diff options
author | Erik Johnston <erikj@jki.re> | 2016-08-10 10:56:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-10 10:56:08 +0100 |
commit | d45489474d0e9ee2451c04654f007a659c5d2ef6 (patch) | |
tree | d92a8abe1d05c5b7e6508c2568444a3a47402fe5 | |
parent | /login: Respond with a 403 when we get an invalid m.login.token (diff) | |
parent | Don't print stack traces when failing to get remote keys (diff) | |
download | synapse-d45489474d0e9ee2451c04654f007a659c5d2ef6.tar.xz |
Merge pull request #996 from matrix-org/erikj/tls_error
Don't print stack traces when failing to get remote keys
Diffstat (limited to '')
-rw-r--r-- | synapse/crypto/keyring.py | 28 | ||||
-rw-r--r-- | synapse/rest/key/v2/remote_key_resource.py | 4 |
2 files changed, 19 insertions, 13 deletions
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py index 5012c10ee8..7cd11cfae7 100644 --- a/synapse/crypto/keyring.py +++ b/synapse/crypto/keyring.py @@ -61,6 +61,10 @@ Attributes: """ +class KeyLookupError(ValueError): + pass + + class Keyring(object): def __init__(self, hs): self.store = hs.get_datastore() @@ -363,7 +367,7 @@ class Keyring(object): ) except Exception as e: logger.info( - "Unable to getting key %r for %r directly: %s %s", + "Unable to get key %r for %r directly: %s %s", key_ids, server_name, type(e).__name__, str(e.message), ) @@ -425,7 +429,7 @@ class Keyring(object): for response in responses: if (u"signatures" not in response or perspective_name not in response[u"signatures"]): - raise ValueError( + raise KeyLookupError( "Key response not signed by perspective server" " %r" % (perspective_name,) ) @@ -448,7 +452,7 @@ class Keyring(object): list(response[u"signatures"][perspective_name]), list(perspective_keys) ) - raise ValueError( + raise KeyLookupError( "Response not signed with a known key for perspective" " server %r" % (perspective_name,) ) @@ -491,10 +495,10 @@ class Keyring(object): if (u"signatures" not in response or server_name not in response[u"signatures"]): - raise ValueError("Key response not signed by remote server") + raise KeyLookupError("Key response not signed by remote server") if "tls_fingerprints" not in response: - raise ValueError("Key response missing TLS fingerprints") + raise KeyLookupError("Key response missing TLS fingerprints") certificate_bytes = crypto.dump_certificate( crypto.FILETYPE_ASN1, tls_certificate @@ -508,7 +512,7 @@ class Keyring(object): response_sha256_fingerprints.add(fingerprint[u"sha256"]) if sha256_fingerprint_b64 not in response_sha256_fingerprints: - raise ValueError("TLS certificate not allowed by fingerprints") + raise KeyLookupError("TLS certificate not allowed by fingerprints") response_keys = yield self.process_v2_response( from_server=server_name, @@ -560,14 +564,14 @@ class Keyring(object): server_name = response_json["server_name"] if only_from_server: if server_name != from_server: - raise ValueError( + raise KeyLookupError( "Expected a response for server %r not %r" % ( from_server, server_name ) ) for key_id in response_json["signatures"].get(server_name, {}): if key_id not in response_json["verify_keys"]: - raise ValueError( + raise KeyLookupError( "Key response must include verification keys for all" " signatures" ) @@ -635,15 +639,15 @@ class Keyring(object): if ("signatures" not in response or server_name not in response["signatures"]): - raise ValueError("Key response not signed by remote server") + raise KeyLookupError("Key response not signed by remote server") if "tls_certificate" not in response: - raise ValueError("Key response missing TLS certificate") + raise KeyLookupError("Key response missing TLS certificate") tls_certificate_b64 = response["tls_certificate"] if encode_base64(x509_certificate_bytes) != tls_certificate_b64: - raise ValueError("TLS certificate doesn't match") + raise KeyLookupError("TLS certificate doesn't match") # Cache the result in the datastore. @@ -659,7 +663,7 @@ class Keyring(object): for key_id in response["signatures"][server_name]: if key_id not in response["verify_keys"]: - raise ValueError( + raise KeyLookupError( "Key response must include verification keys for all" " signatures" ) diff --git a/synapse/rest/key/v2/remote_key_resource.py b/synapse/rest/key/v2/remote_key_resource.py index 7209d5a37d..9fe2013657 100644 --- a/synapse/rest/key/v2/remote_key_resource.py +++ b/synapse/rest/key/v2/remote_key_resource.py @@ -15,6 +15,7 @@ from synapse.http.server import request_handler, respond_with_json_bytes from synapse.http.servlet import parse_integer, parse_json_object_from_request from synapse.api.errors import SynapseError, Codes +from synapse.crypto.keyring import KeyLookupError from twisted.web.resource import Resource from twisted.web.server import NOT_DONE_YET @@ -210,9 +211,10 @@ class RemoteKey(Resource): yield self.keyring.get_server_verify_key_v2_direct( server_name, key_ids ) + except KeyLookupError as e: + logger.info("Failed to fetch key: %s", e) except: logger.exception("Failed to get key for %r", server_name) - pass yield self.query_keys( request, query, query_remote_on_cache_miss=False ) |