Only sign when we respond to remote key requests

This commit is contained in:
Erik Johnston 2019-08-21 10:39:45 +01:00
parent 5906be8589
commit 97cbc96093
2 changed files with 15 additions and 22 deletions

View file

@ -30,7 +30,6 @@ from signedjson.key import (
from signedjson.sign import ( from signedjson.sign import (
SignatureVerifyException, SignatureVerifyException,
encode_canonical_json, encode_canonical_json,
sign_json,
signature_ids, signature_ids,
verify_signed_json, verify_signed_json,
) )
@ -540,15 +539,7 @@ class BaseV2KeyFetcher(object):
verify_key=verify_key, valid_until_ts=key_data["expired_ts"] verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
) )
# re-sign the json with our own keys, so that it is ready if we are signed_key_json_bytes = encode_canonical_json(response_json)
# asked to give it out as a notary server
signed_key_json = response_json
for signing_key in self.config.key_server_signing_keys:
signed_key_json = sign_json(
signed_key_json, self.config.server_name, signing_key
)
signed_key_json_bytes = encode_canonical_json(signed_key_json)
yield make_deferred_yieldable( yield make_deferred_yieldable(
defer.gatherResults( defer.gatherResults(

View file

@ -13,7 +13,9 @@
# limitations under the License. # limitations under the License.
import logging import logging
from io import BytesIO
from canonicaljson import json
from signedjson.sign import sign_json
from twisted.internet import defer from twisted.internet import defer
@ -95,6 +97,7 @@ class RemoteKey(DirectServeResource):
self.store = hs.get_datastore() self.store = hs.get_datastore()
self.clock = hs.get_clock() self.clock = hs.get_clock()
self.federation_domain_whitelist = hs.config.federation_domain_whitelist self.federation_domain_whitelist = hs.config.federation_domain_whitelist
self.config = hs.config
@wrap_json_request_handler @wrap_json_request_handler
async def _async_render_GET(self, request): async def _async_render_GET(self, request):
@ -214,15 +217,14 @@ class RemoteKey(DirectServeResource):
yield self.fetcher.get_keys(cache_misses) yield self.fetcher.get_keys(cache_misses)
yield self.query_keys(request, query, query_remote_on_cache_miss=False) yield self.query_keys(request, query, query_remote_on_cache_miss=False)
else: else:
result_io = BytesIO() signed_keys = []
result_io.write(b'{"server_keys":') for key_json in json_results:
sep = b"[" key_json = json.loads(key_json)
for json_bytes in json_results: for signing_key in self.config.key_server_signing_keys:
result_io.write(sep) key_json = sign_json(key_json, self.config.server_name, signing_key)
result_io.write(json_bytes)
sep = b","
if sep == b"[":
result_io.write(sep)
result_io.write(b"]}")
respond_with_json_bytes(request, 200, result_io.getvalue()) signed_keys.append(key_json)
results = {"server_keys": signed_keys}
respond_with_json_bytes(request, 200, json.dumps(results).encode("utf-8"))