SYN-75 Verify signatures on server to server transactions

2025-05-02 11:06:07 -04:00 · 2014-09-30 15:15:10 +01:00 · 2014-09-30 15:15:10 +01:00 · b95a178584
commit b95a178584
parent 52ca867670
14 changed files with 245 additions and 235 deletions
--- a/synapse/storage/keys.py
+++ b/synapse/storage/keys.py
@ -18,7 +18,8 @@ from _base import SQLBaseStore
 from twisted.internet import defer

 import OpenSSL
-import nacl.signing
+from  syutil.crypto.signing_key import decode_verify_key_bytes
+import hashlib

 class KeyStore(SQLBaseStore):
    """Persistence for signature verification keys and tls X.509 certificates
@ -42,62 +43,74 @@ class KeyStore(SQLBaseStore):
        )
        defer.returnValue(tls_certificate)

-    def store_server_certificate(self, server_name, key_server, ts_now_ms,
+    def store_server_certificate(self, server_name, from_server, time_now_ms,
                                 tls_certificate):
        """Stores the TLS X.509 certificate for the given server
        Args:
-            server_name (bytes): The name of the server.
-            key_server (bytes): Where the certificate was looked up
-            ts_now_ms (int): The time now in milliseconds
+            server_name (str): The name of the server.
+            from_server (str): Where the certificate was looked up
+            time_now_ms (int): The time now in milliseconds
            tls_certificate (OpenSSL.crypto.X509): The X.509 certificate.
        """
        tls_certificate_bytes = OpenSSL.crypto.dump_certificate(
            OpenSSL.crypto.FILETYPE_ASN1, tls_certificate
        )
+        fingerprint = hashlib.sha256(tls_certificate_bytes).hexdigest()
        return self._simple_insert(
            table="server_tls_certificates",
-            keyvalues={
+            values={
                "server_name": server_name,
-                "key_server": key_server,
-                "ts_added_ms": ts_now_ms,
-                "tls_certificate": tls_certificate_bytes,
+                "fingerprint": fingerprint,
+                "from_server": from_server,
+                "ts_added_ms": time_now_ms,
+                "tls_certificate": buffer(tls_certificate_bytes),
            },
        )

    @defer.inlineCallbacks
-    def get_server_verification_key(self, server_name):
-        """Retrieve the NACL verification key for a given server
+    def get_server_verify_keys(self, server_name, key_ids):
+        """Retrieve the NACL verification key for a given server for the given
+        key_ids
        Args:
-            server_name (bytes): The name of the server.
+            server_name (str): The name of the server.
+            key_ids (list of str): List of key_ids to try and look up.
        Returns:
-            (nacl.signing.VerifyKey): The verification key.
+            (list of VerifyKey): The verification keys.
        """
-        verification_key_bytes, = yield self._simple_select_one(
-            table="server_signature_keys",
-            key_values={"server_name": server_name},
-            retcols=("tls_certificate",),
+        sql = (
+            "SELECT key_id, verify_key FROM server_signature_keys"
+            " WHERE server_name = ?"
+            " AND key_id in (" + ",".join("?" for key_id in key_ids) + ")"
        )
-        verification_key = nacl.signing.VerifyKey(verification_key_bytes)
-        defer.returnValue(verification_key)

-    def store_server_verification_key(self, server_name, key_version,
-                                      key_server, ts_now_ms, verification_key):
+        rows = yield self._execute_and_decode(sql, server_name, *key_ids)
+
+        keys = []
+        for row in rows:
+            key_id = row["key_id"]
+            key_bytes = row["verify_key"]
+            key = decode_verify_key_bytes(key_id, str(key_bytes))
+            keys.append(key)
+        defer.returnValue(keys)
+
+    def store_server_verify_key(self, server_name, from_server, time_now_ms,
+                                verify_key):
        """Stores a NACL verification key for the given server.
        Args:
-            server_name (bytes): The name of the server.
-            key_version (bytes): The version of the key for the server.
-            key_server (bytes): Where the verification key was looked up
+            server_name (str): The name of the server.
+            key_id (str): The version of the key for the server.
+            from_server (str): Where the verification key was looked up
            ts_now_ms (int): The time now in milliseconds
-            verification_key (nacl.signing.VerifyKey): The NACL verify key.
+            verification_key (VerifyKey): The NACL verify key.
        """
-        verification_key_bytes = verification_key.encode()
+        verify_key_bytes = verify_key.encode()
        return self._simple_insert(
            table="server_signature_keys",
-            key_values={
+            values={
                "server_name": server_name,
-                "key_version": key_version,
-                "key_server": key_server,
-                "ts_added_ms": ts_now_ms,
-                "verification_key": verification_key_bytes,
+                "key_id": "%s:%s" % (verify_key.alg, verify_key.version),
+                "from_server": from_server,
+                "ts_added_ms": time_now_ms,
+                "verify_key": buffer(verify_key.encode()),
            },
        )