._crossSigningInfo.resetKeys(level);
+    await this._signObject(this._crossSigningInfo.keys.master);
+    await this._cryptoStore.doTxn(
+        'readwrite', [IndexedDBCryptoStore.STORE_ACCOUNT],
+        (txn) => {
+            this._cryptoStore.storeCrossSigningKeys(txn, this._crossSigningInfo.keys);
+        },
+    );
+
+    // send keys to server
+    const keys = {};
+    for (const [name, key] of Object.entries(this._crossSigningInfo.keys)) {
+        keys[name + "_key"] = key;
+    }
+    await this._baseApis.uploadDeviceSigningKeys(authDict || {}, keys);
+    this._baseApis.emit("crossSigning.keysChanged", {});
+
+    // sign the current device with the new key, and upload to the server
+    const device = this._deviceList.getStoredDevice(this._userId, this._deviceId);
+    const signedDevice = await this._crossSigningInfo.signDevice(this._userId, device);
+    await this._baseApis.uploadKeySignatures({
+        [this._userId]: {
+            [this._deviceId]: signedDevice,
+        },
+    });
+
+    // check all users for signatures
+    // FIXME: do this in batches
+    const users = {};
+    for (const [userId, crossSigningInfo]
+         of Object.entries(this._deviceList._crossSigningInfo)) {
+        const upgradeInfo = await this._checkForDeviceVerificationUpgrade(
+            userId, CrossSigningInfo.fromStorage(crossSigningInfo, userId),
+        );
+        if (upgradeInfo) {
+            users[userId] = upgradeInfo;
+        }
+    }
+
+    const shouldUpgradeCb = (
+        this._baseApis._cryptoCallbacks.shouldUpgradeDeviceVerifications
+    );
+    if (Object.keys(users).length > 0 && shouldUpgradeCb) {
+        try {
+            const usersToUpgrade = await shouldUpgradeCb({users: users});
+            if (usersToUpgrade) {
+                for (const userId of usersToUpgrade) {
+                    if (userId in users) {
+                        await this._baseApis.setDeviceVerified(
+                            userId, users[userId].crossSigningInfo.getId(),
+                        );
+                    }
+                }
+            }
+        } catch (e) {
+            logger.log(
+                "shouldUpgradeDeviceVerifications threw an error: not upgrading", e,
+            );
+        }
+    }
+};
+
+/**
+ * Check if a user's cross-signing key is a candidate for upgrading from device
+ * verification.
+ *
+ * @param {string} userId the user whose cross-signing information is to be checked
+ * @param {object} crossSigningInfo the cross-signing information to check
+ */
+Crypto.prototype._checkForDeviceVerificationUpgrade = async function(
+    userId, crossSigningInfo,
+) {
+    // only upgrade if this is the first cross-signing key that we've seen for
+    // them, and if their cross-signing key isn't already verified
+    const trustLevel = this._crossSigningInfo.checkUserTrust(crossSigningInfo);
+    if (crossSigningInfo.firstUse && !trustLevel.verified) {
+        const devices = this._deviceList.getRawStoredDevicesForUser(userId);
+        const deviceIds = await this._checkForValidDeviceSignature(
+            userId, crossSigningInfo.keys.master, devices,
+        );
+        if (deviceIds.length) {
+            return {
+                devices: deviceIds.map(
+                    deviceId => DeviceInfo.fromStorage(devices[deviceId], deviceId),
+                ),
+                crossSigningInfo,
+            };
+        }
+    }
+};
+
+/**
+ * Check if the cross-signing key is signed by a verified device.
+ *
+ * @param {string} userId the user ID whose key is being checked
+ * @param {object} key the key that is being checked
+ * @param {object} devices the user's devices.  Should be a map from device ID
+ *     to device info
+ */
+Crypto.prototype._checkForValidDeviceSignature = async function(userId, key, devices) {
+    const deviceIds = [];
+    if (devices && key.signatures && key.signatures[userId]) {
+        for (const signame of Object.keys(key.signatures[userId])) {
+            const [, deviceId] = signame.split(':', 2);
+            if (deviceId in devices
+                && devices[deviceId].verified === DeviceVerification.VERIFIED) {
+                try {
+                    await olmlib.verifySignature(
+                        this._olmDevice,
+                        key,
+                        userId,
+                        deviceId,
+                        devices[deviceId].keys[signame],
+                    );
+                    deviceIds.push(deviceId);
+                } catch (e) {}
+            }
+        }
+    }
+    return deviceIds;
+};
+
+/**
+ * Get the user's cross-signing key ID.
+ *
+ * @param {string} [type=master] The type of key to get the ID of.  One of
+ *     "master", "self_signing", or "user_signing".  Defaults to "master".
+ *
+ * @returns {string} the key ID
+ */
+Crypto.prototype.getCrossSigningId = function(type) {
+    return this._crossSigningInfo.getId(type);
+};
+
+/**
+ * Get the cross signing information for a given user.
+ *
+ * @param {string} userId the user ID to get the cross-signing info for.
+ *
+ * @returns {CrossSigningInfo} the cross signing informmation for the user.
+ */
+Crypto.prototype.getStoredCrossSigningForUser = function(userId) {
+    return this._deviceList.getStoredCrossSigningForUser(userId);
+};
+
+/**
+ * Check whether a given user is trusted.
+ *
+ * @param {string} userId The ID of the user to check.
+ *
+ * @returns {UserTrustLevel}
+ */
+Crypto.prototype.checkUserTrust = function(userId) {
+    const userCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
+    if (!userCrossSigning) {
+        return new UserTrustLevel(false, false);
+    }
+    return this._crossSigningInfo.checkUserTrust(userCrossSigning);
+};
+
+/**
+ * Check whether a given device is trusted.
+ *
+ * @param {string} userId The ID of the user whose devices is to be checked.
+ * @param {string} deviceId The ID of the device to check
+ *
+ * @returns {DeviceTrustLevel}
+ */
+Crypto.prototype.checkDeviceTrust = function(userId, deviceId) {
+    const device = this._deviceList.getStoredDevice(userId, deviceId);
+    const trustedLocally = device && device.isVerified();
+
+    const userCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
+    if (device && userCrossSigning) {
+        return this._crossSigningInfo.checkDeviceTrust(
+            userCrossSigning, device, trustedLocally,
+        );
+    } else {
+        return new DeviceTrustLevel(false, false, trustedLocally);
+    }
+};
+
+/*
+ * Event handler for DeviceList's userNewDevices event
+ */
+Crypto.prototype._onDeviceListUserCrossSigningUpdated = async function(userId) {
+    if (userId === this._userId) {
+        // An update to our own cross-signing key.
+        // Get the new key first:
+        const newCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
+        const seenPubkey = newCrossSigning ? newCrossSigning.getId() : null;
+        const currentPubkey = this._crossSigningInfo.getId();
+        const changed = currentPubkey !== seenPubkey;
+
+        if (currentPubkey && seenPubkey && !changed) {
+            // If it's not changed, just make sure everything is up to date
+            await this.checkOwnCrossSigningTrust();
+        } else {
+            this.emit("crossSigning.keysChanged", {});
+            // We'll now be in a state where cross-signing on the account is not trusted
+            // because our locally stored cross-signing keys will not match the ones
+            // on the server for our account. The app must call checkOwnCrossSigningTrust()
+            // to fix this.
+            // XXX: Do we need to do something to emit events saying every device has become
+            // untrusted?
+        }
+    } else {
+        await this._checkDeviceVerifications(userId);
+        this.emit("userTrustStatusChanged", userId, this.checkUserTrust(userId));
+    }
+};
+
+/*
+ * Check the copy of our cross-signing key that we have in the device list and
+ * see if we can get the private key. If so, mark it as trusted.
+ */
+Crypto.prototype.checkOwnCrossSigningTrust = async function() {
+    const userId = this._userId;
+
+    // If we see an update to our own master key, check it against the master
+    // key we have and, if it matches, mark it as verified
+
+    // First, get the new cross-signing info
+    const newCrossSigning = this._deviceList.getStoredCrossSigningForUser(userId);
+    if (!newCrossSigning) {
+        logger.error(
+            "Got cross-signing update event for user " + userId +
+            " but no new cross-signing information found!",
+        );
+        return;
+    }
+
+    const seenPubkey = newCrossSigning.getId();
+    const changed = this._crossSigningInfo.getId() !== seenPubkey;
+    if (changed) {
+        // try to get the private key if the master key changed
+        logger.info("Got new master key", seenPubkey);
+
+        let signing = null;
+        try {
+            const ret = await this._crossSigningInfo.getCrossSigningKey(
+                'master', seenPubkey,
+            );
+            signing = ret[1];
+        } finally {
+            signing.free();
+        }
+
+        logger.info("Got matching private key from callback for new public master key");
+    }
+
+    const oldSelfSigningId = this._crossSigningInfo.getId("self_signing");
+    const oldUserSigningId = this._crossSigningInfo.getId("user_signing");
+
+    // Update the version of our keys in our cross-signing object and the local store
+    this._crossSigningInfo.setKeys(newCrossSigning.keys);
+    await this._cryptoStore.doTxn(
+        'readwrite', [IndexedDBCryptoStore.STORE_ACCOUNT],
+        (txn) => {
+            this._cryptoStore.storeCrossSigningKeys(txn, this._crossSigningInfo.keys);
+        },
+    );
+
+    const keySignatures = {};
+
+    if (oldSelfSigningId !== newCrossSigning.getId("self_signing")) {
+        logger.info("Got new self-signing key", newCrossSigning.getId("self_signing"));
+
+        const device = this._deviceList.getStoredDevice(this._userId, this._deviceId);
+        const signedDevice = await this._crossSigningInfo.signDevice(
+            this._userId, device,
+        );
+        keySignatures[this._deviceId] = signedDevice;
+    }
+    if (oldUserSigningId !== newCrossSigning.getId("user_signing")) {
+        logger.info("Got new user-signing key", newCrossSigning.getId("user_signing"));
+    }
+
+    if (changed) {
+        await this._signObject(this._crossSigningInfo.keys.master);
+        keySignatures[this._crossSigningInfo.getId()]
+            = this._crossSigningInfo.keys.master;
+    }
+
+    if (Object.keys(keySignatures).length) {
+        await this._baseApis.uploadKeySignatures({[this._userId]: keySignatures});
+    }
+
+    this.emit("userTrustStatusChanged", userId, this.checkUserTrust(userId));
+
+    // Now we may be able to trust our key backup
+    await this.checkKeyBackup();
+    // FIXME: if we previously trusted the backup, should we automatically sign
+    // the backup with the new key (if not already signed)?
+};
+
+/**
+ * Check if the master key is signed by a verified device, and if so, prompt
+ * the application to mark it as verified.
+ *
+ * @param {string} userId the user ID whose key should be checked
+ */
+Crypto.prototype._checkDeviceVerifications = async function(userId) {
+    if (this._crossSigningInfo.keys.user_signing) {
+        const crossSigningInfo = this._deviceList.getStoredCrossSigningForUser(userId);
+        if (crossSigningInfo) {
+            const upgradeInfo = await this._checkForDeviceVerificationUpgrade(
+                userId, crossSigningInfo,
+            );
+            const shouldUpgradeCb = (
+                this._baseApis._cryptoCallbacks.shouldUpgradeDeviceVerifications
+            );
+            if (upgradeInfo && shouldUpgradeCb) {
+                const usersToUpgrade = await shouldUpgradeCb({
+                    users: {
+                        [userId]: upgradeInfo,
+                    },
+                });
+                if (usersToUpgrade.includes(userId)) {
+                    await this._baseApis.setDeviceVerified(
+                        userId, crossSigningInfo.getId(),
+                    );
+                }
+            }
+        }
+    }
+};
+
 /**
  * Check the server for an active key backup and
  * if one is present and has a valid signature from
@@ -362,7 +820,35 @@ Crypto.prototype.isKeyBackupTrusted = async function(backupInfo) {
             logger.log("Ignoring unknown signature type: " + keyIdParts[0]);
             continue;
         }
+        // Could be an SSK but just say this is the device ID for backwards compat
         const sigInfo = { deviceId: keyIdParts[1] }; // XXX: is this how we're supposed to get the device ID?
+
+        // first check to see if it's from our cross-signing key
+        const crossSigningId = this._crossSigningInfo.getId();
+        if (crossSigningId === keyId) {
+            sigInfo.cross_signing_key = crossSigningId;
+            try {
+                await olmlib.verifySignature(
+                    this._olmDevice,
+                    backupInfo.auth_data,
+                    this._userId,
+                    sigInfo.deviceId,
+                    crossSigningId,
+                );
+                sigInfo.valid = true;
+            } catch (e) {
+                logger.warning(
+                    "Bad signature from cross signing key " + crossSigningId, e,
+                );
+                sigInfo.valid = false;
+            }
+            ret.sigs.push(sigInfo);
+            continue;
+        }
+
+        // Now look for a sig from a device
+        // At some point this can probably go away and we'll just support
+        // it being signed by the SSK
         const device = this._deviceList.getStoredDevice(
             this._userId, sigInfo.deviceId,
         );
@@ -394,10 +880,15 @@ Crypto.prototype.isKeyBackupTrusted = async function(backupInfo) {
         ret.sigs.push(sigInfo);
     }
 
-    ret.usable = (
-        ret.sigs.some((s) => s.valid && s.device.isVerified()) ||
-        ret.trusted_locally
-    );
+    ret.usable = ret.sigs.some((s) => {
+        return (
+            s.valid && (
+                (s.device && s.device.isVerified()) ||
+                (s.cross_signing_key)
+            )
+        );
+    });
+    ret.usable |= ret.trusted_locally;
     return ret;
 };
 
@@ -493,7 +984,7 @@ Crypto.prototype.uploadDeviceKeys = function() {
     };
 
     return crypto._signObject(deviceKeys).then(() => {
-        crypto._baseApis.uploadKeysRequest({
+        return crypto._baseApis.uploadKeysRequest({
             device_keys: deviceKeys,
         }, {
             // for now, we set the device id explicitly, as we may not be using the
@@ -721,6 +1212,36 @@ Crypto.prototype.saveDeviceList = function(delay) {
 Crypto.prototype.setDeviceVerification = async function(
     userId, deviceId, verified, blocked, known,
 ) {
+    // get rid of any `undefined`s here so we can just check
+    // for null rather than null or undefined
+    if (verified === undefined) verified = null;
+    if (blocked === undefined) blocked = null;
+    if (known === undefined) known = null;
+
+    // Check if the 'device' is actually a cross signing key
+    // The js-sdk's verification treats cross-signing keys as devices
+    // and so uses this method to mark them verified.
+    const xsk = this._deviceList.getStoredCrossSigningForUser(userId);
+    if (xsk && xsk.getId() === deviceId) {
+        if (blocked !== null || known !== null) {
+            throw new Error("Cannot set blocked or known for a cross-signing key");
+        }
+        if (!verified) {
+            throw new Error("Cannot set a cross-signing key as unverified");
+        }
+        const device = await this._crossSigningInfo.signUser(xsk);
+        if (device) {
+            await this._baseApis.uploadKeySignatures({
+                [userId]: {
+                    [deviceId]: device,
+                },
+            });
+            // This will emit events when it comes back down the sync
+            // (we could do local echo to speed things up)
+        }
+        return device;
+    }
+
     const devices = this._deviceList.getRawStoredDevicesForUser(userId);
     if (!devices || !devices[deviceId]) {
         throw new Error("Unknown device " + userId + ":" + deviceId);
@@ -742,7 +1263,7 @@ Crypto.prototype.setDeviceVerification = async function(
     }
 
     let knownStatus = dev.known;
-    if (known !== null && known !== undefined) {
+    if (known !== null) {
         knownStatus = known;
     }
 
@@ -752,10 +1273,165 @@ Crypto.prototype.setDeviceVerification = async function(
         this._deviceList.storeDevicesForUser(userId, devices);
         this._deviceList.saveIfDirty();
     }
-    return DeviceInfo.fromStorage(dev, deviceId);
+
+    // do cross-signing
+    if (verified && userId === this._userId) {
+        const device = await this._crossSigningInfo.signDevice(
+            userId, DeviceInfo.fromStorage(dev, deviceId),
+        );
+        if (device) {
+            await this._baseApis.uploadKeySignatures({
+                [userId]: {
+                    [deviceId]: device,
+                },
+            });
+            // XXX: we'll need to wait for the device list to be updated
+        }
+    }
+
+    const deviceObj = DeviceInfo.fromStorage(dev, deviceId);
+    this.emit("deviceVerificationChanged", userId, deviceId, deviceObj);
+    return deviceObj;
 };
 
 
+function verificationEventHandler(target, userId, roomId, eventId) {
+    return function(event) {
+        // listen for events related to this verification
+        if (event.getRoomId() !== roomId
+            || event.getSender() !== userId) {
+            return;
+        }
+        // ignore events that haven't been decrypted yet.
+        // we also listen for undecrypted events, just in case
+        // the other side would be sending unencrypted events in an e2ee room
+        if (event.getType() === "m.room.encrypted") {
+            return;
+        }
+        const relatesTo = event.getRelation();
+        if (!relatesTo
+            || !relatesTo.rel_type
+            || relatesTo.rel_type !== "m.reference"
+            || !relatesTo.event_id
+            || relatesTo.event_id !== eventId) {
+            return;
+        }
+
+        // the event seems to be related to this verification, so pass it on to
+        // the verification handler
+        target.handleEvent(event);
+    };
+}
+
+Crypto.prototype.requestVerificationDM = async function(userId, roomId, methods) {
+    let methodMap;
+    if (methods) {
+        methodMap = new Map();
+        for (const method of methods) {
+            if (typeof method === "string") {
+                methodMap.set(method, defaultVerificationMethods[method]);
+            } else if (method.NAME) {
+                methodMap.set(method.NAME, method);
+            }
+        }
+    } else {
+        methodMap = this._baseApis._crypto._verificationMethods;
+    }
+
+    let eventId = undefined;
+    const listenPromise = new Promise((_resolve, _reject) => {
+        const listener = (event) => {
+            // listen for events related to this verification
+            if (event.getRoomId() !== roomId
+                || event.getSender() !== userId) {
+                return;
+            }
+            const relatesTo = event.getRelation();
+            if (!relatesTo || !relatesTo.rel_type
+                || relatesTo.rel_type !== "m.reference"
+                || !relatesTo.event_id
+                || relatesTo.event_id !== eventId) {
+                return;
+            }
+
+            const content = event.getContent();
+            // the event seems to be related to this verification
+            switch (event.getType()) {
+            case "m.key.verification.start": {
+                const verifier = new (methodMap.get(content.method))(
+                    this._baseApis, userId, content.from_device, eventId,
+                    roomId, event,
+                );
+                verifier.handler = verificationEventHandler(
+                    verifier, userId, roomId, eventId,
+                );
+                // this handler gets removed when the verification finishes
+                // (see the verify method of crypto/verification/Base.js)
+                const subscription =
+                    listenForEvents(this._baseApis, roomId, verifier.handler);
+                verifier.setEventsSubscription(subscription);
+                resolve(verifier);
+                break;
+            }
+            case "m.key.verification.cancel": {
+                reject(event);
+                break;
+            }
+            }
+        };
+        let initialResponseSubscription =
+            listenForEvents(this._baseApis, roomId, listener);
+
+        const resolve = (...args) => {
+            if (initialResponseSubscription) {
+                initialResponseSubscription = initialResponseSubscription();
+            }
+            _resolve(...args);
+        };
+        const reject = (...args) => {
+            if (initialResponseSubscription) {
+                initialResponseSubscription = initialResponseSubscription();
+            }
+            _reject(...args);
+        };
+    });
+
+    const res = await this._baseApis.sendEvent(
+        roomId, "m.room.message",
+        {
+            body: this._baseApis.getUserId() + " is requesting to verify " +
+                "your key, but your client does not support in-chat key " +
+                "verification.  You will need to use legacy key " +
+                "verification to verify keys.",
+            msgtype: "m.key.verification.request",
+            to: userId,
+            from_device: this._baseApis.getDeviceId(),
+            methods: [...methodMap.keys()],
+        },
+    );
+    eventId = res.event_id;
+
+    return listenPromise;
+};
+
+Crypto.prototype.acceptVerificationDM = function(event, Method) {
+    if (typeof(Method) === "string") {
+        Method = defaultVerificationMethods[Method];
+    }
+    const content = event.getContent();
+    const verifier = new Method(
+        this._baseApis, event.getSender(), content.from_device, event.getId(),
+        event.getRoomId(),
+    );
+    verifier.handler = verificationEventHandler(
+        verifier, event.getSender(), event.getRoomId(), event.getId(),
+    );
+    const subscription = listenForEvents(
+        this._baseApis, event.getRoomId(), verifier.handler);
+    verifier.setEventsSubscription(subscription);
+    return verifier;
+};
+
 Crypto.prototype.requestVerification = function(userId, methods, devices) {
     if (!methods) {
         // .keys() returns an iterator, so we need to explicitly turn it into an array
@@ -803,20 +1479,7 @@ Crypto.prototype.beginKeyVerification = function(
         this._verificationTransactions.set(userId, new Map());
     }
     transactionId = transactionId || randomString(32);
-    if (method instanceof Array) {
-        if (method.length !== 2
-            || !this._verificationMethods.has(method[0])
-            || !this._verificationMethods.has(method[1])) {
-            throw newUnknownMethodError();
-        }
-        /*
-        return new TwoPartVerification(
-            this._verificationMethods[method[0]],
-            this._verificationMethods[method[1]],
-            userId, deviceId, transactionId,
-        );
-        */
-    } else if (this._verificationMethods.has(method)) {
+    if (this._verificationMethods.has(method)) {
         const verifier = new (this._verificationMethods.get(method))(
             this._baseApis, userId, deviceId, transactionId,
         );
@@ -951,6 +1614,15 @@ Crypto.prototype.forceDiscardSession = function(roomId) {
  *   the device query is always inhibited as the members are not tracked.
  */
 Crypto.prototype.setRoomEncryption = async function(roomId, config, inhibitDeviceQuery) {
+    // ignore crypto events with no algorithm defined
+    // This will happen if a crypto event is redacted before we fetch the room state
+    // It would otherwise just throw later as an unknown algorithm would, but we may
+    // as well catch this here
+    if (!config.algorithm) {
+        console.log("Ignoring setRoomEncryption with no algorithm");
+        return;
+    }
+
     // if state is being replayed from storage, we might already have a configuration
     // for this room as they are persisted as well.
     // We just need to make sure the algorithm is initialized in this case.
@@ -1495,6 +2167,8 @@ Crypto.prototype.onSyncWillProcess = async function(syncData) {
         // at which point we'll start tracking all the users of that room.
         logger.log("Initial sync performed - resetting device tracking state");
         this._deviceList.stopTrackingAllDeviceLists();
+        // we always track our own device list (for key backups etc)
+        this._deviceList.startTrackingDeviceList(this._userId);
         this._roomDeviceTrackingState = {};
     }
 };
@@ -1608,6 +2282,10 @@ Crypto.prototype._onToDeviceEvent = function(event) {
             this._onRoomKeyEvent(event);
         } else if (event.getType() == "m.room_key_request") {
             this._onRoomKeyRequestEvent(event);
+        } else if (event.getType() === "m.secret.request") {
+            this._secretStorage._onRequestReceived(event);
+        } else if (event.getType() === "m.secret.send") {
+            this._secretStorage._onSecretReceived(event);
         } else if (event.getType() === "m.key.verification.request") {
             this._onKeyVerificationRequest(event);
         } else if (event.getType() === "m.key.verification.start") {
@@ -1817,22 +2495,6 @@ Crypto.prototype._onKeyVerificationStart = function(event) {
             transaction_id: content.transactionId,
         }));
         return;
-    } else if (content.next_method) {
-        if (!this._verificationMethods.has(content.next_method)) {
-            cancel(newUnknownMethodError({
-                transaction_id: content.transactionId,
-            }));
-            return;
-        } else {
-            /* TODO:
-            const verification = new TwoPartVerification(
-                this._verificationMethods[content.method],
-                this._verificationMethods[content.next_method],
-                userId, deviceId,
-            );
-            this.emit(verification.event_type, verification);
-            this.emit(verification.first.event_type, verification);*/
-        }
     } else {
         const verifier = new (this._verificationMethods.get(content.method))(
             this._baseApis, sender, deviceId, content.transaction_id,
@@ -1887,8 +2549,6 @@ Crypto.prototype._onKeyVerificationStart = function(event) {
 
                     handler.request.resolve(verifier);
                 }
-            } else {
-                // FIXME: make sure we're in a two-part verification, and the start matches the second part
             }
         }
         this._baseApis.emit("crypto.verification.start", verifier);
@@ -2284,11 +2944,17 @@ Crypto.prototype._getRoomDecryptor = function(roomId, algorithm) {
  * @param {Object} obj  Object to which we will add a 'signatures' property
  */
 Crypto.prototype._signObject = async function(obj) {
-    const sigs = {};
-    sigs[this._userId] = {};
+    const sigs = obj.signatures || {};
+    const unsigned = obj.unsigned;
+
+    delete obj.signatures;
+    delete obj.unsigned;
+
+    sigs[this._userId] = sigs[this._userId] || {};
     sigs[this._userId]["ed25519:" + this._deviceId] =
         await this._olmDevice.sign(anotherjson.stringify(obj));
     obj.signatures = sigs;
+    if (unsigned !== undefined) obj.unsigned = unsigned;
 };
 
 

src/crypto/key_passphrase.js

@@ -1,5 +1,6 @@
 /*
 Copyright 2018 New Vector Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -18,13 +19,11 @@ import { randomString } from '../randomstring';
 
 const DEFAULT_ITERATIONS = 500000;
 
-export async function keyForExistingBackup(backupData, password) {
+export async function keyFromAuthData(authData, password) {
     if (!global.Olm) {
         throw new Error("Olm is not available");
     }
 
-    const authData = backupData.auth_data;
-
     if (!authData.private_key_salt || !authData.private_key_iterations) {
         throw new Error(
             "Salt and/or iterations not found: " +
@@ -33,12 +32,12 @@ export async function keyForExistingBackup(backupData, password) {
     }
 
     return await deriveKey(
-        password, backupData.auth_data.private_key_salt,
-        backupData.auth_data.private_key_iterations,
+        password, authData.private_key_salt,
+        authData.private_key_iterations,
     );
 }
 
-export async function keyForNewBackup(password) {
+export async function keyFromPassphrase(password) {
     if (!global.Olm) {
         throw new Error("Olm is not available");
     }

src/crypto/olmlib.js

@@ -328,11 +328,74 @@ const _verifySignature = module.exports.verifySignature = async function(
 
     // prepare the canonical json: remove unsigned and signatures, and stringify with
     // anotherjson
-    delete obj.unsigned;
-    delete obj.signatures;
-    const json = anotherjson.stringify(obj);
+    const mangledObj = Object.assign({}, obj);
+    delete mangledObj.unsigned;
+    delete mangledObj.signatures;
+    const json = anotherjson.stringify(mangledObj);
 
     olmDevice.verifySignature(
         signingKey, json, signature,
     );
 };
+
+/**
+ * Sign a JSON object using public key cryptography
+ * @param {Object} obj Object to sign.  The object will be modified to include
+ *     the new signature
+ * @param {Olm.PkSigning|Uint8Array} key the signing object or the private key
+ * seed
+ * @param {string} userId The user ID who owns the signing key
+ * @param {string} pubkey The public key (ignored if key is a seed)
+ * @returns {string} the signature for the object
+ */
+module.exports.pkSign = function(obj, key, userId, pubkey) {
+    let createdKey = false;
+    if (key instanceof Uint8Array) {
+        const keyObj = new global.Olm.PkSigning();
+        pubkey = keyObj.init_with_seed(key);
+        key = keyObj;
+        createdKey = true;
+    }
+    const sigs = obj.signatures || {};
+    delete obj.signatures;
+    const unsigned = obj.unsigned;
+    if (obj.unsigned) delete obj.unsigned;
+    try {
+        const mysigs = sigs[userId] || {};
+        sigs[userId] = mysigs;
+
+        return mysigs['ed25519:' + pubkey] = key.sign(anotherjson.stringify(obj));
+    } finally {
+        obj.signatures = sigs;
+        if (unsigned) obj.unsigned = unsigned;
+        if (createdKey) {
+            key.free();
+        }
+    }
+};
+
+/**
+ * Verify a signed JSON object
+ * @param {Object} obj Object to verify
+ * @param {string} pubkey The public key to use to verify
+ * @param {string} userId The user ID who signed the object
+ */
+module.exports.pkVerify = function(obj, pubkey, userId) {
+    const keyId = "ed25519:" + pubkey;
+    if (!(obj.signatures && obj.signatures[userId] && obj.signatures[userId][keyId])) {
+        throw new Error("No signature");
+    }
+    const signature = obj.signatures[userId][keyId];
+    const util = new global.Olm.Utility();
+    const sigs = obj.signatures;
+    delete obj.signatures;
+    const unsigned = obj.unsigned;
+    if (obj.unsigned) delete obj.unsigned;
+    try {
+        util.ed25519_verify(pubkey, anotherjson.stringify(obj), signature);
+    } finally {
+        obj.signatures = sigs;
+        if (unsigned) obj.unsigned = unsigned;
+        util.free();
+    }
+};

src/crypto/store/indexeddb-crypto-store-backend.js

@@ -332,6 +332,23 @@ export class Backend {
         objectStore.put(newData, "-");
     }
 
+    getCrossSigningKeys(txn, func) {
+        const objectStore = txn.objectStore("account");
+        const getReq = objectStore.get("crossSigningKeys");
+        getReq.onsuccess = function() {
+            try {
+                func(getReq.result || null);
+            } catch (e) {
+                abortWithException(txn, e);
+            }
+        };
+    }
+
+    storeCrossSigningKeys(txn, keys) {
+        const objectStore = txn.objectStore("account");
+        objectStore.put(keys, "crossSigningKeys");
+    }
+
     // Olm Sessions
 
     countEndToEndSessions(txn, func) {

src/crypto/store/indexeddb-crypto-store.js

@@ -290,7 +290,7 @@ export default class IndexedDBCryptoStore {
         this._backendPromise.value().getAccount(txn, func);
     }
 
-    /*
+    /**
      * Write the account pickle to the store.
      * This requires an active transaction. See doTxn().
      *
@@ -301,6 +301,28 @@ export default class IndexedDBCryptoStore {
         this._backendPromise.value().storeAccount(txn, newData);
     }
 
+    /**
+     * Get the public part of the cross-signing keys (eg. self-signing key,
+     * user signing key).
+     *
+     * @param {*} txn An active transaction. See doTxn().
+     * @param {function(string)} func Called with the account keys object:
+     *        { key_type: base64 encoded seed } where key type = user_signing_key_seed or self_signing_key_seed
+     */
+    getCrossSigningKeys(txn, func) {
+        this._backendPromise.value().getCrossSigningKeys(txn, func);
+    }
+
+    /**
+     * Write the cross-signing keys back to the store
+     *
+     * @param {*} txn An active transaction. See doTxn().
+     * @param {string} keys keys object as getCrossSigningKeys()
+     */
+    storeCrossSigningKeys(txn, keys) {
+        this._backendPromise.value().storeCrossSigningKeys(txn, keys);
+    }
+
     // Olm sessions
 
     /**

src/crypto/store/localStorage-crypto-store.js

@@ -17,7 +17,7 @@ limitations under the License.
 import Promise from 'bluebird';
 
 import logger from '../../logger';
-import MemoryCryptoStore from './memory-crypto-store.js';
+import MemoryCryptoStore from './memory-crypto-store';
 
 /**
  * Internal module. Partial localStorage backed storage for e2e.
@@ -31,6 +31,7 @@ import MemoryCryptoStore from './memory-crypto-store.js';
 
 const E2E_PREFIX = "crypto.";
 const KEY_END_TO_END_ACCOUNT = E2E_PREFIX + "account";
+const KEY_CROSS_SIGNING_KEYS = E2E_PREFIX + "cross_signing_keys";
 const KEY_DEVICE_DATA = E2E_PREFIX + "device_data";
 const KEY_INBOUND_SESSION_PREFIX = E2E_PREFIX + "inboundgroupsessions/";
 const KEY_ROOMS_PREFIX = E2E_PREFIX + "rooms/";
@@ -284,6 +285,17 @@ export default class LocalStorageCryptoStore extends MemoryCryptoStore {
         );
     }
 
+    getCrossSigningKeys(txn, func) {
+        const keys = getJsonItem(this.store, KEY_CROSS_SIGNING_KEYS);
+        func(keys);
+    }
+
+    storeCrossSigningKeys(txn, keys) {
+        setJsonItem(
+            this.store, KEY_CROSS_SIGNING_KEYS, keys,
+        );
+    }
+
     doTxn(mode, stores, func) {
         return Promise.resolve(func(null));
     }

src/crypto/store/memory-crypto-store.js

@@ -33,6 +33,7 @@ export default class MemoryCryptoStore {
     constructor() {
         this._outgoingRoomKeyRequests = [];
         this._account = null;
+        this._crossSigningKeys = null;
 
         // Map of {devicekey -> {sessionId -> session pickle}}
         this._sessions = {};
@@ -234,6 +235,14 @@ export default class MemoryCryptoStore {
         this._account = newData;
     }
 
+    getCrossSigningKeys(txn, func) {
+        func(this._crossSigningKeys);
+    }
+
+    storeCrossSigningKeys(txn, keys) {
+        this._crossSigningKeys = keys;
+    }
+
     // Olm Sessions
 
     countEndToEndSessions(txn, func) {

src/crypto/verification/Base.js

@@ -22,6 +22,7 @@ limitations under the License.
 import {MatrixEvent} from '../../models/event';
 import {EventEmitter} from 'events';
 import logger from '../../logger';
+import DeviceInfo from '../deviceinfo';
 import {newTimeoutError} from "./Error";
 
 const timeoutException = new Error("Verification timed out");
@@ -47,42 +48,55 @@ export default class VerificationBase extends EventEmitter {
      *
      * @param {string} transactionId the transaction ID to be used when sending events
      *
-     * @param {object} startEvent the m.key.verification.start event that
+     * @param {string} [roomId] the room to use for verification
+     *
+     * @param {object} [startEvent] the m.key.verification.start event that
      * initiated this verification, if any
      *
-     * @param {object} request the key verification request object related to
+     * @param {object} [request] the key verification request object related to
      * this verification, if any
-     *
-     * @param {object} parent parent verification for this verification, if any
      */
-    constructor(baseApis, userId, deviceId, transactionId, startEvent, request, parent) {
+    constructor(baseApis, userId, deviceId, transactionId, roomId, startEvent, request) {
         super();
         this._baseApis = baseApis;
         this.userId = userId;
         this.deviceId = deviceId;
         this.transactionId = transactionId;
-        this.startEvent = startEvent;
-        this.request = request;
+        if (typeof(roomId) === "string" || roomId instanceof String) {
+            this.roomId = roomId;
+            this.startEvent = startEvent;
+            this.request = request;
+        } else {
+            // if room ID was omitted, but start event and request were not
+            this.startEvent= roomId;
+            this.request = startEvent;
+        }
         this.cancelled = false;
-        this._parent = parent;
         this._done = false;
         this._promise = null;
         this._transactionTimeoutTimer = null;
+        this._eventsSubscription = null;
 
         // At this point, the verification request was received so start the timeout timer.
         this._resetTimer();
+
+        if (this.roomId) {
+            this._sendWithTxnId = this._sendMessage;
+        } else {
+            this._sendWithTxnId = this._sendToDevice;
+        }
     }
 
     _resetTimer() {
-        console.log("Refreshing/starting the verification transaction timeout timer");
+        logger.info("Refreshing/starting the verification transaction timeout timer");
         if (this._transactionTimeoutTimer !== null) {
             clearTimeout(this._transactionTimeoutTimer);
         }
         this._transactionTimeoutTimer = setTimeout(() => {
-           if (!this._done && !this.cancelled) {
-               console.log("Triggering verification timeout");
-               this.cancel(timeoutException);
-           }
+            if (!this._done && !this.cancelled) {
+                logger.info("Triggering verification timeout");
+                this.cancel(timeoutException);
+            }
         }, 10 * 60 * 1000); // 10 minutes
     }
 
@@ -93,16 +107,57 @@ export default class VerificationBase extends EventEmitter {
         }
     }
 
+    _contentFromEventWithTxnId(event) {
+        if (this.roomId) {  // verification as timeline event
+            // ensure m.related_to is included in e2ee rooms
+            // as the field is excluded from encryption
+            const content = Object.assign({}, event.getContent());
+            content["m.relates_to"] = event.getRelation();
+            return content;
+        } else { // verification as to_device event
+            return event.getContent();
+        }
+    }
+
+    /* creates a content object with the transaction id added to it */
+    _contentWithTxnId(content) {
+        const copy = Object.assign({}, content);
+        if (this.roomId) { // verification as timeline event
+            copy["m.relates_to"] = {
+                rel_type: "m.reference",
+                event_id: this.transactionId,
+            };
+        } else { // verification as to_device event
+            copy.transaction_id = this.transactionId;
+        }
+        return copy;
+    }
+
+    _send(type, contentWithoutTxnId) {
+        const content = this._contentWithTxnId(contentWithoutTxnId);
+        return this._sendWithTxnId(type, content);
+    }
+
+    /* send a message to the other participant, using to-device messages
+     */
     _sendToDevice(type, content) {
         if (this._done) {
             return Promise.reject(new Error("Verification is already done"));
         }
-        content.transaction_id = this.transactionId;
         return this._baseApis.sendToDevice(type, {
             [this.userId]: { [this.deviceId]: content },
         });
     }
 
+    /* send a message to the other participant, using in-roomm messages
+     */
+    _sendMessage(type, content) {
+        if (this._done) {
+            return Promise.reject(new Error("Verification is already done"));
+        }
+        return this._baseApis.sendEvent(this.roomId, type, content);
+    }
+
     _waitForEvent(type) {
         if (this._done) {
             return Promise.reject(new Error("Verification is already done"));
@@ -122,12 +177,16 @@ export default class VerificationBase extends EventEmitter {
             this._rejectEvent = undefined;
             this._resetTimer();
             this._resolveEvent(e);
+        } else if (e.getType() === "m.key.verification.cancel") {
+            const reject = this._reject;
+            this._reject = undefined;
+            reject(new Error("Other side cancelled verification"));
         } else {
-            this._expectedEvent = undefined;
             const exception = new Error(
                 "Unexpected message: expecting " + this._expectedEvent
                     + " but got " + e.getType(),
             );
+            this._expectedEvent = undefined;
             if (this._rejectEvent) {
                 const reject = this._rejectEvent;
                 this._rejectEvent = undefined;
@@ -140,6 +199,10 @@ export default class VerificationBase extends EventEmitter {
     done() {
         this._endTimer(); // always kill the activity timer
         if (!this._done) {
+            if (this.roomId) {
+                // verification in DM requires a done message
+                this._send("m.key.verification.done", {});
+            }
             this._resolve();
         }
     }
@@ -153,7 +216,7 @@ export default class VerificationBase extends EventEmitter {
                 // cancelled by the other user)
                 if (e === timeoutException) {
                     const timeoutEvent = newTimeoutError();
-                    this._sendToDevice(timeoutEvent.getType(), timeoutEvent.getContent());
+                    this._send(timeoutEvent.getType(), timeoutEvent.getContent());
                 } else if (e instanceof MatrixEvent) {
                     const sender = e.getSender();
                     if (sender !== this.userId) {
@@ -163,9 +226,9 @@ export default class VerificationBase extends EventEmitter {
                             content.reason = content.reason || content.body
                                 || "Unknown reason";
                             content.transaction_id = this.transactionId;
-                            this._sendToDevice("m.key.verification.cancel", content);
+                            this._send("m.key.verification.cancel", content);
                         } else {
-                            this._sendToDevice("m.key.verification.cancel", {
+                            this._send("m.key.verification.cancel", {
                                 code: "m.unknown",
                                 reason: content.body || "Unknown reason",
                                 transaction_id: this.transactionId,
@@ -173,7 +236,7 @@ export default class VerificationBase extends EventEmitter {
                         }
                     }
                 } else {
-                    this._sendToDevice("m.key.verification.cancel", {
+                    this._send("m.key.verification.cancel", {
                         code: "m.unknown",
                         reason: e.toString(),
                         transaction_id: this.transactionId,
@@ -185,6 +248,12 @@ export default class VerificationBase extends EventEmitter {
                 // but no reject function. If cancel is called again, we'd error.
                 if (this._reject) this._reject(e);
             } else {
+                // unsubscribe from events, this happens in _reject usually but we don't have one here
+                if (this._eventsSubscription) {
+                    this._eventsSubscription = this._eventsSubscription();
+                }
+                // FIXME: this causes an "Uncaught promise" console message
+                // if nothing ends up chaining this promise.
                 this._promise = Promise.reject(e);
             }
             // Also emit a 'cancel' event that the app can listen for to detect cancellation
@@ -206,11 +275,23 @@ export default class VerificationBase extends EventEmitter {
             this._resolve = (...args) => {
                 this._done = true;
                 this._endTimer();
+                if (this.handler) {
+                    // these listeners are attached in Crypto.acceptVerificationDM
+                    if (this._eventsSubscription) {
+                        this._eventsSubscription = this._eventsSubscription();
+                    }
+                }
                 resolve(...args);
             };
             this._reject = (...args) => {
                 this._done = true;
                 this._endTimer();
+                if (this.handler) {
+                    // these listeners are attached in Crypto.acceptVerificationDM
+                    if (this._eventsSubscription) {
+                        this._eventsSubscription = this._eventsSubscription();
+                    }
+                }
                 reject(...args);
             };
         });
@@ -232,11 +313,24 @@ export default class VerificationBase extends EventEmitter {
         for (const [keyId, keyInfo] of Object.entries(keys)) {
             const deviceId = keyId.split(':', 2)[1];
             const device = await this._baseApis.getStoredDevice(userId, deviceId);
-            if (!device) {
-                logger.warn(`verification: Could not find device ${deviceId} to verify`);
-            } else {
+            if (device) {
                 await verifier(keyId, device, keyInfo);
                 verifiedDevices.push(deviceId);
+            } else {
+                const crossSigningInfo = this._baseApis._crypto._deviceList
+                      .getStoredCrossSigningForUser(userId);
+                if (crossSigningInfo && crossSigningInfo.getId() === deviceId) {
+                    await verifier(keyId, DeviceInfo.fromStorage({
+                        keys: {
+                            [keyId]: deviceId,
+                        },
+                    }, deviceId), keyInfo);
+                    verifiedDevices.push(deviceId);
+                } else {
+                    logger.warn(
+                        `verification: Could not find device ${deviceId} to verify`,
+                    );
+                }
             }
         }
 
@@ -250,4 +344,8 @@ export default class VerificationBase extends EventEmitter {
             await this._baseApis.setDeviceVerified(userId, deviceId);
         }
     }
+
+    setEventsSubscription(subscription) {
+        this._eventsSubscription = subscription;
+    }
 }

src/crypto/verification/SAS.js

@@ -205,7 +205,7 @@ export default class SAS extends Base {
     }
 
     async _doSendVerification() {
-        const initialMessage = {
+        const initialMessage = this._contentWithTxnId({
             method: SAS.NAME,
             from_device: this._baseApis.deviceId,
             key_agreement_protocols: KEY_AGREEMENT_LIST,
@@ -213,9 +213,10 @@ export default class SAS extends Base {
             message_authentication_codes: MAC_LIST,
             // FIXME: allow app to specify what SAS methods can be used
             short_authentication_string: SAS_LIST,
-            transaction_id: this.transactionId,
-        };
-        this._sendToDevice("m.key.verification.start", initialMessage);
+        });
+        // add the transaction id to the message beforehand because
+        // it needs to be included in the commitment hash later on
+        this._sendWithTxnId("m.key.verification.start", initialMessage);
 
 
         let e = await this._waitForEvent("m.key.verification.accept");
@@ -235,7 +236,7 @@ export default class SAS extends Base {
         const hashCommitment = content.commitment;
         const olmSAS = new global.Olm.SAS();
         try {
-            this._sendToDevice("m.key.verification.key", {
+            this._send("m.key.verification.key", {
                 key: olmSAS.get_pubkey(),
             });
 
@@ -280,7 +281,10 @@ export default class SAS extends Base {
     }
 
     async _doRespondVerification() {
-        let content = this.startEvent.getContent();
+        // as m.related_to is not included in the encrypted content in e2e rooms,
+        // we need to make sure it is added
+        let content = this._contentFromEventWithTxnId(this.startEvent);
+
         // Note: we intersect using our pre-made lists, rather than the sets,
         // so that the result will be in our order of preference.  Then
         // fetching the first element from the array will give our preferred
@@ -306,7 +310,7 @@ export default class SAS extends Base {
         const olmSAS = new global.Olm.SAS();
         try {
             const commitmentStr = olmSAS.get_pubkey() + anotherjson.stringify(content);
-            this._sendToDevice("m.key.verification.accept", {
+            this._send("m.key.verification.accept", {
                 key_agreement_protocol: keyAgreement,
                 hash: hashMethod,
                 message_authentication_code: macMethod,
@@ -320,7 +324,7 @@ export default class SAS extends Base {
             // FIXME: make sure event is properly formed
             content = e.getContent();
             olmSAS.set_their_key(content.key);
-            this._sendToDevice("m.key.verification.key", {
+            this._send("m.key.verification.key", {
                 key: olmSAS.get_pubkey(),
             });
 
@@ -354,22 +358,35 @@ export default class SAS extends Base {
     }
 
     _sendMAC(olmSAS, method) {
-        const keyId = `ed25519:${this._baseApis.deviceId}`;
         const mac = {};
+        const keyList = [];
         const baseInfo = "MATRIX_KEY_VERIFICATION_MAC"
               + this._baseApis.getUserId() + this._baseApis.deviceId
               + this.userId + this.deviceId
               + this.transactionId;
 
-        mac[keyId] = olmSAS[macMethods[method]](
+        const deviceKeyId = `ed25519:${this._baseApis.deviceId}`;
+        mac[deviceKeyId] = olmSAS[macMethods[method]](
             this._baseApis.getDeviceEd25519Key(),
-            baseInfo + keyId,
+            baseInfo + deviceKeyId,
         );
+        keyList.push(deviceKeyId);
+
+        const crossSigningId = this._baseApis.getCrossSigningId();
+        if (crossSigningId) {
+            const crossSigningKeyId = `ed25519:${crossSigningId}`;
+            mac[crossSigningKeyId] = olmSAS[macMethods[method]](
+                crossSigningId,
+                baseInfo + crossSigningKeyId,
+            );
+            keyList.push(crossSigningKeyId);
+        }
+
         const keys = olmSAS[macMethods[method]](
-            keyId,
+            keyList.sort().join(","),
             baseInfo + "KEY_IDS",
         );
-        this._sendToDevice("m.key.verification.mac", { mac, keys });
+        this._send("m.key.verification.mac", { mac, keys });
     }
 
     async _checkMAC(olmSAS, content, method) {

src/http-api.js

@@ -23,7 +23,7 @@ import Promise from 'bluebird';
 const parseContentType = require('content-type').parse;
 
 const utils = require("./utils");
-import logger from '../src/logger';
+import logger from './logger';
 
 // we use our own implementation of setTimeout, so that if we get suspended in
 // the middle of a /sync, we cancel the sync as soon as we awake, rather than
@@ -96,6 +96,13 @@ module.exports.MatrixHttpApi = function MatrixHttpApi(event_emitter, opts) {
 };
 
 module.exports.MatrixHttpApi.prototype = {
+    /**
+     * Sets the baase URL for the identity server
+     * @param {string} url The new base url
+     */
+    setIdBaseUrl: function(url) {
+        this.opts.idBaseUrl = url;
+    },
 
     /**
      * Get the content repository url with query parameters.
@@ -382,6 +389,10 @@ module.exports.MatrixHttpApi.prototype = {
         prefix,
         accessToken,
     ) {
+        if (!this.opts.idBaseUrl) {
+            throw new Error("No Identity Server base URL set");
+        }
+
         const fullUri = this.opts.idBaseUrl + prefix + path;
 
         if (callback !== undefined && !utils.isFunction(callback)) {
@@ -394,18 +405,17 @@ module.exports.MatrixHttpApi.prototype = {
             uri: fullUri,
             method: method,
             withCredentials: false,
-            json: false,
+            json: true, // we want a JSON response if we can
             _matrix_opts: this.opts,
+            headers: {},
         };
-        if (method == 'GET') {
+        if (method === 'GET') {
             opts.qs = params;
-        } else {
-            opts.form = params;
+        } else if (typeof params === "object") {
+            opts.json = params;
         }
         if (accessToken) {
-            opts.headers = {
-                Authorization: `Bearer ${accessToken}`,
-            };
+            opts.headers['Authorization'] = `Bearer ${accessToken}`;
         }
 
         const defer = Promise.defer();
@@ -413,12 +423,7 @@ module.exports.MatrixHttpApi.prototype = {
             opts,
             requestCallback(defer, callback, this.opts.onlyData),
         );
-        // ID server does not always take JSON, so we can't use requests' 'json'
-        // option as we do with the home server, but it does return JSON, so
-        // parse it manually
-        return defer.promise.then(function(response) {
-            return JSON.parse(response);
-        });
+        return defer.promise;
     },
 
     /**
@@ -543,76 +548,6 @@ module.exports.MatrixHttpApi.prototype = {
         );
     },
 
-    /**
-     * Perform an authorised request to the homeserver with a specific path
-     * prefix which overrides the default for this call only. Useful for hitting
-     * different Matrix Client-Server versions.
-     * @param {Function} callback Optional. The callback to invoke on
-     * success/failure. See the promise return values for more information.
-     * @param {string} method The HTTP method e.g. "GET".
-     * @param {string} path The HTTP path <b>after</b> the supplied prefix e.g.
-     * "/createRoom".
-     * @param {Object} queryParams A dict of query params (these will NOT be
-     * urlencoded).
-     * @param {Object} data The HTTP JSON body.
-     * @param {string} prefix The full prefix to use e.g.
-     * "/_matrix/client/v2_alpha".
-     * @param {Number=} localTimeoutMs The maximum amount of time to wait before
-     * timing out the request. If not specified, there is no timeout.
-     * @return {module:client.Promise} Resolves to <code>{data: {Object},
-     * headers: {Object}, code: {Number}}</code>.
-     * If <code>onlyData</code> is set, this will resolve to the <code>data</code>
-     * object only.
-     * @return {module:http-api.MatrixError} Rejects with an error if a problem
-     * occurred. This includes network problems and Matrix-specific error JSON.
-     *
-     * @deprecated prefer authedRequest with opts.prefix
-     */
-    authedRequestWithPrefix: function(callback, method, path, queryParams, data,
-                                      prefix, localTimeoutMs) {
-        return this.authedRequest(
-            callback, method, path, queryParams, data, {
-                localTimeoutMs: localTimeoutMs,
-                prefix: prefix,
-            },
-        );
-    },
-
-    /**
-     * Perform a request to the homeserver without any credentials but with a
-     * specific path prefix which overrides the default for this call only.
-     * Useful for hitting different Matrix Client-Server versions.
-     * @param {Function} callback Optional. The callback to invoke on
-     * success/failure. See the promise return values for more information.
-     * @param {string} method The HTTP method e.g. "GET".
-     * @param {string} path The HTTP path <b>after</b> the supplied prefix e.g.
-     * "/createRoom".
-     * @param {Object} queryParams A dict of query params (these will NOT be
-     * urlencoded).
-     * @param {Object} data The HTTP JSON body.
-     * @param {string} prefix The full prefix to use e.g.
-     * "/_matrix/client/v2_alpha".
-     * @param {Number=} localTimeoutMs The maximum amount of time to wait before
-     * timing out the request. If not specified, there is no timeout.
-     * @return {module:client.Promise} Resolves to <code>{data: {Object},
-     * headers: {Object}, code: {Number}}</code>.
-     * If <code>onlyData</code> is set, this will resolve to the <code>data</code>
-     * object only.
-     * @return {module:http-api.MatrixError} Rejects with an error if a problem
-     * occurred. This includes network problems and Matrix-specific error JSON.
-     *
-     * @deprecated prefer request with opts.prefix
-     */
-    requestWithPrefix: function(callback, method, path, queryParams, data, prefix,
-                                localTimeoutMs) {
-        return this.request(
-            callback, method, path, queryParams, data, {
-                localTimeoutMs: localTimeoutMs,
-                prefix: prefix,
-            },
-        );
-    },
-
     /**
      * Perform a request to an arbitrary URL.
      * @param {Function} callback Optional. The callback to invoke on
@@ -901,7 +836,8 @@ function parseErrorResponse(response, body) {
     let err;
     if (contentType) {
         if (contentType.type === 'application/json') {
-            err = new module.exports.MatrixError(JSON.parse(body));
+            const jsonBody = typeof(body) === 'object' ? body : JSON.parse(body);
+            err = new module.exports.MatrixError(jsonBody);
         } else if (contentType.type === 'text/plain') {
             err = new Error(`Server returned ${httpStatus} error: ${body}`);
         }

src/interactive-auth.js

@@ -22,7 +22,7 @@ import Promise from 'bluebird';
 const url = require("url");
 
 const utils = require("./utils");
-import logger from '../src/logger';
+import logger from './logger';
 
 const EMAIL_STAGE_TYPE = "m.login.email.identity";
 const MSISDN_STAGE_TYPE = "m.login.msisdn";
@@ -174,16 +174,19 @@ InteractiveAuth.prototype = {
             // The email can be validated out-of-band, but we need to provide the
             // creds so the HS can go & check it.
             if (this._emailSid) {
-                const idServerParsedUrl = url.parse(
-                    this._matrixClient.getIdentityServerUrl(),
-                );
+                const creds = {
+                    sid: this._emailSid,
+                    client_secret: this._clientSecret,
+                };
+                if (await this._matrixClient.doesServerRequireIdServerParam()) {
+                    const idServerParsedUrl = url.parse(
+                        this._matrixClient.getIdentityServerUrl(),
+                    );
+                    creds.id_server = idServerParsedUrl.host;
+                }
                 authDict = {
                     type: EMAIL_STAGE_TYPE,
-                    threepid_creds: {
-                        sid: this._emailSid,
-                        client_secret: this._clientSecret,
-                        id_server: idServerParsedUrl.host,
-                    },
+                    threepid_creds: creds,
                 };
             }
         }

src/models/event-timeline-set.js

@@ -21,7 +21,7 @@ const EventEmitter = require("events").EventEmitter;
 const utils = require("../utils");
 const EventTimeline = require("./event-timeline");
 import {EventStatus} from "./event";
-import logger from '../../src/logger';
+import logger from '../logger';
 import Relations from './relations';
 
 // var DEBUG = false;
@@ -92,6 +92,13 @@ function EventTimelineSet(room, opts) {
 }
 utils.inherits(EventTimelineSet, EventEmitter);
 
+/**
+ * Get all the timelines in this set
+ * @return {module:models/event-timeline~EventTimeline[]} the timelines in this set
+ */
+EventTimelineSet.prototype.getTimelines = function() {
+    return this._timelines;
+};
 /**
  * Get the filter object this timeline set is filtered on, if any
  * @return {?Filter} the optional filter for this timelineSet
@@ -688,9 +695,12 @@ EventTimelineSet.prototype.compareEventOrdering = function(eventId1, eventId2) {
  * The type of relation involved, such as "m.annotation", "m.reference", "m.replace", etc.
  * @param {String} eventType
  * The relation event's type, such as "m.reaction", etc.
+ * @throws If <code>eventId</code>, <code>relationType</code> or <code>eventType</code>
+ * are not valid.
  *
- * @returns {Relations}
- * A container for relation events.
+ * @returns {?Relations}
+ * A container for relation events or undefined if there are no relation events for
+ * the relationType.
  */
 EventTimelineSet.prototype.getRelationsForEvent = function(
     eventId, relationType, eventType,
@@ -782,20 +792,27 @@ EventTimelineSet.prototype.aggregateRelations = function(event) {
     }
     let relationsWithEventType = relationsWithRelType[eventType];
 
+    let isNewRelations = false;
+    let relatesToEvent;
     if (!relationsWithEventType) {
         relationsWithEventType = relationsWithRelType[eventType] = new Relations(
             relationType,
             eventType,
             this.room,
         );
-        const relatesToEvent = this.findEventById(relatesToEventId);
+        isNewRelations = true;
+        relatesToEvent = this.findEventById(relatesToEventId);
         if (relatesToEvent) {
             relationsWithEventType.setTargetEvent(relatesToEvent);
-            relatesToEvent.emit("Event.relationsCreated", relationType, eventType);
         }
     }
 
     relationsWithEventType.addEvent(event);
+
+    // only emit once event has been added to relations
+    if (isNewRelations && relatesToEvent) {
+        relatesToEvent.emit("Event.relationsCreated", relationType, eventType);
+    }
 };
 
 /**

src/models/event.js

@@ -24,7 +24,7 @@ limitations under the License.
 import Promise from 'bluebird';
 import {EventEmitter} from 'events';
 import utils from '../utils.js';
-import logger from '../../src/logger';
+import logger from '../logger';
 
 /**
  * Enum for event statuses.

src/models/relations.js

@@ -242,7 +242,7 @@ export default class Relations extends EventEmitter {
 
         redactedEvent.removeListener("Event.beforeRedaction", this._onBeforeRedaction);
 
-        this.emit("Relations.redaction");
+        this.emit("Relations.redaction", redactedEvent);
     }
 
     /**

src/models/room-state.js

@@ -21,7 +21,7 @@ const EventEmitter = require("events").EventEmitter;
 
 const utils = require("../utils");
 const RoomMember = require("./room-member");
-import logger from '../../src/logger';
+import logger from '../logger';
 
 // possible statuses for out-of-band member loading
 const OOB_STATUS_NOTSTARTED = 1;

src/models/room.js

@@ -30,7 +30,7 @@ const ContentRepo = require("../content-repo");
 const EventTimeline = require("./event-timeline");
 const EventTimelineSet = require("./event-timeline-set");
 
-import logger from '../../src/logger';
+import logger from '../logger';
 import ReEmitter from '../ReEmitter';
 
 // These constants are used as sane defaults when the homeserver doesn't support
@@ -380,6 +380,23 @@ Room.prototype.getLiveTimeline = function() {
     return this.getUnfilteredTimelineSet().getLiveTimeline();
 };
 
+
+/**
+ * Get the timestamp of the last message in the room
+ *
+ * @return {number} the timestamp of the last message in the room
+ */
+Room.prototype.getLastActiveTimestamp = function() {
+    const timeline = this.getLiveTimeline();
+    const events = timeline.getEvents();
+    if (events.length) {
+        const lastEvent = events[events.length - 1];
+        return lastEvent.getTs();
+    } else {
+        return Number.MIN_SAFE_INTEGER;
+    }
+};
+
 /**
  * @param {string} myUserId the user id for the logged in member
  * @return {string} the membership type (join | leave | invite) for the logged in user

src/realtime-callbacks.js

@@ -24,7 +24,7 @@ limitations under the License.
  */
 
 "use strict";
-import logger from '../src/logger';
+import logger from './logger';
 
 // we schedule a callback at least this often, to check if we've missed out on
 // some wall-clock time due to being suspended.

src/scheduler.js

@@ -21,7 +21,7 @@ limitations under the License.
  */
 const utils = require("./utils");
 import Promise from 'bluebird';
-import logger from '../src/logger';
+import logger from './logger';
 
 const DEBUG = false;  // set true to enable console logging.
 

src/store/indexeddb-local-backend.js

@@ -19,7 +19,7 @@ import Promise from 'bluebird';
 import SyncAccumulator from "../sync-accumulator";
 import utils from "../utils";
 import * as IndexedDBHelpers from "../indexeddb-helpers";
-import logger from '../../src/logger';
+import logger from '../logger';
 
 const VERSION = 3;
 

src/store/indexeddb-remote-backend.js

@@ -16,7 +16,7 @@ limitations under the License.
 */
 
 import Promise from 'bluebird';
-import logger from '../../src/logger';
+import logger from '../logger';
 
 /**
  * An IndexedDB store backend where the actual backend sits in a web

src/store/indexeddb-store-worker.js

@@ -17,7 +17,7 @@ limitations under the License.
 
 import Promise from 'bluebird';
 import LocalIndexedDBStoreBackend from "./indexeddb-local-backend.js";
-import logger from '../../src/logger';
+import logger from '../logger';
 
 /**
  * This class lives in the webworker and drives a LocalIndexedDBStoreBackend

src/store/indexeddb.js

@@ -25,7 +25,7 @@ import LocalIndexedDBStoreBackend from "./indexeddb-local-backend.js";
 import RemoteIndexedDBStoreBackend from "./indexeddb-remote-backend.js";
 import User from "../models/user";
 import {MatrixEvent} from "../models/event";
-import logger from '../../src/logger';
+import logger from '../logger';
 
 /**
  * This is an internal module. See {@link IndexedDBStore} for the public class.

src/sync-accumulator.js

@@ -21,7 +21,7 @@ limitations under the License.
  */
 
 import utils from "./utils";
-import logger from '../src/logger';
+import logger from './logger';
 
 
 /**

src/sync.js

@@ -33,7 +33,7 @@ const utils = require("./utils");
 const Filter = require("./filter");
 const EventTimeline = require("./models/event-timeline");
 const PushProcessor = require("./pushprocessor");
-import logger from '../src/logger';
+import logger from './logger';
 
 import {InvalidStoreError} from './errors';
 

src/timeline-window.js

@@ -19,7 +19,7 @@ limitations under the License.
 
 import Promise from 'bluebird';
 const EventTimeline = require("./models/event-timeline");
-import logger from '../src/logger';
+import logger from './logger';
 
 /**
  * @private

src/utils.js

@@ -1,5 +1,6 @@
 /*
 Copyright 2015, 2016 OpenMarket Ltd
+Copyright 2019 The Matrix.org Foundation C.I.C.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -699,3 +700,11 @@ module.exports.globToRegexp = function(glob, extended) {
     }
     return pat;
 };
+
+module.exports.ensureNoTrailingSlash = function(url) {
+    if (url && url.endsWith("/")) {
+        return url.substr(0, url.length - 1);
+    } else {
+        return url;
+    }
+};

src/webrtc/call.js

@@ -21,7 +21,7 @@ limitations under the License.
  */
 const utils = require("../utils");
 const EventEmitter = require("events").EventEmitter;
-import logger from '../../src/logger';
+import logger from '../logger';
 const DEBUG = true;  // set true to enable console logging.
 
 // events: hangup, error(err), replaced(call), state(state, oldState)
@@ -61,9 +61,9 @@ function MatrixCall(opts) {
     this.URL = opts.URL;
     // Array of Objects with urls, username, credential keys
     this.turnServers = opts.turnServers || [];
-    if (this.turnServers.length === 0) {
+    if (this.turnServers.length === 0 && this.client.isFallbackICEServerAllowed()) {
         this.turnServers.push({
-            urls: [MatrixCall.FALLBACK_STUN_SERVER],
+            urls: [MatrixCall.FALLBACK_ICE_SERVER],
         });
     }
     utils.forEach(this.turnServers, function(server) {
@@ -92,8 +92,8 @@ function MatrixCall(opts) {
 }
 /** The length of time a call can be ringing for. */
 MatrixCall.CALL_TIMEOUT_MS = 60000;
-/** The fallback server to use for STUN. */
-MatrixCall.FALLBACK_STUN_SERVER = 'stun:stun.l.google.com:19302';
+/** The fallback ICE server to use for STUN or TURN protocols. */
+MatrixCall.FALLBACK_ICE_SERVER = 'stun:turn.matrix.org';
 /** An error code when the local client failed to create an offer. */
 MatrixCall.ERR_LOCAL_OFFER_FAILED = "local_offer_failed";
 /**
@@ -665,7 +665,7 @@ MatrixCall.prototype._maybeGotUserMediaForAnswer = function(stream) {
         },
     };
     self.peerConn.createAnswer(function(description) {
-        debuglog("Created answer: " + description);
+        debuglog("Created answer: ", description);
         self.peerConn.setLocalDescription(description, function() {
             self._answerContent = {
                 version: 0,
@@ -754,7 +754,7 @@ MatrixCall.prototype._receivedAnswer = function(msg) {
  */
 MatrixCall.prototype._gotLocalOffer = function(description) {
     const self = this;
-    debuglog("Created offer: " + description);
+    debuglog("Created offer: ", description);
 
     if (self.state == 'ended') {
         debuglog("Ignoring newly created offer on call ID " + self.callId +
@@ -1217,24 +1217,9 @@ const _placeCallWithConstraints = function(self, constraints) {
 };
 
 const _createPeerConnection = function(self) {
-    let servers = self.turnServers;
-    if (self.webRtc.vendor === "mozilla") {
-        // modify turnServers struct to match what mozilla expects.
-        servers = [];
-        for (let i = 0; i < self.turnServers.length; i++) {
-            for (let j = 0; j < self.turnServers[i].urls.length; j++) {
-                servers.push({
-                    url: self.turnServers[i].urls[j],
-                    username: self.turnServers[i].username,
-                    credential: self.turnServers[i].credential,
-                });
-            }
-        }
-    }
-
     const pc = new self.webRtc.RtcPeerConnection({
         iceTransportPolicy: self.forceTURN ? 'relay' : undefined,
-        iceServers: servers,
+        iceServers: self.turnServers,
     });
     pc.oniceconnectionstatechange = hookCallback(self, self._onIceConnectionStateChanged);
     pc.onsignalingstatechange = hookCallback(self, self._onSignallingStateChanged);
@@ -1352,7 +1337,9 @@ module.exports.setVideoInput = function(deviceId) { videoInput = deviceId; };
  * @param {MatrixClient} client The client instance to use.
  * @param {string} roomId The room the call is in.
  * @param {Object?} options DEPRECATED optional options map.
- * @param {boolean} options.forceTURN DEPRECATED whether relay through TURN should be forced. This option is deprecated - use opts.forceTURN when creating the matrix client since it's only possible to set this option on outbound calls.
+ * @param {boolean} options.forceTURN DEPRECATED whether relay through TURN should be
+ * forced. This option is deprecated - use opts.forceTURN when creating the matrix client
+ * since it's only possible to set this option on outbound calls.
  * @return {MatrixCall} the call or null if the browser doesn't support calling.
  */
 module.exports.createNewMatrixCall = function(client, roomId, options) {
@@ -1383,24 +1370,36 @@ module.exports.createNewMatrixCall = function(client, roomId, options) {
             return getUserMedia.apply(w.navigator, arguments);
         };
     }
-    webRtc.RtcPeerConnection = (
-        w.RTCPeerConnection || w.webkitRTCPeerConnection || w.mozRTCPeerConnection
-    );
-    webRtc.RtcSessionDescription = (
-        w.RTCSessionDescription || w.webkitRTCSessionDescription ||
-        w.mozRTCSessionDescription
-    );
-    webRtc.RtcIceCandidate = (
-        w.RTCIceCandidate || w.webkitRTCIceCandidate || w.mozRTCIceCandidate
-    );
-    webRtc.vendor = null;
-    if (w.mozRTCPeerConnection) {
-        webRtc.vendor = "mozilla";
-    } else if (w.webkitRTCPeerConnection) {
-        webRtc.vendor = "webkit";
-    } else if (w.RTCPeerConnection) {
-        webRtc.vendor = "generic";
+
+    // Firefox throws on so little as accessing the RTCPeerConnection when operating in
+    // a secure mode. There's some information at https://bugzilla.mozilla.org/show_bug.cgi?id=1542616
+    // though the concern is that the browser throwing a SecurityError will brick the
+    // client creation process.
+    try {
+        webRtc.RtcPeerConnection = (
+            w.RTCPeerConnection || w.webkitRTCPeerConnection || w.mozRTCPeerConnection
+        );
+        webRtc.RtcSessionDescription = (
+            w.RTCSessionDescription || w.webkitRTCSessionDescription ||
+            w.mozRTCSessionDescription
+        );
+        webRtc.RtcIceCandidate = (
+            w.RTCIceCandidate || w.webkitRTCIceCandidate || w.mozRTCIceCandidate
+        );
+        webRtc.vendor = null;
+        if (w.mozRTCPeerConnection) {
+            webRtc.vendor = "mozilla";
+        } else if (w.webkitRTCPeerConnection) {
+            webRtc.vendor = "webkit";
+        } else if (w.RTCPeerConnection) {
+            webRtc.vendor = "generic";
+        }
+    } catch (e) {
+        logger.error("Failed to set up WebRTC object: possible browser interference?");
+        logger.error(e);
+        return null;
     }
+
     if (!webRtc.RtcIceCandidate || !webRtc.RtcSessionDescription ||
             !webRtc.RtcPeerConnection || !webRtc.getUserMedia) {
         return null; // WebRTC is not supported.