
Fetch verify key locally rather than trying to do so over federation if origin and host are the same. #11129

Oct 28, 2021
47 changes: 47 additions & 0 deletions synapse/crypto/keyring.py
Expand Up @@ -22,6 +22,7 @@
from signedjson.key import (
decode_verify_key_bytes,
encode_verify_key_base64,
get_verify_key,
is_signing_algorithm_supported,
)
from signedjson.sign import (
Expand Down Expand Up @@ -177,6 +178,48 @@ def __init__(
clock=hs.get_clock(),
process_batch_callback=self._inner_fetch_key_requests,
)
self.signing_key = hs.signing_key
self.hostname = hs.hostname

def verify_json_locally(self, server_name: str, json_object: JsonDict):
verify_key = get_verify_key(self.signing_key)
verified = False

try:
verify_signed_json(
json_object,
server_name,
verify_key,
)
verified = True

except SignatureVerifyException as e:
logger.debug(
"Error verifying signature for %s:%s:%s with key %s: %s",
server_name,
verify_key.alg,
verify_key.version,
encode_verify_key_base64(verify_key),
str(e),
)
raise SynapseError(
401,
"Invalid signature for server %s with key %s:%s: %s"
% (
server_name,
verify_key.alg,
verify_key.version,
str(e),
),
Codes.UNAUTHORIZED,
)

if not verified:
raise SynapseError(
401,
"Unable to verify request",
Codes.UNAUTHORIZED,
)

async def verify_json_for_server(
self,
Expand All @@ -196,6 +239,10 @@ async def verify_json_for_server(
validity_time: timestamp at which we require the signing key to
be valid. (0 implies we don't care)
"""
# if we are the originating server don't fetch verify key for self over federation
if server_name == self.hostname:
return self.verify_json_locally(server_name, json_object)

request = VerifyJsonRequest.from_json_object(
server_name,
json_object,
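Review bot: `verify_json_locally` (second hunk) checks the signature against only the server's current signing key, `get_verify_key(self.signing_key)`, so the short-circuit added to `verify_json_for_server` rejects with 401 any self-signed JSON whose signature carries a different key id — presumably including a previous signing key if this deployment has ever rotated keys — where the federation path would have consulted the full key set and honoured `validity_time`; the local path should pick the key by the key id in the object's `signatures` entry for `server_name` and fall through to the normal `VerifyJsonRequest` flow when no local key matches. The `verified` flag is dead code, since the only path that leaves it `False` raises inside the `except`, so `verified = False`, `verified = True` and the trailing `if not verified:` block can be dropped. The method also lacks a docstring and a return annotation, unlike `verify_json_for_server` directly below it; `-> None` plus a one-line summary saying it verifies a signature made by this homeserver with its own signing key and raises `SynapseError(401)` on failure would match the file's style. `verify_json_for_server`'s body continues past the third hunk, and the `__init__` in the first visible hunk starts outside it.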