From c1d9025453e00690b0c44fa8fc066fa989111c7f Mon Sep 17 00:00:00 2001 From: Travis Ralston Date: Wed, 4 Sep 2024 16:28:12 -0600 Subject: [PATCH] Ensure remote signing keys expire after at most 7 days (#613) --- CHANGELOG.md | 1 + matrix/requests_signing.go | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91fdeb6d..b02fbf8a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), * Return a 404 instead of 500 when clients access media which is frozen. * Ensure the request parameters are correctly set for authenticated media client requests. +* Ensure remote signing keys expire after at most 7 days. * Fixed parsing of `Authorization` headers for federated servers. ## [1.3.7] - July 30, 2024 diff --git a/matrix/requests_signing.go b/matrix/requests_signing.go index da97ea94..0524a31d 100644 --- a/matrix/requests_signing.go +++ b/matrix/requests_signing.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "fmt" + "math" "net/http" "sync" "time" @@ -128,11 +129,13 @@ func QuerySigningKeys(serverName string) (ServerSigningKeys, error) { if keyInfo.ServerName != serverName { return nil, fmt.Errorf("got keys for '%s' but expected '%s'", keyInfo.ServerName, serverName) } + maxValidity := time.Now().Add(7 * 24 * time.Hour) if keyInfo.ValidUntilTs <= util.NowMillis() { return nil, errors.New("returned server keys are expired") } + keyInfo.ValidUntilTs = int64(math.Min(float64(keyInfo.ValidUntilTs), float64(maxValidity.UnixMilli()))) cacheUntil := time.Until(time.UnixMilli(keyInfo.ValidUntilTs)) / 2 - if cacheUntil <= (6 * time.Second) { + if cacheUntil <= (1 * time.Minute) { return nil, errors.New("returned server keys would expire too quickly") }