diff options
-rw-r--r-- | MANIFEST.in | 1 | ||||
-rw-r--r-- | docker/README.md | 6 | ||||
-rw-r--r-- | synapse/crypto/keyring.py | 31 |
3 files changed, 30 insertions, 8 deletions
diff --git a/MANIFEST.in b/MANIFEST.in index e2a6623a63..a8803f52e2 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -31,3 +31,4 @@ recursive-exclude jenkins *.sh prune .github prune demo/etc +prune docker diff --git a/docker/README.md b/docker/README.md index f60ea49234..8303a7fecd 100644 --- a/docker/README.md +++ b/docker/README.md @@ -12,9 +12,11 @@ within your control. ### Using docker-compose (easier) This image is designed to run either with an automatically generated configuration -file or with a custom configuration that requires manual edition. +file or with a custom configuration that requires manual editing. -An easy way to make use of this image is via docker-compose, see the (https://github.com/matrix-org/synapse/tree/develop/contrib/docker)[contrib] section of the synapse project for examples. +An easy way to make use of this image is via docker-compose. See the +(https://github.com/matrix-org/synapse/tree/develop/contrib/docker)[contrib] +section of the synapse project for examples. ### Without Compose (harder) diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py index 22ee0fc93f..9b17ef0a08 100644 --- a/synapse/crypto/keyring.py +++ b/synapse/crypto/keyring.py @@ -27,10 +27,12 @@ from synapse.util.metrics import Measure from twisted.internet import defer from signedjson.sign import ( - verify_signed_json, signature_ids, sign_json, encode_canonical_json + verify_signed_json, signature_ids, sign_json, encode_canonical_json, + SignatureVerifyException, ) from signedjson.key import ( - is_signing_algorithm_supported, decode_verify_key_bytes + is_signing_algorithm_supported, decode_verify_key_bytes, + encode_verify_key_base64, ) from unpaddedbase64 import decode_base64, encode_base64 @@ -56,7 +58,7 @@ Attributes: key_ids(set(str)): The set of key_ids to that could be used to verify the JSON object json_object(dict): The JSON object to verify. - deferred(twisted.internet.defer.Deferred): + deferred(Deferred[str, str, nacl.signing.VerifyKey]): A deferred (server_name, key_id, verify_key) tuple that resolves when a verify key has been fetched. The deferreds' callbacks are run with no logcontext. @@ -736,6 +738,17 @@ class Keyring(object): @defer.inlineCallbacks def _handle_key_deferred(verify_request): + """Waits for the key to become available, and then performs a verification + + Args: + verify_request (VerifyKeyRequest): + + Returns: + Deferred[None] + + Raises: + SynapseError if there was a problem performing the verification + """ server_name = verify_request.server_name try: with PreserveLoggingContext(): @@ -768,11 +781,17 @@ def _handle_key_deferred(verify_request): )) try: verify_signed_json(json_object, server_name, verify_key) - except Exception: + except SignatureVerifyException as e: + logger.debug( + "Error verifying signature for %s:%s:%s with key %s: %s", + server_name, verify_key.alg, verify_key.version, + encode_verify_key_base64(verify_key), + str(e), + ) raise SynapseError( 401, - "Invalid signature for server %s with key %s:%s" % ( - server_name, verify_key.alg, verify_key.version + "Invalid signature for server %s with key %s:%s: %s" % ( + server_name, verify_key.alg, verify_key.version, str(e), ), Codes.UNAUTHORIZED, ) |