Add some logging to 3pid invite sig verification (#5015)

I had to add quite a lot of logging to diagnose a problem with 3pid
invites - we only logged the one failure which isn't all that
informative.

NB. I'm not convinced the logic of this loop is right: I think it
should just accept a single valid signature from a trusted source
rather than fail if *any* signature is invalid. Also it should
probably not skip the rest of middle loop if a check fails? However,
I'm deliberately not changing the logic here.
This commit is contained in:
David Baker 2019-06-18 22:51:24 +01:00 committed by Richard van der Hoff
parent 82d9d524bd
commit f2d2ae03da
2 changed files with 39 additions and 8 deletions

1
changelog.d/5015.misc Normal file
View File

@ -0,0 +1 @@
Add logging to 3pid invite signature verification.

View File

@ -2744,25 +2744,55 @@ class FederationHandler(BaseHandler):
if not invite_event: if not invite_event:
raise AuthError(403, "Could not find invite") raise AuthError(403, "Could not find invite")
logger.debug("Checking auth on event %r", event.content)
last_exception = None last_exception = None
# for each public key in the 3pid invite event
for public_key_object in self.hs.get_auth().get_public_keys(invite_event): for public_key_object in self.hs.get_auth().get_public_keys(invite_event):
try: try:
# for each sig on the third_party_invite block of the actual invite
for server, signature_block in signed["signatures"].items(): for server, signature_block in signed["signatures"].items():
for key_name, encoded_signature in signature_block.items(): for key_name, encoded_signature in signature_block.items():
if not key_name.startswith("ed25519:"): if not key_name.startswith("ed25519:"):
continue continue
logger.debug(
"Attempting to verify sig with key %s from %r "
"against pubkey %r",
key_name, server, public_key_object,
)
try:
public_key = public_key_object["public_key"] public_key = public_key_object["public_key"]
verify_key = decode_verify_key_bytes( verify_key = decode_verify_key_bytes(
key_name, key_name,
decode_base64(public_key) decode_base64(public_key)
) )
verify_signed_json(signed, server, verify_key) verify_signed_json(signed, server, verify_key)
logger.debug(
"Successfully verified sig with key %s from %r "
"against pubkey %r",
key_name, server, public_key_object,
)
except Exception:
logger.info(
"Failed to verify sig with key %s from %r "
"against pubkey %r",
key_name, server, public_key_object,
)
raise
try:
if "key_validity_url" in public_key_object: if "key_validity_url" in public_key_object:
yield self._check_key_revocation( yield self._check_key_revocation(
public_key, public_key,
public_key_object["key_validity_url"] public_key_object["key_validity_url"]
) )
except Exception:
logger.info(
"Failed to query key_validity_url %s",
public_key_object["key_validity_url"]
)
raise
return return
except Exception as e: except Exception as e:
last_exception = e last_exception = e