Return a sha256 fingerprint rather than the entire tls certificate
This commit is contained in:
parent
d488463fa3
commit
32e14d8181
3 changed files with 33 additions and 3 deletions
@ -19,6 +19,7 @@ from synapse.http.server import respond_with_json_bytes
|
||||||
from syutil.crypto.jsonsign import sign_json
|
from syutil.crypto.jsonsign import sign_json
|
||||||
from syutil.base64util import encode_base64
|
from syutil.base64util import encode_base64
|
||||||
from syutil.jsonutil import encode_canonical_json
|
from syutil.jsonutil import encode_canonical_json
|
||||||
|
from hashlib import sha256
|
||||||
from OpenSSL import crypto
|
from OpenSSL import crypto
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
@ -88,12 +89,17 @@ class LocalKey(Resource):
|
||||||
crypto.FILETYPE_ASN1,
|
crypto.FILETYPE_ASN1,
|
||||||
self.config.tls_certificate
|
self.config.tls_certificate
|
||||||
)
|
)
|
||||||
|
|
||||||
|
sha256_fingerprint = sha256(x509_certificate_bytes).digest()
|
||||||
|
|
||||||
json_object = {
|
json_object = {
|
||||||
u"expires": self.expires,
|
u"valid_until": self.expires,
|
||||||
u"server_name": self.config.server_name,
|
u"server_name": self.config.server_name,
|
||||||
u"verify_keys": verify_keys,
|
u"verify_keys": verify_keys,
|
||||||
u"old_verify_keys": old_verify_keys,
|
u"old_verify_keys": old_verify_keys,
|
||||||
u"tls_certificate": encode_base64(x509_certificate_bytes)
|
u"tls_fingerprints": [{
|
||||||
|
u"sha256": encode_base64(sha256_fingerprint),
|
||||||
|
}]
|
||||||
}
|
}
|
||||||
for key in self.config.signing_key:
|
for key in self.config.signing_key:
|
||||||
json_object = sign_json(
|
json_object = sign_json(
|
||||||
|
|
|
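Review bot: The digest on the `sha256_fingerprint = sha256(x509_certificate_bytes).digest()` line is taken over the DER encoding chosen by `crypto.FILETYPE_ASN1`, and nothing in the hunk records that the encoding is what makes the value comparable by a peer; a comment such as `# Digest the DER (ASN.1) encoding; a peer must hash the same DER bytes for the fingerprint to match.` would save the next reader from re-deriving that. The same hunk also renames the served key `u"expires"` to `u"valid_until"` and drops `u"tls_certificate"` from the document entirely, neither of which the commit message mentions, so consumers of this JSON that read the old keys will stop matching; the message (or a comment above `json_object = {`) should say whether that break is intended. Presumably `u"tls_fingerprints"` is a list so that digests under further hash algorithms can be listed beside `u"sha256"`; if so, a one-line comment saying that would make the shape self-explaining. The enclosing method starts outside the hunk.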
@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
# Remember to update this number every time a change is made to database
|
# Remember to update this number every time a change is made to database
|
||||||
# schema files, so the users will be informed on server restarts.
|
# schema files, so the users will be informed on server restarts.
|
||||||
SCHEMA_VERSION = 15
|
SCHEMA_VERSION = 16
|
||||||
|
|
||||||
dir_path = os.path.abspath(os.path.dirname(__file__))
|
dir_path = os.path.abspath(os.path.dirname(__file__))
|
||||||
|
|
||||||
|
|
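--- /dev/null
+++ b/synapse/storage/schema/delta/16/server_keys.sql
@@ -0,0 +1,24 @@
+/* Copyright 2015 OpenMarket Ltd
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+CREATE TABLE IF NOT EXISTS server_keys (
+server_name TEXT, -- Server name.
+key_id TEXT, -- Requested key id.
+from_server TEXT, -- Which server the keys were fetched from.
+ts_added_ms INTEGER, -- When the keys were fetched
+ts_expires_ms INTEGER, -- When this version of the keys exipires.
+key_json BLOB, -- JSON certificate for the remote server.
+CONSTRAINT uniqueness UNIQUE (server_name, key_id)
+);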
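Review bot: `server_name` and `key_id` carry the `CONSTRAINT uniqueness UNIQUE (server_name, key_id)` but are declared nullable, and UNIQUE does not treat NULLs as equal in SQLite or most other engines, so a row stored with a missing key id would never be deduplicated against a later fetch; declaring `server_name TEXT NOT NULL,` and `key_id TEXT NOT NULL,` closes that gap. The comment on `ts_expires_ms` has a typo, `exipires` should read `expires`. `key_json` is described as a "JSON certificate" while this commit replaces certificates with fingerprints in the served document; if the column holds the signed key JSON fetched from the remote server, a comment such as `-- Signed key JSON fetched from the remote server.` would state that precisely.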