diff options
author | Neil Alexander <neilalexander@users.noreply.github.com> | 2020-09-29 17:08:18 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-29 17:08:18 +0100 |
commit | f290e92a34c67e4d9673629810ac8f0f85b28b7c (patch) | |
tree | 01df1a3f865d899a6ec150365f4254cba08d10fe /internal | |
parent | 43cdba9a69674899a5900aee976ebc7add286914 (diff) |
Remove TLS fingerprints, improve perspective unmarshal handling (#1452)
* Add prefer_direct_fetch option
* Update gomatrixserverlib
* Update gomatrixserverlib
* Update gomatrixserverlib
* Don't deal in TLS fingerprints anymore
Diffstat (limited to 'internal')
-rw-r--r-- | internal/config/config.go | 29 | ||||
-rw-r--r-- | internal/config/config_federationapi.go | 6 | ||||
-rw-r--r-- | internal/config/config_serverkey.go | 3 | ||||
-rw-r--r-- | internal/config/config_test.go | 13 |
4 files changed, 3 insertions, 48 deletions
diff --git a/internal/config/config.go b/internal/config/config.go index 7528aa23..74d3f4fa 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -16,7 +16,6 @@ package config import ( "bytes" - "crypto/sha256" "encoding/pem" "fmt" "io" @@ -252,20 +251,6 @@ func loadConfig( c.Global.OldVerifyKeys[i].KeyID, c.Global.OldVerifyKeys[i].PrivateKey = keyID, privateKey } - for _, certPath := range c.FederationAPI.FederationCertificatePaths { - absCertPath := absPath(basePath, certPath) - var pemData []byte - pemData, err = readFile(absCertPath) - if err != nil { - return nil, err - } - fingerprint := fingerprintPEM(pemData) - if fingerprint == nil { - return nil, fmt.Errorf("no certificate PEM data in %q", absCertPath) - } - c.FederationAPI.TLSFingerPrints = append(c.FederationAPI.TLSFingerPrints, *fingerprint) - } - c.MediaAPI.AbsBasePath = Path(absPath(basePath, c.MediaAPI.BasePath)) // Generate data from config options @@ -494,20 +479,6 @@ func readKeyPEM(path string, data []byte, enforceKeyIDFormat bool) (gomatrixserv } } -func fingerprintPEM(data []byte) *gomatrixserverlib.TLSFingerprint { - for { - var certDERBlock *pem.Block - certDERBlock, data = pem.Decode(data) - if data == nil { - return nil - } - if certDERBlock.Type == "CERTIFICATE" { - digest := sha256.Sum256(certDERBlock.Bytes) - return &gomatrixserverlib.TLSFingerprint{SHA256: digest[:]} - } - } -} - // AppServiceURL returns a HTTP URL for where the appservice component is listening. func (config *Dendrite) AppServiceURL() string { // Hard code the appservice server to talk HTTP for now. diff --git a/internal/config/config_federationapi.go b/internal/config/config_federationapi.go index 727bfce2..64803d95 100644 --- a/internal/config/config_federationapi.go +++ b/internal/config/config_federationapi.go @@ -1,7 +1,5 @@ package config -import "github.com/matrix-org/gomatrixserverlib" - type FederationAPI struct { Matrix *Global `yaml:"-"` @@ -14,10 +12,6 @@ type FederationAPI struct { // to match one of these certificates. // The certificates should be in PEM format. FederationCertificatePaths []Path `yaml:"federation_certificates"` - - // A list of SHA256 TLS fingerprints for the X509 certificates used by the - // federation listener for this server. - TLSFingerPrints []gomatrixserverlib.TLSFingerprint `yaml:"-"` } func (c *FederationAPI) Defaults() { diff --git a/internal/config/config_serverkey.go b/internal/config/config_serverkey.go index 40506d23..788a2fa0 100644 --- a/internal/config/config_serverkey.go +++ b/internal/config/config_serverkey.go @@ -14,6 +14,9 @@ type ServerKeyAPI struct { // Perspective keyservers, to use as a backup when direct key fetch // requests don't succeed KeyPerspectives KeyPerspectives `yaml:"key_perspectives"` + + // Should we prefer direct key fetches over perspective ones? + PreferDirectFetch bool `yaml:"prefer_direct_fetch"` } func (c *ServerKeyAPI) Defaults() { diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 7549fa02..4107b684 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -253,19 +253,6 @@ Key-ID: ` + testKeyID + ` -----END MATRIX PRIVATE KEY----- ` -func TestFingerprintPEM(t *testing.T) { - got := fingerprintPEM([]byte(testCert)) - if got == nil { - t.Error("failed to calculate fingerprint") - } - if string(got.SHA256) != testCertFingerprint { - t.Errorf("bad fingerprint: wanted %q got %q", got, testCertFingerprint) - } - -} - -const testCertFingerprint = "56.\\SPQxE\xd4\x95\xfb\xf6\xd5\x04\x91\xcb/\x07\xb1^\x88\x08\xe3\xc1p\xdfY\x04\x19w\xcb" - const testCert = ` -----BEGIN CERTIFICATE----- MIIE0zCCArugAwIBAgIJAPype3u24LJeMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTcw |