Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add config option to sign remote key query responses with a separate key. #5895

Merged
merged 5 commits into from
Aug 27, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/5895.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add config option to sign remote key query responses with a separate key.
8 changes: 8 additions & 0 deletions docs/sample_config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1027,6 +1027,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
#
#trusted_key_servers:
# - server_name: "matrix.org"
#

# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"


# Enable SAML2 for registration and login. Uses pysaml2.
Expand Down
34 changes: 30 additions & 4 deletions synapse/config/key.py
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ def read_config(self, config, config_dir_path, **kwargs):
config_dir_path, config["server_name"] + ".signing.key"
)

self.signing_key = self.read_signing_key(signing_key_path)
self.signing_key = self.read_signing_keys(signing_key_path, "signing_key")

self.old_signing_keys = self.read_old_signing_keys(
config.get("old_signing_keys", {})
Expand All @@ -85,6 +85,14 @@ def read_config(self, config, config_dir_path, **kwargs):
config.get("key_refresh_interval", "1d")
)

key_server_signing_keys_path = config.get("key_server_signing_keys_path")
if key_server_signing_keys_path:
self.key_server_signing_keys = self.read_signing_keys(
key_server_signing_keys_path, "key_server_signing_keys_path"
)
else:
self.key_server_signing_keys = list(self.signing_key)

# if neither trusted_key_servers nor perspectives are given, use the default.
if "perspectives" not in config and "trusted_key_servers" not in config:
key_servers = [{"server_name": "matrix.org"}]
Expand Down Expand Up @@ -210,16 +218,34 @@ def generate_config_section(
#
#trusted_key_servers:
# - server_name: "matrix.org"
#

# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"
"""
% locals()
)

def read_signing_key(self, signing_key_path):
signing_keys = self.read_file(signing_key_path, "signing_key")
def read_signing_keys(self, signing_key_path, name):
"""Read the signing keys in the given path.

Args:
signing_key_path (str)
name (str): Associated config key name

Returns:
list[SigningKey]
"""

signing_keys = self.read_file(signing_key_path, name)
try:
return read_signing_keys(signing_keys.splitlines(True))
except Exception as e:
raise ConfigError("Error reading signing_key: %s" % (str(e)))
raise ConfigError("Error reading %s: %s" % (name, str(e)))

def read_old_signing_keys(self, old_signing_keys):
keys = {}
Expand Down
11 changes: 2 additions & 9 deletions synapse/crypto/keyring.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
from signedjson.sign import (
SignatureVerifyException,
encode_canonical_json,
sign_json,
signature_ids,
verify_signed_json,
)
Expand Down Expand Up @@ -540,13 +539,7 @@ def process_v2_response(self, from_server, response_json, time_added_ms):
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
)

# re-sign the json with our own key, so that it is ready if we are asked to
# give it out as a notary server
signed_key_json = sign_json(
response_json, self.config.server_name, self.config.signing_key[0]
)

signed_key_json_bytes = encode_canonical_json(signed_key_json)
key_json_bytes = encode_canonical_json(response_json)

yield make_deferred_yieldable(
defer.gatherResults(
Expand All @@ -558,7 +551,7 @@ def process_v2_response(self, from_server, response_json, time_added_ms):
from_server=from_server,
ts_now_ms=time_added_ms,
ts_expires_ms=ts_valid_until_ms,
key_json_bytes=signed_key_json_bytes,
key_json_bytes=key_json_bytes,
)
for key_id in verify_keys
],
Expand Down
28 changes: 15 additions & 13 deletions synapse/rest/key/v2/remote_key_resource.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,9 @@
# limitations under the License.

import logging
from io import BytesIO

from canonicaljson import encode_canonical_json, json
from signedjson.sign import sign_json

from twisted.internet import defer

Expand Down Expand Up @@ -95,6 +97,7 @@ def __init__(self, hs):
self.store = hs.get_datastore()
self.clock = hs.get_clock()
self.federation_domain_whitelist = hs.config.federation_domain_whitelist
self.config = hs.config

@wrap_json_request_handler
async def _async_render_GET(self, request):
Expand Down Expand Up @@ -214,15 +217,14 @@ def query_keys(self, request, query, query_remote_on_cache_miss=False):
yield self.fetcher.get_keys(cache_misses)
yield self.query_keys(request, query, query_remote_on_cache_miss=False)
else:
result_io = BytesIO()
result_io.write(b'{"server_keys":')
sep = b"["
for json_bytes in json_results:
result_io.write(sep)
result_io.write(json_bytes)
sep = b","
if sep == b"[":
result_io.write(sep)
result_io.write(b"]}")

respond_with_json_bytes(request, 200, result_io.getvalue())
signed_keys = []
for key_json in json_results:
key_json = json.loads(key_json)
for signing_key in self.config.key_server_signing_keys:
key_json = sign_json(key_json, self.config.server_name, signing_key)

signed_keys.append(key_json)

results = {"server_keys": signed_keys}

respond_with_json_bytes(request, 200, encode_canonical_json(results))