authorNeil Alexander <neilalexander@users.noreply.github.com>2020-09-29 17:08:18 +0100
committerGitHub <noreply@github.com>2020-09-29 17:08:18 +0100
commitf290e92a34c67e4d9673629810ac8f0f85b28b7c (patch)
tree01df1a3f865d899a6ec150365f4254cba08d10fe /internal
parent43cdba9a69674899a5900aee976ebc7add286914 (diff)
Remove TLS fingerprints, improve perspective unmarshal handling (#1452)
* Add prefer_direct_fetch option * Update gomatrixserverlib * Update gomatrixserverlib * Update gomatrixserverlib * Don't deal in TLS fingerprints anymore
Diffstat (limited to 'internal')
-rw-r--r--internal/config/config.go29
-rw-r--r--internal/config/config_federationapi.go6
-rw-r--r--internal/config/config_serverkey.go3
-rw-r--r--internal/config/config_test.go13
4 files changed, 3 insertions, 48 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 7528aa23..74d3f4fa 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -16,7 +16,6 @@ package config
import (
"bytes"
- "crypto/sha256"
"encoding/pem"
"fmt"
"io"
@@ -252,20 +251,6 @@ func loadConfig(
c.Global.OldVerifyKeys[i].KeyID, c.Global.OldVerifyKeys[i].PrivateKey = keyID, privateKey
}
- for _, certPath := range c.FederationAPI.FederationCertificatePaths {
- absCertPath := absPath(basePath, certPath)
- var pemData []byte
- pemData, err = readFile(absCertPath)
- if err != nil {
- return nil, err
- }
- fingerprint := fingerprintPEM(pemData)
- if fingerprint == nil {
- return nil, fmt.Errorf("no certificate PEM data in %q", absCertPath)
- }
- c.FederationAPI.TLSFingerPrints = append(c.FederationAPI.TLSFingerPrints, *fingerprint)
- }
-
c.MediaAPI.AbsBasePath = Path(absPath(basePath, c.MediaAPI.BasePath))
// Generate data from config options
@@ -494,20 +479,6 @@ func readKeyPEM(path string, data []byte, enforceKeyIDFormat bool) (gomatrixserv
}
}
-func fingerprintPEM(data []byte) *gomatrixserverlib.TLSFingerprint {
- for {
- var certDERBlock *pem.Block
- certDERBlock, data = pem.Decode(data)
- if data == nil {
- return nil
- }
- if certDERBlock.Type == "CERTIFICATE" {
- digest := sha256.Sum256(certDERBlock.Bytes)
- return &gomatrixserverlib.TLSFingerprint{SHA256: digest[:]}
- }
- }
-}
-
// AppServiceURL returns a HTTP URL for where the appservice component is listening.
func (config *Dendrite) AppServiceURL() string {
// Hard code the appservice server to talk HTTP for now.
diff --git a/internal/config/config_federationapi.go b/internal/config/config_federationapi.go
index 727bfce2..64803d95 100644
--- a/internal/config/config_federationapi.go
+++ b/internal/config/config_federationapi.go
@@ -1,7 +1,5 @@
package config
-import "github.com/matrix-org/gomatrixserverlib"
-
type FederationAPI struct {
Matrix *Global `yaml:"-"`
@@ -14,10 +12,6 @@ type FederationAPI struct {
// to match one of these certificates.
// The certificates should be in PEM format.
FederationCertificatePaths []Path `yaml:"federation_certificates"`
-
- // A list of SHA256 TLS fingerprints for the X509 certificates used by the
- // federation listener for this server.
- TLSFingerPrints []gomatrixserverlib.TLSFingerprint `yaml:"-"`
}
func (c *FederationAPI) Defaults() {
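Review bot: After this change `FederationCertificatePaths` (`federation_certificates`) is still declared with a comment promising that the listener's certificate is matched against these files, but the only consumer visible in this commit — the loop in loadConfig that read each path and derived `TLSFingerPrints` — is removed in config.go, so the option now appears to be parsed from YAML and never used. Either drop the field together with its yaml key, or rewrite the comment so it no longer describes fingerprint matching, e.g. `// FederationCertificatePaths is currently unused; retained so existing configs still parse.` if that is the intent. The start of that comment sits above this hunk, so check its full text before editing. If another reader of the field exists elsewhere in the tree this can be disregarded.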
diff --git a/internal/config/config_serverkey.go b/internal/config/config_serverkey.go
index 40506d23..788a2fa0 100644
--- a/internal/config/config_serverkey.go
+++ b/internal/config/config_serverkey.go
@@ -14,6 +14,9 @@ type ServerKeyAPI struct {
// Perspective keyservers, to use as a backup when direct key fetch
// requests don't succeed
KeyPerspectives KeyPerspectives `yaml:"key_perspectives"`
+
+ // Should we prefer direct key fetches over perspective ones?
+ PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
}
func (c *ServerKeyAPI) Defaults() {
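Review bot: The comment on the new `PreferDirectFetch` field is phrased as a question and does not say which fetch order each value selects, while the `KeyPerspectives` comment two lines above already describes perspectives as a backup used when direct fetches fail — so a reader cannot tell what setting this to true changes. State the behaviour for each value and the effective default, e.g. `// PreferDirectFetch, when true, asks the origin server for its signing keys before consulting the perspective keyservers; when false the perspectives are presumably tried first (confirm against the fetcher).` Defaults() just below is outside this hunk, so whether it sets the field or leaves the zero value (false) is not visible here; the comment should say which. Since the two orderings differ in which party is consulted first for a remote server's keys, this comment is also where an operator would expect that trade-off to be named.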
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 7549fa02..4107b684 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -253,19 +253,6 @@ Key-ID: ` + testKeyID + `
-----END MATRIX PRIVATE KEY-----
`
-func TestFingerprintPEM(t *testing.T) {
- got := fingerprintPEM([]byte(testCert))
- if got == nil {
- t.Error("failed to calculate fingerprint")
- }
- if string(got.SHA256) != testCertFingerprint {
- t.Errorf("bad fingerprint: wanted %q got %q", got, testCertFingerprint)
- }
-
-}
-
-const testCertFingerprint = "56.\\SPQxE\xd4\x95\xfb\xf6\xd5\x04\x91\xcb/\x07\xb1^\x88\x08\xe3\xc1p\xdfY\x04\x19w\xcb"
-
const testCert = `
-----BEGIN CERTIFICATE-----
MIIE0zCCArugAwIBAgIJAPype3u24LJeMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTcw