UWPX-Client icon indicating copy to clipboard operation
UWPX-Client copied to clipboard
verified publisher icon UWPX

OMEMO Identity Key Signing does not match the Spec

Open COM8 opened this issue 3 years ago • 0 comments

Description

XEP-0384: OMEMO Encryption requires a EdDSA-compatible signature when signing Identity Keys. UWPX currently performs EdDSA with Curve25519 (Montgomery) based keys and not like mandated here by XEdDSA with Ed25519 (Twisted Edwards) keys.

Expected Behavior

We should use Ed25519 (Twisted Edwards) keys here.

Actual Behavior

https://github.com/UWPX/UWPX-Client/blob/21789901f43e77fc51c3789865f5186cad02d6fe/Omemo/Classes/KeyHelper.cs#L89-L100

Possible Fix

Convert the Curve25519 (Montgomery) based keys to Ed25519 (Twisted Edwards) before signing. This is defined in by the XEdDSA spec inside the calculate_key_pair call.

Steps to Reproduce

  1. Add an account
  2. Connect the account
  3. UWPX will publish an OMEMO bundle with an "invalid" signature.
  4. Other clients (!= UWPX):💥

Context

We can no send OMEMO encrypted messages to other XMPP clients like Kaidan, that follow the spec.

COM8 avatar Mar 30 '22 15:03 COM8