Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Merge pull request #5895 from matrix-org/erikj/notary_key
Browse files Browse the repository at this point in the history
  • Loading branch information
anoadragon453 committed Feb 21, 2020
2 parents 2b62e3f + f5b50d0 commit 265bcb1
Show file tree
Hide file tree
Showing 6 changed files with 57 additions and 27 deletions.
1 change: 1 addition & 0 deletions changelog.d/5895.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add config option to sign remote key query responses with a separate key.
2 changes: 1 addition & 1 deletion changelog.d/5909.misc
Original file line number Diff line number Diff line change
@@ -1 +1 @@
Fix error message which referred to public_base_url instead of public_baseurl.
Fix error message which referred to public_base_url instead of public_baseurl. Thanks to @aaronraimist for the fix!
8 changes: 8 additions & 0 deletions docs/sample_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1184,6 +1184,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
#
#trusted_key_servers:
# - server_name: "matrix.org"
#

# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"


# Enable SAML2 for registration and login. Uses pysaml2.
Expand Down
34 changes: 30 additions & 4 deletions synapse/config/key.py
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ def read_config(self, config, config_dir_path, **kwargs):
config_dir_path, config["server_name"] + ".signing.key"
)

self.signing_key = self.read_signing_key(signing_key_path)
self.signing_key = self.read_signing_keys(signing_key_path, "signing_key")

self.old_signing_keys = self.read_old_signing_keys(
config.get("old_signing_keys", {})
Expand All @@ -85,6 +85,14 @@ def read_config(self, config, config_dir_path, **kwargs):
config.get("key_refresh_interval", "1d")
)

key_server_signing_keys_path = config.get("key_server_signing_keys_path")
if key_server_signing_keys_path:
self.key_server_signing_keys = self.read_signing_keys(
key_server_signing_keys_path, "key_server_signing_keys_path"
)
else:
self.key_server_signing_keys = list(self.signing_key)

# if neither trusted_key_servers nor perspectives are given, use the default.
if "perspectives" not in config and "trusted_key_servers" not in config:
key_servers = [{"server_name": "matrix.org"}]
Expand Down Expand Up @@ -210,16 +218,34 @@ def generate_config_section(
#
#trusted_key_servers:
# - server_name: "matrix.org"
#
# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"
"""
% locals()
)

def read_signing_key(self, signing_key_path):
signing_keys = self.read_file(signing_key_path, "signing_key")
def read_signing_keys(self, signing_key_path, name):
"""Read the signing keys in the given path.
Args:
signing_key_path (str)
name (str): Associated config key name
Returns:
list[SigningKey]
"""

signing_keys = self.read_file(signing_key_path, name)
try:
return read_signing_keys(signing_keys.splitlines(True))
except Exception as e:
raise ConfigError("Error reading signing_key: %s" % (str(e)))
raise ConfigError("Error reading %s: %s" % (name, str(e)))

def read_old_signing_keys(self, old_signing_keys):
keys = {}
Expand Down
11 changes: 2 additions & 9 deletions synapse/crypto/keyring.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,6 @@
from signedjson.sign import (
SignatureVerifyException,
encode_canonical_json,
sign_json,
signature_ids,
verify_signed_json,
)
Expand Down Expand Up @@ -539,13 +538,7 @@ def process_v2_response(self, from_server, response_json, time_added_ms):
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
)

# re-sign the json with our own key, so that it is ready if we are asked to
# give it out as a notary server
signed_key_json = sign_json(
response_json, self.config.server_name, self.config.signing_key[0]
)

signed_key_json_bytes = encode_canonical_json(signed_key_json)
key_json_bytes = encode_canonical_json(response_json)

yield make_deferred_yieldable(
defer.gatherResults(
Expand All @@ -557,7 +550,7 @@ def process_v2_response(self, from_server, response_json, time_added_ms):
from_server=from_server,
ts_now_ms=time_added_ms,
ts_expires_ms=ts_valid_until_ms,
key_json_bytes=signed_key_json_bytes,
key_json_bytes=key_json_bytes,
)
for key_id in verify_keys
],
Expand Down
28 changes: 15 additions & 13 deletions synapse/rest/key/v2/remote_key_resource.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,9 @@
# limitations under the License.

import logging
from io import BytesIO

from canonicaljson import encode_canonical_json, json
from signedjson.sign import sign_json

from twisted.internet import defer

Expand Down Expand Up @@ -95,6 +97,7 @@ def __init__(self, hs):
self.store = hs.get_datastore()
self.clock = hs.get_clock()
self.federation_domain_whitelist = hs.config.federation_domain_whitelist
self.config = hs.config

@wrap_json_request_handler
async def _async_render_GET(self, request):
Expand Down Expand Up @@ -214,15 +217,14 @@ def query_keys(self, request, query, query_remote_on_cache_miss=False):
yield self.fetcher.get_keys(cache_misses)
yield self.query_keys(request, query, query_remote_on_cache_miss=False)
else:
result_io = BytesIO()
result_io.write(b'{"server_keys":')
sep = b"["
for json_bytes in json_results:
result_io.write(sep)
result_io.write(json_bytes)
sep = b","
if sep == b"[":
result_io.write(sep)
result_io.write(b"]}")

respond_with_json_bytes(request, 200, result_io.getvalue())
signed_keys = []
for key_json in json_results:
key_json = json.loads(key_json)
for signing_key in self.config.key_server_signing_keys:
key_json = sign_json(key_json, self.config.server_name, signing_key)

signed_keys.append(key_json)

results = {"server_keys": signed_keys}

respond_with_json_bytes(request, 200, encode_canonical_json(results))

0 comments on commit 265bcb1

Please sign in to comment.