Actually we can't guarantee we can do that so nevermind

2025-12-29 01:33:10 -06:00 · 2021-08-05 15:06:54 +01:00 · 2021-08-05 15:06:54 +01:00 · 8fd501e2f6
parent dc81ec3a46
commit 8fd501e2f6
1 changed files with 4 additions and 65 deletions
--- a/keyserver/internal/cross_signing.go
+++ b/keyserver/internal/cross_signing.go
@ -188,71 +188,10 @@ func (a *KeyInternalAPI) PerformUploadDeviceKeys(ctx context.Context, req *api.P

 		switch purpose {
 		case gomatrixserverlib.CrossSigningKeyPurposeMaster:
-			// The master key should be signed by the device key that uploaded it.
-			// Does the device key exist?
-			var signaturesFound []string
-			for userID, forUser := range req.MasterKey.Signatures {
-				if userID != req.UserID {
-					// Ignore signatures that didn't come from this user. We only
-					// care if the user signed their own master key.
-					continue
-				}
-				for keyID := range forUser {
-					signaturesFound = append(signaturesFound, string(keyID))
-				}
-			}
-
-			// If there is a signature from another of the user's key, let's find those keys.
-			if len(signaturesFound) > 0 {
-				localKeys, err := a.DB.DeviceKeysForUser(ctx, req.UserID, signaturesFound)
-				if err != nil {
-					res.Error = &api.KeyError{
-						Err: fmt.Sprintf("Failed to retrieve user device keys: %s", err.Error()),
-					}
-					return
-				}
-
-				// Look through the keys we were given and unmarshal them.
-				allDeviceKeys := map[string]map[gomatrixserverlib.KeyID]gomatrixserverlib.Base64Bytes{}
-				for _, localKey := range localKeys {
-					var deviceKeys gomatrixserverlib.DeviceKeys
-					if err := json.Unmarshal(localKey.KeyJSON, &deviceKeys); err != nil {
-						res.Error = &api.KeyError{
-							Err: fmt.Sprintf("Failed to unmarshal user device keys: %s", err.Error()),
-						}
-						return
-					}
-					allDeviceKeys[localKey.UserID] = deviceKeys.Keys
-				}
-
-				// For each signature we have, see if we can verify the signature.
-				for userID, forUser := range req.MasterKey.Signatures {
-					userKeys, ok := allDeviceKeys[userID]
-					if !ok {
-						res.Error = &api.KeyError{
-							Err: fmt.Sprintf("No keys were found for user %q", userID),
-						}
-						return
-					}
-					for keyID := range forUser {
-						key, ok := userKeys[keyID]
-						if !ok {
-							res.Error = &api.KeyError{
-								Err: fmt.Sprintf("No keys were found for user %q with key ID %q", userID, keyID),
-							}
-							return
-						}
-
-						if err := gomatrixserverlib.VerifyJSON(userID, keyID, ed25519.PublicKey(key), keyJSON); err != nil {
-							res.Error = &api.KeyError{
-								Err:                fmt.Sprintf("The master key failed signature verification: %s", err.Error()),
-								IsInvalidSignature: true,
-							}
-							return
-						}
-					}
-				}
-			}
+			// The master key might have a signature attached to it from the
+			// previous key, or from a device key, but there's no real need
+			// to verify it. Clients will perform key checks when the master
+			// key changes.

 		default:
 			// Sub-keys should be signed by the master key.