Add config option for keys to use to sign keys

This allows servers to separate keys that are used to sign remote keys when acting as a notary server.
2024-07-10 16:21:58 +00:00 · 2019-08-20 15:27:08 +01:00 · 2019-08-20 15:27:08 +01:00 · 5906be8589
commit 5906be8589
parent 72bc285669
3 changed files with 46 additions and 9 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -1027,6 +1027,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
 #
 #trusted_key_servers:
 #  - server_name: "matrix.org"
 #
 # The additional signing keys to use when acting as a trusted key server, on
 # top of the normal signing keys.
 #
 # Can contain multiple keys, one per line.
 #
 #key_server_signing_keys_path: "key_server_signing_keys.key"
 # Enable SAML2 for registration and login. Uses pysaml2.
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@ -76,7 +76,7 @@ class KeyConfig(Config):
                    config_dir_path, config["server_name"] + ".signing.key"
                )
-            self.signing_key = self.read_signing_key(signing_key_path)
+            self.signing_key = self.read_signing_keys(signing_key_path, "signing_key")
        self.old_signing_keys = self.read_old_signing_keys(
            config.get("old_signing_keys", {})
@ -85,6 +85,15 @@ class KeyConfig(Config):
            config.get("key_refresh_interval", "1d")
        )
        self.key_server_signing_keys = list(self.signing_key)
        key_server_signing_keys_path = config.get("key_server_signing_keys_path")
        if key_server_signing_keys_path:
            self.key_server_signing_keys.extend(
                self.read_signing_keys(
                    key_server_signing_keys_path, "key_server_signing_keys_path"
                )
            )
        # if neither trusted_key_servers nor perspectives are given, use the default.
        if "perspectives" not in config and "trusted_key_servers" not in config:
            key_servers = [{"server_name": "matrix.org"}]
@ -210,16 +219,34 @@ class KeyConfig(Config):
        #
        #trusted_key_servers:
        #  - server_name: "matrix.org"
        #
        # The additional signing keys to use when acting as a trusted key server, on
        # top of the normal signing keys.
        #
        # Can contain multiple keys, one per line.
        #
        #key_server_signing_keys_path: "key_server_signing_keys.key"
        """
            % locals()
        )
-    def read_signing_key(self, signing_key_path):
+    def read_signing_keys(self, signing_key_path, name):
-        signing_keys = self.read_file(signing_key_path, "signing_key")
+        """Read the signing keys in the given path.
        Args:
            signing_key_path (str)
            name (str): Associated config key name
        Returns:
            list[SigningKey]
        """
        signing_keys = self.read_file(signing_key_path, name)
        try:
            return read_signing_keys(signing_keys.splitlines(True))
        except Exception as e:
-            raise ConfigError("Error reading signing_key: %s" % (str(e)))
+            raise ConfigError("Error reading %s: %s" % (name, str(e)))
    def read_old_signing_keys(self, old_signing_keys):
        keys = {}
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -540,11 +540,13 @@ class BaseV2KeyFetcher(object):
                    verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
                )
-        # re-sign the json with our own key, so that it is ready if we are asked to
+        # re-sign the json with our own keys, so that it is ready if we are
-        # give it out as a notary server
+        # asked to give it out as a notary server
-        signed_key_json = sign_json(
+        signed_key_json = response_json
-            response_json, self.config.server_name, self.config.signing_key[0]
+        for signing_key in self.config.key_server_signing_keys:
-        )
+            signed_key_json = sign_json(
                signed_key_json, self.config.server_name, signing_key
            )
        signed_key_json_bytes = encode_canonical_json(signed_key_json)