summary refs log tree commit diff
path: root/scripts
diff options
context:
space:
mode:
authorErik Johnston <erik@matrix.org>2014-11-03 16:35:48 +0000
committerErik Johnston <erik@matrix.org>2014-11-03 16:35:48 +0000
commitbab28465130ca32eea003db51e500872cbb48c29 (patch)
tree00c7d00ce33e8d1dbbdce4ebc5f56dc346b8b894 /scripts
parentAdd option to not bind to HTTPS port. This is useful if running behind an ssl... (diff)
parentScript for checking event hashes (diff)
downloadsynapse-bab28465130ca32eea003db51e500872cbb48c29.tar.xz
Merge branch 'event_signing' of github.com:matrix-org/synapse into federation_authorization
Diffstat (limited to 'scripts')
-rw-r--r--scripts/check_event_hash.py43
-rw-r--r--scripts/check_signature.py74
2 files changed, 117 insertions, 0 deletions
diff --git a/scripts/check_event_hash.py b/scripts/check_event_hash.py
new file mode 100644
index 0000000000..9fa4452ee6
--- /dev/null
+++ b/scripts/check_event_hash.py
@@ -0,0 +1,43 @@
+from synapse.crypto.event_signing import *
+from syutil.base64util import encode_base64
+
+import argparse
+import hashlib
+import sys
+import json
+
+class dictobj(dict):
+    def __init__(self, *args, **kargs):
+        dict.__init__(self, *args, **kargs)
+        self.__dict__ = self
+
+    def get_dict(self):
+        return dict(self)
+
+
+def main():
+    parser = parser = argparse.ArgumentParser()
+    parser.add_argument("input_json", nargs="?", type=argparse.FileType('r'),
+                        default=sys.stdin)
+    args = parser.parse_args()
+    logging.basicConfig()
+
+    event_json = dictobj(json.load(args.input_json))
+
+    algorithms = {
+        "sha256": hashlib.sha256,
+    }
+
+    for alg_name in event_json.hashes:
+        if check_event_pdu_content_hash(event_json, algorithms[alg_name]):
+            print "PASS content hash %s" % (alg_name,)
+        else:
+            print "FAIL content hash %s" % (alg_name,)
+
+    for algorithm in algorithms.values():
+        name, h_bytes = compute_pdu_event_reference_hash(event_json, algorithm)
+        print "Reference hash %s: %s" % (name, encode_base64(bytes))
+
+if __name__=="__main__":
+    main()
+
diff --git a/scripts/check_signature.py b/scripts/check_signature.py
new file mode 100644
index 0000000000..e7964e7e71
--- /dev/null
+++ b/scripts/check_signature.py
@@ -0,0 +1,74 @@
+
+from synapse.crypto.event_signing import verify_signed_event_pdu
+from syutil.crypto.jsonsign import verify_signed_json
+from syutil.crypto.signing_key import (
+    decode_verify_key_bytes, write_signing_keys
+)
+from syutil.base64util import decode_base64
+
+import urllib2
+import json
+import sys
+import dns.resolver
+import pprint
+import argparse
+import logging
+
+def get_targets(server_name):
+    if ":" in server_name:
+        target, port = server_name.split(":")
+        yield (target, int(port))
+        return
+    try:
+        answers = dns.resolver.query("_matrix._tcp." + server_name, "SRV")
+        for srv in answers:
+            yield (srv.target, srv.port)
+    except dns.resolver.NXDOMAIN:
+        yield (server_name, 8480)
+
+def get_server_keys(server_name, target, port):
+    url = "https://%s:%i/_matrix/key/v1" % (target, port)
+    keys = json.load(urllib2.urlopen(url))
+    verify_keys = {}
+    for key_id, key_base64 in keys["verify_keys"].items():
+        verify_key = decode_verify_key_bytes(key_id, decode_base64(key_base64))
+        verify_signed_json(keys, server_name, verify_key)
+        verify_keys[key_id] = verify_key
+    return verify_keys
+
+def main():
+
+    parser = argparse.ArgumentParser()
+    parser.add_argument("signature_name")
+    parser.add_argument("input_json", nargs="?", type=argparse.FileType('r'),
+                        default=sys.stdin)
+
+    args = parser.parse_args()
+    logging.basicConfig()
+
+    server_name = args.signature_name
+    keys = {}
+    for target, port in get_targets(server_name):
+        try:
+            keys = get_server_keys(server_name, target, port)
+            print "Using keys from https://%s:%s/_matrix/key/v1" % (target, port)
+            write_signing_keys(sys.stdout, keys.values())
+            break
+        except:
+            logging.exception("Error talking to %s:%s", target, port)
+
+    json_to_check = json.load(args.input_json)
+    print "Checking JSON:"
+    for key_id in json_to_check["signatures"][args.signature_name]:
+        try:
+            key = keys[key_id]
+            verify_signed_json(json_to_check, args.signature_name, key)
+            print "PASS %s" % (key_id,)
+        except:
+            logging.exception("Check for key %s failed" % (key_id,))
+            print "FAIL %s" % (key_id,)
+
+
+if __name__ == '__main__':
+    main()
+