Add config option for keys to use to sign keys
This allows a server to configure additional, separate keys for signing other servers' keys when it acts as a notary (trusted key server).
This commit is contained in:
parent
72bc285669
commit
5906be8589
@ -1027,6 +1027,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
|
|||||||
#
|
#
|
||||||
#trusted_key_servers:
|
#trusted_key_servers:
|
||||||
# - server_name: "matrix.org"
|
# - server_name: "matrix.org"
|
||||||
|
#
|
||||||
|
|
||||||
|
# The additional signing keys to use when acting as a trusted key server, on
|
||||||
|
# top of the normal signing keys.
|
||||||
|
#
|
||||||
|
# Can contain multiple keys, one per line.
|
||||||
|
#
|
||||||
|
#key_server_signing_keys_path: "key_server_signing_keys.key"
|
||||||
|
|
||||||
|
|
||||||
# Enable SAML2 for registration and login. Uses pysaml2.
|
# Enable SAML2 for registration and login. Uses pysaml2.
|
||||||
|
@ -76,7 +76,7 @@ class KeyConfig(Config):
|
|||||||
config_dir_path, config["server_name"] + ".signing.key"
|
config_dir_path, config["server_name"] + ".signing.key"
|
||||||
)
|
)
|
||||||
|
|
||||||
self.signing_key = self.read_signing_key(signing_key_path)
|
self.signing_key = self.read_signing_keys(signing_key_path, "signing_key")
|
||||||
|
|
||||||
self.old_signing_keys = self.read_old_signing_keys(
|
self.old_signing_keys = self.read_old_signing_keys(
|
||||||
config.get("old_signing_keys", {})
|
config.get("old_signing_keys", {})
|
||||||
@ -85,6 +85,15 @@ class KeyConfig(Config):
|
|||||||
config.get("key_refresh_interval", "1d")
|
config.get("key_refresh_interval", "1d")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.key_server_signing_keys = list(self.signing_key)
|
||||||
|
key_server_signing_keys_path = config.get("key_server_signing_keys_path")
|
||||||
|
if key_server_signing_keys_path:
|
||||||
|
self.key_server_signing_keys.extend(
|
||||||
|
self.read_signing_keys(
|
||||||
|
key_server_signing_keys_path, "key_server_signing_keys_path"
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
# if neither trusted_key_servers nor perspectives are given, use the default.
|
# if neither trusted_key_servers nor perspectives are given, use the default.
|
||||||
if "perspectives" not in config and "trusted_key_servers" not in config:
|
if "perspectives" not in config and "trusted_key_servers" not in config:
|
||||||
key_servers = [{"server_name": "matrix.org"}]
|
key_servers = [{"server_name": "matrix.org"}]
|
||||||
@ -210,16 +219,34 @@ class KeyConfig(Config):
|
|||||||
#
|
#
|
||||||
#trusted_key_servers:
|
#trusted_key_servers:
|
||||||
# - server_name: "matrix.org"
|
# - server_name: "matrix.org"
|
||||||
|
#
|
||||||
|
|
||||||
|
# The additional signing keys to use when acting as a trusted key server, on
|
||||||
|
# top of the normal signing keys.
|
||||||
|
#
|
||||||
|
# Can contain multiple keys, one per line.
|
||||||
|
#
|
||||||
|
#key_server_signing_keys_path: "key_server_signing_keys.key"
|
||||||
"""
|
"""
|
||||||
% locals()
|
% locals()
|
||||||
)
|
)
|
||||||
|
|
||||||
def read_signing_key(self, signing_key_path):
|
def read_signing_keys(self, signing_key_path, name):
|
||||||
signing_keys = self.read_file(signing_key_path, "signing_key")
|
"""Read the signing keys in the given path.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
signing_key_path (str)
|
||||||
|
name (str): Associated config key name
|
||||||
|
|
||||||
|
Returns:
|
||||||
|
list[SigningKey]
|
||||||
|
"""
|
||||||
|
|
||||||
|
signing_keys = self.read_file(signing_key_path, name)
|
||||||
try:
|
try:
|
||||||
return read_signing_keys(signing_keys.splitlines(True))
|
return read_signing_keys(signing_keys.splitlines(True))
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
raise ConfigError("Error reading signing_key: %s" % (str(e)))
|
raise ConfigError("Error reading %s: %s" % (name, str(e)))
|
||||||
|
|
||||||
def read_old_signing_keys(self, old_signing_keys):
|
def read_old_signing_keys(self, old_signing_keys):
|
||||||
keys = {}
|
keys = {}
|
||||||
|
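Review bot: Nothing in the new `key_server_signing_keys` block (the `list(self.signing_key)` seed plus the `extend` from `key_server_signing_keys_path`) rejects a key whose id duplicates one already in the list, and the keyring side signs the same JSON under the same server name once per key, so two keys sharing an `alg:version` id would presumably leave only the last signature in the notary response (signedjson stores signatures as `signatures[server_name][key_id]` — confirm). A uniqueness check right after the `extend` would turn that into a startup error instead: `key_ids = ["%s:%s" % (k.alg, k.version) for k in self.key_server_signing_keys]`, `if len(set(key_ids)) != len(key_ids):`, `raise ConfigError("Duplicate key ids in key_server_signing_keys: %s" % (key_ids,))`. As a point of style, the renamed method `read_signing_keys` now has the same name as the module-level `read_signing_keys(...)` it calls in its own body, which is easy to misread; a name such as `read_signing_keys_from_file` would keep the two apart. The `name` argument is also documented as the config key name but the first caller passes `"signing_key"` while the new one passes `"key_server_signing_keys_path"` — worth aligning or documenting. The enclosing method of the `@ -85,6 +85,15 @@` hunk starts and ends outside the hunk.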
@ -540,10 +540,12 @@ class BaseV2KeyFetcher(object):
|
|||||||
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
|
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
|
||||||
)
|
)
|
||||||
|
|
||||||
# re-sign the json with our own key, so that it is ready if we are asked to
|
# re-sign the json with our own keys, so that it is ready if we are
|
||||||
# give it out as a notary server
|
# asked to give it out as a notary server
|
||||||
|
signed_key_json = response_json
|
||||||
|
for signing_key in self.config.key_server_signing_keys:
|
||||||
signed_key_json = sign_json(
|
signed_key_json = sign_json(
|
||||||
response_json, self.config.server_name, self.config.signing_key[0]
|
signed_key_json, self.config.server_name, signing_key
|
||||||
)
|
)
|
||||||
|
|
||||||
signed_key_json_bytes = encode_canonical_json(signed_key_json)
|
signed_key_json_bytes = encode_canonical_json(signed_key_json)
|
||||||
|
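Review bot: The new loop over `self.config.key_server_signing_keys` leaves `signed_key_json` equal to the unsigned `response_json` if that list is ever empty, and the canonical-JSON bytes built on the next line would then be stored and later served with no notary signature at all. The key.py change seeds the list with `self.signing_key`, so this cannot happen today, but the invariant lives in another module and is not visible here; a comment before the loop such as `# key_server_signing_keys always starts with our own signing_key (see KeyConfig), so the result is signed at least once` would make the dependency explicit. Note also that `sign_json` presumably mutates and returns the dict it is given, so `response_json` itself ends up carrying every signature — same as before for a single key, but worth keeping in mind if `response_json` is reused later in the method. The enclosing method starts and ends outside the hunk.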