yetangitu/funkwhale
1
0
Fork 0
mirror of https://code.eliotberriot.com/funkwhale/funkwhale.git synced 2025-10-03 23:59:15 +02:00
Code Issues Releases Wiki Activity

Fix #658: Support blind key rotation in HTTP Signatures

Browse source
This commit is contained in:
Eliot Berriot 2019-01-11 11:04:11 +01:00
parent 8c578fa9f5
commit 5fe30cf59b
No known key found for this signature in database
GPG key ID: DD6965E2476E5C27
9 changed files with 162 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

8
api/funkwhale_api/federation/authentication.py
View file

@ -49,7 +49,13 @@ class SignatureAuthentication(authentication.BaseAuthentication):
try:
signing.verify_django(request, actor.public_key.encode("utf-8"))
except cryptography.exceptions.InvalidSignature:
raise rest_exceptions.AuthenticationFailed("Invalid signature")
# in case of invalid signature, we refetch the actor object
# to load a potentially new public key. This process is called
# Blind key rotation, and is described at
# https://blog.dereferenced.org/the-case-for-blind-key-rotation
# if signature verification fails after that, then we return a 403 error
actor = actors.get_actor(actor_url, skip_cache=True)
signing.verify_django(request, actor.public_key.encode("utf-8"))
return actor