Merge pull request #1167 from matrix-org/markjh/fingerprints
Add config option for adding additional TLS fingerprintspull/1176/head
commit
9e18e0b1cb
|
@ -19,6 +19,9 @@ from OpenSSL import crypto
|
|||
import subprocess
|
||||
import os
|
||||
|
||||
from hashlib import sha256
|
||||
from unpaddedbase64 import encode_base64
|
||||
|
||||
GENERATE_DH_PARAMS = False
|
||||
|
||||
|
||||
|
@ -42,6 +45,19 @@ class TlsConfig(Config):
|
|||
config.get("tls_dh_params_path"), "tls_dh_params"
|
||||
)
|
||||
|
||||
self.tls_fingerprints = config["tls_fingerprints"]
|
||||
|
||||
# Check that our own certificate is included in the list of fingerprints
|
||||
# and include it if it is not.
|
||||
x509_certificate_bytes = crypto.dump_certificate(
|
||||
crypto.FILETYPE_ASN1,
|
||||
self.tls_certificate
|
||||
)
|
||||
sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
|
||||
sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints)
|
||||
if sha256_fingerprint not in sha256_fingerprints:
|
||||
self.tls_fingerprints.append({u"sha256": sha256_fingerprint})
|
||||
|
||||
# This config option applies to non-federation HTTP clients
|
||||
# (e.g. for talking to recaptcha, identity servers, and such)
|
||||
# It should never be used in production, and is intended for
|
||||
|
@ -73,6 +89,28 @@ class TlsConfig(Config):
|
|||
|
||||
# Don't bind to the https port
|
||||
no_tls: False
|
||||
|
||||
# List of allowed TLS fingerprints for this server to publish along
|
||||
# with the signing keys for this server. Other matrix servers that
|
||||
# make HTTPS requests to this server will check that the TLS
|
||||
# certificates returned by this server match one of the fingerprints.
|
||||
#
|
||||
# Synapse automatically adds its the fingerprint of its own certificate
|
||||
# to the list. So if federation traffic is handle directly by synapse
|
||||
# then no modification to the list is required.
|
||||
#
|
||||
# If synapse is run behind a load balancer that handles the TLS then it
|
||||
# will be necessary to add the fingerprints of the certificates used by
|
||||
# the loadbalancers to this list if they are different to the one
|
||||
# synapse is using.
|
||||
#
|
||||
# Homeservers are permitted to cache the list of TLS fingerprints
|
||||
# returned in the key responses up to the "valid_until_ts" returned in
|
||||
# key. It may be necessary to publish the fingerprints of a new
|
||||
# certificate and wait until the "valid_until_ts" of the previous key
|
||||
# responses have passed before deploying it.
|
||||
tls_fingerprints: []
|
||||
# tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
|
||||
""" % locals()
|
||||
|
||||
def read_tls_certificate(self, cert_path):
|
||||
|
|
|
@ -19,8 +19,6 @@ from synapse.http.server import respond_with_json_bytes
|
|||
from signedjson.sign import sign_json
|
||||
from unpaddedbase64 import encode_base64
|
||||
from canonicaljson import encode_canonical_json
|
||||
from hashlib import sha256
|
||||
from OpenSSL import crypto
|
||||
import logging
|
||||
|
||||
|
||||
|
@ -48,8 +46,12 @@ class LocalKey(Resource):
|
|||
"expired_ts": # integer posix timestamp when the key expired.
|
||||
"key": # base64 encoded NACL verification key.
|
||||
}
|
||||
}
|
||||
"tls_certificate": # base64 ASN.1 DER encoded X.509 tls cert.
|
||||
},
|
||||
"tls_fingerprints": [ # Fingerprints of the TLS certs this server uses.
|
||||
{
|
||||
"sha256": # base64 encoded sha256 fingerprint of the X509 cert
|
||||
},
|
||||
],
|
||||
"signatures": {
|
||||
"this.server.example.com": {
|
||||
"algorithm:version": # NACL signature for this server
|
||||
|
@ -90,21 +92,14 @@ class LocalKey(Resource):
|
|||
u"expired_ts": key.expired,
|
||||
}
|
||||
|
||||
x509_certificate_bytes = crypto.dump_certificate(
|
||||
crypto.FILETYPE_ASN1,
|
||||
self.config.tls_certificate
|
||||
)
|
||||
|
||||
sha256_fingerprint = sha256(x509_certificate_bytes).digest()
|
||||
tls_fingerprints = self.config.tls_fingerprints
|
||||
|
||||
json_object = {
|
||||
u"valid_until_ts": self.valid_until_ts,
|
||||
u"server_name": self.config.server_name,
|
||||
u"verify_keys": verify_keys,
|
||||
u"old_verify_keys": old_verify_keys,
|
||||
u"tls_fingerprints": [{
|
||||
u"sha256": encode_base64(sha256_fingerprint),
|
||||
}]
|
||||
u"tls_fingerprints": tls_fingerprints,
|
||||
}
|
||||
for key in self.config.signing_key:
|
||||
json_object = sign_json(
|
||||
|
|
Loading…
Reference in New Issue