Return a sha256 fingerprint rather than the entire tls certificate

2015-04-14 19:10:09 +01:00 · 2015-04-14 19:10:09 +01:00 · 32e14d8181
parent d488463fa3
commit 32e14d8181
3 changed files with 33 additions and 3 deletions
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@ -19,6 +19,7 @@ from synapse.http.server import respond_with_json_bytes
 from syutil.crypto.jsonsign import sign_json
 from syutil.base64util import encode_base64
 from syutil.jsonutil import encode_canonical_json
+from hashlib import sha256
 from OpenSSL import crypto
 import logging

@ -88,12 +89,17 @@ class LocalKey(Resource):
            crypto.FILETYPE_ASN1,
            self.config.tls_certificate
        )
+
+        sha256_fingerprint = sha256(x509_certificate_bytes).digest()
+
        json_object = {
-            u"expires": self.expires,
+            u"valid_until": self.expires,
            u"server_name": self.config.server_name,
            u"verify_keys": verify_keys,
            u"old_verify_keys": old_verify_keys,
-            u"tls_certificate": encode_base64(x509_certificate_bytes)
+            u"tls_fingerprints": [{
+                u"sha256": encode_base64(sha256_fingerprint),
+            }]
        }
        for key in self.config.signing_key:
            json_object = sign_json(
--- a/synapse/storage/init.py
+++ b/synapse/storage/init.py
@ -51,7 +51,7 @@ logger = logging.getLogger(__name__)

 # Remember to update this number every time a change is made to database
 # schema files, so the users will be informed on server restarts.
-SCHEMA_VERSION = 15
+SCHEMA_VERSION = 16

 dir_path = os.path.abspath(os.path.dirname(__file__))

--- a/synapse/storage/schema/delta/16/server_keys.sql
+++ b/synapse/storage/schema/delta/16/server_keys.sql
@ -0,0 +1,24 @@
+/* Copyright 2015 OpenMarket Ltd
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+CREATE TABLE IF NOT EXISTS server_keys (
+    server_name TEXT, -- Server name.
+    key_id TEXT, -- Requested key id.
+    from_server TEXT, -- Which server the keys were fetched from.
+    ts_added_ms INTEGER, -- When the keys were fetched
+    ts_expires_ms INTEGER, -- When this version of the keys exipires.
+    key_json BLOB, -- JSON certificate for the remote server.
+    CONSTRAINT uniqueness UNIQUE (server_name, key_id)
+);