mirror of
https://github.com/matrix-org/dendrite.git
synced 2024-11-29 17:51:56 -06:00
Add a database for storing the server keys (#137)
* Add a database for storing the server keys * Tweak wording, and comment on the resolution of the timestamp * Update gomatrixserverlib
This commit is contained in:
parent
6eae6f7598
commit
7cbdab30f4
|
@ -25,6 +25,7 @@ import (
|
||||||
"github.com/matrix-org/dendrite/clientapi/producers"
|
"github.com/matrix-org/dendrite/clientapi/producers"
|
||||||
"github.com/matrix-org/dendrite/clientapi/routing"
|
"github.com/matrix-org/dendrite/clientapi/routing"
|
||||||
"github.com/matrix-org/dendrite/common"
|
"github.com/matrix-org/dendrite/common"
|
||||||
|
"github.com/matrix-org/dendrite/common/keydb"
|
||||||
"github.com/matrix-org/dendrite/roomserver/api"
|
"github.com/matrix-org/dendrite/roomserver/api"
|
||||||
|
|
||||||
"github.com/matrix-org/gomatrixserverlib"
|
"github.com/matrix-org/gomatrixserverlib"
|
||||||
|
@ -41,6 +42,7 @@ var (
|
||||||
serverName = gomatrixserverlib.ServerName(os.Getenv("SERVER_NAME"))
|
serverName = gomatrixserverlib.ServerName(os.Getenv("SERVER_NAME"))
|
||||||
serverKey = os.Getenv("SERVER_KEY")
|
serverKey = os.Getenv("SERVER_KEY")
|
||||||
accountDataSource = os.Getenv("ACCOUNT_DATABASE")
|
accountDataSource = os.Getenv("ACCOUNT_DATABASE")
|
||||||
|
keyDataSource = os.Getenv("KEY_DATABASE")
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
@ -79,7 +81,7 @@ func main() {
|
||||||
|
|
||||||
roomserverProducer, err := producers.NewRoomserverProducer(cfg.KafkaProducerURIs, cfg.ClientAPIOutputTopic)
|
roomserverProducer, err := producers.NewRoomserverProducer(cfg.KafkaProducerURIs, cfg.ClientAPIOutputTopic)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panicf("Failed to setup kafka producers(%s): %s", cfg.KafkaProducerURIs, err)
|
log.Panicf("Failed to setup kafka producers(%q): %s", cfg.KafkaProducerURIs, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
federation := gomatrixserverlib.NewFederationClient(cfg.ServerName, cfg.KeyID, cfg.PrivateKey)
|
federation := gomatrixserverlib.NewFederationClient(cfg.ServerName, cfg.KeyID, cfg.PrivateKey)
|
||||||
|
@ -87,11 +89,15 @@ func main() {
|
||||||
queryAPI := api.NewRoomserverQueryAPIHTTP(cfg.RoomserverURL, nil)
|
queryAPI := api.NewRoomserverQueryAPIHTTP(cfg.RoomserverURL, nil)
|
||||||
accountDB, err := accounts.NewDatabase(accountDataSource, serverName)
|
accountDB, err := accounts.NewDatabase(accountDataSource, serverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panicf("Failed to setup account database(%s): %s", accountDataSource, err.Error())
|
log.Panicf("Failed to setup account database(%q): %s", accountDataSource, err.Error())
|
||||||
}
|
}
|
||||||
deviceDB, err := devices.NewDatabase(accountDataSource, serverName)
|
deviceDB, err := devices.NewDatabase(accountDataSource, serverName)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Panicf("Failed to setup device database(%s): %s", accountDataSource, err.Error())
|
log.Panicf("Failed to setup device database(%q): %s", accountDataSource, err.Error())
|
||||||
|
}
|
||||||
|
keyDB, err := keydb.NewDatabase(keyDataSource)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicf("Failed to setup key database(%q): %s", keyDataSource, err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
keyRing := gomatrixserverlib.KeyRing{
|
keyRing := gomatrixserverlib.KeyRing{
|
||||||
|
@ -99,7 +105,7 @@ func main() {
|
||||||
// TODO: Use perspective key fetchers for production.
|
// TODO: Use perspective key fetchers for production.
|
||||||
&gomatrixserverlib.DirectKeyFetcher{federation.Client},
|
&gomatrixserverlib.DirectKeyFetcher{federation.Client},
|
||||||
},
|
},
|
||||||
KeyDatabase: &dummyKeyDatabase{},
|
KeyDatabase: keyDB,
|
||||||
}
|
}
|
||||||
|
|
||||||
routing.Setup(
|
routing.Setup(
|
||||||
|
@ -108,18 +114,3 @@ func main() {
|
||||||
)
|
)
|
||||||
log.Fatal(http.ListenAndServe(bindAddr, nil))
|
log.Fatal(http.ListenAndServe(bindAddr, nil))
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Implement a proper key database.
|
|
||||||
type dummyKeyDatabase struct{}
|
|
||||||
|
|
||||||
func (d *dummyKeyDatabase) FetchKeys(
|
|
||||||
requests map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.Timestamp,
|
|
||||||
) (map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys, error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (d *dummyKeyDatabase) StoreKeys(
|
|
||||||
map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys,
|
|
||||||
) error {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
|
@ -23,6 +23,7 @@ import (
|
||||||
|
|
||||||
"github.com/matrix-org/dendrite/clientapi/producers"
|
"github.com/matrix-org/dendrite/clientapi/producers"
|
||||||
"github.com/matrix-org/dendrite/common"
|
"github.com/matrix-org/dendrite/common"
|
||||||
|
"github.com/matrix-org/dendrite/common/keydb"
|
||||||
"github.com/matrix-org/dendrite/federationapi/config"
|
"github.com/matrix-org/dendrite/federationapi/config"
|
||||||
"github.com/matrix-org/dendrite/federationapi/routing"
|
"github.com/matrix-org/dendrite/federationapi/routing"
|
||||||
"github.com/matrix-org/dendrite/roomserver/api"
|
"github.com/matrix-org/dendrite/roomserver/api"
|
||||||
|
@ -47,6 +48,7 @@ var (
|
||||||
kafkaURIs = strings.Split(os.Getenv("KAFKA_URIS"), ",")
|
kafkaURIs = strings.Split(os.Getenv("KAFKA_URIS"), ",")
|
||||||
roomserverURL = os.Getenv("ROOMSERVER_URL")
|
roomserverURL = os.Getenv("ROOMSERVER_URL")
|
||||||
roomserverInputTopic = os.Getenv("TOPIC_INPUT_ROOM_EVENT")
|
roomserverInputTopic = os.Getenv("TOPIC_INPUT_ROOM_EVENT")
|
||||||
|
keyDataSource = os.Getenv("KEY_DATABASE")
|
||||||
)
|
)
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
|
@ -95,12 +97,17 @@ func main() {
|
||||||
|
|
||||||
federation := gomatrixserverlib.NewFederationClient(cfg.ServerName, cfg.KeyID, cfg.PrivateKey)
|
federation := gomatrixserverlib.NewFederationClient(cfg.ServerName, cfg.KeyID, cfg.PrivateKey)
|
||||||
|
|
||||||
|
keyDB, err := keydb.NewDatabase(keyDataSource)
|
||||||
|
if err != nil {
|
||||||
|
log.Panicf("Failed to setup key database(%q): %s", keyDataSource, err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
keyRing := gomatrixserverlib.KeyRing{
|
keyRing := gomatrixserverlib.KeyRing{
|
||||||
KeyFetchers: []gomatrixserverlib.KeyFetcher{
|
KeyFetchers: []gomatrixserverlib.KeyFetcher{
|
||||||
// TODO: Use perspective key fetchers for production.
|
// TODO: Use perspective key fetchers for production.
|
||||||
&gomatrixserverlib.DirectKeyFetcher{federation.Client},
|
&gomatrixserverlib.DirectKeyFetcher{federation.Client},
|
||||||
},
|
},
|
||||||
KeyDatabase: &dummyKeyDatabase{},
|
KeyDatabase: keyDB,
|
||||||
}
|
}
|
||||||
queryAPI := api.NewRoomserverQueryAPIHTTP(roomserverURL, nil)
|
queryAPI := api.NewRoomserverQueryAPIHTTP(roomserverURL, nil)
|
||||||
|
|
||||||
|
@ -112,18 +119,3 @@ func main() {
|
||||||
routing.Setup(http.DefaultServeMux, cfg, queryAPI, roomserverProducer, keyRing, federation)
|
routing.Setup(http.DefaultServeMux, cfg, queryAPI, roomserverProducer, keyRing, federation)
|
||||||
log.Fatal(http.ListenAndServe(bindAddr, nil))
|
log.Fatal(http.ListenAndServe(bindAddr, nil))
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: Implement a proper key database.
|
|
||||||
type dummyKeyDatabase struct{}
|
|
||||||
|
|
||||||
func (d *dummyKeyDatabase) FetchKeys(
|
|
||||||
requests map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.Timestamp,
|
|
||||||
) (map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys, error) {
|
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (d *dummyKeyDatabase) StoreKeys(
|
|
||||||
map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys,
|
|
||||||
) error {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
70
src/github.com/matrix-org/dendrite/common/keydb/keydb.go
Normal file
70
src/github.com/matrix-org/dendrite/common/keydb/keydb.go
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
// Copyright 2017 Vector Creations Ltd
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package keydb
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"github.com/matrix-org/gomatrixserverlib"
|
||||||
|
)
|
||||||
|
|
||||||
|
// A Database implements gomatrixserverlib.KeyDatabase and is used to store
|
||||||
|
// the public keys for other matrix servers.
|
||||||
|
type Database struct {
|
||||||
|
statements serverKeyStatements
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewDatabase prepares a new key database.
|
||||||
|
// It creates the necessary tables if they don't already exist.
|
||||||
|
// It prepares all the SQL statements that it will use.
|
||||||
|
// Returns an error if there was a problem talking to the database.
|
||||||
|
func NewDatabase(dataSourceName string) (*Database, error) {
|
||||||
|
db, err := sql.Open("postgres", dataSourceName)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
d := &Database{}
|
||||||
|
d.statements.prepare(db)
|
||||||
|
return d, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// FetchKeys implements gomatrixserverlib.KeyDatabase
|
||||||
|
func (d *Database) FetchKeys(
|
||||||
|
requests map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.Timestamp,
|
||||||
|
) (map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys, error) {
|
||||||
|
return d.statements.bulkSelectServerKeys(requests)
|
||||||
|
}
|
||||||
|
|
||||||
|
// StoreKeys implements gomatrixserverlib.KeyDatabase
|
||||||
|
func (d *Database) StoreKeys(
|
||||||
|
keyMap map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys,
|
||||||
|
) error {
|
||||||
|
// TODO: Inserting all the keys within a single transaction may
|
||||||
|
// be more efficient since the transaction overhead can be quite
|
||||||
|
// high for a single insert statement.
|
||||||
|
var lastErr error
|
||||||
|
for request, keys := range keyMap {
|
||||||
|
if err := d.statements.upsertServerKeys(request, keys); err != nil {
|
||||||
|
// Rather than returning immediately on error we try to insert the
|
||||||
|
// remaining keys.
|
||||||
|
// Since we are inserting the keys outside of a transaction it is
|
||||||
|
// possible for some of the inserts to succeed even though some
|
||||||
|
// of the inserts have failed.
|
||||||
|
// Ensuring that we always insert all the keys we can means that
|
||||||
|
// this behaviour won't depend on the iteration order of the map.
|
||||||
|
lastErr = err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return lastErr
|
||||||
|
}
|
|
@ -0,0 +1,125 @@
|
||||||
|
// Copyright 2017 Vector Creations Ltd
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package keydb
|
||||||
|
|
||||||
|
import (
|
||||||
|
"database/sql"
|
||||||
|
"encoding/json"
|
||||||
|
"github.com/lib/pq"
|
||||||
|
"github.com/matrix-org/gomatrixserverlib"
|
||||||
|
)
|
||||||
|
|
||||||
|
const serverKeysSchema = `
|
||||||
|
-- A cache of server keys downloaded from remote servers.
|
||||||
|
CREATE TABLE IF NOT EXISTS server_keys (
|
||||||
|
-- The name of the matrix server the key is for.
|
||||||
|
server_name TEXT NOT NULL,
|
||||||
|
-- The ID of the server key.
|
||||||
|
server_key_id TEXT NOT NULL,
|
||||||
|
-- Combined server name and key ID separated by the ASCII unit separator
|
||||||
|
-- to make it easier to run bulk queries.
|
||||||
|
server_name_and_key_id TEXT NOT NULL,
|
||||||
|
-- When the keys are valid until as a millisecond timestamp.
|
||||||
|
valid_until_ts BIGINT NOT NULL,
|
||||||
|
-- The raw JSON for the server key.
|
||||||
|
server_key_json TEXT NOT NULL,
|
||||||
|
CONSTRAINT server_keys_unique UNIQUE (server_name, server_key_id)
|
||||||
|
);
|
||||||
|
|
||||||
|
CREATE INDEX IF NOT EXISTS server_name_and_key_id ON server_keys (server_name_and_key_id);
|
||||||
|
`
|
||||||
|
|
||||||
|
const bulkSelectServerKeysSQL = "" +
|
||||||
|
"SELECT server_name, server_key_id, server_key_json FROM server_keys" +
|
||||||
|
" WHERE server_name_and_key_id = ANY($1)"
|
||||||
|
|
||||||
|
const upsertServerKeysSQL = "" +
|
||||||
|
"INSERT INTO server_keys (server_name, server_key_id," +
|
||||||
|
" server_name_and_key_id, valid_until_ts, server_key_json)" +
|
||||||
|
" VALUES ($1, $2, $3, $4, $5)" +
|
||||||
|
" ON CONFLICT ON CONSTRAINT server_keys_unique" +
|
||||||
|
" DO UPDATE SET valid_until_ts = $4, server_key_json = $5"
|
||||||
|
|
||||||
|
type serverKeyStatements struct {
|
||||||
|
bulkSelectServerKeysStmt *sql.Stmt
|
||||||
|
upsertServerKeysStmt *sql.Stmt
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *serverKeyStatements) prepare(db *sql.DB) (err error) {
|
||||||
|
_, err = db.Exec(serverKeysSchema)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if s.bulkSelectServerKeysStmt, err = db.Prepare(bulkSelectServerKeysSQL); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if s.upsertServerKeysStmt, err = db.Prepare(upsertServerKeysSQL); err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *serverKeyStatements) bulkSelectServerKeys(
|
||||||
|
requests map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.Timestamp,
|
||||||
|
) (map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys, error) {
|
||||||
|
var nameAndKeyIDs []string
|
||||||
|
for request := range requests {
|
||||||
|
nameAndKeyIDs = append(nameAndKeyIDs, nameAndKeyID(request))
|
||||||
|
}
|
||||||
|
rows, err := s.bulkSelectServerKeysStmt.Query(pq.StringArray(nameAndKeyIDs))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
defer rows.Close()
|
||||||
|
results := map[gomatrixserverlib.PublicKeyRequest]gomatrixserverlib.ServerKeys{}
|
||||||
|
for rows.Next() {
|
||||||
|
var serverName string
|
||||||
|
var keyID string
|
||||||
|
var keyJSON []byte
|
||||||
|
if err := rows.Scan(&serverName, &keyID, &keyJSON); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
var serverKeys gomatrixserverlib.ServerKeys
|
||||||
|
if err := json.Unmarshal(keyJSON, &serverKeys); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
r := gomatrixserverlib.PublicKeyRequest{
|
||||||
|
gomatrixserverlib.ServerName(serverName), gomatrixserverlib.KeyID(keyID),
|
||||||
|
}
|
||||||
|
results[r] = serverKeys
|
||||||
|
}
|
||||||
|
return results, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *serverKeyStatements) upsertServerKeys(
|
||||||
|
request gomatrixserverlib.PublicKeyRequest, keys gomatrixserverlib.ServerKeys,
|
||||||
|
) error {
|
||||||
|
keyJSON, err := json.Marshal(keys)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
_, err = s.upsertServerKeysStmt.Exec(
|
||||||
|
string(request.ServerName), string(request.KeyID), nameAndKeyID(request),
|
||||||
|
int64(keys.ValidUntilTS), keyJSON,
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func nameAndKeyID(request gomatrixserverlib.PublicKeyRequest) string {
|
||||||
|
return string(request.ServerName) + "\x1F" + string(request.KeyID)
|
||||||
|
}
|
2
vendor/manifest
vendored
2
vendor/manifest
vendored
|
@ -98,7 +98,7 @@
|
||||||
{
|
{
|
||||||
"importpath": "github.com/matrix-org/gomatrixserverlib",
|
"importpath": "github.com/matrix-org/gomatrixserverlib",
|
||||||
"repository": "https://github.com/matrix-org/gomatrixserverlib",
|
"repository": "https://github.com/matrix-org/gomatrixserverlib",
|
||||||
"revision": "b1dfcb3b345cc8410f1a03fec0a1ffe6bd002dcd",
|
"revision": "0e1596ae7b0a034ec572cd1448aeaf7e96bff95a",
|
||||||
"branch": "master"
|
"branch": "master"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -32,6 +32,12 @@ type KeyFetcher interface {
|
||||||
type KeyDatabase interface {
|
type KeyDatabase interface {
|
||||||
KeyFetcher
|
KeyFetcher
|
||||||
// Add a block of public keys to the database.
|
// Add a block of public keys to the database.
|
||||||
|
// Returns an error if there was a problem storing the keys.
|
||||||
|
// A database is not required to rollback storing the all keys if some of
|
||||||
|
// the keys aren't stored, and an in-progess store may be partially visible
|
||||||
|
// to a concurrent FetchKeys(). This is acceptable since the database is
|
||||||
|
// only used as a cache for the keys, so if a FetchKeys() races with a
|
||||||
|
// StoreKeys() and some of the keys are missing they will be just be refetched.
|
||||||
StoreKeys(map[PublicKeyRequest]ServerKeys) error
|
StoreKeys(map[PublicKeyRequest]ServerKeys) error
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -30,15 +30,22 @@ type KeyID string
|
||||||
// SignJSON signs a JSON object returning a copy signed with the given key.
|
// SignJSON signs a JSON object returning a copy signed with the given key.
|
||||||
// https://matrix.org/docs/spec/server_server/unstable.html#signing-json
|
// https://matrix.org/docs/spec/server_server/unstable.html#signing-json
|
||||||
func SignJSON(signingName string, keyID KeyID, privateKey ed25519.PrivateKey, message []byte) ([]byte, error) {
|
func SignJSON(signingName string, keyID KeyID, privateKey ed25519.PrivateKey, message []byte) ([]byte, error) {
|
||||||
|
// Unpack the top-level key of the JSON object without unpacking the contents of the keys.
|
||||||
|
// This allows us to add and remove the top-level keys from the JSON object.
|
||||||
|
// It also ensures that the JSON is actually a valid JSON object.
|
||||||
var object map[string]*json.RawMessage
|
var object map[string]*json.RawMessage
|
||||||
var signatures map[string]map[KeyID]Base64String
|
var signatures map[string]map[KeyID]Base64String
|
||||||
if err := json.Unmarshal(message, &object); err != nil {
|
if err := json.Unmarshal(message, &object); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// We don't sign the contents of the unsigned key so we remove it.
|
||||||
rawUnsigned, hasUnsigned := object["unsigned"]
|
rawUnsigned, hasUnsigned := object["unsigned"]
|
||||||
delete(object, "unsigned")
|
delete(object, "unsigned")
|
||||||
|
|
||||||
|
// Parse the existing signatures if they exist.
|
||||||
|
// Signing a JSON object adds our signature to the existing
|
||||||
|
// signature rather than replacing it.
|
||||||
if rawSignatures := object["signatures"]; rawSignatures != nil {
|
if rawSignatures := object["signatures"]; rawSignatures != nil {
|
||||||
if err := json.Unmarshal(*rawSignatures, &signatures); err != nil {
|
if err := json.Unmarshal(*rawSignatures, &signatures); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -48,32 +55,35 @@ func SignJSON(signingName string, keyID KeyID, privateKey ed25519.PrivateKey, me
|
||||||
signatures = map[string]map[KeyID]Base64String{}
|
signatures = map[string]map[KeyID]Base64String{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Encode the JSON object without the "signatures" key or
|
||||||
|
// the "unsigned" key in the canonical format.
|
||||||
unsorted, err := json.Marshal(object)
|
unsorted, err := json.Marshal(object)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
canonical, err := CanonicalJSON(unsorted)
|
canonical, err := CanonicalJSON(unsorted)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Sign the canonical JSON with the ed25519 key.
|
||||||
signature := Base64String(ed25519.Sign(privateKey, canonical))
|
signature := Base64String(ed25519.Sign(privateKey, canonical))
|
||||||
|
|
||||||
|
// Add the signature to the "signature" key.
|
||||||
signaturesForEntity := signatures[signingName]
|
signaturesForEntity := signatures[signingName]
|
||||||
if signaturesForEntity != nil {
|
if signaturesForEntity != nil {
|
||||||
signaturesForEntity[keyID] = signature
|
signaturesForEntity[keyID] = signature
|
||||||
} else {
|
} else {
|
||||||
signatures[signingName] = map[KeyID]Base64String{keyID: signature}
|
signatures[signingName] = map[KeyID]Base64String{keyID: signature}
|
||||||
}
|
}
|
||||||
|
|
||||||
var rawSignatures json.RawMessage
|
var rawSignatures json.RawMessage
|
||||||
rawSignatures, err = json.Marshal(signatures)
|
rawSignatures, err = json.Marshal(signatures)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
object["signatures"] = &rawSignatures
|
object["signatures"] = &rawSignatures
|
||||||
|
|
||||||
|
// Add the unsigned key back if it was present.
|
||||||
if hasUnsigned {
|
if hasUnsigned {
|
||||||
object["unsigned"] = rawUnsigned
|
object["unsigned"] = rawUnsigned
|
||||||
}
|
}
|
||||||
|
@ -98,41 +108,45 @@ func ListKeyIDs(signingName string, message []byte) ([]KeyID, error) {
|
||||||
|
|
||||||
// VerifyJSON checks that the entity has signed the message using a particular key.
|
// VerifyJSON checks that the entity has signed the message using a particular key.
|
||||||
func VerifyJSON(signingName string, keyID KeyID, publicKey ed25519.PublicKey, message []byte) error {
|
func VerifyJSON(signingName string, keyID KeyID, publicKey ed25519.PublicKey, message []byte) error {
|
||||||
|
// Unpack the top-level key of the JSON object without unpacking the contents of the keys.
|
||||||
|
// This allows us to add and remove the top-level keys from the JSON object.
|
||||||
|
// It also ensures that the JSON is actually a valid JSON object.
|
||||||
var object map[string]*json.RawMessage
|
var object map[string]*json.RawMessage
|
||||||
var signatures map[string]map[KeyID]Base64String
|
var signatures map[string]map[KeyID]Base64String
|
||||||
if err := json.Unmarshal(message, &object); err != nil {
|
if err := json.Unmarshal(message, &object); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
delete(object, "unsigned")
|
|
||||||
|
|
||||||
|
// Check that there is a signature from the entity that we are expecting a signature from.
|
||||||
if object["signatures"] == nil {
|
if object["signatures"] == nil {
|
||||||
return fmt.Errorf("No signatures")
|
return fmt.Errorf("No signatures")
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := json.Unmarshal(*object["signatures"], &signatures); err != nil {
|
if err := json.Unmarshal(*object["signatures"], &signatures); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
delete(object, "signatures")
|
|
||||||
|
|
||||||
signature, ok := signatures[signingName][keyID]
|
signature, ok := signatures[signingName][keyID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("No signature from %q with ID %q", signingName, keyID)
|
return fmt.Errorf("No signature from %q with ID %q", signingName, keyID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(signature) != ed25519.SignatureSize {
|
if len(signature) != ed25519.SignatureSize {
|
||||||
return fmt.Errorf("Bad signature length from %q with ID %q", signingName, keyID)
|
return fmt.Errorf("Bad signature length from %q with ID %q", signingName, keyID)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// The "unsigned" key and "signatures" keys aren't covered by the signature so remove them.
|
||||||
|
delete(object, "unsigned")
|
||||||
|
delete(object, "signatures")
|
||||||
|
|
||||||
|
// Encode the JSON without the "unsigned" and "signatures" keys in the canonical format.
|
||||||
unsorted, err := json.Marshal(object)
|
unsorted, err := json.Marshal(object)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
canonical, err := CanonicalJSON(unsorted)
|
canonical, err := CanonicalJSON(unsorted)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Verify the ed25519 signature.
|
||||||
if !ed25519.Verify(publicKey, canonical, signature) {
|
if !ed25519.Verify(publicKey, canonical, signature) {
|
||||||
return fmt.Errorf("Bad signature from %q with ID %q", signingName, keyID)
|
return fmt.Errorf("Bad signature from %q with ID %q", signingName, keyID)
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue