cap the validity_ts on server signing keys

richvdh · richvdh · commit 00bf99fa628e · 2019-06-05T00:33:36.000+01:00
... as per matrix-org/matrix-spec-proposals#2075
diff --git a/changelog.d/5348.bugfix b/changelog.d/5348.bugfix
@@ -0,0 +1,2 @@
+Ensure that we have an up-to-date copy of the signing key when validating incoming federation requests.
+
diff --git a/synapse/crypto/keyring.py b/synapse/crypto/keyring.py
@@ -56,6 +56,9 @@
 from synapse.util.metrics import Measure
 from synapse.util.retryutils import NotRetryingDestination
 
+# the maximum amount of time we cache a signing key for, before we consider it invalid.
+MAX_KEY_VALID_MS = 7 * 24 * 3600 * 1000
+
 logger = logging.getLogger(__name__)
 
 
@@ -483,6 +486,9 @@ def process_v2_response(
         """
         ts_valid_until_ms = response_json[u"valid_until_ts"]
 
+        # cap the ts_valid_until_ms, to stop people poisoning our cache forever
+        ts_valid_until_ms = min(ts_valid_until_ms, time_added_ms + MAX_KEY_VALID_MS)
+
         # start by extracting the keys from the response, since they may be required
         # to validate the signature on the response.
         verify_keys = {}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Ensure that we have an up-to-date copy of the signing key when validating incoming federation requests.`
	`2`	`+`