Upload key package before publishing identity updates (#962)

### TL;DR Implements parts of xmtp/xmtp-node-go#399 - Uses `UploadKeyPackage` instead of `RegisterInstallation` so we can deprecate the register installation endpoint - Uploads key package _before_ publishing the identity updates for new installations. This ensures that any installation seen in an identity update must have a matching key package. - No longer checks the lifetime of key packages when verifying ## AI Assisted Summary ### What changed? - Removed expiration checks and set expiration to 0 in MLS validation service - Updated the client registration process to register identity before applying signature request - Renamed `register_installation` to `upload_key_package` in API client calls - Removed lifetime validity checks from key package verification
xmtp · Aug 15, 2024 · 26b1fe5 · 26b1fe5
1 parent 44924a2
commit 26b1fe5
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 91 deletions.
diff --git a/mls_validation_service/src/handlers.rs b/mls_validation_service/src/handlers.rs
@@ -198,7 +198,8 @@ async fn validate_inbox_id_key_package(
         error_message: "".into(),
         credential: Some(kp.credential),
         installation_public_key: kp.installation_public_key,
-        expiration: kp.inner.life_time().not_after(),
+        // We are deprecating the expiration field and key package lifetimes, so stop checking for its existence
+        expiration: 0,
     })
 }
 
@@ -377,7 +378,7 @@ fn validate_key_package(key_package_bytes: Vec<u8>) -> Result<ValidateKeyPackage
         installation_id: verified_key_package.installation_id(),
         account_address: verified_key_package.account_address,
         credential_identity_bytes: basic_credential.identity().to_vec(),
-        expiration: verified_key_package.inner.life_time().not_after(),
+        expiration: 0,
     })
 }
 

diff --git a/xmtp_api_grpc_gateway/Cargo.lock b/xmtp_api_grpc_gateway/Cargo.lock
diff --git a/xmtp_mls/src/client.rs b/xmtp_mls/src/client.rs
@@ -419,24 +419,21 @@ where
             .collect())
     }
 
-    /// Register the identity with the network
-    /// Callers should always check the result of [`text_to_sign`](Self::text_to_sign) before invoking this function.
-    ///
-    /// If `text_to_sign` returns `None`, then the wallet signature is not required and this function can be called with `None`.
-    ///
-    /// If `text_to_sign` returns `Some`, then the caller should sign the text with their wallet and pass the signature to this function.
+    /// Upload a Key Package to the network and publish the signed identity update
+    /// from the provided SignatureRequest
     pub async fn register_identity(
         &self,
         signature_request: SignatureRequest,
     ) -> Result<(), ClientError> {
         log::info!("registering identity");
-        self.apply_signature_request(signature_request).await?;
-        let connection = self.store().conn()?;
-        let provider = self.mls_provider(connection);
+        // Register the identity before applying the signature request
+        let provider = self.mls_provider(self.store().conn()?);
         self.identity()
             .register(&provider, &self.api_client)
             .await?;
 
+        self.apply_signature_request(signature_request).await?;
+
         Ok(())
     }
 

diff --git a/xmtp_mls/src/identity.rs b/xmtp_mls/src/identity.rs
@@ -269,9 +269,8 @@ impl Identity {
                     .await?,
                 ))
                 .await?;
-            let identity_update = signature_request.build_identity_update()?;
-            api_client.publish_identity_update(identity_update).await?;
 
+            // Make sure to register the identity before applying the signature request
             let identity = Self {
                 inbox_id: inbox_id.clone(),
                 installation_keys: signature_keys,
@@ -281,6 +280,9 @@ impl Identity {
 
             identity.register(provider, api_client).await?;
 
+            let identity_update = signature_request.build_identity_update()?;
+            api_client.publish_identity_update(identity_update).await?;
+
             Ok(identity)
         } else {
             if inbox_id != generate_inbox_id(&address, &nonce) {
@@ -424,7 +426,7 @@ impl Identity {
         }
         let kp = self.new_key_package(provider)?;
         let kp_bytes = kp.tls_serialize_detached()?;
-        api_client.register_installation(kp_bytes, true).await?;
+        api_client.upload_key_package(kp_bytes, true).await?;
 
         Ok(StoredIdentity::from(self).store(provider.conn_ref())?)
     }

diff --git a/xmtp_mls/src/verified_key_package.rs b/xmtp_mls/src/verified_key_package.rs
@@ -70,9 +70,6 @@ impl VerifiedKeyPackage {
                 ),
             );
         }
-        if !kp.life_time().is_valid() {
-            return Err(KeyPackageVerificationError::InvalidLifetime);
-        }
 
         Ok(Self::new(kp, account_address))
     }

diff --git a/xmtp_mls/src/verified_key_package_v2.rs b/xmtp_mls/src/verified_key_package_v2.rs
@@ -75,10 +75,6 @@ impl TryFrom<KeyPackage> for VerifiedKeyPackageV2 {
         let pub_key_bytes = leaf_node.signature_key().as_slice().to_vec();
         let credential = MlsCredential::decode(basic_credential.identity())?;
 
-        if !kp.life_time().is_valid() {
-            return Err(KeyPackageVerificationError::InvalidLifetime);
-        }
-
         Ok(Self::new(kp, credential, pub_key_bytes))
     }
 }