diff options
Diffstat (limited to 'synapse/storage')
-rw-r--r-- | synapse/storage/__init__.py | 1 | ||||
-rw-r--r-- | synapse/storage/keys.py | 75 | ||||
-rw-r--r-- | synapse/storage/schema/keys.sql | 13 |
3 files changed, 52 insertions, 37 deletions
diff --git a/synapse/storage/__init__.py b/synapse/storage/__init__.py index 66658f6721..ef98b6a444 100644 --- a/synapse/storage/__init__.py +++ b/synapse/storage/__init__.py @@ -56,6 +56,7 @@ SCHEMAS = [ "presence", "im", "room_aliases", + "keys", ] diff --git a/synapse/storage/keys.py b/synapse/storage/keys.py index 5a38c3e8f2..253dc17be2 100644 --- a/synapse/storage/keys.py +++ b/synapse/storage/keys.py @@ -18,7 +18,8 @@ from _base import SQLBaseStore from twisted.internet import defer import OpenSSL -import nacl.signing +from syutil.crypto.signing_key import decode_verify_key_bytes +import hashlib class KeyStore(SQLBaseStore): """Persistence for signature verification keys and tls X.509 certificates @@ -42,62 +43,74 @@ class KeyStore(SQLBaseStore): ) defer.returnValue(tls_certificate) - def store_server_certificate(self, server_name, key_server, ts_now_ms, + def store_server_certificate(self, server_name, from_server, time_now_ms, tls_certificate): """Stores the TLS X.509 certificate for the given server Args: - server_name (bytes): The name of the server. - key_server (bytes): Where the certificate was looked up - ts_now_ms (int): The time now in milliseconds + server_name (str): The name of the server. + from_server (str): Where the certificate was looked up + time_now_ms (int): The time now in milliseconds tls_certificate (OpenSSL.crypto.X509): The X.509 certificate. """ tls_certificate_bytes = OpenSSL.crypto.dump_certificate( OpenSSL.crypto.FILETYPE_ASN1, tls_certificate ) + fingerprint = hashlib.sha256(tls_certificate_bytes).hexdigest() return self._simple_insert( table="server_tls_certificates", - keyvalues={ + values={ "server_name": server_name, - "key_server": key_server, - "ts_added_ms": ts_now_ms, - "tls_certificate": tls_certificate_bytes, + "fingerprint": fingerprint, + "from_server": from_server, + "ts_added_ms": time_now_ms, + "tls_certificate": buffer(tls_certificate_bytes), }, ) @defer.inlineCallbacks - def get_server_verification_key(self, server_name): - """Retrieve the NACL verification key for a given server + def get_server_verify_keys(self, server_name, key_ids): + """Retrieve the NACL verification key for a given server for the given + key_ids Args: - server_name (bytes): The name of the server. + server_name (str): The name of the server. + key_ids (list of str): List of key_ids to try and look up. Returns: - (nacl.signing.VerifyKey): The verification key. + (list of VerifyKey): The verification keys. """ - verification_key_bytes, = yield self._simple_select_one( - table="server_signature_keys", - key_values={"server_name": server_name}, - retcols=("tls_certificate",), + sql = ( + "SELECT key_id, verify_key FROM server_signature_keys" + " WHERE server_name = ?" + " AND key_id in (" + ",".join("?" for key_id in key_ids) + ")" ) - verification_key = nacl.signing.VerifyKey(verification_key_bytes) - defer.returnValue(verification_key) - def store_server_verification_key(self, server_name, key_version, - key_server, ts_now_ms, verification_key): + rows = yield self._execute_and_decode(sql, server_name, *key_ids) + + keys = [] + for row in rows: + key_id = row["key_id"] + key_bytes = row["verify_key"] + key = decode_verify_key_bytes(key_id, str(key_bytes)) + keys.append(key) + defer.returnValue(keys) + + def store_server_verify_key(self, server_name, from_server, time_now_ms, + verify_key): """Stores a NACL verification key for the given server. Args: - server_name (bytes): The name of the server. - key_version (bytes): The version of the key for the server. - key_server (bytes): Where the verification key was looked up + server_name (str): The name of the server. + key_id (str): The version of the key for the server. + from_server (str): Where the verification key was looked up ts_now_ms (int): The time now in milliseconds - verification_key (nacl.signing.VerifyKey): The NACL verify key. + verification_key (VerifyKey): The NACL verify key. """ - verification_key_bytes = verification_key.encode() + verify_key_bytes = verify_key.encode() return self._simple_insert( table="server_signature_keys", - key_values={ + values={ "server_name": server_name, - "key_version": key_version, - "key_server": key_server, - "ts_added_ms": ts_now_ms, - "verification_key": verification_key_bytes, + "key_id": "%s:%s" % (verify_key.alg, verify_key.version), + "from_server": from_server, + "ts_added_ms": time_now_ms, + "verify_key": buffer(verify_key.encode()), }, ) diff --git a/synapse/storage/schema/keys.sql b/synapse/storage/schema/keys.sql index 706a1a03ff..9bf2068d84 100644 --- a/synapse/storage/schema/keys.sql +++ b/synapse/storage/schema/keys.sql @@ -14,17 +14,18 @@ */ CREATE TABLE IF NOT EXISTS server_tls_certificates( server_name TEXT, -- Server name. - key_server TEXT, -- Which key server the certificate was fetched from. + fingerprint TEXT, -- Certificate fingerprint. + from_server TEXT, -- Which key server the certificate was fetched from. ts_added_ms INTEGER, -- When the certifcate was added. tls_certificate BLOB, -- DER encoded x509 certificate. - CONSTRAINT uniqueness UNIQUE (server_name) + CONSTRAINT uniqueness UNIQUE (server_name, fingerprint) ); CREATE TABLE IF NOT EXISTS server_signature_keys( server_name TEXT, -- Server name. - key_version TEXT, -- Key version. - key_server TEXT, -- Which key server the key was fetched form. + key_id TEXT, -- Key version. + from_server TEXT, -- Which key server the key was fetched form. ts_added_ms INTEGER, -- When the key was added. - verification_key BLOB, -- NACL verification key. - CONSTRAINT uniqueness UNIQUE (server_name, key_version) + verify_key BLOB, -- NACL verification key. + CONSTRAINT uniqueness UNIQUE (server_name, key_id) ); |