mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Add a master-key-ed25519 line for convenience
This commit is contained in:
parent
3028507e96
commit
3d653dff5e
@ -2406,6 +2406,7 @@ router_dump_router_to_string(routerinfo_t *router,
|
||||
if (emit_ed_sigs) {
|
||||
/* Encode ed25519 signing cert */
|
||||
char ed_cert_base64[256];
|
||||
char ed_fp_base64[ED25519_BASE64_LEN+1];
|
||||
if (base64_encode(ed_cert_base64, sizeof(ed_cert_base64),
|
||||
(const char*)router->signing_key_cert->encoded,
|
||||
router->signing_key_cert->encoded_len,
|
||||
@ -2413,10 +2414,17 @@ router_dump_router_to_string(routerinfo_t *router,
|
||||
log_err(LD_BUG,"Couldn't base64-encode signing key certificate!");
|
||||
goto err;
|
||||
}
|
||||
if (ed25519_public_to_base64(ed_fp_base64,
|
||||
&router->signing_key_cert->signing_key)<0) {
|
||||
log_err(LD_BUG,"Couldn't base64-encode identity key\n");
|
||||
goto err;
|
||||
}
|
||||
tor_asprintf(&ed_cert_line, "identity-ed25519\n"
|
||||
"-----BEGIN ED25519 CERT-----\n"
|
||||
"%s"
|
||||
"-----END ED25519 CERT-----\n", ed_cert_base64);
|
||||
"-----END ED25519 CERT-----\n"
|
||||
"master-key-ed25519 %s\n",
|
||||
ed_cert_base64, ed_fp_base64);
|
||||
}
|
||||
|
||||
/* PEM-encode the onion key */
|
||||
|
@ -89,6 +89,7 @@ typedef enum {
|
||||
K_IPV6_POLICY,
|
||||
K_ROUTER_SIG_ED25519,
|
||||
K_IDENTITY_ED25519,
|
||||
K_MASTER_KEY_ED25519,
|
||||
K_ONION_KEY_CROSSCERT,
|
||||
K_NTOR_ONION_KEY_CROSSCERT,
|
||||
|
||||
@ -302,6 +303,7 @@ static token_rule_t routerdesc_token_table[] = {
|
||||
T01("extra-info-digest", K_EXTRA_INFO_DIGEST, GE(1), NO_OBJ ),
|
||||
T01("hidden-service-dir", K_HIDDEN_SERVICE_DIR, NO_ARGS, NO_OBJ ),
|
||||
T01("identity-ed25519", K_IDENTITY_ED25519, NO_ARGS, NEED_OBJ ),
|
||||
T01("master-key-ed25519", K_MASTER_KEY_ED25519, GE(1), NO_OBJ ),
|
||||
T01("router-sig-ed25519", K_ROUTER_SIG_ED25519, GE(1), NO_OBJ ),
|
||||
T01("onion-key-crosscert", K_ONION_KEY_CROSSCERT, NO_ARGS, NEED_OBJ ),
|
||||
T01("ntor-onion-key-crosscert", K_NTOR_ONION_KEY_CROSSCERT,
|
||||
@ -1337,9 +1339,11 @@ router_parse_entry_from_string(const char *s, const char *end,
|
||||
}
|
||||
|
||||
{
|
||||
directory_token_t *ed_sig_tok, *ed_cert_tok, *cc_tap_tok, *cc_ntor_tok;
|
||||
directory_token_t *ed_sig_tok, *ed_cert_tok, *cc_tap_tok, *cc_ntor_tok,
|
||||
*master_key_tok;
|
||||
ed_sig_tok = find_opt_by_keyword(tokens, K_ROUTER_SIG_ED25519);
|
||||
ed_cert_tok = find_opt_by_keyword(tokens, K_IDENTITY_ED25519);
|
||||
master_key_tok = find_opt_by_keyword(tokens, K_MASTER_KEY_ED25519);
|
||||
cc_tap_tok = find_opt_by_keyword(tokens, K_ONION_KEY_CROSSCERT);
|
||||
cc_ntor_tok = find_opt_by_keyword(tokens, K_NTOR_ONION_KEY_CROSSCERT);
|
||||
int n_ed_toks = !!ed_sig_tok + !!ed_cert_tok +
|
||||
@ -1350,6 +1354,11 @@ router_parse_entry_from_string(const char *s, const char *end,
|
||||
"cross-certification support");
|
||||
goto err;
|
||||
}
|
||||
if (master_key_tok && !ed_sig_tok) {
|
||||
log_warn(LD_DIR, "Router descriptor has ed25519 master key but no "
|
||||
"certificate");
|
||||
goto err;
|
||||
}
|
||||
if (ed_sig_tok) {
|
||||
tor_assert(ed_cert_tok && cc_tap_tok && cc_ntor_tok);
|
||||
const int ed_cert_token_pos = smartlist_pos(tokens, ed_cert_tok);
|
||||
@ -1394,12 +1403,30 @@ router_parse_entry_from_string(const char *s, const char *end,
|
||||
goto err;
|
||||
}
|
||||
router->signing_key_cert = cert; /* makes sure it gets freed. */
|
||||
|
||||
if (cert->cert_type != CERT_TYPE_ID_SIGNING ||
|
||||
! cert->signing_key_included) {
|
||||
log_warn(LD_DIR, "Invalid form for ed25519 cert");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (master_key_tok) {
|
||||
/* This token is optional, but if it's present, it must match
|
||||
* the signature in the signing cert, or supplant it. */
|
||||
tor_assert(master_key_tok->n_args >= 1);
|
||||
ed25519_public_key_t pkey;
|
||||
if (ed25519_public_from_base64(&pkey, master_key_tok->args[0])<0) {
|
||||
log_warn(LD_DIR, "Can't parse ed25519 master key");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (fast_memneq(&cert->signing_key.pubkey,
|
||||
pkey.pubkey, ED25519_PUBKEY_LEN)) {
|
||||
log_warn(LD_DIR, "Ed25519 master key does not match "
|
||||
"key in certificate");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
ntor_cc_cert = tor_cert_parse((const uint8_t*)cc_ntor_tok->object_body,
|
||||
cc_ntor_tok->object_size);
|
||||
if (!ntor_cc_cert) {
|
||||
|
@ -227,8 +227,16 @@ test_dir_formats(void *arg)
|
||||
"identity-ed25519\n"
|
||||
"-----BEGIN ED25519 CERT-----\n", sizeof(buf2));
|
||||
strlcat(buf2, cert_buf, sizeof(buf2));
|
||||
strlcat(buf2, "-----END ED25519 CERT-----\n"
|
||||
"platform Tor "VERSION" on ", sizeof(buf2));
|
||||
strlcat(buf2, "-----END ED25519 CERT-----\n", sizeof(buf2));
|
||||
strlcat(buf2, "master-key-ed25519 ", sizeof(buf2));
|
||||
{
|
||||
char k[ED25519_BASE64_LEN+1];
|
||||
tt_assert(ed25519_public_to_base64(k, &r2->signing_key_cert->signing_key)
|
||||
>= 0);
|
||||
strlcat(buf2, k, sizeof(buf2));
|
||||
strlcat(buf2, "\n", sizeof(buf2));
|
||||
}
|
||||
strlcat(buf2, "platform Tor "VERSION" on ", sizeof(buf2));
|
||||
strlcat(buf2, get_uname(), sizeof(buf2));
|
||||
strlcat(buf2, "\n"
|
||||
"protocols Link 1 2 Circuit 1\n"
|
||||
|
Loading…
Reference in New Issue
Block a user