forked from MirrorHub/synapse
Stuff signed data in a standalone object
Makes both generating it in sydent, and verifying it here, simpler at the cost of some repetition
This commit is contained in:
parent
c225d63e9e
commit
0e5239ffc3
2 changed files with 15 additions and 8 deletions
|
@ -14,7 +14,8 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
"""This module contains classes for authenticating the user."""
|
"""This module contains classes for authenticating the user."""
|
||||||
from nacl.exceptions import BadSignatureError
|
from signedjson.key import decode_verify_key_bytes
|
||||||
|
from signedjson.sign import verify_signed_json, SignatureVerifyException
|
||||||
|
|
||||||
from twisted.internet import defer
|
from twisted.internet import defer
|
||||||
|
|
||||||
|
@ -26,7 +27,6 @@ from synapse.util import third_party_invites
|
||||||
from unpaddedbase64 import decode_base64
|
from unpaddedbase64 import decode_base64
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
import nacl.signing
|
|
||||||
import pymacaroons
|
import pymacaroons
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
@ -416,16 +416,23 @@ class Auth(object):
|
||||||
key_validity_url
|
key_validity_url
|
||||||
)
|
)
|
||||||
return False
|
return False
|
||||||
for _, signature_block in join_third_party_invite["signatures"].items():
|
signed = join_third_party_invite["signed"]
|
||||||
|
if signed["mxid"] != event.user_id:
|
||||||
|
return False
|
||||||
|
if signed["token"] != token:
|
||||||
|
return False
|
||||||
|
for server, signature_block in signed["signatures"].items():
|
||||||
for key_name, encoded_signature in signature_block.items():
|
for key_name, encoded_signature in signature_block.items():
|
||||||
if not key_name.startswith("ed25519:"):
|
if not key_name.startswith("ed25519:"):
|
||||||
return False
|
return False
|
||||||
verify_key = nacl.signing.VerifyKey(decode_base64(public_key))
|
verify_key = decode_verify_key_bytes(
|
||||||
signature = decode_base64(encoded_signature)
|
key_name,
|
||||||
verify_key.verify(token, signature)
|
decode_base64(public_key)
|
||||||
|
)
|
||||||
|
verify_signed_json(signed, server, verify_key)
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
except (KeyError, BadSignatureError,):
|
except (KeyError, SignatureVerifyException,):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def _get_power_level_event(self, auth_events):
|
def _get_power_level_event(self, auth_events):
|
||||||
|
|
|
@ -23,8 +23,8 @@ JOIN_KEYS = {
|
||||||
"token",
|
"token",
|
||||||
"public_key",
|
"public_key",
|
||||||
"key_validity_url",
|
"key_validity_url",
|
||||||
"signatures",
|
|
||||||
"sender",
|
"sender",
|
||||||
|
"signed",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue