
Make key fetches use regular federation client #4426

Merged
merged 3 commits into from
Jan 22, 2019
Merged
1 change: 1 addition & 0 deletions changelog.d/4426.misc
@@ -0,0 +1 @@
Remove redundant SynapseKeyClientProtocol magic
149 changes: 0 additions & 149 deletions synapse/crypto/keyclient.py

This file was deleted.

30 changes: 7 additions & 23 deletions synapse/crypto/keyring.py
Expand Up @@ -14,10 +14,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.

import hashlib
import logging
from collections import namedtuple

from six.moves import urllib

from signedjson.key import (
decode_verify_key_bytes,
encode_verify_key_base64,
Expand All @@ -30,13 +31,11 @@
signature_ids,
verify_signed_json,
)
from unpaddedbase64 import decode_base64, encode_base64
from unpaddedbase64 import decode_base64

from OpenSSL import crypto
from twisted.internet import defer

from synapse.api.errors import Codes, SynapseError
from synapse.crypto.keyclient import fetch_server_key
from synapse.util import logcontext, unwrapFirstError
from synapse.util.logcontext import (
LoggingContext,
Expand Down Expand Up @@ -503,31 +502,16 @@ def get_server_verify_key_v2_direct(self, server_name, key_ids):
if requested_key_id in keys:
continue

(response, tls_certificate) = yield fetch_server_key(
server_name, self.hs.tls_client_options_factory, requested_key_id
response = yield self.client.get_json(
destination=server_name,
path="/_matrix/key/v2/server/" + urllib.parse.quote(requested_key_id),
ignore_backoff=True,
)

if (u"signatures" not in response
or server_name not in response[u"signatures"]):
raise KeyLookupError("Key response not signed by remote server")

if "tls_fingerprints" not in response:
raise KeyLookupError("Key response missing TLS fingerprints")

certificate_bytes = crypto.dump_certificate(

Does this matter?

crypto.FILETYPE_ASN1, tls_certificate
)
sha256_fingerprint = hashlib.sha256(certificate_bytes).digest()
sha256_fingerprint_b64 = encode_base64(sha256_fingerprint)

response_sha256_fingerprints = set()
for fingerprint in response[u"tls_fingerprints"]:
if u"sha256" in fingerprint:
response_sha256_fingerprints.add(fingerprint[u"sha256"])

if sha256_fingerprint_b64 not in response_sha256_fingerprints:
raise KeyLookupError("TLS certificate not allowed by fingerprints")

response_keys = yield self.process_v2_response(
from_server=server_name,
requested_ids=[requested_key_id],
Expand Down
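Review bot: The new request path built with `urllib.parse.quote(requested_key_id)` leaves `/` unescaped, because `quote`'s default `safe` is `'/'`, so a requested key id containing a slash (key ids appear to originate from the remote side's signature block, though the caller is outside this hunk) would change the request path instead of being encoded into the final segment; `urllib.parse.quote(requested_key_id, safe="")` keeps it to one segment. `ignore_backoff=True` on the same call also deserves a one-line why-comment, since it makes every key fetch bypass the destination's retry/backoff state; something like `# ignore_backoff: state here why key lookups must not be blocked by backoff state` would make the intent reviewable. get_server_verify_key_v2_direct starts and ends outside the hunk.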