Add some logging to 3pid invite sig verification (#5015)
I had to add quite a lot of logging to diagnose a problem with 3pid invites - we only logged the one failure which isn't all that informative. NB. I'm not convinced the logic of this loop is right: I think it should just accept a single valid signature from a trusted source rather than fail if *any* signature is invalid. Also it should probably not skip the rest of middle loop if a check fails? However, I'm deliberately not changing the logic here.
This commit is contained in:
parent
82d9d524bd
commit
f2d2ae03da
|
@ -0,0 +1 @@
|
||||||
|
Add logging to 3pid invite signature verification.
|
|
@ -2744,25 +2744,55 @@ class FederationHandler(BaseHandler):
|
||||||
if not invite_event:
|
if not invite_event:
|
||||||
raise AuthError(403, "Could not find invite")
|
raise AuthError(403, "Could not find invite")
|
||||||
|
|
||||||
|
logger.debug("Checking auth on event %r", event.content)
|
||||||
|
|
||||||
last_exception = None
|
last_exception = None
|
||||||
|
# for each public key in the 3pid invite event
|
||||||
for public_key_object in self.hs.get_auth().get_public_keys(invite_event):
|
for public_key_object in self.hs.get_auth().get_public_keys(invite_event):
|
||||||
try:
|
try:
|
||||||
|
# for each sig on the third_party_invite block of the actual invite
|
||||||
for server, signature_block in signed["signatures"].items():
|
for server, signature_block in signed["signatures"].items():
|
||||||
for key_name, encoded_signature in signature_block.items():
|
for key_name, encoded_signature in signature_block.items():
|
||||||
if not key_name.startswith("ed25519:"):
|
if not key_name.startswith("ed25519:"):
|
||||||
continue
|
continue
|
||||||
|
|
||||||
public_key = public_key_object["public_key"]
|
logger.debug(
|
||||||
verify_key = decode_verify_key_bytes(
|
"Attempting to verify sig with key %s from %r "
|
||||||
key_name,
|
"against pubkey %r",
|
||||||
decode_base64(public_key)
|
key_name, server, public_key_object,
|
||||||
)
|
)
|
||||||
verify_signed_json(signed, server, verify_key)
|
|
||||||
if "key_validity_url" in public_key_object:
|
try:
|
||||||
yield self._check_key_revocation(
|
public_key = public_key_object["public_key"]
|
||||||
public_key,
|
verify_key = decode_verify_key_bytes(
|
||||||
|
key_name,
|
||||||
|
decode_base64(public_key)
|
||||||
|
)
|
||||||
|
verify_signed_json(signed, server, verify_key)
|
||||||
|
logger.debug(
|
||||||
|
"Successfully verified sig with key %s from %r "
|
||||||
|
"against pubkey %r",
|
||||||
|
key_name, server, public_key_object,
|
||||||
|
)
|
||||||
|
except Exception:
|
||||||
|
logger.info(
|
||||||
|
"Failed to verify sig with key %s from %r "
|
||||||
|
"against pubkey %r",
|
||||||
|
key_name, server, public_key_object,
|
||||||
|
)
|
||||||
|
raise
|
||||||
|
try:
|
||||||
|
if "key_validity_url" in public_key_object:
|
||||||
|
yield self._check_key_revocation(
|
||||||
|
public_key,
|
||||||
|
public_key_object["key_validity_url"]
|
||||||
|
)
|
||||||
|
except Exception:
|
||||||
|
logger.info(
|
||||||
|
"Failed to query key_validity_url %s",
|
||||||
public_key_object["key_validity_url"]
|
public_key_object["key_validity_url"]
|
||||||
)
|
)
|
||||||
|
raise
|
||||||
return
|
return
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
last_exception = e
|
last_exception = e
|
||||||
|
|
Loading…
Reference in New Issue