Add new unidentified sender trust root

2026-05-30 15:14:14 +00:00 · 2025-09-18 19:33:02 +02:00 · 2025-09-18 19:33:02 +02:00 · 29dc873535
commit 29dc873535
parent 69d892e5b1
4 changed files with 14 additions and 8 deletions
--- a/lib/src/main/java/org/asamk/signal/manager/config/LiveConfig.java
+++ b/lib/src/main/java/org/asamk/signal/manager/config/LiveConfig.java
@ -27,6 +27,8 @@ class LiveConfig {

    private static final byte[] UNIDENTIFIED_SENDER_TRUST_ROOT = Base64.getDecoder()
            .decode("BXu6QIKVz5MA8gstzfOgRQGqyLqOwNKHL6INkv3IHWMF");
+    private static final byte[] UNIDENTIFIED_SENDER_TRUST_ROOT2 = Base64.getDecoder()
+            .decode("BUkY0I+9+oPgDCn4+Ac6Iu813yvqkDr/ga8DzLxFxuk6");
    private static final String CDSI_MRENCLAVE = "0f6fd79cdfdaa5b2e6337f534d3baf999318b0c462a7ac1f41297a3e4b424a57";
    private static final String SVR2_MRENCLAVE_LEGACY = "093be9ea32405e85ae28dbb48eb668aebeb7dbe29517b9b86ad4bec4dfe0e6a6";
    private static final String SVR2_MRENCLAVE = "29cd63c87bea751e3bfd0fbd401279192e2e5c99948b4ee9437eafc4968355fb";
@ -77,9 +79,10 @@ class LiveConfig {
                false);
    }

-    static ECPublicKey getUnidentifiedSenderTrustRoot() {
+    static List<ECPublicKey> getUnidentifiedSenderTrustRoots() {
        try {
-            return new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT);
+            return List.of(new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT),
+                    new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT2));
        } catch (InvalidKeyException e) {
            throw new AssertionError(e);
        }
@ -89,7 +92,7 @@ class LiveConfig {
        return new ServiceEnvironmentConfig(LIVE,
                LIBSIGNAL_NET_ENV,
                createDefaultServiceConfiguration(interceptors),
-                getUnidentifiedSenderTrustRoot(),
+                getUnidentifiedSenderTrustRoots(),
                CDSI_MRENCLAVE,
                List.of(SVR2_MRENCLAVE, SVR2_MRENCLAVE_LEGACY));
    }
--- a/lib/src/main/java/org/asamk/signal/manager/config/ServiceEnvironmentConfig.java
+++ b/lib/src/main/java/org/asamk/signal/manager/config/ServiceEnvironmentConfig.java
@ -11,7 +11,7 @@ public record ServiceEnvironmentConfig(
        ServiceEnvironment type,
        Network.Environment netEnvironment,
        SignalServiceConfiguration signalServiceConfiguration,
-        ECPublicKey unidentifiedSenderTrustRoot,
+        List<ECPublicKey> unidentifiedSenderTrustRoots,
        String cdsiMrenclave,
        List<String> svr2Mrenclaves
 ) {}
--- a/lib/src/main/java/org/asamk/signal/manager/config/StagingConfig.java
+++ b/lib/src/main/java/org/asamk/signal/manager/config/StagingConfig.java
@ -27,6 +27,8 @@ class StagingConfig {

    private static final byte[] UNIDENTIFIED_SENDER_TRUST_ROOT = Base64.getDecoder()
            .decode("BbqY1DzohE4NUZoVF+L18oUPrK3kILllLEJh2UnPSsEx");
+    private static final byte[] UNIDENTIFIED_SENDER_TRUST_ROOT2 = Base64.getDecoder()
+            .decode("BYhU6tPjqP46KGZEzRs1OL4U39V5dlPJ/X09ha4rErkm");
    private static final String CDSI_MRENCLAVE = "0f6fd79cdfdaa5b2e6337f534d3baf999318b0c462a7ac1f41297a3e4b424a57";
    private static final String SVR2_MRENCLAVE_LEGACY = "2e8cefe6e3f389d8426adb24e9b7fb7adf10902c96f06f7bbcee36277711ed91";
    private static final String SVR2_MRENCLAVE = "a75542d82da9f6914a1e31f8a7407053b99cc99a0e7291d8fbd394253e19b036";
@ -77,9 +79,10 @@ class StagingConfig {
                false);
    }

-    static ECPublicKey getUnidentifiedSenderTrustRoot() {
+    static List<ECPublicKey> getUnidentifiedSenderTrustRoots() {
        try {
-            return new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT);
+            return List.of(new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT),
+                    new ECPublicKey(UNIDENTIFIED_SENDER_TRUST_ROOT2));
        } catch (InvalidKeyException e) {
            throw new AssertionError(e);
        }
@ -89,7 +92,7 @@ class StagingConfig {
        return new ServiceEnvironmentConfig(STAGING,
                LIBSIGNAL_NET_ENV,
                createDefaultServiceConfiguration(interceptors),
-                getUnidentifiedSenderTrustRoot(),
+                getUnidentifiedSenderTrustRoots(),
                CDSI_MRENCLAVE,
                List.of(SVR2_MRENCLAVE, SVR2_MRENCLAVE_LEGACY));
    }
--- a/lib/src/main/java/org/asamk/signal/manager/internal/SignalDependencies.java
+++ b/lib/src/main/java/org/asamk/signal/manager/internal/SignalDependencies.java
@ -356,7 +356,7 @@ public class SignalDependencies {
    }

    public SignalServiceCipher getCipher(ServiceIdType serviceIdType) {
-        final var certificateValidator = new CertificateValidator(serviceEnvironmentConfig.unidentifiedSenderTrustRoot());
+        final var certificateValidator = new CertificateValidator(serviceEnvironmentConfig.unidentifiedSenderTrustRoots());
        final var address = new SignalServiceAddress(credentialsProvider.getAci(), credentialsProvider.getE164());
        final var deviceId = credentialsProvider.getDeviceId();
        return new SignalServiceCipher(address,