2015-04-24 05:22:22 -04:00
|
|
|
# -*- coding: utf-8 -*-
|
2016-01-06 23:26:29 -05:00
|
|
|
# Copyright 2015, 2016 OpenMarket Ltd
|
2015-04-24 05:22:22 -04:00
|
|
|
#
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
2018-07-09 02:09:20 -04:00
|
|
|
import hashlib
|
|
|
|
import logging
|
|
|
|
import os
|
2015-08-24 11:17:38 -04:00
|
|
|
|
|
|
|
from signedjson.key import (
|
2018-07-09 02:09:20 -04:00
|
|
|
NACL_ED25519,
|
|
|
|
decode_signing_key_base64,
|
|
|
|
decode_verify_key_bytes,
|
|
|
|
generate_signing_key,
|
|
|
|
is_signing_algorithm_supported,
|
|
|
|
read_signing_keys,
|
|
|
|
write_signing_keys,
|
2015-08-24 11:17:38 -04:00
|
|
|
)
|
2015-08-25 05:42:59 -04:00
|
|
|
from unpaddedbase64 import decode_base64
|
2015-08-24 11:17:38 -04:00
|
|
|
|
2018-07-09 02:09:20 -04:00
|
|
|
from synapse.util.stringutils import random_string, random_string_with_symbols
|
2016-02-08 11:35:44 -05:00
|
|
|
|
2018-07-09 02:09:20 -04:00
|
|
|
from ._base import Config, ConfigError
|
2016-02-08 11:35:44 -05:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
2015-04-24 05:22:22 -04:00
|
|
|
|
|
|
|
|
|
|
|
class KeyConfig(Config):
|
|
|
|
|
2015-04-29 23:24:44 -04:00
|
|
|
def read_config(self, config):
|
|
|
|
self.signing_key = self.read_signing_key(config["signing_key_path"])
|
2015-04-24 05:22:22 -04:00
|
|
|
self.old_signing_keys = self.read_old_signing_keys(
|
2015-04-29 23:24:44 -04:00
|
|
|
config["old_signing_keys"]
|
|
|
|
)
|
|
|
|
self.key_refresh_interval = self.parse_duration(
|
|
|
|
config["key_refresh_interval"]
|
2015-04-24 05:22:22 -04:00
|
|
|
)
|
2015-04-24 06:26:19 -04:00
|
|
|
self.perspectives = self.read_perspectives(
|
2015-04-29 23:24:44 -04:00
|
|
|
config["perspectives"]
|
2015-04-24 06:26:19 -04:00
|
|
|
)
|
2015-04-24 05:22:22 -04:00
|
|
|
|
2016-02-08 11:35:44 -05:00
|
|
|
self.macaroon_secret_key = config.get(
|
|
|
|
"macaroon_secret_key", self.registration_shared_secret
|
|
|
|
)
|
|
|
|
|
|
|
|
if not self.macaroon_secret_key:
|
|
|
|
# Unfortunately, there are people out there that don't have this
|
|
|
|
# set. Lets just be "nice" and derive one from their secret key.
|
|
|
|
logger.warn("Config is missing missing macaroon_secret_key")
|
|
|
|
seed = self.signing_key[0].seed
|
|
|
|
self.macaroon_secret_key = hashlib.sha256(seed)
|
|
|
|
|
2016-04-20 10:21:40 -04:00
|
|
|
self.expire_access_token = config.get("expire_access_token", False)
|
|
|
|
|
2018-05-10 19:17:11 -04:00
|
|
|
# a secret which is used to calculate HMACs for form values, to stop
|
|
|
|
# falsification of values
|
|
|
|
self.form_secret = config.get("form_secret", None)
|
|
|
|
|
2018-12-21 10:04:57 -05:00
|
|
|
def default_config(self, config_dir_path, server_name, generate_secrets=False,
|
2016-02-08 11:35:44 -05:00
|
|
|
**kwargs):
|
2015-04-29 23:24:44 -04:00
|
|
|
base_key_name = os.path.join(config_dir_path, server_name)
|
2016-02-08 11:35:44 -05:00
|
|
|
|
2018-12-21 10:04:57 -05:00
|
|
|
if generate_secrets:
|
|
|
|
macaroon_secret_key = 'macaroon_secret_key: "%s"' % (
|
|
|
|
random_string_with_symbols(50),
|
|
|
|
)
|
|
|
|
form_secret = 'form_secret: "%s"' % random_string_with_symbols(50)
|
2016-02-08 11:35:44 -05:00
|
|
|
else:
|
2018-12-21 10:04:57 -05:00
|
|
|
macaroon_secret_key = "# macaroon_secret_key: <PRIVATE STRING>"
|
|
|
|
form_secret = "# form_secret: <PRIVATE STRING>"
|
2016-02-08 11:35:44 -05:00
|
|
|
|
2015-04-29 23:24:44 -04:00
|
|
|
return """\
|
2018-12-21 10:04:57 -05:00
|
|
|
# a secret which is used to sign access tokens. If none is specified,
|
|
|
|
# the registration_shared_secret is used, if one is given; otherwise,
|
|
|
|
# a secret key is derived from the signing key.
|
|
|
|
#
|
|
|
|
# Note that changing this will invalidate any active access tokens, so
|
|
|
|
# all clients will have to log back in.
|
|
|
|
%(macaroon_secret_key)s
|
2016-02-08 11:35:44 -05:00
|
|
|
|
2016-04-20 10:21:40 -04:00
|
|
|
# Used to enable access token expiration.
|
|
|
|
expire_access_token: False
|
|
|
|
|
2018-05-10 19:17:11 -04:00
|
|
|
# a secret which is used to calculate HMACs for form values, to stop
|
2018-12-21 10:04:57 -05:00
|
|
|
# falsification of values. Must be specified for the User Consent
|
|
|
|
# forms to work.
|
|
|
|
%(form_secret)s
|
2018-05-10 19:17:11 -04:00
|
|
|
|
2015-04-29 23:24:44 -04:00
|
|
|
## Signing Keys ##
|
|
|
|
|
|
|
|
# Path to the signing key to sign messages with
|
|
|
|
signing_key_path: "%(base_key_name)s.signing.key"
|
|
|
|
|
|
|
|
# The keys that the server used to sign messages with but won't use
|
|
|
|
# to sign new messages. E.g. it has lost its private key
|
|
|
|
old_signing_keys: {}
|
|
|
|
# "ed25519:auto":
|
|
|
|
# # Base64 encoded public key
|
|
|
|
# key: "The public part of your old signing key."
|
|
|
|
# # Millisecond POSIX timestamp when the key expired.
|
|
|
|
# expired_ts: 123456789123
|
|
|
|
|
|
|
|
# How long key response published by this server is valid for.
|
|
|
|
# Used to set the valid_until_ts in /key/v2 APIs.
|
|
|
|
# Determines how quickly servers will query to check which keys
|
|
|
|
# are still valid.
|
|
|
|
key_refresh_interval: "1d" # 1 Day.
|
|
|
|
|
|
|
|
# The trusted servers to download signing keys from.
|
|
|
|
perspectives:
|
|
|
|
servers:
|
|
|
|
"matrix.org":
|
|
|
|
verify_keys:
|
|
|
|
"ed25519:auto":
|
|
|
|
key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
|
|
|
|
""" % locals()
|
|
|
|
|
|
|
|
def read_perspectives(self, perspectives_config):
|
2015-04-24 12:01:34 -04:00
|
|
|
servers = {}
|
2015-04-29 23:24:44 -04:00
|
|
|
for server_name, server_config in perspectives_config["servers"].items():
|
2015-04-24 12:01:34 -04:00
|
|
|
for key_id, key_data in server_config["verify_keys"].items():
|
|
|
|
if is_signing_algorithm_supported(key_id):
|
|
|
|
key_base64 = key_data["key"]
|
|
|
|
key_bytes = decode_base64(key_base64)
|
|
|
|
verify_key = decode_verify_key_bytes(key_id, key_bytes)
|
|
|
|
servers.setdefault(server_name, {})[key_id] = verify_key
|
2015-04-24 06:26:19 -04:00
|
|
|
return servers
|
2015-04-24 05:22:22 -04:00
|
|
|
|
|
|
|
def read_signing_key(self, signing_key_path):
|
|
|
|
signing_keys = self.read_file(signing_key_path, "signing_key")
|
|
|
|
try:
|
2015-08-24 11:17:38 -04:00
|
|
|
return read_signing_keys(signing_keys.splitlines(True))
|
2017-10-17 09:46:17 -04:00
|
|
|
except Exception as e:
|
2015-04-24 05:22:22 -04:00
|
|
|
raise ConfigError(
|
2017-10-17 09:46:17 -04:00
|
|
|
"Error reading signing_key: %s" % (str(e))
|
2015-04-24 05:22:22 -04:00
|
|
|
)
|
|
|
|
|
2015-04-29 23:24:44 -04:00
|
|
|
def read_old_signing_keys(self, old_signing_keys):
|
|
|
|
keys = {}
|
|
|
|
for key_id, key_data in old_signing_keys.items():
|
|
|
|
if is_signing_algorithm_supported(key_id):
|
|
|
|
key_base64 = key_data["key"]
|
|
|
|
key_bytes = decode_base64(key_base64)
|
|
|
|
verify_key = decode_verify_key_bytes(key_id, key_bytes)
|
|
|
|
verify_key.expired_ts = key_data["expired_ts"]
|
|
|
|
keys[key_id] = verify_key
|
|
|
|
else:
|
|
|
|
raise ConfigError(
|
|
|
|
"Unsupported signing algorithm for old key: %r" % (key_id,)
|
|
|
|
)
|
|
|
|
return keys
|
2015-04-24 05:22:22 -04:00
|
|
|
|
2015-04-30 11:52:57 -04:00
|
|
|
def generate_files(self, config):
|
2015-04-29 23:24:44 -04:00
|
|
|
signing_key_path = config["signing_key_path"]
|
2017-10-17 09:46:17 -04:00
|
|
|
|
|
|
|
if not self.path_exists(signing_key_path):
|
2015-04-29 23:24:44 -04:00
|
|
|
with open(signing_key_path, "w") as signing_key_file:
|
2015-04-30 10:13:14 -04:00
|
|
|
key_id = "a_" + random_string(4)
|
2015-08-24 11:17:38 -04:00
|
|
|
write_signing_keys(
|
|
|
|
signing_key_file, (generate_signing_key(key_id),),
|
2015-04-24 05:22:22 -04:00
|
|
|
)
|
|
|
|
else:
|
2015-04-29 23:24:44 -04:00
|
|
|
signing_keys = self.read_file(signing_key_path, "signing_key")
|
2015-04-24 05:22:22 -04:00
|
|
|
if len(signing_keys.split("\n")[0].split()) == 1:
|
|
|
|
# handle keys in the old format.
|
2015-04-30 12:54:01 -04:00
|
|
|
key_id = "a_" + random_string(4)
|
2015-08-24 11:17:38 -04:00
|
|
|
key = decode_signing_key_base64(
|
|
|
|
NACL_ED25519, key_id, signing_keys.split("\n")[0]
|
2015-04-24 05:22:22 -04:00
|
|
|
)
|
2015-04-29 23:24:44 -04:00
|
|
|
with open(signing_key_path, "w") as signing_key_file:
|
2015-08-24 11:17:38 -04:00
|
|
|
write_signing_keys(
|
|
|
|
signing_key_file, (key,),
|
2015-04-24 05:22:22 -04:00
|
|
|
)
|