diff --git a/synapse/storage/__init__.py b/synapse/storage/__init__.py
index 66658f6721..ef98b6a444 100644
--- a/synapse/storage/__init__.py
+++ b/synapse/storage/__init__.py
@@ -56,6 +56,7 @@ SCHEMAS = [
"presence",
"im",
"room_aliases",
+ "keys",
]
diff --git a/synapse/storage/keys.py b/synapse/storage/keys.py
index 5a38c3e8f2..253dc17be2 100644
--- a/synapse/storage/keys.py
+++ b/synapse/storage/keys.py
@@ -18,7 +18,8 @@ from _base import SQLBaseStore
from twisted.internet import defer
import OpenSSL
-import nacl.signing
+from syutil.crypto.signing_key import decode_verify_key_bytes
+import hashlib
class KeyStore(SQLBaseStore):
"""Persistence for signature verification keys and tls X.509 certificates
@@ -42,62 +43,74 @@ class KeyStore(SQLBaseStore):
)
defer.returnValue(tls_certificate)
- def store_server_certificate(self, server_name, key_server, ts_now_ms,
+ def store_server_certificate(self, server_name, from_server, time_now_ms,
tls_certificate):
"""Stores the TLS X.509 certificate for the given server
Args:
- server_name (bytes): The name of the server.
- key_server (bytes): Where the certificate was looked up
- ts_now_ms (int): The time now in milliseconds
+ server_name (str): The name of the server.
+ from_server (str): Where the certificate was looked up
+ time_now_ms (int): The time now in milliseconds
tls_certificate (OpenSSL.crypto.X509): The X.509 certificate.
"""
tls_certificate_bytes = OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_ASN1, tls_certificate
)
+ fingerprint = hashlib.sha256(tls_certificate_bytes).hexdigest()
return self._simple_insert(
table="server_tls_certificates",
- keyvalues={
+ values={
"server_name": server_name,
- "key_server": key_server,
- "ts_added_ms": ts_now_ms,
- "tls_certificate": tls_certificate_bytes,
+ "fingerprint": fingerprint,
+ "from_server": from_server,
+ "ts_added_ms": time_now_ms,
+ "tls_certificate": buffer(tls_certificate_bytes),
},
)
@defer.inlineCallbacks
- def get_server_verification_key(self, server_name):
- """Retrieve the NACL verification key for a given server
+ def get_server_verify_keys(self, server_name, key_ids):
+ """Retrieve the NACL verification key for a given server for the given
+ key_ids
Args:
- server_name (bytes): The name of the server.
+ server_name (str): The name of the server.
+ key_ids (list of str): List of key_ids to try and look up.
Returns:
- (nacl.signing.VerifyKey): The verification key.
+ (list of VerifyKey): The verification keys.
"""
- verification_key_bytes, = yield self._simple_select_one(
- table="server_signature_keys",
- key_values={"server_name": server_name},
- retcols=("tls_certificate",),
+ sql = (
+ "SELECT key_id, verify_key FROM server_signature_keys"
+ " WHERE server_name = ?"
+ " AND key_id in (" + ",".join("?" for key_id in key_ids) + ")"
)
- verification_key = nacl.signing.VerifyKey(verification_key_bytes)
- defer.returnValue(verification_key)
- def store_server_verification_key(self, server_name, key_version,
- key_server, ts_now_ms, verification_key):
+ rows = yield self._execute_and_decode(sql, server_name, *key_ids)
+
+ keys = []
+ for row in rows:
+ key_id = row["key_id"]
+ key_bytes = row["verify_key"]
+ key = decode_verify_key_bytes(key_id, str(key_bytes))
+ keys.append(key)
+ defer.returnValue(keys)
+
+ def store_server_verify_key(self, server_name, from_server, time_now_ms,
+ verify_key):
"""Stores a NACL verification key for the given server.
Args:
- server_name (bytes): The name of the server.
- key_version (bytes): The version of the key for the server.
- key_server (bytes): Where the verification key was looked up
+ server_name (str): The name of the server.
+ key_id (str): The version of the key for the server.
+ from_server (str): Where the verification key was looked up
ts_now_ms (int): The time now in milliseconds
- verification_key (nacl.signing.VerifyKey): The NACL verify key.
+ verification_key (VerifyKey): The NACL verify key.
"""
- verification_key_bytes = verification_key.encode()
+ verify_key_bytes = verify_key.encode()
return self._simple_insert(
table="server_signature_keys",
- key_values={
+ values={
"server_name": server_name,
- "key_version": key_version,
- "key_server": key_server,
- "ts_added_ms": ts_now_ms,
- "verification_key": verification_key_bytes,
+ "key_id": "%s:%s" % (verify_key.alg, verify_key.version),
+ "from_server": from_server,
+ "ts_added_ms": time_now_ms,
+ "verify_key": buffer(verify_key.encode()),
},
)
diff --git a/synapse/storage/schema/keys.sql b/synapse/storage/schema/keys.sql
index 706a1a03ff..9bf2068d84 100644
--- a/synapse/storage/schema/keys.sql
+++ b/synapse/storage/schema/keys.sql
@@ -14,17 +14,18 @@
*/
CREATE TABLE IF NOT EXISTS server_tls_certificates(
server_name TEXT, -- Server name.
- key_server TEXT, -- Which key server the certificate was fetched from.
+ fingerprint TEXT, -- Certificate fingerprint.
+ from_server TEXT, -- Which key server the certificate was fetched from.
ts_added_ms INTEGER, -- When the certifcate was added.
tls_certificate BLOB, -- DER encoded x509 certificate.
- CONSTRAINT uniqueness UNIQUE (server_name)
+ CONSTRAINT uniqueness UNIQUE (server_name, fingerprint)
);
CREATE TABLE IF NOT EXISTS server_signature_keys(
server_name TEXT, -- Server name.
- key_version TEXT, -- Key version.
- key_server TEXT, -- Which key server the key was fetched form.
+ key_id TEXT, -- Key version.
+ from_server TEXT, -- Which key server the key was fetched form.
ts_added_ms INTEGER, -- When the key was added.
- verification_key BLOB, -- NACL verification key.
- CONSTRAINT uniqueness UNIQUE (server_name, key_version)
+ verify_key BLOB, -- NACL verification key.
+ CONSTRAINT uniqueness UNIQUE (server_name, key_id)
);
|
