Cannot get Smack OX IM working

This is continuation of previous discussion. The thread is locked so I cannot continue there.

Today I decided that I will play around and try to send encrypted messages. But I could not. All I get is keys not found. I decided that I will create a very simple project to demo the issue (lacks a lot of standard stuffs but should be easy to test things with.

All the project does is login and chat with user filled in the chat with edittex.

Can any one try it and help me spot where I do things wrong?
Thank you!
ChatWithOpenPGP.zip (1.2 MB)

I think presenting your code via git on e.g. gitlab.com would increase your chances that someone tests and comments on it.

Cool, let me do just that!
Thanks!

Here is the repo: https://gitlab.com/public-projects11/chatwithopenpgp

It appears you do not do any trust management.
Smack will consider keys that get imported as undecided until you mark them as trusted using openPgpContact.trust(fingerprint).
You can get a list of trusted keys using openPgpContact.getTrustedAnnouncedKeys(). This is the set of keys Smack will consider for encryption.

Sometimes I encounter the issue that my server does not properly deliver the keys of my contacts to me via pep notifications. To work around this you could use openPgpContact.updateKeys(connection) which will explicitly query for keys of the contact.
Then you should trust the keys and be good to go

Here is a patched onClick method:

editorBtn.setOnClickListener {
            val texEditor = findViewById<EditText>(R.id.editor)
            val chatWith = findViewById<EditText>(R.id.chatWith)

            val jid: BareJid = JidCreate.bareFrom("${chatWith.text}")
            val message: String = texEditor.text.toString()
            val contact = openPgpManager?.getOpenPgpContact(jid.asEntityBareJidIfPossible());
            // workaround for possible pep issues. Only necessary if you notice that your server does not deliver pep items
            contact?.updateKeys(connection)
            // in production you should replace this with some elaborate trust model (eg. TOFU)
            for (key in contact?.announcedPublicKeys!!) {
                contact?.trust(OpenPgpV4Fingerprint(key.publicKey))
            }

            oxManager?.sendOxMessage(
                openPgpManager?.getOpenPgpContact(jid.asEntityBareJidIfPossible()),
                message
            )

            texEditor.setText("")
        }

Great thanks Paul. Am sure it could take me years to just recognize that
Let me patch and finally put the issue to rest!

Maybe we should also add a more prominent hint to the documentation?

Edit: There is already some hint present

I think what is missing is actually a minimal example. Many of the developers are not having a very good PGP background and so may miss the most obvious statement in the docs

I don’t think that you can or should implement OpenPGP-based encryption without having knowledge about OpenPGP. We are talking about security sensitive stuff where, where one mistake can compromise the whole encryption scheme.

Hence I am always skeptical when it comes to “minimal examples” for encryption. That easily leads to cargo cult programming which, especially in the case of encryption, is the path to eternal doom.

That said, the API should be as easy, and especially safe, to use as possible.

Well I agree with everything you have said. However, my comment was rather on illustrating the document with example (like is done in other instances like connection and in some places this same extension).

I didn’t meant a working code.

Just as side note the product must be audited by security experts before it goes live as many developers aren’t indeed sec gurus!

This topic was automatically closed 62 days after the last reply. New replies are no longer allowed.