Merge pull request #312 from matrix-org/daniel/3pidinvites

Stuff signed data in a standalone object
author: Daniel Wagner-Hall <dawagner@gmail.com> 2015-10-19 15:52:34 +0100
committer: Daniel Wagner-Hall <dawagner@gmail.com> 2015-10-19 15:52:34 +0100
commit: 9261ef3a15583bc8d07077ecf59c026909c3623e (patch)
tree: 3494e17d08a857013ca09c94dcfe8824564bc27d /synapse
parent: Merge pull request #307 from matrix-org/erikj/search (diff)
parent: Stuff signed data in a standalone object (diff)
download: synapse-9261ef3a15583bc8d07077ecf59c026909c3623e.tar.xz
2 files changed, 15 insertions, 8 deletions
diff --git a/synapse/api/auth.py b/synapse/api/auth.py
index 5c83aafa7d..cf19eda4e9 100644
--- a/synapse/api/auth.py
+++ b/synapse/api/auth.py
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 """This module contains classes for authenticating the user."""
-from nacl.exceptions import BadSignatureError
+from signedjson.key import decode_verify_key_bytes
+from signedjson.sign import verify_signed_json, SignatureVerifyException
 
 from twisted.internet import defer
 
@@ -26,7 +27,6 @@ from synapse.util import third_party_invites
 from unpaddedbase64 import decode_base64
 
 import logging
-import nacl.signing
 import pymacaroons
 
 logger = logging.getLogger(__name__)
@@ -416,16 +416,23 @@ class Auth(object):
                     key_validity_url
                 )
                 return False
-            for _, signature_block in join_third_party_invite["signatures"].items():
+            signed = join_third_party_invite["signed"]
+            if signed["mxid"] != event.user_id:
+                return False
+            if signed["token"] != token:
+                return False
+            for server, signature_block in signed["signatures"].items():
                 for key_name, encoded_signature in signature_block.items():
                     if not key_name.startswith("ed25519:"):
                         return False
-                    verify_key = nacl.signing.VerifyKey(decode_base64(public_key))
-                    signature = decode_base64(encoded_signature)
-                    verify_key.verify(token, signature)
+                    verify_key = decode_verify_key_bytes(
+                        key_name,
+                        decode_base64(public_key)
+                    )
+                    verify_signed_json(signed, server, verify_key)
                     return True
             return False
-        except (KeyError, BadSignatureError,):
+        except (KeyError, SignatureVerifyException,):
             return False
 
     def _get_power_level_event(self, auth_events):
diff --git a/synapse/util/third_party_invites.py b/synapse/util/third_party_invites.py
index 792db5ba39..31d186740d 100644
--- a/synapse/util/third_party_invites.py
+++ b/synapse/util/third_party_invites.py
@@ -23,8 +23,8 @@ JOIN_KEYS = {
     "token",
     "public_key",
     "key_validity_url",
-    "signatures",
     "sender",
+    "signed",
 }
author	Daniel Wagner-Hall <dawagner@gmail.com>	2015-10-19 15:52:34 +0100
committer	Daniel Wagner-Hall <dawagner@gmail.com>	2015-10-19 15:52:34 +0100
commit	9261ef3a15583bc8d07077ecf59c026909c3623e (patch)
tree	3494e17d08a857013ca09c94dcfe8824564bc27d /synapse
parent	Merge pull request #307 from matrix-org/erikj/search (diff)
parent	Stuff signed data in a standalone object (diff)
download	synapse-9261ef3a15583bc8d07077ecf59c026909c3623e.tar.xz