verifier.py 7.7 KB

  1. # -*- coding: utf-8 -*-
  2. # Copyright 2018 New Vector Ltd
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License");
  5. # you may not use this file except in compliance with the License.
  6. # You may obtain a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS,
  12. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13. # See the License for the specific language governing permissions and
  14. # limitations under the License.
  15. from __future__ import absolute_import
  16. import logging
  17. import time
  18. from twisted.internet import defer
  19. from unpaddedbase64 import decode_base64
  20. import signedjson.sign
  21. import signedjson.key
  22. from signedjson.sign import SignatureVerifyException
  23. from sydent.http.httpclient import FederationHttpClient
  24. logger = logging.getLogger(__name__)
  25. class NoAuthenticationError(Exception):
  26. """
  27. Raised when no signature is provided that could be authenticated
  28. """
  29. pass
  30. class Verifier(object):
  31. """
  32. Verifies signed json blobs from Matrix Homeservers by finding the
  33. homeserver's address, contacting it, requesting its keys and
  34. verifying that the signature on the json blob matches.
  35. """
  36. def __init__(self, sydent):
  37. self.sydent = sydent
  38. # Cache of server keys. These are cached until the 'valid_until_ts' time
  39. # in the result.
  40. self.cache = {
  41. # server_name: <result from keys query>,
  42. }
  43. @defer.inlineCallbacks
  44. def _getKeysForServer(self, server_name):
  45. """Get the signing key data from a homeserver.
  46. :param server_name: The name of the server to request the keys from.
  47. :type server_name: unicode
  48. :return: The verification keys returned by the server.
  49. :rtype: twisted.internet.defer.Deferred[dict[unicode, dict[unicode, unicode]]]
  50. """
  51. if server_name in self.cache:
  52. cached = self.cache[server_name]
  53. now = int(time.time() * 1000)
  54. if cached['valid_until_ts'] > now:
  55. defer.returnValue(self.cache[server_name]['verify_keys'])
  56. client = FederationHttpClient(self.sydent)
  57. result = yield client.get_json("matrix://%s/_matrix/key/v2/server/" % server_name)
  58. if 'verify_keys' not in result:
  59. raise SignatureVerifyException("No key found in response")
  60. if 'valid_until_ts' in result:
  61. # Don't cache anything without a valid_until_ts or we wouldn't
  62. # know when to expire it.
  63. logger.info("Got keys for %s: caching until %s", server_name, result['valid_until_ts'])
  64. self.cache[server_name] = result
  65. defer.returnValue(result['verify_keys'])
  66. @defer.inlineCallbacks
  67. def verifyServerSignedJson(self, signed_json, acceptable_server_names=None):
  68. """Given a signed json object, try to verify any one
  69. of the signatures on it
  70. XXX: This contains a fairly noddy version of the home server
  71. SRV lookup and signature verification. It does no caching (just
  72. fetches the signature each time and does not contact any other
  73. servers to do perspective checks).
  74. :param acceptable_server_names: If provided and not None,
  75. only signatures from servers in this list will be accepted.
  76. :type acceptable_server_names: list[unicode] or None
  77. :return a tuple of the server name and key name that was
  78. successfully verified.
  79. :rtype: twisted.internet.defer.Deferred[tuple[unicode]]
  80. :raise SignatureVerifyException: The json cannot be verified.
  81. """
  82. if 'signatures' not in signed_json:
  83. raise SignatureVerifyException("Signature missing")
  84. for server_name, sigs in signed_json['signatures'].items():
  85. if acceptable_server_names is not None:
  86. if server_name not in acceptable_server_names:
  87. continue
  88. server_keys = yield self._getKeysForServer(server_name)
  89. for key_name, sig in sigs.items():
  90. if key_name in server_keys:
  91. if 'key' not in server_keys[key_name]:
  92. logger.warn("Ignoring key %s with no 'key'")
  93. continue
  94. key_bytes = decode_base64(server_keys[key_name]['key'])
  95. verify_key = signedjson.key.decode_verify_key_bytes(key_name, key_bytes)
  96. logger.info("verifying sig from key %r", key_name)
  97. signedjson.sign.verify_signed_json(signed_json, server_name, verify_key)
  98. logger.info("Verified signature with key %s from %s", key_name, server_name)
  99. defer.returnValue((server_name, key_name))
  100. logger.warn(
  101. "No matching key found for signature block %r in server keys %r",
  102. signed_json['signatures'], server_keys,
  103. )
  104. logger.warn(
  105. "Unable to verify any signatures from block %r. Acceptable server names: %r",
  106. signed_json['signatures'], acceptable_server_names,
  107. )
  108. raise SignatureVerifyException("No matching signature found")
  109. @defer.inlineCallbacks
  110. def authenticate_request(self, request, content):
  111. """Authenticates a Matrix federation request based on the X-Matrix header
  112. XXX: Copied largely from synapse
  113. :param request: The request object to authenticate
  114. :type request: twisted.web.server.Request
  115. :param content: The content of the request, if any
  116. :type content: bytes or None
  117. :return: The origin of the server whose signature was validated
  118. :rtype: twisted.internet.defer.Deferred[unicode]
  119. """
  120. json_request = {
  121. "method": request.method,
  122. "uri": request.uri,
  123. "destination_is": self.sydent.server_name,
  124. "signatures": {},
  125. }
  126. if content is not None:
  127. json_request["content"] = content
  128. origin = None
  129. def parse_auth_header(header_str):
  130. """
  131. Extracts a server name, signing key and payload signature from an
  132. authentication header.
  133. :param header_str: The content of the header
  134. :type header_str: unicode
  135. :return: The server name, the signing key, and the payload signature.
  136. :rtype: tuple[unicode]
  137. """
  138. try:
  139. params = header_str.split(u" ")[1].split(u",")
  140. param_dict = dict(kv.split(u"=") for kv in params)
  141. def strip_quotes(value):
  142. if value.startswith(u"\""):
  143. return value[1:-1]
  144. else:
  145. return value
  146. origin = strip_quotes(param_dict["origin"])
  147. key = strip_quotes(param_dict["key"])
  148. sig = strip_quotes(param_dict["sig"])
  149. return origin, key, sig
  150. except Exception:
  151. raise SignatureVerifyException("Malformed Authorization header")
  152. auth_headers = request.requestHeaders.getRawHeaders(u"Authorization")
  153. if not auth_headers:
  154. raise NoAuthenticationError("Missing Authorization headers")
  155. for auth in auth_headers:
  156. if auth.startswith(u"X-Matrix"):
  157. (origin, key, sig) = parse_auth_header(auth)
  158. json_request["origin"] = origin
  159. json_request["signatures"].setdefault(origin, {})[key] = sig
  160. if not json_request["signatures"]:
  161. raise NoAuthenticationError("Missing X-Matrix Authorization header")
  162. yield self.verifyServerSignedJson(json_request, [origin])
  163. logger.info("Verified request from HS %s", origin)
  164. defer.returnValue(origin)