diff --git a/changelog.d/4426.misc b/changelog.d/4426.misc
new file mode 100644
index 0000000000..cda50438e0
--- /dev/null
+++ b/changelog.d/4426.misc
@@ -0,0 +1 @@
+Remove redundant SynapseKeyClientProtocol magic
\ No newline at end of file
diff --git a/synapse/crypto/keyclient.py b/synapse/crypto/keyclient.py
deleted file mode 100644
index d40e4b8591..0000000000
--- a/synapse/crypto/keyclient.py
+++ /dev/null
@@ -1,149 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2014-2016 OpenMarket Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import logging
-
-from six.moves import urllib
-
-from canonicaljson import json
-
-from twisted.internet import defer, reactor
-from twisted.internet.error import ConnectError
-from twisted.internet.protocol import Factory
-from twisted.names.error import DomainError
-from twisted.web.http import HTTPClient
-
-from synapse.http.endpoint import matrix_federation_endpoint
-from synapse.util import logcontext
-
-logger = logging.getLogger(__name__)
-
-KEY_API_V2 = "/_matrix/key/v2/server/%s"
-
-
-@defer.inlineCallbacks
-def fetch_server_key(server_name, tls_client_options_factory, key_id):
- """Fetch the keys for a remote server."""
-
- factory = SynapseKeyClientFactory()
- factory.path = KEY_API_V2 % (urllib.parse.quote(key_id), )
- factory.host = server_name
- endpoint = matrix_federation_endpoint(
- reactor, server_name, tls_client_options_factory, timeout=30
- )
-
- for i in range(5):
- try:
- with logcontext.PreserveLoggingContext():
- protocol = yield endpoint.connect(factory)
- server_response, server_certificate = yield protocol.remote_key
- defer.returnValue((server_response, server_certificate))
- except SynapseKeyClientError as e:
- logger.warn("Error getting key for %r: %s", server_name, e)
- if e.status.startswith(b"4"):
- # Don't retry for 4xx responses.
- raise IOError("Cannot get key for %r" % server_name)
- except (ConnectError, DomainError) as e:
- logger.warn("Error getting key for %r: %s", server_name, e)
- except Exception:
- logger.exception("Error getting key for %r", server_name)
- raise IOError("Cannot get key for %r" % server_name)
-
-
-class SynapseKeyClientError(Exception):
- """The key wasn't retrieved from the remote server."""
- status = None
- pass
-
-
-class SynapseKeyClientProtocol(HTTPClient):
- """Low level HTTPS client which retrieves an application/json response from
- the server and extracts the X.509 certificate for the remote peer from the
- SSL connection."""
-
- timeout = 30
-
- def __init__(self):
- self.remote_key = defer.Deferred()
- self.host = None
- self._peer = None
-
- def connectionMade(self):
- self._peer = self.transport.getPeer()
- logger.debug("Connected to %s", self._peer)
-
- if not isinstance(self.path, bytes):
- self.path = self.path.encode('ascii')
-
- if not isinstance(self.host, bytes):
- self.host = self.host.encode('ascii')
-
- self.sendCommand(b"GET", self.path)
- if self.host:
- self.sendHeader(b"Host", self.host)
- self.endHeaders()
- self.timer = reactor.callLater(
- self.timeout,
- self.on_timeout
- )
-
- def errback(self, error):
- if not self.remote_key.called:
- self.remote_key.errback(error)
-
- def callback(self, result):
- if not self.remote_key.called:
- self.remote_key.callback(result)
-
- def handleStatus(self, version, status, message):
- if status != b"200":
- # logger.info("Non-200 response from %s: %s %s",
- # self.transport.getHost(), status, message)
- error = SynapseKeyClientError(
- "Non-200 response %r from %r" % (status, self.host)
- )
- error.status = status
- self.errback(error)
- self.transport.abortConnection()
-
- def handleResponse(self, response_body_bytes):
- try:
- json_response = json.loads(response_body_bytes)
- except ValueError:
- # logger.info("Invalid JSON response from %s",
- # self.transport.getHost())
- self.transport.abortConnection()
- return
-
- certificate = self.transport.getPeerCertificate()
- self.callback((json_response, certificate))
- self.transport.abortConnection()
- self.timer.cancel()
-
- def on_timeout(self):
- logger.debug(
- "Timeout waiting for response from %s: %s",
- self.host, self._peer,
- )
- self.errback(IOError("Timeout waiting for response"))
- self.transport.abortConnection()
-
-
-class SynapseKeyClientFactory(Factory):
- def protocol(self):
- protocol = SynapseKeyClientProtocol()
- protocol.path = self.path
- protocol.host = self.host
- return protocol
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
index 515ebbc148..3a96980bed 100644
--- a/synapse/crypto/keyring.py
+++ b/synapse/crypto/keyring.py
@@ -14,10 +14,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-import hashlib
import logging
from collections import namedtuple
+from six.moves import urllib
+
from signedjson.key import (
decode_verify_key_bytes,
encode_verify_key_base64,
@@ -30,13 +31,11 @@ from signedjson.sign import (
signature_ids,
verify_signed_json,
)
-from unpaddedbase64 import decode_base64, encode_base64
+from unpaddedbase64 import decode_base64
-from OpenSSL import crypto
from twisted.internet import defer
from synapse.api.errors import Codes, SynapseError
-from synapse.crypto.keyclient import fetch_server_key
from synapse.util import logcontext, unwrapFirstError
from synapse.util.logcontext import (
LoggingContext,
@@ -503,31 +502,16 @@ class Keyring(object):
if requested_key_id in keys:
continue
- (response, tls_certificate) = yield fetch_server_key(
- server_name, self.hs.tls_client_options_factory, requested_key_id
+ response = yield self.client.get_json(
+ destination=server_name,
+ path="/_matrix/key/v2/server/" + urllib.parse.quote(requested_key_id),
+ ignore_backoff=True,
)
if (u"signatures" not in response
or server_name not in response[u"signatures"]):
raise KeyLookupError("Key response not signed by remote server")
- if "tls_fingerprints" not in response:
- raise KeyLookupError("Key response missing TLS fingerprints")
-
- certificate_bytes = crypto.dump_certificate(
- crypto.FILETYPE_ASN1, tls_certificate
- )
- sha256_fingerprint = hashlib.sha256(certificate_bytes).digest()
- sha256_fingerprint_b64 = encode_base64(sha256_fingerprint)
-
- response_sha256_fingerprints = set()
- for fingerprint in response[u"tls_fingerprints"]:
- if u"sha256" in fingerprint:
- response_sha256_fingerprints.add(fingerprint[u"sha256"])
-
- if sha256_fingerprint_b64 not in response_sha256_fingerprints:
- raise KeyLookupError("TLS certificate not allowed by fingerprints")
-
response_keys = yield self.process_v2_response(
from_server=server_name,
requested_ids=[requested_key_id],
|
