Allow resigning of events with a new signing key (#19668)

This adds a way to re-sign all locally-created events with a new signing
key, which is useful when rotating server signing keys.

This doesn't trigger automatically, instead needs to be triggered when
needed via the admin API.

c.f.
matrix-org/internal-config#1670 (comment)
for internal discussion.

---------

Co-authored-by: Kegan Dougall <kegan@element.io>
Co-authored-by: Erik Johnston <erikj@element.io>

Author: 3 people

changelog.d/19668.feature

@@ -0,0 +1 @@
+Add a way to re-sign local events with a new signing key.

docs/usage/administration/admin_api/background_updates.md

@@ -107,3 +107,6 @@ The following JSON body parameters are available:
 - `job_name` - A string which job to run. Valid values are:
   - `populate_stats_process_rooms` - Recalculate the stats for all rooms.
   - `regenerate_directory` - Recalculate the [user directory](../../../user_directory.md) if it is stale or out of sync.
+  - `event_resign` - Re-sign all locally-sent events with the current signing key. This is useful after rotating the server's signing key to ensure all historical events are signed with the new key. Optional additional parameters:
+    - `old_key` - Only re-sign events whose signature verifies against this key. Format: `"ed25519:key_id base64_public_key"` (e.g. `"ed25519:my_old_key XGX0JRS2Af3be3knz2fBiRbApjm2Dh61gXDJA8kcJNI"`).
+    - `before_ts` - Only re-sign events with a `received_ts` less than this value (milliseconds since the epoch).

poetry.lock

@@ -29,7 +29,10 @@ dependencies = [
     # We require 2.0.0 for immutabledict support.
     "canonicaljson>=2.0.0,<3.0.0",
     # we use the type definitions added in signedjson 1.1.
-    "signedjson>=1.1.0,<2.0.0",
+    # 1.1.0 erroneously removed decode_verify_key_base64 (reintroduced in 1.1.1).
+    # 1.1.1 is mispackaged (importlib-metadata dependency without minimum version bound)
+    # 1.1.2, 1.1.3 and 1.1.4 were all released on the same day, so no good reason to use the older version.
+    "signedjson>=1.1.4,<2.0.0",
     # validating SSL certs for IP addresses requires service_identity 18.1.
     "service-identity>=18.1.0",
     # Twisted 18.9 introduces some logger improvements that the structured

pyproject.toml

@@ -27,15 +27,15 @@
 
 from canonicaljson import encode_canonical_json
 from signedjson.sign import sign_json
-from signedjson.types import SigningKey
+from signedjson.types import SigningKey, VerifyKey
 from unpaddedbase64 import decode_base64, encode_base64
 
 from synapse.api.errors import Codes, SynapseError
 from synapse.api.room_versions import RoomVersion
 from synapse.events import EventBase
 from synapse.events.utils import prune_event, prune_event_dict
 from synapse.logging.opentracing import trace
-from synapse.types import JsonDict
+from synapse.types import JsonDict, UserID
 
 logger = logging.getLogger(__name__)
 
@@ -192,3 +192,54 @@ def add_hashes_and_signatures(
     event_dict["signatures"] = compute_event_signature(
         room_version, event_dict, signature_name=signature_name, signing_key=signing_key
     )
+
+
+def resign_event(
+    ev: EventBase,
+    server_name: str,
+    signing_key: SigningKey,
+    time_now: int | None = None,
+) -> JsonDict:
+    """Re-sign the provided event with the given signing key. Any existing signatures on the event
+    for this server_name are removed.
+
+    If there has been no signature for this event by this server_name, the event is still re-signed.
+    If there have been signatures on this event by this server_name, the event is not re-checked for
+    validity. As such, only events that have valid signatures should be passed into this function
+    e.g. from the event_json table in the database.
+    """
+    event_dict = ev.get_pdu_json(time_now=time_now)
+    event_dict["signatures"].pop(
+        server_name, None
+    )  # remove existing signatures for this server_name
+    event_dict["signatures"].update(
+        compute_event_signature(
+            ev.room_version,
+            event_dict,
+            server_name,
+            signing_key,
+        )
+    )
+    return event_dict
+
+
+def event_needs_resigning(
+    ev: EventBase, server_name: str, verify_key: VerifyKey
+) -> bool:
+    """Check if this event needs re-signing.
+
+    This returns True if all of the following are True:
+     - the event `sender` domain matches the `server_name` provided.
+     - the event has not been already signed with this `verify_key`.
+    """
+    sender = UserID.from_string(ev.sender)
+    if sender.domain != server_name:
+        return False
+    want_key_id = verify_key.alg + ":" + verify_key.version
+    signed_with_current_key_id = ev.signatures.get(server_name, {}).get(
+        want_key_id, None
+    )
+    if signed_with_current_key_id:
+        return False
+
+    return True

synapse/crypto/event_signing.py

@@ -18,6 +18,7 @@
 # [This file includes modifications made by New Vector Limited]
 #
 #
+import json
 import logging
 from http import HTTPStatus
 from typing import TYPE_CHECKING
@@ -150,6 +151,24 @@ async def on_POST(self, request: SynapseRequest) -> tuple[int, JsonDict]:
                     "populate_user_directory_process_users",
                 ),
             ]
+        elif job_name == "event_resign":
+            old_key = body.get("old_key")
+            if old_key is not None and not isinstance(old_key, str):
+                raise SynapseError(
+                    HTTPStatus.BAD_REQUEST,
+                    "'old_key' must be a string",
+                )
+            before_ts = body.get("before_ts")
+            if before_ts is not None and not isinstance(before_ts, int):
+                raise SynapseError(
+                    HTTPStatus.BAD_REQUEST,
+                    "'before_ts' must be an integer",
+                )
+            progress = {
+                "old_key": old_key,
+                "before_ts": before_ts,
+            }
+            jobs = [("event_resign", json.dumps(progress), "")]
         else:
             raise SynapseError(HTTPStatus.BAD_REQUEST, "Invalid job_name")