Only sign when we respond to remote key requests

2024-06-18 10:38:21 +02:00 · 2019-08-21 10:39:45 +01:00 · 2019-08-21 10:39:45 +01:00 · 97cbc96093
parent 5906be8589
commit 97cbc96093
2 changed files with 15 additions and 22 deletions
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@ -30,7 +30,6 @@ from signedjson.key import (
 from signedjson.sign import (
    SignatureVerifyException,
    encode_canonical_json,
-    sign_json,
    signature_ids,
    verify_signed_json,
 )
@ -540,15 +539,7 @@ class BaseV2KeyFetcher(object):
                    verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
                )

-        # re-sign the json with our own keys, so that it is ready if we are
-        # asked to give it out as a notary server
-        signed_key_json = response_json
-        for signing_key in self.config.key_server_signing_keys:
-            signed_key_json = sign_json(
-                signed_key_json, self.config.server_name, signing_key
-            )
-
-        signed_key_json_bytes = encode_canonical_json(signed_key_json)
+        signed_key_json_bytes = encode_canonical_json(response_json)

        yield make_deferred_yieldable(
            defer.gatherResults(
--- a/synapse/rest/key/v2/remote_key_resource.py
+++ b/synapse/rest/key/v2/remote_key_resource.py
@ -13,7 +13,9 @@
 # limitations under the License.

 import logging
-from io import BytesIO
+
+from canonicaljson import json
+from signedjson.sign import sign_json

 from twisted.internet import defer

@ -95,6 +97,7 @@ class RemoteKey(DirectServeResource):
        self.store = hs.get_datastore()
        self.clock = hs.get_clock()
        self.federation_domain_whitelist = hs.config.federation_domain_whitelist
+        self.config = hs.config

    @wrap_json_request_handler
    async def _async_render_GET(self, request):
@ -214,15 +217,14 @@ class RemoteKey(DirectServeResource):
            yield self.fetcher.get_keys(cache_misses)
            yield self.query_keys(request, query, query_remote_on_cache_miss=False)
        else:
-            result_io = BytesIO()
-            result_io.write(b'{"server_keys":')
-            sep = b"["
-            for json_bytes in json_results:
-                result_io.write(sep)
-                result_io.write(json_bytes)
-                sep = b","
-            if sep == b"[":
-                result_io.write(sep)
-            result_io.write(b"]}")
+            signed_keys = []
+            for key_json in json_results:
+                key_json = json.loads(key_json)
+                for signing_key in self.config.key_server_signing_keys:
+                    key_json = sign_json(key_json, self.config.server_name, signing_key)

-            respond_with_json_bytes(request, 200, result_io.getvalue())
+                signed_keys.append(key_json)
+
+            results = {"server_keys": signed_keys}
+
+            respond_with_json_bytes(request, 200, json.dumps(results).encode("utf-8"))