Beispiel #1
0
        private void initializeSessionsV2(SessionState aliceSessionState, SessionState bobSessionState)
        {
            ECKeyPair       aliceIdentityKeyPair = Curve.generateKeyPair();
            IdentityKeyPair aliceIdentityKey     = new IdentityKeyPair(new IdentityKey(aliceIdentityKeyPair.getPublicKey()),
                                                                       aliceIdentityKeyPair.getPrivateKey());
            ECKeyPair aliceBaseKey      = Curve.generateKeyPair();
            ECKeyPair aliceEphemeralKey = Curve.generateKeyPair();

            ECKeyPair       bobIdentityKeyPair = Curve.generateKeyPair();
            IdentityKeyPair bobIdentityKey     = new IdentityKeyPair(new IdentityKey(bobIdentityKeyPair.getPublicKey()),
                                                                     bobIdentityKeyPair.getPrivateKey());
            ECKeyPair bobBaseKey      = Curve.generateKeyPair();
            ECKeyPair bobEphemeralKey = bobBaseKey;

            AliceAxolotlParameters aliceParameters = AliceAxolotlParameters.newBuilder()
                                                     .setOurIdentityKey(aliceIdentityKey)
                                                     .setOurBaseKey(aliceBaseKey)
                                                     .setTheirIdentityKey(bobIdentityKey.getPublicKey())
                                                     .setTheirSignedPreKey(bobEphemeralKey.getPublicKey())
                                                     .setTheirRatchetKey(bobEphemeralKey.getPublicKey())
                                                     .setTheirOneTimePreKey(May <ECPublicKey> .NoValue)
                                                     .create();

            BobAxolotlParameters bobParameters = BobAxolotlParameters.newBuilder()
                                                 .setOurIdentityKey(bobIdentityKey)
                                                 .setOurOneTimePreKey(May <ECKeyPair> .NoValue)
                                                 .setOurRatchetKey(bobEphemeralKey)
                                                 .setOurSignedPreKey(bobBaseKey)
                                                 .setTheirBaseKey(aliceBaseKey.getPublicKey())
                                                 .setTheirIdentityKey(aliceIdentityKey.getPublicKey())
                                                 .create();

            RatchetingSession.initializeSession(aliceSessionState, 2, aliceParameters);
            RatchetingSession.initializeSession(bobSessionState, 2, bobParameters);
        }
        /**
         * Build a new session from a {@link org.whispersystems.libaxolotl.state.PreKeyBundle} retrieved from
         * a server.
         *
         * @param preKey A PreKey for the destination recipient, retrieved from a server.
         * @throws InvalidKeyException when the {@link org.whispersystems.libaxolotl.state.PreKeyBundle} is
         *                             badly formatted.
         * @throws org.whispersystems.libaxolotl.UntrustedIdentityException when the sender's
         *                                                                  {@link IdentityKey} is not
         *                                                                  trusted.
         */
        public void process(PreKeyBundle preKey)
        {
            lock (SessionCipher.SESSION_LOCK)
            {
                if (!identityKeyStore.IsTrustedIdentity(remoteAddress.getName(), preKey.getIdentityKey()))
                {
                    throw new UntrustedIdentityException(remoteAddress.getName(), preKey.getIdentityKey());
                }

                if (preKey.getSignedPreKey() != null &&
                    !Curve.verifySignature(preKey.getIdentityKey().getPublicKey(),
                                           preKey.getSignedPreKey().serialize(),
                                           preKey.getSignedPreKeySignature()))
                {
                    throw new InvalidKeyException("Invalid signature on device key!");
                }

                if (preKey.getSignedPreKey() == null && preKey.getPreKey() == null)
                {
                    throw new InvalidKeyException("Both signed and unsigned prekeys are absent!");
                }

                bool              supportsV3        = preKey.getSignedPreKey() != null;
                SessionRecord     sessionRecord     = sessionStore.LoadSession(remoteAddress);
                ECKeyPair         ourBaseKey        = Curve.generateKeyPair();
                ECPublicKey       theirSignedPreKey = supportsV3 ? preKey.getSignedPreKey() : preKey.getPreKey();
                ECPublicKey       test = preKey.getPreKey(); // TODO: cleanup
                May <ECPublicKey> theirOneTimePreKey   = (test == null) ? May <ECPublicKey> .NoValue : new May <ECPublicKey>(test);
                May <uint>        theirOneTimePreKeyId = theirOneTimePreKey.HasValue ? new May <uint>(preKey.getPreKeyId()) :
                                                         May <uint> .NoValue;

                AliceAxolotlParameters.Builder parameters = AliceAxolotlParameters.newBuilder();

                parameters.setOurBaseKey(ourBaseKey)
                .setOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
                .setTheirIdentityKey(preKey.getIdentityKey())
                .setTheirSignedPreKey(theirSignedPreKey)
                .setTheirRatchetKey(theirSignedPreKey)
                .setTheirOneTimePreKey(supportsV3 ? theirOneTimePreKey : May <ECPublicKey> .NoValue);

                if (!sessionRecord.isFresh())
                {
                    sessionRecord.archiveCurrentState();
                }

                RatchetingSession.initializeSession(sessionRecord.getSessionState(),
                                                    supportsV3 ? (uint)3 : 2,
                                                    parameters.create());

                sessionRecord.getSessionState().setUnacknowledgedPreKeyMessage(theirOneTimePreKeyId, preKey.getSignedPreKeyId(), ourBaseKey.getPublicKey());
                sessionRecord.getSessionState().setLocalRegistrationId(identityKeyStore.GetLocalRegistrationId());
                sessionRecord.getSessionState().setRemoteRegistrationId(preKey.getRegistrationId());
                sessionRecord.getSessionState().setAliceBaseKey(ourBaseKey.getPublicKey().serialize());

                sessionStore.StoreSession(remoteAddress, sessionRecord);
                identityKeyStore.SaveIdentity(remoteAddress.getName(), preKey.getIdentityKey());
            }
        }
        /// <summary>
        /// Build a new session from a {@link org.whispersystems.libsignal.state.PreKeyBundle} retrieved from
        /// a server.
        /// </summary>
        /// @param preKey A PreKey for the destination recipient, retrieved from a server.
        /// @throws InvalidKeyException when the {@link org.whispersystems.libsignal.state.PreKeyBundle} is
        ///                             badly formatted.
        /// @throws org.whispersystems.libsignal.UntrustedIdentityException when the sender's
        ///                                                                  {@link IdentityKey} is not
        ///                                                                  trusted.
        ///
        public void Process(PreKeyBundle preKey)
        {
            lock (SessionCipher.SessionLock)
            {
                if (!_identityKeyStore.IsTrustedIdentity(_remoteAddress, preKey.GetIdentityKey(), Direction.Sending))
                {
                    throw new UntrustedIdentityException(_remoteAddress.Name, preKey.GetIdentityKey());
                }

                if (preKey.GetSignedPreKey() != null &&
                    !Curve.VerifySignature(preKey.GetIdentityKey().GetPublicKey(),
                                           preKey.GetSignedPreKey().Serialize(),
                                           preKey.GetSignedPreKeySignature()))
                {
                    throw new InvalidKeyException("Invalid signature on device key!");
                }

                if (preKey.GetSignedPreKey() == null)
                {
                    throw new InvalidKeyException("No signed prekey!");
                }

                SessionRecord      sessionRecord     = _sessionStore.LoadSession(_remoteAddress);
                EcKeyPair          ourBaseKey        = Curve.GenerateKeyPair();
                IEcPublicKey       theirSignedPreKey = preKey.GetSignedPreKey();
                IEcPublicKey       test = preKey.GetPreKey();
                May <IEcPublicKey> theirOneTimePreKey   = (test == null) ? May <IEcPublicKey> .NoValue : new May <IEcPublicKey>(test);
                May <uint>         theirOneTimePreKeyId = theirOneTimePreKey.HasValue ? new May <uint>(preKey.GetPreKeyId()) :
                                                          May <uint> .NoValue;

                AliceSignalProtocolParameters.Builder parameters = AliceSignalProtocolParameters.NewBuilder();

                parameters.SetOurBaseKey(ourBaseKey)
                .SetOurIdentityKey(_identityKeyStore.GetIdentityKeyPair())
                .SetTheirIdentityKey(preKey.GetIdentityKey())
                .SetTheirSignedPreKey(theirSignedPreKey)
                .SetTheirRatchetKey(theirSignedPreKey)
                .SetTheirOneTimePreKey(theirOneTimePreKey);

                if (!sessionRecord.IsFresh())
                {
                    sessionRecord.ArchiveCurrentState();
                }

                RatchetingSession.InitializeSession(sessionRecord.GetSessionState(), parameters.Create());

                sessionRecord.GetSessionState().SetUnacknowledgedPreKeyMessage(theirOneTimePreKeyId, preKey.GetSignedPreKeyId(), ourBaseKey.GetPublicKey());
                sessionRecord.GetSessionState().SetLocalRegistrationId(_identityKeyStore.GetLocalRegistrationId());
                sessionRecord.GetSessionState().SetRemoteRegistrationId(preKey.GetRegistrationId());
                sessionRecord.GetSessionState().SetAliceBaseKey(ourBaseKey.GetPublicKey().Serialize());

                _identityKeyStore.SaveIdentity(_remoteAddress, preKey.GetIdentityKey());

                _sessionStore.StoreSession(_remoteAddress, sessionRecord);
            }
        }
Beispiel #4
0
        private KeyExchangeMessage ProcessInitiate(KeyExchangeMessage message)
        {
            uint          flags         = KeyExchangeMessage.RESPONSE_FLAG;
            SessionRecord sessionRecord = sessionStore.LoadSession(remoteAddress);

            if (message.GetVersion() >= 3 &&
                !Curve.VerifySignature(message.GetIdentityKey().GetPublicKey(),
                                       message.GetBaseKey().Serialize(),
                                       message.GetBaseKeySignature()))
            {
                throw new InvalidKeyException("Bad signature!");
            }

            SymmetricAxolotlParameters.Builder builder = SymmetricAxolotlParameters.NewBuilder();

            if (!sessionRecord.GetSessionState().HasPendingKeyExchange())
            {
                builder.SetOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
                .SetOurBaseKey(Curve.GenerateKeyPair())
                .SetOurRatchetKey(Curve.GenerateKeyPair());
            }
            else
            {
                builder.SetOurIdentityKey(sessionRecord.GetSessionState().GetPendingKeyExchangeIdentityKey())
                .SetOurBaseKey(sessionRecord.GetSessionState().GetPendingKeyExchangeBaseKey())
                .SetOurRatchetKey(sessionRecord.GetSessionState().GetPendingKeyExchangeRatchetKey());
                flags |= KeyExchangeMessage.SIMULTAENOUS_INITIATE_FLAG;
            }

            builder.SetTheirBaseKey(message.GetBaseKey())
            .SetTheirRatchetKey(message.GetRatchetKey())
            .SetTheirIdentityKey(message.GetIdentityKey());

            SymmetricAxolotlParameters parameters = builder.Create();

            if (!sessionRecord.IsFresh())
            {
                sessionRecord.ArchiveCurrentState();
            }

            RatchetingSession.InitializeSession(sessionRecord.GetSessionState(),
                                                Math.Min(message.GetMaxVersion(), CipherTextMessage.CURRENT_VERSION),
                                                parameters);

            sessionStore.StoreSession(remoteAddress, sessionRecord);
            identityKeyStore.SaveIdentity(remoteAddress.GetName(), message.GetIdentityKey());

            byte[] baseKeySignature = Curve.CalculateSignature(parameters.GetOurIdentityKey().GetPrivateKey(),
                                                               parameters.GetOurBaseKey().GetPublicKey().Serialize());

            return(new KeyExchangeMessage(sessionRecord.GetSessionState().GetSessionVersion(),
                                          message.GetSequence(), flags,
                                          parameters.GetOurBaseKey().GetPublicKey(),
                                          baseKeySignature, parameters.GetOurRatchetKey().GetPublicKey(),
                                          parameters.GetOurIdentityKey().GetPublicKey()));
        }
        private KeyExchangeMessage processInitiate(KeyExchangeMessage message)
        {
            uint          flags         = KeyExchangeMessage.RESPONSE_FLAG;
            SessionRecord sessionRecord = sessionStore.LoadSession(remoteAddress);

            if (!Curve.verifySignature(message.getIdentityKey().getPublicKey(),
                                       message.getBaseKey().serialize(),
                                       message.getBaseKeySignature()))
            {
                throw new InvalidKeyException("Bad signature!");
            }

            SymmetricSignalProtocolParameters.Builder builder = SymmetricSignalProtocolParameters.newBuilder();

            if (!sessionRecord.getSessionState().hasPendingKeyExchange())
            {
                builder.setOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
                .setOurBaseKey(Curve.generateKeyPair())
                .setOurRatchetKey(Curve.generateKeyPair());
            }
            else
            {
                builder.setOurIdentityKey(sessionRecord.getSessionState().getPendingKeyExchangeIdentityKey())
                .setOurBaseKey(sessionRecord.getSessionState().getPendingKeyExchangeBaseKey())
                .setOurRatchetKey(sessionRecord.getSessionState().getPendingKeyExchangeRatchetKey());
                flags |= KeyExchangeMessage.SIMULTAENOUS_INITIATE_FLAG;
            }

            builder.setTheirBaseKey(message.getBaseKey())
            .setTheirRatchetKey(message.getRatchetKey())
            .setTheirIdentityKey(message.getIdentityKey());

            SymmetricSignalProtocolParameters parameters = builder.create();

            if (!sessionRecord.isFresh())
            {
                sessionRecord.archiveCurrentState();
            }

            RatchetingSession.initializeSession(sessionRecord.getSessionState(),
                                                parameters);

            sessionStore.StoreSession(remoteAddress, sessionRecord);
            identityKeyStore.SaveIdentity(remoteAddress.getName(), message.getIdentityKey());

            byte[] baseKeySignature = Curve.calculateSignature(parameters.getOurIdentityKey().getPrivateKey(),
                                                               parameters.getOurBaseKey().getPublicKey().serialize());

            return(new KeyExchangeMessage(sessionRecord.getSessionState().getSessionVersion(),
                                          message.getSequence(), flags,
                                          parameters.getOurBaseKey().getPublicKey(),
                                          baseKeySignature, parameters.getOurRatchetKey().getPublicKey(),
                                          parameters.getOurIdentityKey().getPublicKey()));
        }
Beispiel #6
0
        private void ProcessResponse(KeyExchangeMessage message)
        {
            SessionRecord sessionRecord                  = sessionStore.LoadSession(remoteAddress);
            SessionState  sessionState                   = sessionRecord.GetSessionState();
            bool          hasPendingKeyExchange          = sessionState.HasPendingKeyExchange();
            bool          isSimultaneousInitiateResponse = message.IsResponseForSimultaneousInitiate();

            if (!hasPendingKeyExchange || sessionState.GetPendingKeyExchangeSequence() != message.GetSequence())
            {
                //Log.w(TAG, "No matching sequence for response. Is simultaneous initiate response: " + isSimultaneousInitiateResponse);
                if (!isSimultaneousInitiateResponse)
                {
                    throw new StaleKeyExchangeException();
                }
                else
                {
                    return;
                }
            }

            SymmetricAxolotlParameters.Builder parameters = SymmetricAxolotlParameters.NewBuilder();

            parameters.SetOurBaseKey(sessionRecord.GetSessionState().GetPendingKeyExchangeBaseKey())
            .SetOurRatchetKey(sessionRecord.GetSessionState().GetPendingKeyExchangeRatchetKey())
            .SetOurIdentityKey(sessionRecord.GetSessionState().GetPendingKeyExchangeIdentityKey())
            .SetTheirBaseKey(message.GetBaseKey())
            .SetTheirRatchetKey(message.GetRatchetKey())
            .SetTheirIdentityKey(message.GetIdentityKey());

            if (!sessionRecord.IsFresh())
            {
                sessionRecord.ArchiveCurrentState();
            }

            RatchetingSession.InitializeSession(sessionRecord.GetSessionState(),
                                                Math.Min(message.GetMaxVersion(), CipherTextMessage.CURRENT_VERSION),
                                                parameters.Create());

            if (sessionRecord.GetSessionState().GetSessionVersion() >= 3 &&
                !Curve.VerifySignature(message.GetIdentityKey().GetPublicKey(),
                                       message.GetBaseKey().Serialize(),
                                       message.GetBaseKeySignature()))
            {
                throw new InvalidKeyException("Base key signature doesn't match!");
            }

            sessionStore.StoreSession(remoteAddress, sessionRecord);
            identityKeyStore.SaveIdentity(remoteAddress.GetName(), message.GetIdentityKey());
        }
        private May <uint> processV3(SessionRecord sessionRecord, PreKeySignalMessage message)
        {
            if (sessionRecord.hasSessionState(message.getMessageVersion(), message.getBaseKey().serialize()))
            {
                Debug.WriteLine("We've already setup a session for this V3 message, letting bundled message fall through...");
                return(May <uint> .NoValue);
            }

            ECKeyPair ourSignedPreKey = signedPreKeyStore.LoadSignedPreKey(message.getSignedPreKeyId()).getKeyPair();

            BobSignalProtocolParameters.Builder parameters = BobSignalProtocolParameters.newBuilder();

            parameters.setTheirBaseKey(message.getBaseKey())
            .setTheirIdentityKey(message.getIdentityKey())
            .setOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
            .setOurSignedPreKey(ourSignedPreKey)
            .setOurRatchetKey(ourSignedPreKey);

            if (message.getPreKeyId().HasValue)
            {
                parameters.setOurOneTimePreKey(new May <ECKeyPair>(preKeyStore.LoadPreKey(message.getPreKeyId().ForceGetValue()).getKeyPair()));
            }
            else
            {
                parameters.setOurOneTimePreKey(May <ECKeyPair> .NoValue);
            }

            if (!sessionRecord.isFresh())
            {
                sessionRecord.archiveCurrentState();
            }

            RatchetingSession.initializeSession(sessionRecord.getSessionState(), parameters.create());

            sessionRecord.getSessionState().setLocalRegistrationId(identityKeyStore.GetLocalRegistrationId());
            sessionRecord.getSessionState().setRemoteRegistrationId(message.getRegistrationId());
            sessionRecord.getSessionState().setAliceBaseKey(message.getBaseKey().serialize());

            if (message.getPreKeyId().HasValue&& message.getPreKeyId().ForceGetValue() != Medium.MAX_VALUE)
            {
                return(message.getPreKeyId());
            }
            else
            {
                return(May <uint> .NoValue);
            }
        }
Beispiel #8
0
        private May <uint> ProcessV3(SessionRecord sessionRecord, PreKeyWhisperMessage message)
        {
            if (sessionRecord.HasSessionState(message.GetMessageVersion(), message.GetBaseKey().Serialize()))
            {
                return(May <uint> .NoValue);
            }

            SignedPreKeyRecord signedPreKeyRecord = signedPreKeyStore.LoadSignedPreKey(message.GetSignedPreKeyId());
            ECKeyPair          ourSignedPreKey    = signedPreKeyRecord.GetKeyPair();

            BobAxolotlParameters.Builder parameters = BobAxolotlParameters.NewBuilder();

            parameters.SetTheirBaseKey(message.GetBaseKey())
            .SetTheirIdentityKey(message.GetIdentityKey())
            .SetOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
            .SetOurSignedPreKey(ourSignedPreKey)
            .SetOurRatchetKey(ourSignedPreKey);

            if (message.GetPreKeyId().HasValue)
            {
                parameters.SetOurOneTimePreKey(new May <ECKeyPair>(preKeyStore.LoadPreKey(message.GetPreKeyId().ForceGetValue()).GetKeyPair()));
            }
            else
            {
                parameters.SetOurOneTimePreKey(May <ECKeyPair> .NoValue);
            }

            if (!sessionRecord.IsFresh())
            {
                sessionRecord.ArchiveCurrentState();
            }

            RatchetingSession.InitializeSession(sessionRecord.GetSessionState(), message.GetMessageVersion(), parameters.Create());

            sessionRecord.GetSessionState().SetLocalRegistrationId(identityKeyStore.GetLocalRegistrationId());
            sessionRecord.GetSessionState().SetRemoteRegistrationId(message.GetRegistrationId());
            sessionRecord.GetSessionState().SetAliceBaseKey(message.GetBaseKey().Serialize());

            if (message.GetPreKeyId().HasValue&& message.GetPreKeyId().ForceGetValue() != Medium.MAX_VALUE)
            {
                return(message.GetPreKeyId());
            }
            else
            {
                return(May <uint> .NoValue);
            }
        }
        private void processResponse(KeyExchangeMessage message)
        {
            SessionRecord sessionRecord                  = sessionStore.LoadSession(remoteAddress);
            SessionState  sessionState                   = sessionRecord.getSessionState();
            bool          hasPendingKeyExchange          = sessionState.hasPendingKeyExchange();
            bool          isSimultaneousInitiateResponse = message.isResponseForSimultaneousInitiate();

            if (!hasPendingKeyExchange || sessionState.getPendingKeyExchangeSequence() != message.getSequence())
            {
                Debug.WriteLine("No matching sequence for response. Is simultaneous initiate response: " + isSimultaneousInitiateResponse);
                if (!isSimultaneousInitiateResponse)
                {
                    throw new StaleKeyExchangeException();
                }
                else
                {
                    return;
                }
            }

            SymmetricSignalProtocolParameters.Builder parameters = SymmetricSignalProtocolParameters.newBuilder();

            parameters.setOurBaseKey(sessionRecord.getSessionState().getPendingKeyExchangeBaseKey())
            .setOurRatchetKey(sessionRecord.getSessionState().getPendingKeyExchangeRatchetKey())
            .setOurIdentityKey(sessionRecord.getSessionState().getPendingKeyExchangeIdentityKey())
            .setTheirBaseKey(message.getBaseKey())
            .setTheirRatchetKey(message.getRatchetKey())
            .setTheirIdentityKey(message.getIdentityKey());

            if (!sessionRecord.isFresh())
            {
                sessionRecord.archiveCurrentState();
            }

            RatchetingSession.initializeSession(sessionRecord.getSessionState(), parameters.create());

            if (!Curve.verifySignature(message.getIdentityKey().getPublicKey(),
                                       message.getBaseKey().serialize(),
                                       message.getBaseKeySignature()))
            {
                throw new InvalidKeyException("Base key signature doesn't match!");
            }

            sessionStore.StoreSession(remoteAddress, sessionRecord);
            identityKeyStore.SaveIdentity(remoteAddress.getName(), message.getIdentityKey());
        }
Beispiel #10
0
        private May <uint> processV2(SessionRecord sessionRecord, PreKeyWhisperMessage message)
        {
            if (!message.getPreKeyId().HasValue)
            {
                throw new InvalidKeyIdException("V2 message requires one time prekey id!");
            }

            if (!preKeyStore.ContainsPreKey(message.getPreKeyId().ForceGetValue()) &&
                sessionStore.ContainsSession(remoteAddress))
            {
                //Log.w(TAG, "We've already processed the prekey part of this V2 session, letting bundled message fall through...");
                return(May <uint> .NoValue); //May.absent();
            }

            ECKeyPair ourPreKey = preKeyStore.LoadPreKey(message.getPreKeyId().ForceGetValue()).getKeyPair();

            BobAxolotlParameters.Builder parameters = BobAxolotlParameters.newBuilder();

            parameters.setOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
            .setOurSignedPreKey(ourPreKey)
            .setOurRatchetKey(ourPreKey)
            .setOurOneTimePreKey(May <ECKeyPair> .NoValue)             //absent
            .setTheirIdentityKey(message.getIdentityKey())
            .setTheirBaseKey(message.getBaseKey());

            if (!sessionRecord.isFresh())
            {
                sessionRecord.archiveCurrentState();
            }

            RatchetingSession.initializeSession(sessionRecord.getSessionState(), message.getMessageVersion(), parameters.create());

            sessionRecord.getSessionState().setLocalRegistrationId(identityKeyStore.GetLocalRegistrationId());
            sessionRecord.getSessionState().setRemoteRegistrationId(message.getRegistrationId());
            sessionRecord.getSessionState().setAliceBaseKey(message.getBaseKey().serialize());

            if (message.getPreKeyId().ForceGetValue() != Medium.MAX_VALUE)
            {
                return(message.getPreKeyId());
            }
            else
            {
                return(May <uint> .NoValue); // May.absent();
            }
        }
Beispiel #11
0
        private May <uint> ProcessV2(SessionRecord sessionRecord, PreKeyWhisperMessage message)
        {
            if (!message.GetPreKeyId().HasValue)
            {
                throw new InvalidKeyIdException("V2 message requires one time prekey id!");
            }

            if (!preKeyStore.ContainsPreKey(message.GetPreKeyId().ForceGetValue()) &&
                sessionStore.ContainsSession(remoteAddress))
            {
                return(May <uint> .NoValue);
            }

            ECKeyPair ourPreKey = preKeyStore.LoadPreKey(message.GetPreKeyId().ForceGetValue()).GetKeyPair();

            BobAxolotlParameters.Builder parameters = BobAxolotlParameters.NewBuilder();

            parameters.SetOurIdentityKey(identityKeyStore.GetIdentityKeyPair())
            .SetOurSignedPreKey(ourPreKey)
            .SetOurRatchetKey(ourPreKey)
            .SetOurOneTimePreKey(May <ECKeyPair> .NoValue)             //absent
            .SetTheirIdentityKey(message.GetIdentityKey())
            .SetTheirBaseKey(message.GetBaseKey());

            if (!sessionRecord.IsFresh())
            {
                sessionRecord.ArchiveCurrentState();
            }

            RatchetingSession.InitializeSession(sessionRecord.GetSessionState(), message.GetMessageVersion(), parameters.Create());

            sessionRecord.GetSessionState().SetLocalRegistrationId(identityKeyStore.GetLocalRegistrationId());
            sessionRecord.GetSessionState().SetRemoteRegistrationId(message.GetRegistrationId());
            sessionRecord.GetSessionState().SetAliceBaseKey(message.GetBaseKey().Serialize());

            if (message.GetPreKeyId().ForceGetValue() != Medium.MAX_VALUE)
            {
                return(message.GetPreKeyId());
            }
            else
            {
                return(May <uint> .NoValue); // May.absent();
            }
        }
        private void InitializeSessionsV3(SessionState aliceSessionState, SessionState bobSessionState)
        {
            EcKeyPair       aliceIdentityKeyPair = Curve.GenerateKeyPair();
            IdentityKeyPair aliceIdentityKey     = new IdentityKeyPair(new IdentityKey(aliceIdentityKeyPair.GetPublicKey()),
                                                                       aliceIdentityKeyPair.GetPrivateKey());
            EcKeyPair aliceBaseKey      = Curve.GenerateKeyPair();
            EcKeyPair aliceEphemeralKey = Curve.GenerateKeyPair();

            EcKeyPair alicePreKey = aliceBaseKey;

            EcKeyPair       bobIdentityKeyPair = Curve.GenerateKeyPair();
            IdentityKeyPair bobIdentityKey     = new IdentityKeyPair(new IdentityKey(bobIdentityKeyPair.GetPublicKey()),
                                                                     bobIdentityKeyPair.GetPrivateKey());
            EcKeyPair bobBaseKey      = Curve.GenerateKeyPair();
            EcKeyPair bobEphemeralKey = bobBaseKey;

            EcKeyPair bobPreKey = Curve.GenerateKeyPair();

            AliceSignalProtocolParameters aliceParameters = AliceSignalProtocolParameters.NewBuilder()
                                                            .SetOurBaseKey(aliceBaseKey)
                                                            .SetOurIdentityKey(aliceIdentityKey)
                                                            .SetTheirOneTimePreKey(May <IEcPublicKey> .NoValue)
                                                            .SetTheirRatchetKey(bobEphemeralKey.GetPublicKey())
                                                            .SetTheirSignedPreKey(bobBaseKey.GetPublicKey())
                                                            .SetTheirIdentityKey(bobIdentityKey.GetPublicKey())
                                                            .Create();

            BobSignalProtocolParameters bobParameters = BobSignalProtocolParameters.NewBuilder()
                                                        .SetOurRatchetKey(bobEphemeralKey)
                                                        .SetOurSignedPreKey(bobBaseKey)
                                                        .SetOurOneTimePreKey(May <EcKeyPair> .NoValue)
                                                        .SetOurIdentityKey(bobIdentityKey)
                                                        .SetTheirIdentityKey(aliceIdentityKey.GetPublicKey())
                                                        .SetTheirBaseKey(aliceBaseKey.GetPublicKey())
                                                        .Create();

            RatchetingSession.InitializeSession(aliceSessionState, aliceParameters);
            RatchetingSession.InitializeSession(bobSessionState, bobParameters);
        }
        public void testRatchetingSessionAsAlice()
        {
            byte[] bobPublic =
            {
                0x05, 0x2c, 0xb4, 0x97, 0x76,
                0xb8, 0x77, 0x02, 0x05, 0x74,
                0x5a, 0x3a, 0x6e, 0x24, 0xf5,
                0x79, 0xcd, 0xb4, 0xba, 0x7a,
                0x89, 0x04, 0x10, 0x05, 0x92,
                0x8e, 0xbb, 0xad, 0xc9, 0xc0,
                0x5a, 0xd4, 0x58
            };

            byte[] bobIdentityPublic =
            {
                0x05, 0xf1, 0xf4, 0x38, 0x74,
                0xf6, 0x96, 0x69, 0x56, 0xc2,
                0xdd, 0x47, 0x3f, 0x8f, 0xa1,
                0x5a, 0xde, 0xb7, 0x1d, 0x1c,
                0xb9, 0x91, 0xb2, 0x34, 0x16,
                0x92, 0x32, 0x4c, 0xef, 0xb1,
                0xc5, 0xe6, 0x26
            };

            byte[] aliceBasePublic =
            {
                0x05, 0x47, 0x2d, 0x1f, 0xb1,
                0xa9, 0x86, 0x2c, 0x3a, 0xf6,
                0xbe, 0xac, 0xa8, 0x92, 0x02,
                0x77, 0xe2, 0xb2, 0x6f, 0x4a,
                0x79, 0x21, 0x3e, 0xc7, 0xc9,
                0x06, 0xae, 0xb3, 0x5e, 0x03,
                0xcf, 0x89, 0x50
            };

            byte[] aliceBasePrivate =
            {
                0x11, 0xae, 0x7c, 0x64, 0xd1,
                0xe6, 0x1c, 0xd5, 0x96, 0xb7,
                0x6a, 0x0d, 0xb5, 0x01, 0x26,
                0x73, 0x39, 0x1c, 0xae, 0x66,
                0xed, 0xbf, 0xcf, 0x07, 0x3b,
                0x4d, 0xa8, 0x05, 0x16, 0xa4,
                0x74, 0x49
            };

            byte[] aliceEphemeralPublic =
            {
                0x05, 0x6c, 0x3e, 0x0d, 0x1f,
                0x52, 0x02, 0x83, 0xef, 0xcc,
                0x55, 0xfc, 0xa5, 0xe6, 0x70,
                0x75, 0xb9, 0x04, 0x00, 0x7f,
                0x18, 0x81, 0xd1, 0x51, 0xaf,
                0x76, 0xdf, 0x18, 0xc5, 0x1d,
                0x29, 0xd3, 0x4b
            };

            byte[] aliceEphemeralPrivate =
            {
                0xd1, 0xba, 0x38, 0xce, 0xa9,
                0x17, 0x43, 0xd3, 0x39, 0x39,
                0xc3, 0x3c, 0x84, 0x98, 0x65,
                0x09, 0x28, 0x01, 0x61, 0xb8,
                0xb6, 0x0f, 0xc7, 0x87, 0x0c,
                0x59, 0x9c, 0x1d, 0x46, 0x20,
                0x12, 0x48
            };

            byte[] aliceIdentityPublic =
            {
                0x05, 0xb4, 0xa8, 0x45, 0x56,
                0x60, 0xad, 0xa6, 0x5b, 0x40,
                0x10, 0x07, 0xf6, 0x15, 0xe6,
                0x54, 0x04, 0x17, 0x46, 0x43,
                0x2e, 0x33, 0x39, 0xc6, 0x87,
                0x51, 0x49, 0xbc, 0xee, 0xfc,
                0xb4, 0x2b, 0x4a
            };

            byte[] aliceIdentityPrivate =
            {
                0x90, 0x40, 0xf0, 0xd4, 0xe0,
                0x9c, 0xf3, 0x8f, 0x6d, 0xc7,
                0xc1, 0x37, 0x79, 0xc9, 0x08,
                0xc0, 0x15, 0xa1, 0xda, 0x4f,
                0xa7, 0x87, 0x37, 0xa0, 0x80,
                0xeb, 0x0a, 0x6f, 0x4f, 0x5f,
                0x8f, 0x58
            };

            byte[] receiverChain =
            {
                0xd2, 0x2f, 0xd5, 0x6d, 0x3f,
                0xec, 0x81, 0x9c, 0xf4, 0xc3,
                0xd5, 0x0c, 0x56, 0xed, 0xfb,
                0x1c, 0x28, 0x0a, 0x1b, 0x31,
                0x96, 0x45, 0x37, 0xf1, 0xd1,
                0x61, 0xe1, 0xc9, 0x31, 0x48,
                0xe3, 0x6b
            };

            IdentityKey     bobIdentityKey           = new IdentityKey(bobIdentityPublic, 0);
            ECPublicKey     bobEphemeralPublicKey    = Curve.decodePoint(bobPublic, 0);
            ECPublicKey     bobBasePublicKey         = bobEphemeralPublicKey;
            ECPublicKey     aliceBasePublicKey       = Curve.decodePoint(aliceBasePublic, 0);
            ECPrivateKey    aliceBasePrivateKey      = Curve.decodePrivatePoint(aliceBasePrivate);
            ECKeyPair       aliceBaseKey             = new ECKeyPair(aliceBasePublicKey, aliceBasePrivateKey);
            ECPublicKey     aliceEphemeralPublicKey  = Curve.decodePoint(aliceEphemeralPublic, 0);
            ECPrivateKey    aliceEphemeralPrivateKey = Curve.decodePrivatePoint(aliceEphemeralPrivate);
            ECKeyPair       aliceEphemeralKey        = new ECKeyPair(aliceEphemeralPublicKey, aliceEphemeralPrivateKey);
            IdentityKey     aliceIdentityPublicKey   = new IdentityKey(aliceIdentityPublic, 0);
            ECPrivateKey    aliceIdentityPrivateKey  = Curve.decodePrivatePoint(aliceIdentityPrivate);
            IdentityKeyPair aliceIdentityKey         = new IdentityKeyPair(aliceIdentityPublicKey, aliceIdentityPrivateKey);

            SessionState session = new SessionState();

            AliceAxolotlParameters parameters = AliceAxolotlParameters.newBuilder()
                                                .setOurBaseKey(aliceBaseKey)
                                                .setOurIdentityKey(aliceIdentityKey)
                                                .setTheirIdentityKey(bobIdentityKey)
                                                .setTheirSignedPreKey(bobBasePublicKey)
                                                .setTheirRatchetKey(bobEphemeralPublicKey)
                                                .setTheirOneTimePreKey(May <ECPublicKey> .NoValue)
                                                .create();

            RatchetingSession.initializeSession(session, 2, parameters);

            Assert.AreEqual(session.getLocalIdentityKey(), aliceIdentityKey.getPublicKey());
            Assert.AreEqual(session.getRemoteIdentityKey(), bobIdentityKey);
            CollectionAssert.AreEqual(session.getReceiverChainKey(bobEphemeralPublicKey).getKey(), receiverChain);
        }
        public void TestRatchetingSessionAsBob()
        {
            byte[] bobPublic = { (byte)0x05, (byte)0x2c, (byte)0xb4, (byte)0x97,
                                 (byte)0x76, (byte)0xb8, (byte)0x77, (byte)0x02,
                                 (byte)0x05, (byte)0x74, (byte)0x5a, (byte)0x3a,
                                 (byte)0x6e, (byte)0x24, (byte)0xf5, (byte)0x79,
                                 (byte)0xcd, (byte)0xb4, (byte)0xba, (byte)0x7a,
                                 (byte)0x89, (byte)0x04, (byte)0x10, (byte)0x05,
                                 (byte)0x92, (byte)0x8e, (byte)0xbb, (byte)0xad,
                                 (byte)0xc9, (byte)0xc0, (byte)0x5a, (byte)0xd4,
                                 (byte)0x58 };

            byte[] bobPrivate = { (byte)0xa1, (byte)0xca, (byte)0xb4, (byte)0x8f,
                                  (byte)0x7c, (byte)0x89, (byte)0x3f, (byte)0xaf,
                                  (byte)0xa9, (byte)0x88, (byte)0x0a, (byte)0x28,
                                  (byte)0xc3, (byte)0xb4, (byte)0x99, (byte)0x9d,
                                  (byte)0x28, (byte)0xd6, (byte)0x32, (byte)0x95,
                                  (byte)0x62, (byte)0xd2, (byte)0x7a, (byte)0x4e,
                                  (byte)0xa4, (byte)0xe2, (byte)0x2e, (byte)0x9f,
                                  (byte)0xf1, (byte)0xbd, (byte)0xd6, (byte)0x5a };

            byte[] bobIdentityPublic = { (byte)0x05, (byte)0xf1, (byte)0xf4, (byte)0x38,
                                         (byte)0x74, (byte)0xf6, (byte)0x96, (byte)0x69,
                                         (byte)0x56, (byte)0xc2, (byte)0xdd, (byte)0x47,
                                         (byte)0x3f, (byte)0x8f, (byte)0xa1, (byte)0x5a,
                                         (byte)0xde, (byte)0xb7, (byte)0x1d, (byte)0x1c,
                                         (byte)0xb9, (byte)0x91, (byte)0xb2, (byte)0x34,
                                         (byte)0x16, (byte)0x92, (byte)0x32, (byte)0x4c,
                                         (byte)0xef, (byte)0xb1, (byte)0xc5, (byte)0xe6,
                                         (byte)0x26 };

            byte[] bobIdentityPrivate = { (byte)0x48, (byte)0x75, (byte)0xcc, (byte)0x69,
                                          (byte)0xdd, (byte)0xf8, (byte)0xea, (byte)0x07,
                                          (byte)0x19, (byte)0xec, (byte)0x94, (byte)0x7d,
                                          (byte)0x61, (byte)0x08, (byte)0x11, (byte)0x35,
                                          (byte)0x86, (byte)0x8d, (byte)0x5f, (byte)0xd8,
                                          (byte)0x01, (byte)0xf0, (byte)0x2c, (byte)0x02,
                                          (byte)0x25, (byte)0xe5, (byte)0x16, (byte)0xdf,
                                          (byte)0x21, (byte)0x56, (byte)0x60, (byte)0x5e };

            byte[] aliceBasePublic = { (byte)0x05, (byte)0x47, (byte)0x2d, (byte)0x1f,
                                       (byte)0xb1, (byte)0xa9, (byte)0x86, (byte)0x2c,
                                       (byte)0x3a, (byte)0xf6, (byte)0xbe, (byte)0xac,
                                       (byte)0xa8, (byte)0x92, (byte)0x02, (byte)0x77,
                                       (byte)0xe2, (byte)0xb2, (byte)0x6f, (byte)0x4a,
                                       (byte)0x79, (byte)0x21, (byte)0x3e, (byte)0xc7,
                                       (byte)0xc9, (byte)0x06, (byte)0xae, (byte)0xb3,
                                       (byte)0x5e, (byte)0x03, (byte)0xcf, (byte)0x89,
                                       (byte)0x50 };

            byte[] aliceEphemeralPublic = { (byte)0x05, (byte)0x6c, (byte)0x3e, (byte)0x0d,
                                            (byte)0x1f, (byte)0x52, (byte)0x02, (byte)0x83,
                                            (byte)0xef, (byte)0xcc, (byte)0x55, (byte)0xfc,
                                            (byte)0xa5, (byte)0xe6, (byte)0x70, (byte)0x75,
                                            (byte)0xb9, (byte)0x04, (byte)0x00, (byte)0x7f,
                                            (byte)0x18, (byte)0x81, (byte)0xd1, (byte)0x51,
                                            (byte)0xaf, (byte)0x76, (byte)0xdf, (byte)0x18,
                                            (byte)0xc5, (byte)0x1d, (byte)0x29, (byte)0xd3,
                                            (byte)0x4b };

            byte[] aliceIdentityPublic = { (byte)0x05, (byte)0xb4, (byte)0xa8, (byte)0x45,
                                           (byte)0x56, (byte)0x60, (byte)0xad, (byte)0xa6,
                                           (byte)0x5b, (byte)0x40, (byte)0x10, (byte)0x07,
                                           (byte)0xf6, (byte)0x15, (byte)0xe6, (byte)0x54,
                                           (byte)0x04, (byte)0x17, (byte)0x46, (byte)0x43,
                                           (byte)0x2e, (byte)0x33, (byte)0x39, (byte)0xc6,
                                           (byte)0x87, (byte)0x51, (byte)0x49, (byte)0xbc,
                                           (byte)0xee, (byte)0xfc, (byte)0xb4, (byte)0x2b,
                                           (byte)0x4a };

            byte[] bobSignedPreKeyPublic = { (byte)0x05, (byte)0xac, (byte)0x24, (byte)0x8a, (byte)0x8f,
                                             (byte)0x26, (byte)0x3b, (byte)0xe6, (byte)0x86, (byte)0x35,
                                             (byte)0x76, (byte)0xeb, (byte)0x03, (byte)0x62, (byte)0xe2,
                                             (byte)0x8c, (byte)0x82, (byte)0x8f, (byte)0x01, (byte)0x07,
                                             (byte)0xa3, (byte)0x37, (byte)0x9d, (byte)0x34, (byte)0xba,
                                             (byte)0xb1, (byte)0x58, (byte)0x6b, (byte)0xf8, (byte)0xc7,
                                             (byte)0x70, (byte)0xcd, (byte)0x67 };

            byte[] bobSignedPreKeyPrivate = { (byte)0x58, (byte)0x39, (byte)0x00, (byte)0x13, (byte)0x1f,
                                              (byte)0xb7, (byte)0x27, (byte)0x99, (byte)0x8b, (byte)0x78,
                                              (byte)0x03, (byte)0xfe, (byte)0x6a, (byte)0xc2, (byte)0x2c,
                                              (byte)0xc5, (byte)0x91, (byte)0xf3, (byte)0x42, (byte)0xe4,
                                              (byte)0xe4, (byte)0x2a, (byte)0x8c, (byte)0x8d, (byte)0x5d,
                                              (byte)0x78, (byte)0x19, (byte)0x42, (byte)0x09, (byte)0xb8,
                                              (byte)0xd2, (byte)0x53 };

            byte[] senderChain = { (byte)0x97, (byte)0x97, (byte)0xca, (byte)0xca, (byte)0x53,
                                   (byte)0xc9, (byte)0x89, (byte)0xbb, (byte)0xe2, (byte)0x29,
                                   (byte)0xa4, (byte)0x0c, (byte)0xa7, (byte)0x72, (byte)0x70,
                                   (byte)0x10, (byte)0xeb, (byte)0x26, (byte)0x04, (byte)0xfc,
                                   (byte)0x14, (byte)0x94, (byte)0x5d, (byte)0x77, (byte)0x95,
                                   (byte)0x8a, (byte)0x0a, (byte)0xed, (byte)0xa0, (byte)0x88,
                                   (byte)0xb4, (byte)0x4d };

            IdentityKey     bobIdentityKeyPublic   = new IdentityKey(bobIdentityPublic, 0);
            IEcPrivateKey   bobIdentityKeyPrivate  = Curve.DecodePrivatePoint(bobIdentityPrivate);
            IdentityKeyPair bobIdentityKey         = new IdentityKeyPair(bobIdentityKeyPublic, bobIdentityKeyPrivate);
            IEcPublicKey    bobEphemeralPublicKey  = Curve.DecodePoint(bobPublic, 0);
            IEcPrivateKey   bobEphemeralPrivateKey = Curve.DecodePrivatePoint(bobPrivate);
            EcKeyPair       bobEphemeralKey        = new EcKeyPair(bobEphemeralPublicKey, bobEphemeralPrivateKey);
            EcKeyPair       bobBaseKey             = bobEphemeralKey;
            EcKeyPair       bobSignedPreKey        = new EcKeyPair(Curve.DecodePoint(bobSignedPreKeyPublic, 0), Curve.DecodePrivatePoint(bobSignedPreKeyPrivate));

            IEcPublicKey aliceBasePublicKey      = Curve.DecodePoint(aliceBasePublic, 0);
            IEcPublicKey aliceEphemeralPublicKey = Curve.DecodePoint(aliceEphemeralPublic, 0);
            IdentityKey  aliceIdentityPublicKey  = new IdentityKey(aliceIdentityPublic, 0);

            BobSignalProtocolParameters parameters = BobSignalProtocolParameters.NewBuilder()
                                                     .SetOurIdentityKey(bobIdentityKey)
                                                     .SetOurSignedPreKey(bobSignedPreKey)
                                                     .SetOurRatchetKey(bobEphemeralKey)
                                                     .SetOurOneTimePreKey(May <EcKeyPair> .NoValue)
                                                     .SetTheirIdentityKey(aliceIdentityPublicKey)
                                                     .SetTheirBaseKey(aliceBasePublicKey)
                                                     .Create();

            SessionState session = new SessionState();

            RatchetingSession.InitializeSession(session, parameters);

            Assert.AreEqual <IdentityKey>(session.GetLocalIdentityKey(), bobIdentityKey.GetPublicKey());
            Assert.AreEqual <IdentityKey>(session.GetRemoteIdentityKey(), aliceIdentityPublicKey);
            CollectionAssert.AreEqual(session.GetSenderChainKey().GetKey(), senderChain);
        }