Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Fix exception when fetching notary server's old keys
Browse files Browse the repository at this point in the history 
Lift the restriction that *all* the keys used for signing v2 key responses be
present in verify_keys.

Fixes #6596.
  • Loading branch information
@richvdh
richvdh committed Jan 3, 2020
1 parent dc96943 commit 78e5326
Show file tree
Hide file tree
Showing 3 changed files with 103 additions and 50 deletions.
1 change: 1 addition & 0 deletions changelog.d/6625.bugfix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix exception when fetching the `matrix.org:ed25519:auto` key.
13 changes: 7 additions & 6 deletions synapse/crypto/keyring.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -511,17 +511,18 @@ def process_v2_response(self, from_server, response_json, time_added_ms):
server_name = response_json["server_name"]
verified = False
for key_id in response_json["signatures"].get(server_name, {}):
# each of the keys used for the signature must be present in the response
# json.
key = verify_keys.get(key_id)
if not key:
raise KeyLookupError(
"Key response is signed by key id %s:%s but that key is not "
"present in the response" % (server_name, key_id)
)
# the key may not be present in verify_keys if:
# * we got the key from the notary server, and:
# * the key belongs to the notary server, and:
# * the notary server is using a different key to sign notary
# responses.
continue

verify_signed_json(response_json, server_name, key.verify_key)
verified = True
break

if not verified:
raise KeyLookupError(
Expand Down
139 changes: 95 additions & 44 deletions tests/crypto/test_keyring.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import canonicaljson
import signedjson.key
import signedjson.sign
from nacl.signing import SigningKey
from signedjson.key import encode_verify_key_base64, get_verify_key

from twisted.internet import defer
Expand Down Expand Up @@ -412,46 +413,117 @@ def make_homeserver(self, reactor, clock):
handlers=None, http_client=self.http_client, config=config
)

def test_get_keys_from_perspectives(self):
# arbitrarily advance the clock a bit
self.reactor.advance(100)

fetcher = PerspectivesKeyFetcher(self.hs)

SERVER_NAME = "server2"
testkey = signedjson.key.generate_signing_key("ver1")
testverifykey = signedjson.key.get_verify_key(testkey)
testverifykey_id = "ed25519:ver1"
VALID_UNTIL_TS = 200 * 1000
def build_perspectives_response(
self, server_name: str, signing_key: SigningKey, valid_until_ts: int,
) -> dict:
"""
Build a valid perspectives server response to a request for the given key
"""
verify_key = signedjson.key.get_verify_key(signing_key)
verifykey_id = "%s:%s" % (verify_key.alg, verify_key.version)

# valid response
response = {
"server_name": SERVER_NAME,
"server_name": server_name,
"old_verify_keys": {},
"valid_until_ts": VALID_UNTIL_TS,
"valid_until_ts": valid_until_ts,
"verify_keys": {
testverifykey_id: {
"key": signedjson.key.encode_verify_key_base64(testverifykey)
verifykey_id: {
"key": signedjson.key.encode_verify_key_base64(verify_key)
}
},
}

# the response must be signed by both the origin server and the perspectives
# server.
signedjson.sign.sign_json(response, SERVER_NAME, testkey)
signedjson.sign.sign_json(response, server_name, signing_key)
self.mock_perspective_server.sign_response(response)
return response

def expect_outgoing_key_query(
self, expected_server_name: str, expected_key_id: str, response: dict
) -> None:
"""
Tell the mock http client to expect a perspectives-server key query
"""

def post_json(destination, path, data, **kwargs):
self.assertEqual(destination, self.mock_perspective_server.server_name)
self.assertEqual(path, "/_matrix/key/v2/query")

# check that the request is for the expected key
q = data["server_keys"]
self.assertEqual(list(q[SERVER_NAME].keys()), ["key1"])
self.assertEqual(list(q[expected_server_name].keys()), [expected_key_id])
return {"server_keys": [response]}

self.http_client.post_json.side_effect = post_json

def test_get_keys_from_perspectives(self):
# arbitrarily advance the clock a bit
self.reactor.advance(100)

fetcher = PerspectivesKeyFetcher(self.hs)

SERVER_NAME = "server2"
testkey = signedjson.key.generate_signing_key("ver1")
testverifykey = signedjson.key.get_verify_key(testkey)
testverifykey_id = "ed25519:ver1"
VALID_UNTIL_TS = 200 * 1000

response = self.build_perspectives_response(
SERVER_NAME, testkey, VALID_UNTIL_TS,
)

self.expect_outgoing_key_query(SERVER_NAME, "key1", response)

keys_to_fetch = {SERVER_NAME: {"key1": 0}}
keys = self.get_success(fetcher.get_keys(keys_to_fetch))
self.assertIn(SERVER_NAME, keys)
k = keys[SERVER_NAME][testverifykey_id]
self.assertEqual(k.valid_until_ts, VALID_UNTIL_TS)
self.assertEqual(k.verify_key, testverifykey)
self.assertEqual(k.verify_key.alg, "ed25519")
self.assertEqual(k.verify_key.version, "ver1")

# check that the perspectives store is correctly updated
lookup_triplet = (SERVER_NAME, testverifykey_id, None)
key_json = self.get_success(
self.hs.get_datastore().get_server_keys_json([lookup_triplet])
)
res = key_json[lookup_triplet]
self.assertEqual(len(res), 1)
res = res[0]
self.assertEqual(res["key_id"], testverifykey_id)
self.assertEqual(res["from_server"], self.mock_perspective_server.server_name)
self.assertEqual(res["ts_added_ms"], self.reactor.seconds() * 1000)
self.assertEqual(res["ts_valid_until_ms"], VALID_UNTIL_TS)

self.assertEqual(
bytes(res["key_json"]), canonicaljson.encode_canonical_json(response)
)

def test_get_perspectives_own_key(self):
"""Check that we can get the perspectives server's own keys
This is slightly complicated by the fact that the perspectives server may
use different keys for signing notary responses.
"""

# arbitrarily advance the clock a bit
self.reactor.advance(100)

fetcher = PerspectivesKeyFetcher(self.hs)

SERVER_NAME = self.mock_perspective_server.server_name
testkey = signedjson.key.generate_signing_key("ver1")
testverifykey = signedjson.key.get_verify_key(testkey)
testverifykey_id = "ed25519:ver1"
VALID_UNTIL_TS = 200 * 1000

response = self.build_perspectives_response(
SERVER_NAME, testkey, VALID_UNTIL_TS
)

self.expect_outgoing_key_query(SERVER_NAME, "key1", response)

keys_to_fetch = {SERVER_NAME: {"key1": 0}}
keys = self.get_success(fetcher.get_keys(keys_to_fetch))
self.assertIn(SERVER_NAME, keys)
Expand Down Expand Up @@ -490,35 +562,14 @@ def test_invalid_perspectives_responses(self):
VALID_UNTIL_TS = 200 * 1000

def build_response():
# valid response
response = {
"server_name": SERVER_NAME,
"old_verify_keys": {},
"valid_until_ts": VALID_UNTIL_TS,
"verify_keys": {
testverifykey_id: {
"key": signedjson.key.encode_verify_key_base64(testverifykey)
}
},
}

# the response must be signed by both the origin server and the perspectives
# server.
signedjson.sign.sign_json(response, SERVER_NAME, testkey)
self.mock_perspective_server.sign_response(response)
return response
return self.build_perspectives_response(
SERVER_NAME, testkey, VALID_UNTIL_TS
)

def get_key_from_perspectives(response):
fetcher = PerspectivesKeyFetcher(self.hs)
keys_to_fetch = {SERVER_NAME: {"key1": 0}}

def post_json(destination, path, data, **kwargs):
self.assertEqual(destination, self.mock_perspective_server.server_name)
self.assertEqual(path, "/_matrix/key/v2/query")
return {"server_keys": [response]}

self.http_client.post_json.side_effect = post_json

self.expect_outgoing_key_query(SERVER_NAME, "key1", response)
return self.get_success(fetcher.get_keys(keys_to_fetch))

# start with a valid response so we can check we are testing the right thing
Expand Down

0 comments on commit 78e5326

Please sign in to comment.