Remove TLS fingerprints, improve perspective unmarshal handling (#1452)

* Add prefer_direct_fetch option * Update gomatrixserverlib * Update gomatrixserverlib * Update gomatrixserverlib * Don't deal in TLS fingerprints anymore
2025-07-29 12:42:46 +00:00 · 2020-09-29 17:08:18 +01:00 · 2020-09-29 17:08:18 +01:00 · f290e92a34
commit f290e92a34
parent 43cdba9a69
10 changed files with 34 additions and 58 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -16,7 +16,6 @@ package config

 import (
 	"bytes"
-	"crypto/sha256"
 	"encoding/pem"
 	"fmt"
 	"io"
@ -252,20 +251,6 @@ func loadConfig(
 		c.Global.OldVerifyKeys[i].KeyID, c.Global.OldVerifyKeys[i].PrivateKey = keyID, privateKey
 	}

-	for _, certPath := range c.FederationAPI.FederationCertificatePaths {
-		absCertPath := absPath(basePath, certPath)
-		var pemData []byte
-		pemData, err = readFile(absCertPath)
-		if err != nil {
-			return nil, err
-		}
-		fingerprint := fingerprintPEM(pemData)
-		if fingerprint == nil {
-			return nil, fmt.Errorf("no certificate PEM data in %q", absCertPath)
-		}
-		c.FederationAPI.TLSFingerPrints = append(c.FederationAPI.TLSFingerPrints, *fingerprint)
-	}
-
 	c.MediaAPI.AbsBasePath = Path(absPath(basePath, c.MediaAPI.BasePath))

 	// Generate data from config options
@ -494,20 +479,6 @@ func readKeyPEM(path string, data []byte, enforceKeyIDFormat bool) (gomatrixserv
 	}
 }

-func fingerprintPEM(data []byte) *gomatrixserverlib.TLSFingerprint {
-	for {
-		var certDERBlock *pem.Block
-		certDERBlock, data = pem.Decode(data)
-		if data == nil {
-			return nil
-		}
-		if certDERBlock.Type == "CERTIFICATE" {
-			digest := sha256.Sum256(certDERBlock.Bytes)
-			return &gomatrixserverlib.TLSFingerprint{SHA256: digest[:]}
-		}
-	}
-}
-
 // AppServiceURL returns a HTTP URL for where the appservice component is listening.
 func (config *Dendrite) AppServiceURL() string {
 	// Hard code the appservice server to talk HTTP for now.
--- a/internal/config/config_federationapi.go
+++ b/internal/config/config_federationapi.go
@ -1,7 +1,5 @@
 package config

-import "github.com/matrix-org/gomatrixserverlib"
-
 type FederationAPI struct {
 	Matrix *Global `yaml:"-"`

@ -14,10 +12,6 @@ type FederationAPI struct {
 	// to match one of these certificates.
 	// The certificates should be in PEM format.
 	FederationCertificatePaths []Path `yaml:"federation_certificates"`
-
-	// A list of SHA256 TLS fingerprints for the X509 certificates used by the
-	// federation listener for this server.
-	TLSFingerPrints []gomatrixserverlib.TLSFingerprint `yaml:"-"`
 }

 func (c *FederationAPI) Defaults() {
--- a/internal/config/config_serverkey.go
+++ b/internal/config/config_serverkey.go
@ -14,6 +14,9 @@ type ServerKeyAPI struct {
 	// Perspective keyservers, to use as a backup when direct key fetch
 	// requests don't succeed
 	KeyPerspectives KeyPerspectives `yaml:"key_perspectives"`
+
+	// Should we prefer direct key fetches over perspective ones?
+	PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
 }

 func (c *ServerKeyAPI) Defaults() {
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -253,19 +253,6 @@ Key-ID: ` + testKeyID + `
 -----END MATRIX PRIVATE KEY-----
 `

-func TestFingerprintPEM(t *testing.T) {
-	got := fingerprintPEM([]byte(testCert))
-	if got == nil {
-		t.Error("failed to calculate fingerprint")
-	}
-	if string(got.SHA256) != testCertFingerprint {
-		t.Errorf("bad fingerprint: wanted %q got %q", got, testCertFingerprint)
-	}
-
-}
-
-const testCertFingerprint = "56.\\SPQxE\xd4\x95\xfb\xf6\xd5\x04\x91\xcb/\x07\xb1^\x88\x08\xe3\xc1p\xdfY\x04\x19w\xcb"
-
 const testCert = `
 -----BEGIN CERTIFICATE-----
 MIIE0zCCArugAwIBAgIJAPype3u24LJeMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTcw