mirror of
https://mau.dev/maunium/synapse.git
synced 2024-12-14 15:53:51 +01:00
Add some logging to 3pid invite sig verification (#5015)
I had to add quite a lot of logging to diagnose a problem with 3pid invites - we only logged the one failure which isn't all that informative. NB. I'm not convinced the logic of this loop is right: I think it should just accept a single valid signature from a trusted source rather than fail if *any* signature is invalid. Also it should probably not skip the rest of middle loop if a check fails? However, I'm deliberately not changing the logic here.
This commit is contained in:
parent
82d9d524bd
commit
f2d2ae03da
2 changed files with 39 additions and 8 deletions
1
changelog.d/5015.misc
Normal file
1
changelog.d/5015.misc
Normal file
|
@ -0,0 +1 @@
|
|||
Add logging to 3pid invite signature verification.
|
|
@ -2744,25 +2744,55 @@ class FederationHandler(BaseHandler):
|
|||
if not invite_event:
|
||||
raise AuthError(403, "Could not find invite")
|
||||
|
||||
logger.debug("Checking auth on event %r", event.content)
|
||||
|
||||
last_exception = None
|
||||
# for each public key in the 3pid invite event
|
||||
for public_key_object in self.hs.get_auth().get_public_keys(invite_event):
|
||||
try:
|
||||
# for each sig on the third_party_invite block of the actual invite
|
||||
for server, signature_block in signed["signatures"].items():
|
||||
for key_name, encoded_signature in signature_block.items():
|
||||
if not key_name.startswith("ed25519:"):
|
||||
continue
|
||||
|
||||
public_key = public_key_object["public_key"]
|
||||
verify_key = decode_verify_key_bytes(
|
||||
key_name,
|
||||
decode_base64(public_key)
|
||||
logger.debug(
|
||||
"Attempting to verify sig with key %s from %r "
|
||||
"against pubkey %r",
|
||||
key_name, server, public_key_object,
|
||||
)
|
||||
verify_signed_json(signed, server, verify_key)
|
||||
if "key_validity_url" in public_key_object:
|
||||
yield self._check_key_revocation(
|
||||
public_key,
|
||||
|
||||
try:
|
||||
public_key = public_key_object["public_key"]
|
||||
verify_key = decode_verify_key_bytes(
|
||||
key_name,
|
||||
decode_base64(public_key)
|
||||
)
|
||||
verify_signed_json(signed, server, verify_key)
|
||||
logger.debug(
|
||||
"Successfully verified sig with key %s from %r "
|
||||
"against pubkey %r",
|
||||
key_name, server, public_key_object,
|
||||
)
|
||||
except Exception:
|
||||
logger.info(
|
||||
"Failed to verify sig with key %s from %r "
|
||||
"against pubkey %r",
|
||||
key_name, server, public_key_object,
|
||||
)
|
||||
raise
|
||||
try:
|
||||
if "key_validity_url" in public_key_object:
|
||||
yield self._check_key_revocation(
|
||||
public_key,
|
||||
public_key_object["key_validity_url"]
|
||||
)
|
||||
except Exception:
|
||||
logger.info(
|
||||
"Failed to query key_validity_url %s",
|
||||
public_key_object["key_validity_url"]
|
||||
)
|
||||
raise
|
||||
return
|
||||
except Exception as e:
|
||||
last_exception = e
|
||||
|
|
Loading…
Reference in a new issue