forked from MirrorHub/synapse
Only sign when we respond to remote key requests
This commit is contained in:
parent
5906be8589
commit
97cbc96093
2 changed files with 15 additions and 22 deletions
synapse
|
@ -30,7 +30,6 @@ from signedjson.key import (
|
||||||
from signedjson.sign import (
|
from signedjson.sign import (
|
||||||
SignatureVerifyException,
|
SignatureVerifyException,
|
||||||
encode_canonical_json,
|
encode_canonical_json,
|
||||||
sign_json,
|
|
||||||
signature_ids,
|
signature_ids,
|
||||||
verify_signed_json,
|
verify_signed_json,
|
||||||
)
|
)
|
||||||
|
@ -540,15 +539,7 @@ class BaseV2KeyFetcher(object):
|
||||||
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
|
verify_key=verify_key, valid_until_ts=key_data["expired_ts"]
|
||||||
)
|
)
|
||||||
|
|
||||||
# re-sign the json with our own keys, so that it is ready if we are
|
signed_key_json_bytes = encode_canonical_json(response_json)
|
||||||
# asked to give it out as a notary server
|
|
||||||
signed_key_json = response_json
|
|
||||||
for signing_key in self.config.key_server_signing_keys:
|
|
||||||
signed_key_json = sign_json(
|
|
||||||
signed_key_json, self.config.server_name, signing_key
|
|
||||||
)
|
|
||||||
|
|
||||||
signed_key_json_bytes = encode_canonical_json(signed_key_json)
|
|
||||||
|
|
||||||
yield make_deferred_yieldable(
|
yield make_deferred_yieldable(
|
||||||
defer.gatherResults(
|
defer.gatherResults(
|
||||||
|
|
|
@ -13,7 +13,9 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
from io import BytesIO
|
|
||||||
|
from canonicaljson import json
|
||||||
|
from signedjson.sign import sign_json
|
||||||
|
|
||||||
from twisted.internet import defer
|
from twisted.internet import defer
|
||||||
|
|
||||||
|
@ -95,6 +97,7 @@ class RemoteKey(DirectServeResource):
|
||||||
self.store = hs.get_datastore()
|
self.store = hs.get_datastore()
|
||||||
self.clock = hs.get_clock()
|
self.clock = hs.get_clock()
|
||||||
self.federation_domain_whitelist = hs.config.federation_domain_whitelist
|
self.federation_domain_whitelist = hs.config.federation_domain_whitelist
|
||||||
|
self.config = hs.config
|
||||||
|
|
||||||
@wrap_json_request_handler
|
@wrap_json_request_handler
|
||||||
async def _async_render_GET(self, request):
|
async def _async_render_GET(self, request):
|
||||||
|
@ -214,15 +217,14 @@ class RemoteKey(DirectServeResource):
|
||||||
yield self.fetcher.get_keys(cache_misses)
|
yield self.fetcher.get_keys(cache_misses)
|
||||||
yield self.query_keys(request, query, query_remote_on_cache_miss=False)
|
yield self.query_keys(request, query, query_remote_on_cache_miss=False)
|
||||||
else:
|
else:
|
||||||
result_io = BytesIO()
|
signed_keys = []
|
||||||
result_io.write(b'{"server_keys":')
|
for key_json in json_results:
|
||||||
sep = b"["
|
key_json = json.loads(key_json)
|
||||||
for json_bytes in json_results:
|
for signing_key in self.config.key_server_signing_keys:
|
||||||
result_io.write(sep)
|
key_json = sign_json(key_json, self.config.server_name, signing_key)
|
||||||
result_io.write(json_bytes)
|
|
||||||
sep = b","
|
|
||||||
if sep == b"[":
|
|
||||||
result_io.write(sep)
|
|
||||||
result_io.write(b"]}")
|
|
||||||
|
|
||||||
respond_with_json_bytes(request, 200, result_io.getvalue())
|
signed_keys.append(key_json)
|
||||||
|
|
||||||
|
results = {"server_keys": signed_keys}
|
||||||
|
|
||||||
|
respond_with_json_bytes(request, 200, json.dumps(results).encode("utf-8"))
|
||||||
|
|
Loading…
Reference in a new issue