From 26c8540d035017b55fcb31b1b90054f6a2077dab Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <richard@matrix.org>
Date: Tue, 23 May 2017 09:24:18 +0100
Subject: [PATCH] Add in a "verify" slash command to confirm signing keys
 (#912)

Allows users to send a text string via an alternative channel (like email
or SMS) which Riot can leverage to confirm that the signing keys match.

Effectively removes the tedium of checking keys until a better mechanism
is completed.

Signed-off-by: Kit Sczudlo <kit@kitscz.com>
---
 src/SlashCommands.js | 55 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)

diff --git a/src/SlashCommands.js b/src/SlashCommands.js
index 1ddcf4832d6..ddba344e18a 100644
--- a/src/SlashCommands.js
+++ b/src/SlashCommands.js
@@ -282,7 +282,60 @@ var commands = {
             }
         }
         return reject(this.getUsage());
-    })
+    }),
+
+    // Verify a user, device, and pubkey tuple
+    verify: new Command("verify", "<userId> <deviceId> <deviceSigningKey>", function(room_id, args) {
+        if (args) {
+            var matches = args.match(/^(\S+) +(\S+) +(\S+)$/);
+            if (matches) {
+                const userId = matches[1];
+                const deviceId = matches[2];
+                const fingerprint = matches[3];
+
+                const device = MatrixClientPeg.get().getStoredDevice(userId, deviceId);
+                if (!device) {
+                    return reject(`Unknown (user, device) pair: (${userId}, ${deviceId})`);
+                }
+
+                if (device.isVerified()) {
+                    if (device.getFingerprint() === fingerprint) {
+                        return reject(`Device already verified!`);
+                    } else {
+                        return reject(`WARNING: Device already verified, but keys do NOT MATCH!`);
+                    }
+                }
+
+                if (device.getFingerprint() === fingerprint) {
+                    MatrixClientPeg.get().setDeviceVerified(
+                            userId, deviceId, true
+                    );
+
+                    // Tell the user we verified everything!
+                    const QuestionDialog = sdk.getComponent("dialogs.QuestionDialog");
+                    Modal.createDialog(QuestionDialog, {
+                        title: "Verified key",
+                        description: (
+                            <div>
+                                <p>
+                                    The signing key you provided matches the signing key you received
+                                    from { userId }'s device { deviceId }. Device marked as verified.
+                                </p>
+                            </div>
+                        ),
+                        hasCancelButton: false,
+                    });
+
+                    return success();
+                } else {
+                    return reject(`WARNING: KEY VERIFICATION FAILED! The signing key for ${userId} and device
+                            ${deviceId} is "${device.getFingerprint()}" which does not match the provided key
+                            "${fingerprint}". This could mean your communications are being intercepted!`);
+                }
+            }
+        }
+        return reject(this.getUsage());
+    }),
 };
 
 // helpful aliases