feat(e2ee) add ExternallyManagedKeyHandler

JitsiConference.js

@@ -3694,6 +3694,17 @@ JitsiConference.prototype.toggleE2EE = function(enabled) {
     this._e2eEncryption.setEnabled(enabled);
 };
 
+/**
+ * Sets the key and index for End-to-End encryption.
+ *
+ * @param {CryptoKey} [keyInfo.encryptionKey] - encryption key.
+ * @param {Number} [keyInfo.index] - the index of the encryption key.
+ * @returns {void}
+ */
+JitsiConference.prototype.setMediaEncryptionKey = function(keyInfo) {
+    this._e2eEncryption.setEncryptionKey(keyInfo);
+};
+
 /**
  * Returns <tt>true</tt> if lobby support is enabled in the backend.
  *

modules/e2ee/Context.js

@@ -37,9 +37,9 @@ const RATCHET_WINDOW_SIZE = 8;
  */
 export class Context {
     /**
-     * @param {string} id - local muc resourcepart
+     * @param {Object} options
      */
-    constructor(id) {
+    constructor({ sharedKey = false } = {}) {
         // An array (ring) of keys that we use for sending and receiving.
         this._cryptoKeyRing = new Array(KEYRING_SIZE);
 
@@ -48,7 +48,7 @@ export class Context {
 
         this._sendCounts = new Map();
 
-        this._id = id;
+        this._sharedKey = sharedKey;
     }
 
     /**
@@ -57,18 +57,20 @@ export class Context {
      * @param {Uint8Array|false} key bytes. Pass false to disable.
      * @param {Number} keyIndex
      */
-    async setKey(keyBytes, keyIndex) {
-        let newKey;
+    async setKey(key, keyIndex = -1) {
+        let newKey = false;
 
-        if (keyBytes) {
-            const material = await importKey(keyBytes);
+        if (key) {
+            if (this._sharedKey) {
+                newKey = key;
+            } else {
+                const material = await importKey(key);
 
-            newKey = await deriveKeys(material);
-        } else {
-            newKey = false;
+                newKey = await deriveKeys(material);
+            }
         }
-        this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;
-        this._setKeys(newKey);
+
+        this._setKeys(newKey, keyIndex);
     }
 
     /**
@@ -80,10 +82,11 @@ export class Context {
      */
     _setKeys(keys, keyIndex = -1) {
         if (keyIndex >= 0) {
-            this._cryptoKeyRing[keyIndex] = keys;
-        } else {
-            this._cryptoKeyRing[this._currentKeyIndex] = keys;
+            this._currentKeyIndex = keyIndex % this._cryptoKeyRing.length;
         }
+
+        this._cryptoKeyRing[this._currentKeyIndex] = keys;
+
         this._sendCount = BigInt(0); // eslint-disable-line new-cap
     }
 
@@ -251,6 +254,10 @@ export class Context {
 
             encodedFrame.data = newData;
         } catch (error) {
+            if (this._sharedKey) {
+                return encodedFrame;
+            }
+
             if (ratchetCount < RATCHET_WINDOW_SIZE) {
                 material = await importKey(await ratchet(material));
 
@@ -265,12 +272,12 @@ export class Context {
                     ratchetCount + 1);
             }
 
-            /*
-               Since the key it is first send and only afterwards actually used for encrypting, there were
-               situations when the decrypting failed due to the fact that the received frame was not encrypted
-               yet and ratcheting, of course, did not solve the problem. So if we fail RATCHET_WINDOW_SIZE times,
-               we come back to the initial key.
-            */
+            /**
+             * Since the key it is first send and only afterwards actually used for encrypting, there were
+             * situations when the decrypting failed due to the fact that the received frame was not encrypted
+             * yet and ratcheting, of course, did not solve the problem. So if we fail RATCHET_WINDOW_SIZE times,
+             * we come back to the initial key.
+             */
             this._setKeys(initialKey);
 
             // TODO: notify the application about error status.

modules/e2ee/E2EEContext.js

@@ -23,8 +23,9 @@ const kJitsiE2EE = Symbol('kJitsiE2EE');
 export default class E2EEcontext {
     /**
      * Build a new E2EE context instance, which will be used in a given conference.
+     * @param {boolean} [options.sharedKey] - whether there is a uniques key shared amoung all participants.
      */
-    constructor() {
+    constructor({ sharedKey } = {}) {
         // Determine the URL for the worker script. Relative URLs are relative to
         // the entry point, not the script that launches the worker.
         let baseUrl = '';
@@ -44,7 +45,13 @@ export default class E2EEcontext {
         const blobUrl = window.URL.createObjectURL(workerBlob);
 
         this._worker = new Worker(blobUrl, { name: 'E2EE Worker' });
+
         this._worker.onerror = e => logger.error(e);
+
+        this._worker.postMessage({
+            operation: 'initialize',
+            sharedKey
+        });
     }
 
     /**
@@ -60,6 +67,16 @@ export default class E2EEcontext {
         });
     }
 
+    /**
+     * Cleans up all state associated with all participants in the conference. This is needed when disabling e2ee.
+     *
+     */
+    cleanupAll() {
+        this._worker.postMessage({
+            operation: 'cleanupAll'
+        });
+    }
+
     /**
      * Handles the given {@code RTCRtpReceiver} by creating a {@code TransformStream} which will inject
      * a frame decoder.
@@ -136,9 +153,9 @@ export default class E2EEcontext {
     setKey(participantId, key, keyIndex) {
         this._worker.postMessage({
             operation: 'setKey',
-            participantId,
             key,
-            keyIndex
+            keyIndex,
+            participantId
         });
     }
 }

modules/e2ee/E2EEncryption.js

@@ -1,25 +1,11 @@
-/* global __filename */
-
-import { getLogger } from 'jitsi-meet-logger';
-import debounce from 'lodash.debounce';
-
-import * as JitsiConferenceEvents from '../../JitsiConferenceEvents';
-import RTCEvents from '../../service/RTC/RTCEvents';
 import browser from '../browser';
-import Deferred from '../util/Deferred';
 
-import E2EEContext from './E2EEContext';
+import { ExternallyManagedKeyHandler } from './ExternallyManagedKeyHandler';
+import { ManagedKeyHandler } from './ManagedKeyHandler';
 import { OlmAdapter } from './OlmAdapter';
-import { importKey, ratchet } from './crypto-utils';
-
-const logger = getLogger(__filename);
-
-// Period which we'll wait before updating / rotating our keys when a participant
-// joins or leaves.
-const DEBOUNCE_PERIOD = 5000;
 
 /**
- * This module integrates {@link E2EEContext} with {@link JitsiConference} in order to enable E2E encryption.
+ * This module integrates {@link KeyHandler} with {@link JitsiConference} in order to enable E2E encryption.
  */
 export class E2EEncryption {
     /**
@@ -27,66 +13,15 @@ export class E2EEncryption {
      * @param {JitsiConference} conference - The conference instance for which E2E encryption is to be enabled.
      */
     constructor(conference) {
-        this.conference = conference;
-
-        this._conferenceJoined = false;
-        this._enabled = false;
-        this._key = undefined;
-        this._enabling = undefined;
-
-        this._e2eeCtx = new E2EEContext();
-        this._olmAdapter = new OlmAdapter(conference);
-
-        // Debounce key rotation / ratcheting to avoid a storm of messages.
-        this._ratchetKey = debounce(this._ratchetKeyImpl, DEBOUNCE_PERIOD);
-        this._rotateKey = debounce(this._rotateKeyImpl, DEBOUNCE_PERIOD);
-
-        // Participant join / leave operations. Used for key advancement / rotation.
-        //
+        const { e2ee = {} } = conference.options.config;
 
-        this.conference.on(
-            JitsiConferenceEvents.CONFERENCE_JOINED,
-            () => {
-                this._conferenceJoined = true;
-            });
-        this.conference.on(
-            JitsiConferenceEvents.PARTICIPANT_PROPERTY_CHANGED,
-            this._onParticipantPropertyChanged.bind(this));
-        this.conference.on(
-            JitsiConferenceEvents.USER_JOINED,
-            this._onParticipantJoined.bind(this));
-        this.conference.on(
-            JitsiConferenceEvents.USER_LEFT,
-            this._onParticipantLeft.bind(this));
+        this._externallyManaged = e2ee.externallyManagedKey;
 
-        // Conference media events in order to attach the encryptor / decryptor.
-        // FIXME add events to TraceablePeerConnection which will allow to see when there's new receiver or sender
-        // added instead of shenanigans around conference track events and track muted.
-        //
-
-        this.conference.on(
-            JitsiConferenceEvents._MEDIA_SESSION_STARTED,
-            this._onMediaSessionStarted.bind(this));
-        this.conference.on(
-            JitsiConferenceEvents.TRACK_ADDED,
-            track => track.isLocal() && this._onLocalTrackAdded(track));
-        this.conference.rtc.on(
-            RTCEvents.REMOTE_TRACK_ADDED,
-            (track, tpc) => this._setupReceiverE2EEForTrack(tpc, track));
-        this.conference.on(
-            JitsiConferenceEvents.TRACK_MUTE_CHANGED,
-            this._trackMuteChanged.bind(this));
-
-        // Olm signalling events.
-        this._olmAdapter.on(
-            OlmAdapter.events.OLM_ID_KEY_READY,
-            this._onOlmIdKeyReady.bind(this));
-        this._olmAdapter.on(
-            OlmAdapter.events.PARTICIPANT_E2EE_CHANNEL_READY,
-            this._onParticipantE2EEChannelReady.bind(this));
-        this._olmAdapter.on(
-            OlmAdapter.events.PARTICIPANT_KEY_UPDATED,
-            this._onParticipantKeyUpdated.bind(this));
+        if (this._externallyManaged) {
+            this._keyHandler = new ExternallyManagedKeyHandler(conference);
+        } else {
+            this._keyHandler = new ManagedKeyHandler(conference);
+        }
     }
 
     /**
@@ -96,10 +31,15 @@ export class E2EEncryption {
      * @returns {boolean}
      */
     static isSupported(config) {
+        const { e2ee = {} } = config;
+
+        if (!e2ee.externallyManagedKey && !OlmAdapter.isSupported()) {
+            return false;
+        }
+
         return !(config.testing && config.testing.disableE2EE)
             && (browser.supportsInsertableStreams()
-                || (config.enableEncodedTransformSupport && browser.supportsEncodedTransform()))
-            && OlmAdapter.isSupported();
+                || (config.enableEncodedTransformSupport && browser.supportsEncodedTransform()));
     }
 
     /**
@@ -108,7 +48,7 @@ export class E2EEncryption {
      * @returns {boolean}
      */
     isEnabled() {
-        return this._enabled;
+        return this._keyHandler.isEnabled();
     }
 
     /**
@@ -118,238 +58,17 @@ export class E2EEncryption {
      * @returns {void}
      */
     async setEnabled(enabled) {
-        if (enabled === this._enabled) {
-            return;
-        }
-
-        this._enabling && await this._enabling;
-
-        this._enabling = new Deferred();
-
-        this._enabled = enabled;
-
-        if (enabled) {
-            await this._olmAdapter.initSessions();
-        } else {
-            for (const participant of this.conference.getParticipants()) {
-                this._e2eeCtx.cleanup(participant.getId());
-            }
-            this._olmAdapter.clearAllParticipantsSessions();
-        }
-
-        this.conference.setLocalParticipantProperty('e2ee.enabled', enabled);
-
-        this.conference._restartMediaSessions();
-
-        // Generate a random key in case we are enabling.
-        this._key = enabled ? this._generateKey() : false;
-
-        // Send it to others using the E2EE olm channel.
-        const index = await this._olmAdapter.updateKey(this._key);
-
-        // Set our key so we begin encrypting.
-        this._e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
-
-        this._enabling.resolve();
-    }
-
-    /**
-     * Generates a new 256 bit random key.
-     *
-     * @returns {Uint8Array}
-     * @private
-     */
-    _generateKey() {
-        return window.crypto.getRandomValues(new Uint8Array(32));
-    }
-
-    /**
-     * Setup E2EE on the new track that has been added to the conference, apply it on all the open peerconnections.
-     * @param {JitsiLocalTrack} track - the new track that's being added to the conference.
-     * @private
-     */
-    _onLocalTrackAdded(track) {
-        for (const session of this.conference._getMediaSessions()) {
-            this._setupSenderE2EEForTrack(session, track);
-        }
-    }
-
-    /**
-     * Setups E2E encryption for the new session.
-     * @param {JingleSessionPC} session - the new media session.
-     * @private
-     */
-    _onMediaSessionStarted(session) {
-        const localTracks = this.conference.getLocalTracks();
-
-        for (const track of localTracks) {
-            this._setupSenderE2EEForTrack(session, track);
-        }
-    }
-
-    /**
-     * Publushes our own Olmn id key in presence.
-     * @private
-     */
-    _onOlmIdKeyReady(idKey) {
-        logger.debug(`Olm id key ready: ${idKey}`);
-
-        // Publish it in presence.
-        this.conference.setLocalParticipantProperty('e2ee.idKey', idKey);
-    }
-
-    /**
-     * Advances (using ratcheting) the current key when a new participant joins the conference.
-     * @private
-     */
-    _onParticipantJoined() {
-        if (this._conferenceJoined && this._enabled) {
-            this._ratchetKey();
-        }
-    }
-
-    /**
-     * Rotates the current key when a participant leaves the conference.
-     * @private
-     */
-    _onParticipantLeft(id) {
-        this._e2eeCtx.cleanup(id);
-
-        if (this._enabled) {
-            this._rotateKey();
-        }
-    }
-
-    /**
-     * Event posted when the E2EE signalling channel has been established with the given participant.
-     * @private
-     */
-    _onParticipantE2EEChannelReady(id) {
-        logger.debug(`E2EE channel with participant ${id} is ready`);
-    }
-
-    /**
-     * Handles an update in a participant's key.
-     *
-     * @param {string} id - The participant ID.
-     * @param {Uint8Array | boolean} key - The new key for the participant.
-     * @param {Number} index - The new key's index.
-     * @private
-     */
-    _onParticipantKeyUpdated(id, key, index) {
-        logger.debug(`Participant ${id} updated their key`);
-
-        this._e2eeCtx.setKey(id, key, index);
-    }
-
-    /**
-     * Handles an update in a participant's presence property.
-     *
-     * @param {JitsiParticipant} participant - The participant.
-     * @param {string} name - The name of the property that changed.
-     * @param {*} oldValue - The property's previous value.
-     * @param {*} newValue - The property's new value.
-     * @private
-     */
-    async _onParticipantPropertyChanged(participant, name, oldValue, newValue) {
-        switch (name) {
-        case 'e2ee.idKey':
-            logger.debug(`Participant ${participant.getId()} updated their id key: ${newValue}`);
-            break;
-        case 'e2ee.enabled':
-            if (!newValue && this._enabled) {
-                this._olmAdapter.clearParticipantSession(participant);
-
-                this._rotateKey();
-            }
-            break;
-        }
-    }
-
-    /**
-     * Advances the current key by using ratcheting.
-     *
-     * @private
-     */
-    async _ratchetKeyImpl() {
-        logger.debug('Ratchetting key');
-
-        const material = await importKey(this._key);
-        const newKey = await ratchet(material);
-
-        this._key = new Uint8Array(newKey);
-
-        const index = this._olmAdapter.updateCurrentKey(this._key);
-
-        this._e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
+        await this._keyHandler.setEnabled(enabled);
     }
 
     /**
-     * Rotates the local key. Rotating the key implies creating a new one, then distributing it
-     * to all participants and once they all received it, start using it.
+     * Sets the key and index for End-to-End encryption.
      *
-     * @private
-     */
-    async _rotateKeyImpl() {
-        logger.debug('Rotating key');
-
-        this._key = this._generateKey();
-        const index = await this._olmAdapter.updateKey(this._key);
-
-        this._e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
-    }
-
-    /**
-     * Setup E2EE for the receiving side.
-     *
-     * @private
-     */
-    _setupReceiverE2EEForTrack(tpc, track) {
-        if (!this._enabled) {
-            return;
-        }
-
-        const receiver = tpc.findReceiverForTrack(track.track);
-
-        if (receiver) {
-            this._e2eeCtx.handleReceiver(receiver, track.getType(), track.getParticipantId());
-        } else {
-            logger.warn(`Could not handle E2EE for ${track}: receiver not found in: ${tpc}`);
-        }
-    }
-
-    /**
-     * Setup E2EE for the sending side.
-     *
-     * @param {JingleSessionPC} session - the session which sends the media produced by the track.
-     * @param {JitsiLocalTrack} track - the local track for which e2e encoder will be configured.
-     * @private
-     */
-    _setupSenderE2EEForTrack(session, track) {
-        if (!this._enabled) {
-            return;
-        }
-
-        const pc = session.peerconnection;
-        const sender = pc && pc.findSenderForTrack(track.track);
-
-        if (sender) {
-            this._e2eeCtx.handleSender(sender, track.getType(), track.getParticipantId());
-        } else {
-            logger.warn(`Could not handle E2EE for ${track}: sender not found in ${pc}`);
-        }
-    }
-
-    /**
-     * Setup E2EE on the sender that is created for the unmuted local video track.
-     * @param {JitsiLocalTrack} track - the track for which muted status has changed.
-     * @private
+     * @param {CryptoKey} [keyInfo.encryptionKey] - encryption key.
+     * @param {Number} [keyInfo.index] - the index of the encryption key.
+     * @returns {void}
      */
-    _trackMuteChanged(track) {
-        if (browser.doesVideoMuteByStreamRemove() && track.isLocal() && track.isVideoTrack() && !track.isMuted()) {
-            for (const session of this.conference._getMediaSessions()) {
-                this._setupSenderE2EEForTrack(session, track);
-            }
-        }
+    setEncryptionKey(keyInfo) {
+        this._keyHandler.setKey(keyInfo);
     }
 }

modules/e2ee/ExternallyManagedKeyHandler.js

@@ -0,0 +1,25 @@
+import { KeyHandler } from './KeyHandler';
+
+/**
+ * This module integrates {@link E2EEContext} with {external} in order to set the keys for encryption.
+ */
+export class ExternallyManagedKeyHandler extends KeyHandler {
+    /**
+     * Build a new ExternallyManagedKeyHandler instance, which will be used in a given conference.
+     * @param conference - the current conference.
+     */
+    constructor(conference) {
+        super(conference, { sharedKey: true });
+    }
+
+    /**
+     * Sets the key and index for End-to-End encryption.
+     *
+     * @param {CryptoKey} [keyInfo.encryptionKey] - encryption key.
+     * @param {Number} [keyInfo.index] - the index of the encryption key.
+     * @returns {void}
+     */
+    setKey(keyInfo) {
+        this.e2eeCtx.setKey(undefined, { encryptionKey: keyInfo.encryptionKey }, keyInfo.index);
+    }
+}

modules/e2ee/KeyHandler.js

@@ -0,0 +1,177 @@
+/* global __filename */
+
+import { getLogger } from 'jitsi-meet-logger';
+
+import * as JitsiConferenceEvents from '../../JitsiConferenceEvents';
+import RTCEvents from '../../service/RTC/RTCEvents';
+import browser from '../browser';
+import Deferred from '../util/Deferred';
+import Listenable from '../util/Listenable';
+
+import E2EEContext from './E2EEContext';
+
+const logger = getLogger(__filename);
+
+/**
+ * Abstract class that integrates {@link E2EEContext} with a key management system.
+ */
+export class KeyHandler extends Listenable {
+    /**
+     * Build a new KeyHandler instance, which will be used in a given conference.
+     * @param {JitsiConference} conference - the current conference.
+     * @param {object} options - the options passed to {E2EEContext}, see implemention.
+     */
+    constructor(conference, options = {}) {
+        super();
+
+        this.conference = conference;
+        this.e2eeCtx = new E2EEContext(options);
+
+        this.enabled = false;
+        this._enabling = undefined;
+
+        // Conference media events in order to attach the encryptor / decryptor.
+        // FIXME add events to TraceablePeerConnection which will allow to see when there's new receiver or sender
+        // added instead of shenanigans around conference track events and track muted.
+        //
+
+        this.conference.on(
+            JitsiConferenceEvents._MEDIA_SESSION_STARTED,
+            this._onMediaSessionStarted.bind(this));
+        this.conference.on(
+            JitsiConferenceEvents.TRACK_ADDED,
+            track => track.isLocal() && this._onLocalTrackAdded(track));
+        this.conference.rtc.on(
+            RTCEvents.REMOTE_TRACK_ADDED,
+            (track, tpc) => this._setupReceiverE2EEForTrack(tpc, track));
+        this.conference.on(
+            JitsiConferenceEvents.TRACK_MUTE_CHANGED,
+            this._trackMuteChanged.bind(this));
+    }
+
+    /**
+     * Indicates whether E2EE is currently enabled or not.
+     *
+     * @returns {boolean}
+     */
+    isEnabled() {
+        return this.enabled;
+    }
+
+    /**
+     * Enables / disables End-To-End encryption.
+     *
+     * @param {boolean} enabled - whether E2EE should be enabled or not.
+     * @returns {void}
+     */
+    async setEnabled(enabled) {
+        if (enabled === this.enabled) {
+            return;
+        }
+
+        this._enabling && await this._enabling;
+
+        this._enabling = new Deferred();
+
+        this.enabled = enabled;
+
+        if (!enabled) {
+            this.e2eeCtx.cleanupAll();
+        }
+
+        this._setEnabled && await this._setEnabled(enabled);
+
+        this.conference.setLocalParticipantProperty('e2ee.enabled', enabled);
+
+        this.conference._restartMediaSessions();
+
+        this._enabling.resolve();
+    }
+
+    /**
+     * Sets the key for End-to-End encryption.
+     *
+     * @returns {void}
+     */
+    setEncryptionKey() {
+        throw new Error('Not implemented by subclass');
+    }
+
+    /**
+     * Setup E2EE on the new track that has been added to the conference, apply it on all the open peerconnections.
+     * @param {JitsiLocalTrack} track - the new track that's being added to the conference.
+     * @private
+     */
+    _onLocalTrackAdded(track) {
+        for (const session of this.conference._getMediaSessions()) {
+            this._setupSenderE2EEForTrack(session, track);
+        }
+    }
+
+    /**
+     * Setups E2E encryption for the new session.
+     * @param {JingleSessionPC} session - the new media session.
+     * @private
+     */
+    _onMediaSessionStarted(session) {
+        const localTracks = this.conference.getLocalTracks();
+
+        for (const track of localTracks) {
+            this._setupSenderE2EEForTrack(session, track);
+        }
+    }
+
+    /**
+     * Setup E2EE for the receiving side.
+     *
+     * @private
+     */
+    _setupReceiverE2EEForTrack(tpc, track) {
+        if (!this.enabled) {
+            return;
+        }
+
+        const receiver = tpc.findReceiverForTrack(track.track);
+
+        if (receiver) {
+            this.e2eeCtx.handleReceiver(receiver, track.getType(), track.getParticipantId());
+        } else {
+            logger.warn(`Could not handle E2EE for ${track}: receiver not found in: ${tpc}`);
+        }
+    }
+
+    /**
+     * Setup E2EE for the sending side.
+     *
+     * @param {JingleSessionPC} session - the session which sends the media produced by the track.
+     * @param {JitsiLocalTrack} track - the local track for which e2e encoder will be configured.
+     * @private
+     */
+    _setupSenderE2EEForTrack(session, track) {
+        if (!this.enabled) {
+            return;
+        }
+
+        const pc = session.peerconnection;
+        const sender = pc && pc.findSenderForTrack(track.track);
+
+        if (sender) {
+            this.e2eeCtx.handleSender(sender, track.getType(), track.getParticipantId());
+        } else {
+            logger.warn(`Could not handle E2EE for ${track}: sender not found in ${pc}`);
+        }
+    }
+
+    /**
+     * Setup E2EE on the sender that is created for the unmuted local video track.
+     * @param {JitsiLocalTrack} track - the track for which muted status has changed.
+     * @private
+     */
+    _trackMuteChanged(track) {
+        if (browser.doesVideoMuteByStreamRemove() && track.isLocal() && track.isVideoTrack() && !track.isMuted()) {
+            for (const session of this.conference._getMediaSessions()) {
+                this._setupSenderE2EEForTrack(session, track);
+            }
+        }
+    }
+}

modules/e2ee/ManagedKeyHandler.js

@@ -0,0 +1,181 @@
+/* global __filename */
+
+import { getLogger } from 'jitsi-meet-logger';
+import debounce from 'lodash.debounce';
+
+import * as JitsiConferenceEvents from '../../JitsiConferenceEvents';
+
+import { KeyHandler } from './KeyHandler';
+import { OlmAdapter } from './OlmAdapter';
+import { importKey, ratchet } from './crypto-utils';
+
+const logger = getLogger(__filename);
+
+// Period which we'll wait before updating / rotating our keys when a participant
+// joins or leaves.
+const DEBOUNCE_PERIOD = 5000;
+
+/**
+ * This module integrates {@link E2EEContext} with {@link OlmAdapter} in order to distribute the keys for encryption.
+ */
+export class ManagedKeyHandler extends KeyHandler {
+    /**
+     * Build a new AutomaticKeyHandler instance, which will be used in a given conference.
+     */
+    constructor(conference) {
+        super(conference);
+
+        this._key = undefined;
+        this._conferenceJoined = false;
+
+        this._olmAdapter = new OlmAdapter(conference);
+
+        this._rotateKey = debounce(this._rotateKeyImpl, DEBOUNCE_PERIOD);
+        this._ratchetKey = debounce(this._ratchetKeyImpl, DEBOUNCE_PERIOD);
+
+        // Olm signalling events.
+        this._olmAdapter.on(
+            OlmAdapter.events.PARTICIPANT_KEY_UPDATED,
+            this._onParticipantKeyUpdated.bind(this));
+
+        this.conference.on(
+            JitsiConferenceEvents.PARTICIPANT_PROPERTY_CHANGED,
+            this._onParticipantPropertyChanged.bind(this));
+        this.conference.on(
+            JitsiConferenceEvents.USER_JOINED,
+            this._onParticipantJoined.bind(this));
+        this.conference.on(
+            JitsiConferenceEvents.USER_LEFT,
+            this._onParticipantLeft.bind(this));
+        this.conference.on(
+                JitsiConferenceEvents.CONFERENCE_JOINED,
+                () => {
+                    this._conferenceJoined = true;
+                });
+    }
+
+    /**
+     * When E2EE is enabled it initializes sessions and sets the key.
+     * Cleans up the sessions when disabled.
+     *
+     * @param {boolean} enabled - whether E2EE should be enabled or not.
+     * @returns {void}
+     */
+    async _setEnabled(enabled) {
+        if (enabled) {
+            await this._olmAdapter.initSessions();
+        } else {
+            this._olmAdapter.clearAllParticipantsSessions();
+        }
+
+        // Generate a random key in case we are enabling.
+        this._key = enabled ? this._generateKey() : false;
+
+        // Send it to others using the E2EE olm channel.
+        const index = await this._olmAdapter.updateKey(this._key);
+
+        // Set our key so we begin encrypting.
+        this.e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
+    }
+
+    /**
+     * Handles an update in a participant's presence property.
+     *
+     * @param {JitsiParticipant} participant - The participant.
+     * @param {string} name - The name of the property that changed.
+     * @param {*} oldValue - The property's previous value.
+     * @param {*} newValue - The property's new value.
+     * @private
+     */
+    async _onParticipantPropertyChanged(participant, name, oldValue, newValue) {
+        switch (name) {
+        case 'e2ee.idKey':
+            logger.debug(`Participant ${participant.getId()} updated their id key: ${newValue}`);
+            break;
+        case 'e2ee.enabled':
+            if (!newValue && this.enabled) {
+                this._olmAdapter.clearParticipantSession(participant);
+            }
+            break;
+        }
+    }
+
+    /**
+     * Advances (using ratcheting) the current key when a new participant joins the conference.
+     * @private
+     */
+    _onParticipantJoined() {
+        if (this._conferenceJoined && this.enabled) {
+            this._ratchetKey();
+        }
+    }
+
+    /**
+     * Rotates the current key when a participant leaves the conference.
+     * @private
+     */
+    _onParticipantLeft(id) {
+        this.e2eeCtx.cleanup(id);
+
+        if (this.enabled) {
+            this._rotateKey();
+        }
+    }
+
+    /**
+     * Rotates the local key. Rotating the key implies creating a new one, then distributing it
+     * to all participants and once they all received it, start using it.
+     *
+     * @private
+     */
+    async _rotateKeyImpl() {
+        logger.debug('Rotating key');
+
+        this._key = this._generateKey();
+        const index = await this._olmAdapter.updateKey(this._key);
+
+        this.e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
+    }
+
+    /**
+     * Advances the current key by using ratcheting.
+     *
+     * @private
+     */
+    async _ratchetKeyImpl() {
+        logger.debug('Ratchetting key');
+
+        const material = await importKey(this._key);
+        const newKey = await ratchet(material);
+
+        this._key = new Uint8Array(newKey);
+
+        const index = this._olmAdapter.updateCurrentKey(this._key);
+
+        this.e2eeCtx.setKey(this.conference.myUserId(), this._key, index);
+    }
+
+    /**
+     * Handles an update in a participant's key.
+     *
+     * @param {string} id - The participant ID.
+     * @param {Uint8Array | boolean} key - The new key for the participant.
+     * @param {Number} index - The new key's index.
+     * @private
+     */
+    _onParticipantKeyUpdated(id, key, index) {
+        logger.debug(`Participant ${id} updated their key`);
+
+        this.e2eeCtx.setKey(id, key, index);
+    }
+
+    /**
+     * Generates a new 256 bit random key.
+     *
+     * @returns {Uint8Array}
+     * @private
+     */
+    _generateKey() {
+        return window.crypto.getRandomValues(new Uint8Array(32));
+    }
+}

modules/e2ee/OlmAdapter.js

@@ -230,7 +230,7 @@ export class OlmAdapter extends Listenable {
 
             logger.debug(`Olm ${Olm.get_library_version().join('.')} initialized`);
             this._init.resolve();
-            this.eventEmitter.emit(OlmAdapterEvents.OLM_ID_KEY_READY, this._idKey);
+            this._onIdKeyReady(this._idKey);
         } catch (e) {
             logger.error('Failed to initialize Olm', e);
             this._init.reject(e);
@@ -238,6 +238,25 @@ export class OlmAdapter extends Listenable {
 
     }
 
+    /**
+     * Publishes our own Olmn id key in presence.
+     * @private
+     */
+    _onIdKeyReady(idKey) {
+        logger.debug(`Olm id key ready: ${idKey}`);
+
+        // Publish it in presence.
+        this._conf.setLocalParticipantProperty('e2ee.idKey', idKey);
+    }
+
+    /**
+     * Event posted when the E2EE signalling channel has been established with the given participant.
+     * @private
+     */
+    _onParticipantE2EEChannelReady(id) {
+        logger.debug(`E2EE channel with participant ${id} is ready`);
+    }
+
     /**
      * Internal helper for encrypting the current key information for a given participant.
      *
@@ -339,7 +358,7 @@ export class OlmAdapter extends Listenable {
                 };
 
                 this._sendMessage(ack, pId);
-                this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_E2EE_CHANNEL_READY, pId);
+                this._onParticipantE2EEChannelReady(pId);
             }
             break;
         }
@@ -364,7 +383,7 @@ export class OlmAdapter extends Listenable {
                 olmData.session = session;
                 olmData.pendingSessionUuid = undefined;
 
-                this.eventEmitter.emit(OlmAdapterEvents.PARTICIPANT_E2EE_CHANNEL_READY, pId);
+                this._onParticipantE2EEChannelReady(pId);
 
                 this._reqs.delete(msg.data.uuid);
                 d.resolve();
@@ -611,8 +630,6 @@ export class OlmAdapter extends Listenable {
     }
 }
 
-OlmAdapter.events = OlmAdapterEvents;
-
 /**
  * Helper to ensure JSON parsing always returns an object.
  *
@@ -626,3 +643,5 @@ function safeJsonParse(data) {
         return {};
     }
 }
+
+OlmAdapter.events = OlmAdapterEvents;

modules/e2ee/Worker.js

@@ -7,6 +7,8 @@ import { Context } from './Context';
 
 const contexts = new Map(); // Map participant id => context
 
+let sharedContext;
+
 /**
  * Retrieves the participant {@code Context}, creating it if necessary.
  *
@@ -14,8 +16,12 @@ const contexts = new Map(); // Map participant id => context
  * @returns {Object} The context.
  */
 function getParticipantContext(participantId) {
+    if (sharedContext) {
+        return sharedContext;
+    }
+
     if (!contexts.has(participantId)) {
-        contexts.set(participantId, new Context(participantId));
+        contexts.set(participantId, new Context());
     }
 
     return contexts.get(participantId);
@@ -47,7 +53,13 @@ function handleTransform(context, operation, readableStream, writableStream) {
 onmessage = async event => {
     const { operation } = event.data;
 
-    if (operation === 'encode' || operation === 'decode') {
+    if (operation === 'initialize') {
+        const { sharedKey } = event.data;
+
+        if (sharedKey) {
+            sharedContext = new Context({ sharedKey });
+        }
+    } else if (operation === 'encode' || operation === 'decode') {
         const { readableStream, writableStream, participantId } = event.data;
         const context = getParticipantContext(participantId);
 
@@ -65,6 +77,8 @@ onmessage = async event => {
         const { participantId } = event.data;
 
         contexts.delete(participantId);
+    } else if (operation === 'cleanupAll') {
+        contexts.clear();
     } else {
         console.error('e2ee worker', operation);
     }