Merge pull request #5895 from matrix-org/erikj/notary_key

Add config option to sign remote key query responses with a separate key.
This commit is contained in:
Erik Johnston 2019-08-27 11:51:37 +01:00 committed by GitHub
commit f5b50d0871
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 55 additions and 25 deletions

1
changelog.d/5895.feature Normal file
View File

@ -0,0 +1 @@
Add config option to sign remote key query responses with a separate key.

View File

@ -1027,6 +1027,14 @@ signing_key_path: "CONFDIR/SERVERNAME.signing.key"
# #
#trusted_key_servers: #trusted_key_servers:
# - server_name: "matrix.org" # - server_name: "matrix.org"
#
# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"
# Enable SAML2 for registration and login. Uses pysaml2. # Enable SAML2 for registration and login. Uses pysaml2.

View File

@ -76,7 +76,7 @@ class KeyConfig(Config):
config_dir_path, config["server_name"] + ".signing.key" config_dir_path, config["server_name"] + ".signing.key"
) )
self.signing_key = self.read_signing_key(signing_key_path) self.signing_key = self.read_signing_keys(signing_key_path, "signing_key")
self.old_signing_keys = self.read_old_signing_keys( self.old_signing_keys = self.read_old_signing_keys(
config.get("old_signing_keys", {}) config.get("old_signing_keys", {})
@ -85,6 +85,14 @@ class KeyConfig(Config):
config.get("key_refresh_interval", "1d") config.get("key_refresh_interval", "1d")
) )
key_server_signing_keys_path = config.get("key_server_signing_keys_path")
if key_server_signing_keys_path:
self.key_server_signing_keys = self.read_signing_keys(
key_server_signing_keys_path, "key_server_signing_keys_path"
)
else:
self.key_server_signing_keys = list(self.signing_key)
# if neither trusted_key_servers nor perspectives are given, use the default. # if neither trusted_key_servers nor perspectives are given, use the default.
if "perspectives" not in config and "trusted_key_servers" not in config: if "perspectives" not in config and "trusted_key_servers" not in config:
key_servers = [{"server_name": "matrix.org"}] key_servers = [{"server_name": "matrix.org"}]
@ -210,16 +218,34 @@ class KeyConfig(Config):
# #
#trusted_key_servers: #trusted_key_servers:
# - server_name: "matrix.org" # - server_name: "matrix.org"
#
# The signing keys to use when acting as a trusted key server. If not specified
# defaults to the server signing key.
#
# Can contain multiple keys, one per line.
#
#key_server_signing_keys_path: "key_server_signing_keys.key"
""" """
% locals() % locals()
) )
def read_signing_key(self, signing_key_path): def read_signing_keys(self, signing_key_path, name):
signing_keys = self.read_file(signing_key_path, "signing_key") """Read the signing keys in the given path.
Args:
signing_key_path (str)
name (str): Associated config key name
Returns:
list[SigningKey]
"""
signing_keys = self.read_file(signing_key_path, name)
try: try:
return read_signing_keys(signing_keys.splitlines(True)) return read_signing_keys(signing_keys.splitlines(True))
except Exception as e: except Exception as e:
raise ConfigError("Error reading signing_key: %s" % (str(e))) raise ConfigError("Error reading %s: %s" % (name, str(e)))
def read_old_signing_keys(self, old_signing_keys): def read_old_signing_keys(self, old_signing_keys):
keys = {} keys = {}

View File

@ -29,7 +29,6 @@ from signedjson.key import (
from signedjson.sign import ( from signedjson.sign import (
SignatureVerifyException, SignatureVerifyException,
encode_canonical_json, encode_canonical_json,
sign_json,
signature_ids, signature_ids,
verify_signed_json, verify_signed_json,
) )
@ -539,13 +538,7 @@ class BaseV2KeyFetcher(object):
verify_key=verify_key, valid_until_ts=key_data["expired_ts"] verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
) )
# re-sign the json with our own key, so that it is ready if we are asked to key_json_bytes = encode_canonical_json(response_json)
# give it out as a notary server
signed_key_json = sign_json(
response_json, self.config.server_name, self.config.signing_key[0]
)
signed_key_json_bytes = encode_canonical_json(signed_key_json)
yield make_deferred_yieldable( yield make_deferred_yieldable(
defer.gatherResults( defer.gatherResults(
@ -557,7 +550,7 @@ class BaseV2KeyFetcher(object):
from_server=from_server, from_server=from_server,
ts_now_ms=time_added_ms, ts_now_ms=time_added_ms,
ts_expires_ms=ts_valid_until_ms, ts_expires_ms=ts_valid_until_ms,
key_json_bytes=signed_key_json_bytes, key_json_bytes=key_json_bytes,
) )
for key_id in verify_keys for key_id in verify_keys
], ],

View File

@ -13,7 +13,9 @@
# limitations under the License. # limitations under the License.
import logging import logging
from io import BytesIO
from canonicaljson import encode_canonical_json, json
from signedjson.sign import sign_json
from twisted.internet import defer from twisted.internet import defer
@ -95,6 +97,7 @@ class RemoteKey(DirectServeResource):
self.store = hs.get_datastore() self.store = hs.get_datastore()
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.federation_domain_whitelist = hs.config.federation_domain_whitelist self.federation_domain_whitelist = hs.config.federation_domain_whitelist
self.config = hs.config
@wrap_json_request_handler @wrap_json_request_handler
async def _async_render_GET(self, request): async def _async_render_GET(self, request):
@ -214,15 +217,14 @@ class RemoteKey(DirectServeResource):
yield self.fetcher.get_keys(cache_misses) yield self.fetcher.get_keys(cache_misses)
yield self.query_keys(request, query, query_remote_on_cache_miss=False) yield self.query_keys(request, query, query_remote_on_cache_miss=False)
else: else:
result_io = BytesIO() signed_keys = []
result_io.write(b'{"server_keys":') for key_json in json_results:
sep = b"[" key_json = json.loads(key_json)
for json_bytes in json_results: for signing_key in self.config.key_server_signing_keys:
result_io.write(sep) key_json = sign_json(key_json, self.config.server_name, signing_key)
result_io.write(json_bytes)
sep = b","
if sep == b"[":
result_io.write(sep)
result_io.write(b"]}")
respond_with_json_bytes(request, 200, result_io.getvalue()) signed_keys.append(key_json)
results = {"server_keys": signed_keys}
respond_with_json_bytes(request, 200, encode_canonical_json(results))