diff --git a/synapse/crypto/keyclient.py b/synapse/crypto/keyclient.py
index c11df5c529..5949ea0573 100644
--- a/synapse/crypto/keyclient.py
+++ b/synapse/crypto/keyclient.py
@@ -15,9 +15,10 @@
from twisted.web.http import HTTPClient
+from twisted.internet.protocol import Factory
from twisted.internet import defer, reactor
-from twisted.internet.protocol import ClientFactory
-from twisted.names.srvconnect import SRVConnector
+from twisted.internet.endpoints import connectProtocol
+from synapse.http.endpoint import matrix_endpoint
import json
import logging
@@ -30,15 +31,19 @@ def fetch_server_key(server_name, ssl_context_factory):
"""Fetch the keys for a remote server."""
factory = SynapseKeyClientFactory()
+ endpoint = matrix_endpoint(
+ reactor, server_name, ssl_context_factory, timeout=30
+ )
- SRVConnector(
- reactor, "matrix", server_name, factory,
- protocol="tcp", connectFuncName="connectSSL", defaultPort=443,
- connectFuncKwArgs=dict(contextFactory=ssl_context_factory)).connect()
-
- server_key, server_certificate = yield factory.remote_key
-
- defer.returnValue((server_key, server_certificate))
+ for i in range(5):
+ try:
+ protocol = yield endpoint.connect(factory)
+ server_response, server_certificate = yield protocol.remote_key
+ defer.returnValue((server_response, server_certificate))
+ return
+ except Exception as e:
+ logger.exception(e)
+ raise IOError("Cannot get key for %s" % server_name)
class SynapseKeyClientError(Exception):
@@ -51,69 +56,47 @@ class SynapseKeyClientProtocol(HTTPClient):
the server and extracts the X.509 certificate for the remote peer from the
SSL connection."""
+ timeout = 30
+
+ def __init__(self):
+ self.remote_key = defer.Deferred()
+
def connectionMade(self):
logger.debug("Connected to %s", self.transport.getHost())
- self.sendCommand(b"GET", b"/key")
+ self.sendCommand(b"GET", b"/_matrix/key/v1/")
self.endHeaders()
self.timer = reactor.callLater(
- self.factory.timeout_seconds,
+ self.timeout,
self.on_timeout
)
def handleStatus(self, version, status, message):
if status != b"200":
- logger.info("Non-200 response from %s: %s %s",
- self.transport.getHost(), status, message)
+ #logger.info("Non-200 response from %s: %s %s",
+ # self.transport.getHost(), status, message)
self.transport.abortConnection()
def handleResponse(self, response_body_bytes):
try:
json_response = json.loads(response_body_bytes)
except ValueError:
- logger.info("Invalid JSON response from %s",
- self.transport.getHost())
+ #logger.info("Invalid JSON response from %s",
+ # self.transport.getHost())
self.transport.abortConnection()
return
certificate = self.transport.getPeerCertificate()
- self.factory.on_remote_key((json_response, certificate))
+ self.remote_key.callback((json_response, certificate))
self.transport.abortConnection()
self.timer.cancel()
def on_timeout(self):
logger.debug("Timeout waiting for response from %s",
self.transport.getHost())
+ self.remote_key.errback(IOError("Timeout waiting for response"))
self.transport.abortConnection()
-class SynapseKeyClientFactory(ClientFactory):
+class SynapseKeyClientFactory(Factory):
protocol = SynapseKeyClientProtocol
- max_retries = 5
- timeout_seconds = 30
-
- def __init__(self):
- self.succeeded = False
- self.retries = 0
- self.remote_key = defer.Deferred()
- def on_remote_key(self, key):
- self.succeeded = True
- self.remote_key.callback(key)
-
- def retry_connection(self, connector):
- self.retries += 1
- if self.retries < self.max_retries:
- connector.connector = None
- connector.connect()
- else:
- self.remote_key.errback(
- SynapseKeyClientError("Max retries exceeded"))
-
- def clientConnectionFailed(self, connector, reason):
- logger.info("Connection failed %s", reason)
- self.retry_connection(connector)
-
- def clientConnectionLost(self, connector, reason):
- logger.info("Connection lost %s", reason)
- if not self.succeeded:
- self.retry_connection(connector)
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
new file mode 100644
index 0000000000..015f76ebe3
--- /dev/null
+++ b/synapse/crypto/keyring.py
@@ -0,0 +1,154 @@
+# -*- coding: utf-8 -*-
+# Copyright 2014 OpenMarket Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from synapse.crypto.keyclient import fetch_server_key
+from twisted.internet import defer
+from syutil.crypto.jsonsign import verify_signed_json, signature_ids
+from syutil.crypto.signing_key import (
+ is_signing_algorithm_supported, decode_verify_key_bytes
+)
+from syutil.base64util import decode_base64, encode_base64
+from synapse.api.errors import SynapseError, Codes
+
+from OpenSSL import crypto
+
+import logging
+
+
+logger = logging.getLogger(__name__)
+
+
+class Keyring(object):
+ def __init__(self, hs):
+ self.store = hs.get_datastore()
+ self.clock = hs.get_clock()
+ self.hs = hs
+
+ @defer.inlineCallbacks
+ def verify_json_for_server(self, server_name, json_object):
+ key_ids = signature_ids(json_object, server_name)
+ if not key_ids:
+ raise SynapseError(
+ 400,
+ "Not signed with a supported algorithm",
+ Codes.UNAUTHORIZED,
+ )
+ try:
+ verify_key = yield self.get_server_verify_key(server_name, key_ids)
+ except IOError:
+ raise SynapseError(
+ 502,
+ "Error downloading keys for %s" % (server_name,),
+ Codes.UNAUTHORIZED,
+ )
+ except:
+ raise SynapseError(
+ 401,
+ "No key for %s with id %s" % (server_name, key_ids),
+ Codes.UNAUTHORIZED,
+ )
+ try:
+ verify_signed_json(json_object, server_name, verify_key)
+ except:
+ raise SynapseError(
+ 401,
+ "Invalid signature for server %s with key %s:%s" % (
+ server_name, verify_key.alg, verify_key.version
+ ),
+ Codes.UNAUTHORIZED,
+ )
+
+ @defer.inlineCallbacks
+ def get_server_verify_key(self, server_name, key_ids):
+ """Finds a verification key for the server with one of the key ids.
+ Args:
+ server_name (str): The name of the server to fetch a key for.
+ keys_ids (list of str): The key_ids to check for.
+ """
+
+ # Check the datastore to see if we have one cached.
+ cached = yield self.store.get_server_verify_keys(server_name, key_ids)
+
+ if cached:
+ defer.returnValue(cached[0])
+ return
+
+ # Try to fetch the key from the remote server.
+ # TODO(markjh): Ratelimit requests to a given server.
+
+ (response, tls_certificate) = yield fetch_server_key(
+ server_name, self.hs.tls_context_factory
+ )
+
+ # Check the response.
+
+ x509_certificate_bytes = crypto.dump_certificate(
+ crypto.FILETYPE_ASN1, tls_certificate
+ )
+
+ if ("signatures" not in response
+ or server_name not in response["signatures"]):
+ raise ValueError("Key response not signed by remote server")
+
+ if "tls_certificate" not in response:
+ raise ValueError("Key response missing TLS certificate")
+
+ tls_certificate_b64 = response["tls_certificate"]
+
+ if encode_base64(x509_certificate_bytes) != tls_certificate_b64:
+ raise ValueError("TLS certificate doesn't match")
+
+ verify_keys = {}
+ for key_id, key_base64 in response["verify_keys"].items():
+ if is_signing_algorithm_supported(key_id):
+ key_bytes = decode_base64(key_base64)
+ verify_key = decode_verify_key_bytes(key_id, key_bytes)
+ verify_keys[key_id] = verify_key
+
+ for key_id in response["signatures"][server_name]:
+ if key_id not in response["verify_keys"]:
+ raise ValueError(
+ "Key response must include verification keys for all"
+ " signatures"
+ )
+ if key_id in verify_keys:
+ verify_signed_json(
+ response,
+ server_name,
+ verify_keys[key_id]
+ )
+
+ # Cache the result in the datastore.
+
+ time_now_ms = self.clock.time_msec()
+
+ self.store.store_server_certificate(
+ server_name,
+ server_name,
+ time_now_ms,
+ tls_certificate,
+ )
+
+ for key_id, key in verify_keys.items():
+ self.store.store_server_verify_key(
+ server_name, server_name, time_now_ms, key
+ )
+
+ for key_id in key_ids:
+ if key_id in verify_keys:
+ defer.returnValue(verify_keys[key_id])
+ return
+
+ raise ValueError("No verification key found for given key ids")
diff --git a/synapse/crypto/keyserver.py b/synapse/crypto/keyserver.py
deleted file mode 100644
index a23484dbae..0000000000
--- a/synapse/crypto/keyserver.py
+++ /dev/null
@@ -1,111 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2014 OpenMarket Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-from twisted.internet import reactor, ssl
-from twisted.web import server
-from twisted.web.resource import Resource
-from twisted.python.log import PythonLoggingObserver
-
-from synapse.crypto.resource.key import LocalKey
-from synapse.crypto.config import load_config
-
-from syutil.base64util import decode_base64
-
-from OpenSSL import crypto, SSL
-
-import logging
-import nacl.signing
-import sys
-
-
-class KeyServerSSLContextFactory(ssl.ContextFactory):
- """Factory for PyOpenSSL SSL contexts that are used to handle incoming
- connections and to make connections to remote servers."""
-
- def __init__(self, key_server):
- self._context = SSL.Context(SSL.SSLv23_METHOD)
- self.configure_context(self._context, key_server)
-
- @staticmethod
- def configure_context(context, key_server):
- context.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
- context.use_certificate(key_server.tls_certificate)
- context.use_privatekey(key_server.tls_private_key)
- context.load_tmp_dh(key_server.tls_dh_params_path)
- context.set_cipher_list("!ADH:HIGH+kEDH:!AECDH:HIGH+kEECDH")
-
- def getContext(self):
- return self._context
-
-
-class KeyServer(object):
- """An HTTPS server serving LocalKey and RemoteKey resources."""
-
- def __init__(self, server_name, tls_certificate_path, tls_private_key_path,
- tls_dh_params_path, signing_key_path, bind_host, bind_port):
- self.server_name = server_name
- self.tls_certificate = self.read_tls_certificate(tls_certificate_path)
- self.tls_private_key = self.read_tls_private_key(tls_private_key_path)
- self.tls_dh_params_path = tls_dh_params_path
- self.signing_key = self.read_signing_key(signing_key_path)
- self.bind_host = bind_host
- self.bind_port = int(bind_port)
- self.ssl_context_factory = KeyServerSSLContextFactory(self)
-
- @staticmethod
- def read_tls_certificate(cert_path):
- with open(cert_path) as cert_file:
- cert_pem = cert_file.read()
- return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
-
- @staticmethod
- def read_tls_private_key(private_key_path):
- with open(private_key_path) as private_key_file:
- private_key_pem = private_key_file.read()
- return crypto.load_privatekey(crypto.FILETYPE_PEM, private_key_pem)
-
- @staticmethod
- def read_signing_key(signing_key_path):
- with open(signing_key_path) as signing_key_file:
- signing_key_b64 = signing_key_file.read()
- signing_key_bytes = decode_base64(signing_key_b64)
- return nacl.signing.SigningKey(signing_key_bytes)
-
- def run(self):
- root = Resource()
- root.putChild("key", LocalKey(self))
- site = server.Site(root)
- reactor.listenSSL(
- self.bind_port,
- site,
- self.ssl_context_factory,
- interface=self.bind_host
- )
-
- logging.basicConfig(level=logging.DEBUG)
- observer = PythonLoggingObserver()
- observer.start()
-
- reactor.run()
-
-
-def main():
- key_server = KeyServer(**load_config(__doc__, sys.argv[1:]))
- key_server.run()
-
-
-if __name__ == "__main__":
- main()
diff --git a/synapse/crypto/resource/__init__.py b/synapse/crypto/resource/__init__.py
deleted file mode 100644
index 9bff9ec169..0000000000
--- a/synapse/crypto/resource/__init__.py
+++ /dev/null
@@ -1,15 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2014 OpenMarket Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
diff --git a/synapse/crypto/resource/key.py b/synapse/crypto/resource/key.py
deleted file mode 100644
index 48d14b9f4a..0000000000
--- a/synapse/crypto/resource/key.py
+++ /dev/null
@@ -1,161 +0,0 @@
-# -*- coding: utf-8 -*-
-# Copyright 2014 OpenMarket Ltd
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-from twisted.web.resource import Resource
-from twisted.web.server import NOT_DONE_YET
-from twisted.internet import defer
-from synapse.http.server import respond_with_json_bytes
-from synapse.crypto.keyclient import fetch_server_key
-from syutil.crypto.jsonsign import sign_json, verify_signed_json
-from syutil.base64util import encode_base64, decode_base64
-from syutil.jsonutil import encode_canonical_json
-from OpenSSL import crypto
-from nacl.signing import VerifyKey
-import logging
-
-
-logger = logging.getLogger(__name__)
-
-
-class LocalKey(Resource):
- """HTTP resource containing encoding the TLS X.509 certificate and NACL
- signature verification keys for this server::
-
- GET /key HTTP/1.1
-
- HTTP/1.1 200 OK
- Content-Type: application/json
- {
- "server_name": "this.server.example.com"
- "signature_verify_key": # base64 encoded NACL verification key.
- "tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
- "signatures": {
- "this.server.example.com": # NACL signature for this server.
- }
- }
- """
-
- def __init__(self, key_server):
- self.key_server = key_server
- self.response_body = encode_canonical_json(
- self.response_json_object(key_server)
- )
- Resource.__init__(self)
-
- @staticmethod
- def response_json_object(key_server):
- verify_key_bytes = key_server.signing_key.verify_key.encode()
- x509_certificate_bytes = crypto.dump_certificate(
- crypto.FILETYPE_ASN1,
- key_server.tls_certificate
- )
- json_object = {
- u"server_name": key_server.server_name,
- u"signature_verify_key": encode_base64(verify_key_bytes),
- u"tls_certificate": encode_base64(x509_certificate_bytes)
- }
- signed_json = sign_json(
- json_object,
- key_server.server_name,
- key_server.signing_key
- )
- return signed_json
-
- def getChild(self, name, request):
- logger.info("getChild %s %s", name, request)
- if name == '':
- return self
- else:
- return RemoteKey(name, self.key_server)
-
- def render_GET(self, request):
- return respond_with_json_bytes(request, 200, self.response_body)
-
-
-class RemoteKey(Resource):
- """HTTP resource for retreiving the TLS certificate and NACL signature
- verification keys for a another server. Checks that the reported X.509 TLS
- certificate matches the one used in the HTTPS connection. Checks that the
- NACL signature for the remote server is valid. Returns JSON signed by both
- the remote server and by this server.
-
- GET /key/remote.server.example.com HTTP/1.1
-
- HTTP/1.1 200 OK
- Content-Type: application/json
- {
- "server_name": "remote.server.example.com"
- "signature_verify_key": # base64 encoded NACL verification key.
- "tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
- "signatures": {
- "remote.server.example.com": # NACL signature for remote server.
- "this.server.example.com": # NACL signature for this server.
- }
- }
- """
-
- isLeaf = True
-
- def __init__(self, server_name, key_server):
- self.server_name = server_name
- self.key_server = key_server
- Resource.__init__(self)
-
- def render_GET(self, request):
- self._async_render_GET(request)
- return NOT_DONE_YET
-
- @defer.inlineCallbacks
- def _async_render_GET(self, request):
- try:
- server_keys, certificate = yield fetch_server_key(
- self.server_name,
- self.key_server.ssl_context_factory
- )
-
- resp_server_name = server_keys[u"server_name"]
- verify_key_b64 = server_keys[u"signature_verify_key"]
- tls_certificate_b64 = server_keys[u"tls_certificate"]
- verify_key = VerifyKey(decode_base64(verify_key_b64))
-
- if resp_server_name != self.server_name:
- raise ValueError("Wrong server name '%s' != '%s'" %
- (resp_server_name, self.server_name))
-
- x509_certificate_bytes = crypto.dump_certificate(
- crypto.FILETYPE_ASN1,
- certificate
- )
-
- if encode_base64(x509_certificate_bytes) != tls_certificate_b64:
- raise ValueError("TLS certificate doesn't match")
-
- verify_signed_json(server_keys, self.server_name, verify_key)
-
- signed_json = sign_json(
- server_keys,
- self.key_server.server_name,
- self.key_server.signing_key
- )
-
- json_bytes = encode_canonical_json(signed_json)
- respond_with_json_bytes(request, 200, json_bytes)
-
- except Exception as e:
- json_bytes = encode_canonical_json({
- u"error": {u"code": 502, u"message": e.message}
- })
- respond_with_json_bytes(request, 502, json_bytes)
|
