Fix exception when fetching notary server's old keys (#6625)

Lift the restriction that *all* the keys used for signing v2 key responses be present in verify_keys. Fixes #6596.
2025-05-05 14:24:56 -04:00 · 2020-01-06 12:33:56 +00:00 · 2020-01-06 12:33:56 +00:00 · 4b36b482e0
commit 4b36b482e0
parent 18674eebb1
3 changed files with 107 additions and 54 deletions
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -511,17 +511,18 @@ class BaseV2KeyFetcher(object):
        server_name = response_json["server_name"]
        verified = False
        for key_id in response_json["signatures"].get(server_name, {}):
-            # each of the keys used for the signature must be present in the response
-            # json.
            key = verify_keys.get(key_id)
            if not key:
-                raise KeyLookupError(
-                    "Key response is signed by key id %s:%s but that key is not "
-                    "present in the response" % (server_name, key_id)
-                )
+                # the key may not be present in verify_keys if:
+                #  * we got the key from the notary server, and:
+                #  * the key belongs to the notary server, and:
+                #  * the notary server is using a different key to sign notary
+                #    responses.
+                continue

            verify_signed_json(response_json, server_name, key.verify_key)
            verified = True
+            break

        if not verified:
            raise KeyLookupError(