Support specifying old_verify_keys in config

2025-12-16 23:31:24 +01:00 · 2024-09-13 14:46:27 +00:00 · 2024-09-13 14:46:27 +00:00 · 458a7458dc
commit 458a7458dc
parent 5691cf0868
3 changed files with 22 additions and 2 deletions
--- a/book/changelog.md
+++ b/book/changelog.md
@ -222,3 +222,5 @@ This will be the first release of Grapevine since it was forked from Conduit
    ([!58](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/58))
 16. Added support for configuring and serving `/.well-known/matrix/...` data.
    ([!90](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/90))
+17. Added support for configuring old verify/signing keys in config (`federation.old_verify_keys`)
+    ([!96](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/96))
--- a/src/config.rs
+++ b/src/config.rs
@ -1,12 +1,16 @@
 use std::{
    borrow::Cow,
+    collections::BTreeMap,
    fmt::{self, Display},
    net::{IpAddr, Ipv4Addr},
    path::{Path, PathBuf},
 };

 use once_cell::sync::Lazy;
-use ruma::{OwnedServerName, RoomVersionId};
+use ruma::{
+    api::federation::discovery::OldVerifyKey, OwnedServerName,
+    OwnedServerSigningKeyId, RoomVersionId,
+};
 use serde::Deserialize;

 use crate::error;
@ -288,6 +292,7 @@ pub(crate) struct FederationConfig {
    pub(crate) trusted_servers: Vec<OwnedServerName>,
    pub(crate) max_fetch_prev_events: u16,
    pub(crate) max_concurrent_requests: u16,
+    pub(crate) old_verify_keys: BTreeMap<OwnedServerSigningKeyId, OldVerifyKey>,
 }

 impl Default for FederationConfig {
@ -299,6 +304,7 @@ impl Default for FederationConfig {
            ],
            max_fetch_prev_events: 100,
            max_concurrent_requests: 100,
+            old_verify_keys: BTreeMap::new(),
        }
    }
 }
--- a/src/service/globals/data.rs
+++ b/src/service/globals/data.rs
@ -18,17 +18,29 @@ use crate::{services, Result};
 /// don't require post-validation
 #[derive(Deserialize, Debug, Clone)]
 pub(crate) struct SigningKeys {
+    // FIXME: Use [`OwnedServerSigningKeyId`] as key
+    // Not yet feasibly because they get passed to `verify_event`, see https://github.com/ruma/ruma/pull/1808
    pub(crate) verify_keys: BTreeMap<String, VerifyKey>,
    pub(crate) old_verify_keys: BTreeMap<String, OldVerifyKey>,
+
    pub(crate) valid_until_ts: MilliSecondsSinceUnixEpoch,
 }

 impl SigningKeys {
    /// Creates the `SigningKeys` struct, using the keys of the current server
    pub(crate) fn load_own_keys() -> Self {
+        let old_verify_keys = services()
+            .globals
+            .config
+            .federation
+            .old_verify_keys
+            .iter()
+            .map(|(id, key)| (id.to_string(), key.clone()))
+            .collect();
+
        let mut keys = Self {
            verify_keys: BTreeMap::new(),
-            old_verify_keys: BTreeMap::new(),
+            old_verify_keys,
            valid_until_ts: MilliSecondsSinceUnixEpoch::from_system_time(
                SystemTime::now() + Duration::from_secs(7 * 86400),
            )