Return a sha256 fingerprint rather than the entire tls certificate

This commit is contained in:
Mark Haines 2015-04-14 19:10:09 +01:00
parent d488463fa3
commit 32e14d8181
3 changed files with 33 additions and 3 deletions

View file

@ -19,6 +19,7 @@ from synapse.http.server import respond_with_json_bytes
from syutil.crypto.jsonsign import sign_json from syutil.crypto.jsonsign import sign_json
from syutil.base64util import encode_base64 from syutil.base64util import encode_base64
from syutil.jsonutil import encode_canonical_json from syutil.jsonutil import encode_canonical_json
from hashlib import sha256
from OpenSSL import crypto from OpenSSL import crypto
import logging import logging
@ -88,12 +89,17 @@ class LocalKey(Resource):
crypto.FILETYPE_ASN1, crypto.FILETYPE_ASN1,
self.config.tls_certificate self.config.tls_certificate
) )
sha256_fingerprint = sha256(x509_certificate_bytes).digest()
json_object = { json_object = {
u"expires": self.expires, u"valid_until": self.expires,
u"server_name": self.config.server_name, u"server_name": self.config.server_name,
u"verify_keys": verify_keys, u"verify_keys": verify_keys,
u"old_verify_keys": old_verify_keys, u"old_verify_keys": old_verify_keys,
u"tls_certificate": encode_base64(x509_certificate_bytes) u"tls_fingerprints": [{
u"sha256": encode_base64(sha256_fingerprint),
}]
} }
for key in self.config.signing_key: for key in self.config.signing_key:
json_object = sign_json( json_object = sign_json(

View file

@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
# Remember to update this number every time a change is made to database # Remember to update this number every time a change is made to database
# schema files, so the users will be informed on server restarts. # schema files, so the users will be informed on server restarts.
SCHEMA_VERSION = 15 SCHEMA_VERSION = 16
dir_path = os.path.abspath(os.path.dirname(__file__)) dir_path = os.path.abspath(os.path.dirname(__file__))

View file

@ -0,0 +1,24 @@
/* Copyright 2015 OpenMarket Ltd
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
CREATE TABLE IF NOT EXISTS server_keys (
server_name TEXT, -- Server name.
key_id TEXT, -- Requested key id.
from_server TEXT, -- Which server the keys were fetched from.
ts_added_ms INTEGER, -- When the keys were fetched
ts_expires_ms INTEGER, -- When this version of the keys exipires.
key_json BLOB, -- JSON certificate for the remote server.
CONSTRAINT uniqueness UNIQUE (server_name, key_id)
);