check public key / server-id

2025-02-11 13:35:24 +00:00 · 2020-11-24 01:19:10 -07:00 · 2020-11-24 01:19:10 -07:00 · 42b7d3974f
commit 42b7d3974f
parent 1b531359d7
3 changed files with 11 additions and 5 deletions
--- a/src/allmydata/grid_manager.py
+++ b/src/allmydata/grid_manager.py
@ -346,7 +346,7 @@ def validate_grid_manager_certificate(gm_key, alleged_cert):
    return cert


-def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
+def create_grid_manager_verifier(keys, certs, public_key, now_fn=None, bad_cert=None):
    """
    Creates a predicate for confirming some Grid Manager-issued
    certificates against Grid Manager keys. A predicate is used
@ -358,6 +358,9 @@ def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
    :param list certs: 1 or more Grid Manager certificates each of
        which is a `dict` containing 'signature' and 'certificate' keys.

+    :param str public_key: the identifier of the server we expect
+        certificates for.
+
    :param callable now_fn: a callable which returns the current UTC
        timestamp (or datetime.utcnow if None).

@ -416,7 +419,8 @@ def create_grid_manager_verifier(keys, certs, now_fn=None, bad_cert=None):
        # if *any* certificate is still valid then we consider the server valid
        for cert in valid_certs:
            expires = datetime.utcfromtimestamp(cert['expires'])
-            # cert_pubkey = keyutil.parse_pubkey(cert['public_key'].encode('ascii'))
+            cert_pubkey = ed25519.verifying_key_from_string(cert['public_key'].encode('ascii'))
+            if cert['public_key'] == public_key:
                if expires > now:
                    # not-expired
                    return True
--- a/src/allmydata/storage_client.py
+++ b/src/allmydata/storage_client.py
@ -285,6 +285,7 @@ class StorageFarmBroker(service.MultiService):
        gm_verifier = create_grid_manager_verifier(
            self.storage_client_config.grid_manager_keys,
            server["ann"].get("grid-manager-certificates", []),
+            "pub-{}".format(server_id),  # server_id is v0-<key> not pub-v0-key .. for reasons?
        )

        s = NativeStorageServer(
--- a/src/allmydata/test/test_grid_manager.py
+++ b/src/allmydata/test/test_grid_manager.py
@ -287,6 +287,7 @@ class GridManagerVerifier(SyncTestCase):
        verify = create_grid_manager_verifier(
            [self.gm._public_key],
            [cert0],
+            ed25519.string_from_verifying_key(pub0),
        )

        self.assertTrue(verify())