Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Merge pull request #996 from matrix-org/erikj/tls_error
Browse files Browse the repository at this point in the history
Don't print stack traces when failing to get remote keys
  • Loading branch information
erikjohnston authored Aug 10, 2016
2 parents 79ebfbe + fa1ce4d commit d454894
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 13 deletions.
28 changes: 16 additions & 12 deletions synapse/crypto/keyring.py
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,10 @@
"""


class KeyLookupError(ValueError):
pass


class Keyring(object):
def __init__(self, hs):
self.store = hs.get_datastore()
Expand Down Expand Up @@ -363,7 +367,7 @@ def get_key(server_name, key_ids):
)
except Exception as e:
logger.info(
"Unable to getting key %r for %r directly: %s %s",
"Unable to get key %r for %r directly: %s %s",
key_ids, server_name,
type(e).__name__, str(e.message),
)
Expand Down Expand Up @@ -425,7 +429,7 @@ def get_server_verify_key_v2_indirect(self, server_names_and_key_ids,
for response in responses:
if (u"signatures" not in response
or perspective_name not in response[u"signatures"]):
raise ValueError(
raise KeyLookupError(
"Key response not signed by perspective server"
" %r" % (perspective_name,)
)
Expand All @@ -448,7 +452,7 @@ def get_server_verify_key_v2_indirect(self, server_names_and_key_ids,
list(response[u"signatures"][perspective_name]),
list(perspective_keys)
)
raise ValueError(
raise KeyLookupError(
"Response not signed with a known key for perspective"
" server %r" % (perspective_name,)
)
Expand Down Expand Up @@ -491,10 +495,10 @@ def get_server_verify_key_v2_direct(self, server_name, key_ids):

if (u"signatures" not in response
or server_name not in response[u"signatures"]):
raise ValueError("Key response not signed by remote server")
raise KeyLookupError("Key response not signed by remote server")

if "tls_fingerprints" not in response:
raise ValueError("Key response missing TLS fingerprints")
raise KeyLookupError("Key response missing TLS fingerprints")

certificate_bytes = crypto.dump_certificate(
crypto.FILETYPE_ASN1, tls_certificate
Expand All @@ -508,7 +512,7 @@ def get_server_verify_key_v2_direct(self, server_name, key_ids):
response_sha256_fingerprints.add(fingerprint[u"sha256"])

if sha256_fingerprint_b64 not in response_sha256_fingerprints:
raise ValueError("TLS certificate not allowed by fingerprints")
raise KeyLookupError("TLS certificate not allowed by fingerprints")

response_keys = yield self.process_v2_response(
from_server=server_name,
Expand Down Expand Up @@ -560,14 +564,14 @@ def process_v2_response(self, from_server, response_json,
server_name = response_json["server_name"]
if only_from_server:
if server_name != from_server:
raise ValueError(
raise KeyLookupError(
"Expected a response for server %r not %r" % (
from_server, server_name
)
)
for key_id in response_json["signatures"].get(server_name, {}):
if key_id not in response_json["verify_keys"]:
raise ValueError(
raise KeyLookupError(
"Key response must include verification keys for all"
" signatures"
)
Expand Down Expand Up @@ -635,15 +639,15 @@ def get_server_verify_key_v1_direct(self, server_name, key_ids):

if ("signatures" not in response
or server_name not in response["signatures"]):
raise ValueError("Key response not signed by remote server")
raise KeyLookupError("Key response not signed by remote server")

if "tls_certificate" not in response:
raise ValueError("Key response missing TLS certificate")
raise KeyLookupError("Key response missing TLS certificate")

tls_certificate_b64 = response["tls_certificate"]

if encode_base64(x509_certificate_bytes) != tls_certificate_b64:
raise ValueError("TLS certificate doesn't match")
raise KeyLookupError("TLS certificate doesn't match")

# Cache the result in the datastore.

Expand All @@ -659,7 +663,7 @@ def get_server_verify_key_v1_direct(self, server_name, key_ids):

for key_id in response["signatures"][server_name]:
if key_id not in response["verify_keys"]:
raise ValueError(
raise KeyLookupError(
"Key response must include verification keys for all"
" signatures"
)
Expand Down
4 changes: 3 additions & 1 deletion synapse/rest/key/v2/remote_key_resource.py
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
from synapse.http.server import request_handler, respond_with_json_bytes
from synapse.http.servlet import parse_integer, parse_json_object_from_request
from synapse.api.errors import SynapseError, Codes
from synapse.crypto.keyring import KeyLookupError

from twisted.web.resource import Resource
from twisted.web.server import NOT_DONE_YET
Expand Down Expand Up @@ -210,9 +211,10 @@ def query_keys(self, request, query, query_remote_on_cache_miss=False):
yield self.keyring.get_server_verify_key_v2_direct(
server_name, key_ids
)
except KeyLookupError as e:
logger.info("Failed to fetch key: %s", e)
except:
logger.exception("Failed to get key for %r", server_name)
pass
yield self.query_keys(
request, query, query_remote_on_cache_miss=False
)
Expand Down

0 comments on commit d454894

Please sign in to comment.