
Remove signature check on v1 identity server lookups #8001

merged 3 commits into from
Aug 3, 2020
1 change: 1 addition & 0 deletions changelog.d/8001.misc
@@ -0,0 +1 @@
Remove the signature check for v1 Identity Service lookup responses as they are effectively useless.
34 changes: 3 additions & 31 deletions synapse/handlers/identity.py
Expand Up @@ -22,14 +22,10 @@
from typing import Awaitable, Callable, Dict, List, Optional, Tuple

from canonicaljson import json
from signedjson.key import decode_verify_key_bytes
from signedjson.sign import verify_signed_json
from unpaddedbase64 import decode_base64

from twisted.internet.error import TimeoutError

from synapse.api.errors import (
AuthError,
CodeMessageException,
Codes,
HttpResponseException,
Expand Down Expand Up @@ -628,9 +624,9 @@ async def _lookup_3pid_v1(
)

if "mxid" in data:
if "signatures" not in data:
raise AuthError(401, "No signatures on 3pid binding")
await self._verify_any_signature(data, id_server)
# note: we used to verify the identity server's signature here, but no longer
# require or validate it. See the following for context:
# https://github.com/matrix-org/synapse/issues/5253#issuecomment-666246950
return data["mxid"]
except TimeoutError:
raise SynapseError(500, "Timed out contacting identity server")
Expand Down Expand Up @@ -751,30 +747,6 @@ async def _lookup_3pid_v2(
mxid = lookup_results["mappings"].get(lookup_value)
return mxid

async def _verify_any_signature(self, data, server_hostname):
if server_hostname not in data["signatures"]:
raise AuthError(401, "No signature from server %s" % (server_hostname,))
for key_name, signature in data["signatures"][server_hostname].items():
try:
key_data = await self.blacklisting_http_client.get_json(
"%s%s/_matrix/identity/api/v1/pubkey/%s"
% (id_server_scheme, server_hostname, key_name)
)
except TimeoutError:
raise SynapseError(500, "Timed out contacting identity server")
if "public_key" not in key_data:
raise AuthError(
401, "No public key named %s from %s" % (key_name, server_hostname)
)
verify_signed_json(
data,
server_hostname,
decode_verify_key_bytes(
key_name, decode_base64(key_data["public_key"])
),
)
return

async def ask_id_server_for_third_party_invite(
self,
requester: Requester,
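Review bot: With the signature check gone, `_lookup_3pid_v1` returns `data["mxid"]` with no check on its type, so any JSON object from the identity server that carries an `mxid` key is now accepted as a binding, whereas `verify_signed_json` previously at least rejected responses that were not well-formed signed objects. Since the removed `_verify_any_signature` fetched the verifying key from the same `server_hostname` whose response it was checking, trust now rests entirely on the transport to that server, and a cheap shape check is worth keeping: `mxid = data["mxid"]` followed by `if not isinstance(mxid, str): raise SynapseError(500, "Invalid mxid in identity server response")` before returning it. The new inline comment would also serve readers better if it stated that reason in a clause (the key came from the same server as the response, so the signature added nothing beyond the connection itself) rather than only linking the issue thread. `_lookup_3pid_v1` starts above the hunk, so I cannot see whether the response body is constrained earlier in the function.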