summary refs log tree commit diff
path: root/synapse/config/key.py
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--synapse/config/key.py139
1 files changed, 61 insertions, 78 deletions
diff --git a/synapse/config/key.py b/synapse/config/key.py
index a2de6d5c17..a63f7d841b 100644
--- a/synapse/config/key.py
+++ b/synapse/config/key.py
@@ -24,44 +24,53 @@ from syutil.base64util import decode_base64
 
 class KeyConfig(Config):
 
-    def __init__(self, args):
-        super(KeyConfig, self).__init__(args)
-        self.signing_key = self.read_signing_key(args.signing_key_path)
+    def read_config(self, config):
+        self.signing_key = self.read_signing_key(config["signing_key_path"])
         self.old_signing_keys = self.read_old_signing_keys(
-            args.old_signing_key_path
+            config["old_signing_keys"]
+        )
+        self.key_refresh_interval = self.parse_duration(
+            config["key_refresh_interval"]
         )
-        self.key_refresh_interval = args.key_refresh_interval
         self.perspectives = self.read_perspectives(
-            args.perspectives_config_path
+            config["perspectives"]
         )
 
-    @classmethod
-    def add_arguments(cls, parser):
-        super(KeyConfig, cls).add_arguments(parser)
-        key_group = parser.add_argument_group("keys")
-        key_group.add_argument("--signing-key-path",
-                               help="The signing key to sign messages with")
-        key_group.add_argument("--old-signing-key-path",
-                               help="The keys that the server used to sign"
-                                    " sign messages with but won't use"
-                                    " to sign new messages. E.g. it has"
-                                    " lost its private key")
-        key_group.add_argument("--key-refresh-interval",
-                               default=24 * 60 * 60 * 1000,  # 1 Day
-                               help="How long a key response is valid for."
-                                    " Used to set the exipiry in /key/v2/."
-                                    " Controls how frequently servers will"
-                                    " query what keys are still valid")
-        key_group.add_argument("--perspectives-config-path",
-                               help="The trusted servers to download signing"
-                                    " keys from")
-
-    def read_perspectives(self, perspectives_config_path):
-        config = self.read_yaml_file(
-            perspectives_config_path, "perspectives_config_path"
-        )
+    def default_config(self, config_dir_path, server_name):
+        base_key_name = os.path.join(config_dir_path, server_name)
+        return """\
+        ## Signing Keys ##
+
+        # Path to the signing key to sign messages with
+        signing_key_path: "%(base_key_name)s.signing.key"
+
+        # The keys that the server used to sign messages with but won't use
+        # to sign new messages. E.g. it has lost its private key
+        old_signing_keys: {}
+        #  "ed25519:auto":
+        #    # Base64 encoded public key
+        #    key: "The public part of your old signing key."
+        #    # Millisecond POSIX timestamp when the key expired.
+        #    expired_ts: 123456789123
+
+        # How long key response published by this server is valid for.
+        # Used to set the valid_until_ts in /key/v2 APIs.
+        # Determines how quickly servers will query to check which keys
+        # are still valid.
+        key_refresh_interval: "1d" # 1 Day.
+
+        # The trusted servers to download signing keys from.
+        perspectives:
+          servers:
+            "matrix.org":
+              verify_keys:
+                "ed25519:auto":
+                  key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"
+        """ % locals()
+
+    def read_perspectives(self, perspectives_config):
         servers = {}
-        for server_name, server_config in config["servers"].items():
+        for server_name, server_config in perspectives_config["servers"].items():
             for key_id, key_data in server_config["verify_keys"].items():
                 if is_signing_algorithm_supported(key_id):
                     key_base64 = key_data["key"]
@@ -82,37 +91,31 @@ class KeyConfig(Config):
                 " Try running again with --generate-config"
             )
 
-    def read_old_signing_keys(self, old_signing_key_path):
-        old_signing_keys = self.read_file(
-            old_signing_key_path, "old_signing_key"
-        )
-        try:
-            return syutil.crypto.signing_key.read_old_signing_keys(
-                old_signing_keys.splitlines(True)
-            )
-        except Exception:
-            raise ConfigError(
-                "Error reading old signing keys."
-            )
-
-    @classmethod
-    def generate_config(cls, args, config_dir_path):
-        super(KeyConfig, cls).generate_config(args, config_dir_path)
-        base_key_name = os.path.join(config_dir_path, args.server_name)
-
-        args.pid_file = os.path.abspath(args.pid_file)
-
-        if not args.signing_key_path:
-            args.signing_key_path = base_key_name + ".signing.key"
+    def read_old_signing_keys(self, old_signing_keys):
+        keys = {}
+        for key_id, key_data in old_signing_keys.items():
+            if is_signing_algorithm_supported(key_id):
+                key_base64 = key_data["key"]
+                key_bytes = decode_base64(key_base64)
+                verify_key = decode_verify_key_bytes(key_id, key_bytes)
+                verify_key.expired_ts = key_data["expired_ts"]
+                keys[key_id] = verify_key
+            else:
+                raise ConfigError(
+                    "Unsupported signing algorithm for old key: %r" % (key_id,)
+                )
+        return keys
 
-        if not os.path.exists(args.signing_key_path):
-            with open(args.signing_key_path, "w") as signing_key_file:
+    def generate_keys(self, config):
+        signing_key_path = config["signing_key_path"]
+        if not os.path.exists(signing_key_path):
+            with open(signing_key_path, "w") as signing_key_file:
                 syutil.crypto.signing_key.write_signing_keys(
                     signing_key_file,
                     (syutil.crypto.signing_key.generate_signing_key("auto"),),
                 )
         else:
-            signing_keys = cls.read_file(args.signing_key_path, "signing_key")
+            signing_keys = self.read_file(signing_key_path, "signing_key")
             if len(signing_keys.split("\n")[0].split()) == 1:
                 # handle keys in the old format.
                 key = syutil.crypto.signing_key.decode_signing_key_base64(
@@ -120,28 +123,8 @@ class KeyConfig(Config):
                     "auto",
                     signing_keys.split("\n")[0]
                 )
-                with open(args.signing_key_path, "w") as signing_key_file:
+                with open(signing_key_path, "w") as signing_key_file:
                     syutil.crypto.signing_key.write_signing_keys(
                         signing_key_file,
                         (key,),
                     )
-
-        if not args.old_signing_key_path:
-            args.old_signing_key_path = base_key_name + ".old.signing.keys"
-
-        if not os.path.exists(args.old_signing_key_path):
-            with open(args.old_signing_key_path, "w"):
-                pass
-
-        if not args.perspectives_config_path:
-            args.perspectives_config_path = base_key_name + ".perspectives"
-
-        if not os.path.exists(args.perspectives_config_path):
-            with open(args.perspectives_config_path, "w") as perspectives_file:
-                perspectives_file.write(
-                    'servers:\n'
-                    '  matrix.org:\n'
-                    '    verify_keys:\n'
-                    '      "ed25519:auto":\n'
-                    '         key: "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"\n'
-                )