forked from MirrorHub/synapse
Merge pull request #1167 from matrix-org/markjh/fingerprints
Add config option for adding additional TLS fingerprints
This commit is contained in:
Mark Haines
GitHub
commit
9e18e0b1cb
2 changed files with 46 additions and 13 deletions
|
|
@ -19,6 +19,9 @@ from OpenSSL import crypto
|
||||||
import subprocess
|
import subprocess
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
from hashlib import sha256
|
||||||
|
from unpaddedbase64 import encode_base64
|
||||||
|
|
||||||
GENERATE_DH_PARAMS = False
|
GENERATE_DH_PARAMS = False
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -42,6 +45,19 @@ class TlsConfig(Config):
|
||||||
config.get("tls_dh_params_path"), "tls_dh_params"
|
config.get("tls_dh_params_path"), "tls_dh_params"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
self.tls_fingerprints = config["tls_fingerprints"]
|
||||||
|
|
||||||
|
# Check that our own certificate is included in the list of fingerprints
|
||||||
|
# and include it if it is not.
|
||||||
|
x509_certificate_bytes = crypto.dump_certificate(
|
||||||
|
crypto.FILETYPE_ASN1,
|
||||||
|
self.tls_certificate
|
||||||
|
)
|
||||||
|
sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
|
||||||
|
sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints)
|
||||||
|
if sha256_fingerprint not in sha256_fingerprints:
|
||||||
|
self.tls_fingerprints.append({u"sha256": sha256_fingerprint})
|
||||||
|
|
||||||
# This config option applies to non-federation HTTP clients
|
# This config option applies to non-federation HTTP clients
|
||||||
# (e.g. for talking to recaptcha, identity servers, and such)
|
# (e.g. for talking to recaptcha, identity servers, and such)
|
||||||
# It should never be used in production, and is intended for
|
# It should never be used in production, and is intended for
|
||||||
|
|
@ -73,6 +89,28 @@ class TlsConfig(Config):
|
||||||
|
|
||||||
# Don't bind to the https port
|
# Don't bind to the https port
|
||||||
no_tls: False
|
no_tls: False
|
||||||
|
|
||||||
|
# List of allowed TLS fingerprints for this server to publish along
|
||||||
|
# with the signing keys for this server. Other matrix servers that
|
||||||
|
# make HTTPS requests to this server will check that the TLS
|
||||||
|
# certificates returned by this server match one of the fingerprints.
|
||||||
|
#
|
||||||
|
# Synapse automatically adds its the fingerprint of its own certificate
|
||||||
|
# to the list. So if federation traffic is handle directly by synapse
|
||||||
|
# then no modification to the list is required.
|
||||||
|
#
|
||||||
|
# If synapse is run behind a load balancer that handles the TLS then it
|
||||||
|
# will be necessary to add the fingerprints of the certificates used by
|
||||||
|
# the loadbalancers to this list if they are different to the one
|
||||||
|
# synapse is using.
|
||||||
|
#
|
||||||
|
# Homeservers are permitted to cache the list of TLS fingerprints
|
||||||
|
# returned in the key responses up to the "valid_until_ts" returned in
|
||||||
|
# key. It may be necessary to publish the fingerprints of a new
|
||||||
|
# certificate and wait until the "valid_until_ts" of the previous key
|
||||||
|
# responses have passed before deploying it.
|
||||||
|
tls_fingerprints: []
|
||||||
|
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
||||||
""" % locals()
|
""" % locals()
|
||||||
|
|
||||||
def read_tls_certificate(self, cert_path):
|
def read_tls_certificate(self, cert_path):
|
||||||
|
|
|
||||||
|
|
@ -19,8 +19,6 @@ from synapse.http.server import respond_with_json_bytes
|
||||||
from signedjson.sign import sign_json
|
from signedjson.sign import sign_json
|
||||||
from unpaddedbase64 import encode_base64
|
from unpaddedbase64 import encode_base64
|
||||||
from canonicaljson import encode_canonical_json
|
from canonicaljson import encode_canonical_json
|
||||||
from hashlib import sha256
|
|
||||||
from OpenSSL import crypto
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -48,8 +46,12 @@ class LocalKey(Resource):
|
||||||
"expired_ts": # integer posix timestamp when the key expired.
|
"expired_ts": # integer posix timestamp when the key expired.
|
||||||
"key": # base64 encoded NACL verification key.
|
"key": # base64 encoded NACL verification key.
|
||||||
}
|
}
|
||||||
}
|
},
|
||||||
"tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
|
"tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
|
||||||
|
{
|
||||||
|
"sha256": # base64 encoded sha256 fingerprint of the X509 cert
|
||||||
|
},
|
||||||
|
],
|
||||||
"signatures": {
|
"signatures": {
|
||||||
"this.server.example.com": {
|
"this.server.example.com": {
|
||||||
"algorithm:version": # NACL signature for this server
|
"algorithm:version": # NACL signature for this server
|
||||||
|
|
@ -90,21 +92,14 @@ class LocalKey(Resource):
|
||||||
u"expired_ts": key.expired,
|
u"expired_ts": key.expired,
|
||||||
}
|
}
|
||||||
|
|
||||||
x509_certificate_bytes = crypto.dump_certificate(
|
tls_fingerprints = self.config.tls_fingerprints
|
||||||
crypto.FILETYPE_ASN1,
|
|
||||||
self.config.tls_certificate
|
|
||||||
)
|
|
||||||
|
|
||||||
sha256_fingerprint = sha256(x509_certificate_bytes).digest()
|
|
||||||
|
|
||||||
json_object = {
|
json_object = {
|
||||||
u"valid_until_ts": self.valid_until_ts,
|
u"valid_until_ts": self.valid_until_ts,
|
||||||
u"server_name": self.config.server_name,
|
u"server_name": self.config.server_name,
|
||||||
u"verify_keys": verify_keys,
|
u"verify_keys": verify_keys,
|
||||||
u"old_verify_keys": old_verify_keys,
|
u"old_verify_keys": old_verify_keys,
|
||||||
u"tls_fingerprints": [{
|
u"tls_fingerprints": tls_fingerprints,
|
||||||
u"sha256": encode_base64(sha256_fingerprint),
|
|
||||||
}]
|
|
||||||
}
|
}
|
||||||
for key in self.config.signing_key:
|
for key in self.config.signing_key:
|
||||||
json_object = sign_json(
|
json_object = sign_json(
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue