Return a sha256 fingerprint rather than the entire tls certificate

3 files changed, 33 insertions, 3 deletions

diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py

index 5c77f308df..f1ac1c8fb3 100644
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@@ -19,6 +19,7 @@ from synapse.http.server import respond_with_json_bytes
 from syutil.crypto.jsonsign import sign_json
 from syutil.base64util import encode_base64
 from syutil.jsonutil import encode_canonical_json
+from hashlib import sha256
 from OpenSSL import crypto
 import logging
 
@@ -88,12 +89,17 @@ class LocalKey(Resource):
             crypto.FILETYPE_ASN1,
             self.config.tls_certificate
         )
+
+        sha256_fingerprint = sha256(x509_certificate_bytes).digest()
+
         json_object = {
-            u"expires": self.expires,
+            u"valid_until": self.expires,
             u"server_name": self.config.server_name,
             u"verify_keys": verify_keys,
             u"old_verify_keys": old_verify_keys,
-            u"tls_certificate": encode_base64(x509_certificate_bytes)
+            u"tls_fingerprints": [{
+                u"sha256": encode_base64(sha256_fingerprint),
+            }]
         }
         for key in self.config.signing_key:
             json_object = sign_json(
diff --git a/synapse/storage/__init__.py b/synapse/storage/__init__.py

index f4dec70393..09f24a5c8e 100644
--- a/synapse/storage/__init__.py
+++ b/synapse/storage/__init__.py
@@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)
 
 # Remember to update this number every time a change is made to database
 # schema files, so the users will be informed on server restarts.
-SCHEMA_VERSION = 15
+SCHEMA_VERSION = 16
 
 dir_path = os.path.abspath(os.path.dirname(__file__))
 
diff --git a/synapse/storage/schema/delta/16/server_keys.sql b/synapse/storage/schema/delta/16/server_keys.sql
new file mode 100644

index 0000000000..d9b10d87f3
--- /dev/null
+++ b/synapse/storage/schema/delta/16/server_keys.sql
@@ -0,0 +1,24 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+CREATE TABLE IF NOT EXISTS server_keys (
+    server_name TEXT, -- Server name.
+    key_id TEXT, -- Requested key id.
+    from_server TEXT, -- Which server the keys were fetched from.
+    ts_added_ms INTEGER, -- When the keys were fetched
+    ts_expires_ms INTEGER, -- When this version of the keys exipires.
+    key_json BLOB, -- JSON certificate for the remote server.
+    CONSTRAINT uniqueness UNIQUE (server_name, key_id)
+);