mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge branch 'tor-gitlab/mr/145'
This commit is contained in:
commit
4dbbc000b5
3
changes/ticket40124
Normal file
3
changes/ticket40124
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
o Minor bugfixes (spec conformance):
|
||||||
|
- Use the correct key type when generating signing->link
|
||||||
|
certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.
|
@ -1587,7 +1587,7 @@ setup_desc_intro_point(const ed25519_keypair_t *signing_kp,
|
|||||||
memcpy(&desc_ip->onion_key, &ip->onion_key, sizeof(desc_ip->onion_key));
|
memcpy(&desc_ip->onion_key, &ip->onion_key, sizeof(desc_ip->onion_key));
|
||||||
|
|
||||||
/* Key and certificate material. */
|
/* Key and certificate material. */
|
||||||
desc_ip->auth_key_cert = tor_cert_create(signing_kp,
|
desc_ip->auth_key_cert = tor_cert_create_ed25519(signing_kp,
|
||||||
CERT_TYPE_AUTH_HS_IP_KEY,
|
CERT_TYPE_AUTH_HS_IP_KEY,
|
||||||
&ip->auth_key_kp.pubkey,
|
&ip->auth_key_kp.pubkey,
|
||||||
nearest_hour,
|
nearest_hour,
|
||||||
@ -1638,7 +1638,7 @@ setup_desc_intro_point(const ed25519_keypair_t *signing_kp,
|
|||||||
ed25519_public_key_from_curve25519_public_key(&ed25519_pubkey,
|
ed25519_public_key_from_curve25519_public_key(&ed25519_pubkey,
|
||||||
&ip->enc_key_kp.pubkey,
|
&ip->enc_key_kp.pubkey,
|
||||||
0);
|
0);
|
||||||
desc_ip->enc_key_cert = tor_cert_create(signing_kp,
|
desc_ip->enc_key_cert = tor_cert_create_ed25519(signing_kp,
|
||||||
CERT_TYPE_CROSS_HS_IP_KEYS,
|
CERT_TYPE_CROSS_HS_IP_KEYS,
|
||||||
&ed25519_pubkey, nearest_hour,
|
&ed25519_pubkey, nearest_hour,
|
||||||
HS_DESC_CERT_LIFETIME,
|
HS_DESC_CERT_LIFETIME,
|
||||||
@ -1712,12 +1712,13 @@ build_desc_signing_key_cert(hs_service_descriptor_t *desc, time_t now)
|
|||||||
|
|
||||||
/* Fresh certificate for the signing key. */
|
/* Fresh certificate for the signing key. */
|
||||||
plaintext->signing_key_cert =
|
plaintext->signing_key_cert =
|
||||||
tor_cert_create(&desc->blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
|
tor_cert_create_ed25519(&desc->blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
|
||||||
&desc->signing_kp.pubkey, now, HS_DESC_CERT_LIFETIME,
|
&desc->signing_kp.pubkey, now, HS_DESC_CERT_LIFETIME,
|
||||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
/* If the cert creation fails, the descriptor encoding will fail and thus
|
/* If the cert creation fails, the descriptor encoding will fail and thus
|
||||||
* ultimately won't be uploaded. We'll get a stack trace to help us learn
|
* ultimately won't be uploaded. We'll get a stack trace to help us learn
|
||||||
* where the call came from and the tor_cert_create() will log the error. */
|
* where the call came from and the tor_cert_create_ed25519() will log the
|
||||||
|
* error. */
|
||||||
tor_assert_nonfatal(plaintext->signing_key_cert);
|
tor_assert_nonfatal(plaintext->signing_key_cert);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -661,7 +661,7 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
|
|||||||
uint32_t cert_flags = 0;
|
uint32_t cert_flags = 0;
|
||||||
if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
|
if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
|
||||||
cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
|
cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
|
||||||
cert = tor_cert_create(signing_key, cert_type,
|
cert = tor_cert_create_ed25519(signing_key, cert_type,
|
||||||
&keypair->pubkey,
|
&keypair->pubkey,
|
||||||
now, lifetime,
|
now, lifetime,
|
||||||
cert_flags);
|
cert_flags);
|
||||||
@ -739,7 +739,7 @@ ed_key_new(const ed25519_keypair_t *signing_key,
|
|||||||
uint32_t cert_flags = 0;
|
uint32_t cert_flags = 0;
|
||||||
if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
|
if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
|
||||||
cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
|
cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
|
||||||
tor_cert_t *cert = tor_cert_create(signing_key, cert_type,
|
tor_cert_t *cert = tor_cert_create_ed25519(signing_key, cert_type,
|
||||||
&keypair->pubkey,
|
&keypair->pubkey,
|
||||||
now, lifetime,
|
now, lifetime,
|
||||||
cert_flags);
|
cert_flags);
|
||||||
|
@ -37,11 +37,11 @@
|
|||||||
|
|
||||||
#include "core/or/or_handshake_certs_st.h"
|
#include "core/or/or_handshake_certs_st.h"
|
||||||
|
|
||||||
/** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519
|
/** As tor_cert_create(), but accept an arbitrary signed_key_type as the
|
||||||
* key.
|
* subject key -- not just an ed25519 key.
|
||||||
*/
|
*/
|
||||||
static tor_cert_t *
|
tor_cert_t *
|
||||||
tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
|
tor_cert_create_raw(const ed25519_keypair_t *signing_key,
|
||||||
uint8_t cert_type,
|
uint8_t cert_type,
|
||||||
uint8_t signed_key_type,
|
uint8_t signed_key_type,
|
||||||
const uint8_t signed_key_info[32],
|
const uint8_t signed_key_info[32],
|
||||||
@ -128,13 +128,13 @@ tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
|
|||||||
* the public part of <b>signing_key</b> in the certificate.
|
* the public part of <b>signing_key</b> in the certificate.
|
||||||
*/
|
*/
|
||||||
tor_cert_t *
|
tor_cert_t *
|
||||||
tor_cert_create(const ed25519_keypair_t *signing_key,
|
tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
|
||||||
uint8_t cert_type,
|
uint8_t cert_type,
|
||||||
const ed25519_public_key_t *signed_key,
|
const ed25519_public_key_t *signed_key,
|
||||||
time_t now, time_t lifetime,
|
time_t now, time_t lifetime,
|
||||||
uint32_t flags)
|
uint32_t flags)
|
||||||
{
|
{
|
||||||
return tor_cert_sign_impl(signing_key, cert_type,
|
return tor_cert_create_raw(signing_key, cert_type,
|
||||||
SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
|
SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
|
||||||
now, lifetime, flags);
|
now, lifetime, flags);
|
||||||
}
|
}
|
||||||
|
@ -11,7 +11,9 @@
|
|||||||
|
|
||||||
#include "lib/crypt_ops/crypto_ed25519.h"
|
#include "lib/crypt_ops/crypto_ed25519.h"
|
||||||
|
|
||||||
#define SIGNED_KEY_TYPE_ED25519 0x01
|
#define SIGNED_KEY_TYPE_ED25519 0x01
|
||||||
|
#define SIGNED_KEY_TYPE_SHA256_OF_RSA 0x02
|
||||||
|
#define SIGNED_KEY_TYPE_SHA256_OF_X509 0x03
|
||||||
|
|
||||||
#define CERT_TYPE_ID_SIGNING 0x04
|
#define CERT_TYPE_ID_SIGNING 0x04
|
||||||
#define CERT_TYPE_SIGNING_LINK 0x05
|
#define CERT_TYPE_SIGNING_LINK 0x05
|
||||||
@ -56,11 +58,17 @@ typedef struct tor_cert_st {
|
|||||||
|
|
||||||
struct tor_tls_t;
|
struct tor_tls_t;
|
||||||
|
|
||||||
tor_cert_t *tor_cert_create(const ed25519_keypair_t *signing_key,
|
tor_cert_t *tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
|
||||||
uint8_t cert_type,
|
uint8_t cert_type,
|
||||||
const ed25519_public_key_t *signed_key,
|
const ed25519_public_key_t *signed_key,
|
||||||
time_t now, time_t lifetime,
|
time_t now, time_t lifetime,
|
||||||
uint32_t flags);
|
uint32_t flags);
|
||||||
|
tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key,
|
||||||
|
uint8_t cert_type,
|
||||||
|
uint8_t signed_key_type,
|
||||||
|
const uint8_t signed_key_info[32],
|
||||||
|
time_t now, time_t lifetime,
|
||||||
|
uint32_t flags);
|
||||||
|
|
||||||
tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
|
tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
|
||||||
|
|
||||||
|
@ -387,12 +387,10 @@ generate_ed_link_cert(const or_options_t *options, time_t now,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
ed25519_public_key_t dummy_key;
|
link_cert = tor_cert_create_raw(get_master_signing_keypair(),
|
||||||
memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);
|
|
||||||
|
|
||||||
link_cert = tor_cert_create(get_master_signing_keypair(),
|
|
||||||
CERT_TYPE_SIGNING_LINK,
|
CERT_TYPE_SIGNING_LINK,
|
||||||
&dummy_key,
|
SIGNED_KEY_TYPE_SHA256_OF_X509,
|
||||||
|
(const uint8_t*)digests->d[DIGEST_SHA256],
|
||||||
now,
|
now,
|
||||||
options->TestingLinkCertLifetime, 0);
|
options->TestingLinkCertLifetime, 0);
|
||||||
|
|
||||||
@ -466,7 +464,7 @@ init_mock_ed_keys(const crypto_pk_t *rsa_identity_key)
|
|||||||
MAKEKEY(master_signing_key);
|
MAKEKEY(master_signing_key);
|
||||||
MAKEKEY(current_auth_key);
|
MAKEKEY(current_auth_key);
|
||||||
#define MAKECERT(cert, signing, signed_, type, flags) \
|
#define MAKECERT(cert, signing, signed_, type, flags) \
|
||||||
cert = tor_cert_create(signing, \
|
cert = tor_cert_create_ed25519(signing, \
|
||||||
type, \
|
type, \
|
||||||
&signed_->pubkey, \
|
&signed_->pubkey, \
|
||||||
time(NULL), 86400, \
|
time(NULL), 86400, \
|
||||||
@ -699,8 +697,8 @@ make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key,
|
|||||||
onion_key) < 0)
|
onion_key) < 0)
|
||||||
goto end;
|
goto end;
|
||||||
|
|
||||||
cert = tor_cert_create(&ed_onion_key, CERT_TYPE_ONION_ID, master_id_key,
|
cert = tor_cert_create_ed25519(&ed_onion_key, CERT_TYPE_ONION_ID,
|
||||||
now, lifetime, 0);
|
master_id_key, now, lifetime, 0);
|
||||||
|
|
||||||
end:
|
end:
|
||||||
memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
|
memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
|
||||||
|
@ -75,7 +75,8 @@ hs_helper_build_intro_point(const ed25519_keypair_t *signing_kp, time_t now,
|
|||||||
ret = ed25519_keypair_generate(&auth_kp, 0);
|
ret = ed25519_keypair_generate(&auth_kp, 0);
|
||||||
tt_int_op(ret, OP_EQ, 0);
|
tt_int_op(ret, OP_EQ, 0);
|
||||||
}
|
}
|
||||||
ip->auth_key_cert = tor_cert_create(signing_kp, CERT_TYPE_AUTH_HS_IP_KEY,
|
ip->auth_key_cert = tor_cert_create_ed25519(signing_kp,
|
||||||
|
CERT_TYPE_AUTH_HS_IP_KEY,
|
||||||
&auth_kp.pubkey, now,
|
&auth_kp.pubkey, now,
|
||||||
HS_DESC_CERT_LIFETIME,
|
HS_DESC_CERT_LIFETIME,
|
||||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
@ -110,7 +111,8 @@ hs_helper_build_intro_point(const ed25519_keypair_t *signing_kp, time_t now,
|
|||||||
}
|
}
|
||||||
ed25519_keypair_from_curve25519_keypair(&ed25519_kp, &signbit,
|
ed25519_keypair_from_curve25519_keypair(&ed25519_kp, &signbit,
|
||||||
&curve25519_kp);
|
&curve25519_kp);
|
||||||
cross_cert = tor_cert_create(signing_kp, CERT_TYPE_CROSS_HS_IP_KEYS,
|
cross_cert = tor_cert_create_ed25519(signing_kp,
|
||||||
|
CERT_TYPE_CROSS_HS_IP_KEYS,
|
||||||
&ed25519_kp.pubkey, time(NULL),
|
&ed25519_kp.pubkey, time(NULL),
|
||||||
HS_DESC_CERT_LIFETIME,
|
HS_DESC_CERT_LIFETIME,
|
||||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
@ -155,7 +157,7 @@ hs_helper_build_hs_desc_impl(unsigned int no_ip,
|
|||||||
sizeof(ed25519_public_key_t));
|
sizeof(ed25519_public_key_t));
|
||||||
|
|
||||||
desc->plaintext_data.signing_key_cert =
|
desc->plaintext_data.signing_key_cert =
|
||||||
tor_cert_create(&blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
|
tor_cert_create_ed25519(&blinded_kp, CERT_TYPE_SIGNING_HS_DESC,
|
||||||
&signing_kp->pubkey, now, 3600,
|
&signing_kp->pubkey, now, 3600,
|
||||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
tt_assert(desc->plaintext_data.signing_key_cert);
|
tt_assert(desc->plaintext_data.signing_key_cert);
|
||||||
|
@ -943,7 +943,7 @@ test_dir_formats_rsa_ed25519(void *arg)
|
|||||||
ed25519_secret_key_from_seed(&kp2.seckey,
|
ed25519_secret_key_from_seed(&kp2.seckey,
|
||||||
(const uint8_t*)"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
|
(const uint8_t*)"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
|
||||||
ed25519_public_key_generate(&kp2.pubkey, &kp2.seckey);
|
ed25519_public_key_generate(&kp2.pubkey, &kp2.seckey);
|
||||||
r2->cache_info.signing_key_cert = tor_cert_create(&kp1,
|
r2->cache_info.signing_key_cert = tor_cert_create_ed25519(&kp1,
|
||||||
CERT_TYPE_ID_SIGNING,
|
CERT_TYPE_ID_SIGNING,
|
||||||
&kp2.pubkey,
|
&kp2.pubkey,
|
||||||
now, 86400,
|
now, 86400,
|
||||||
@ -7290,7 +7290,7 @@ test_dir_dirserv_router_get_status(void *arg)
|
|||||||
ed25519_secret_key_from_seed(&kp2.seckey,
|
ed25519_secret_key_from_seed(&kp2.seckey,
|
||||||
(const uint8_t*)"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
|
(const uint8_t*)"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
|
||||||
ed25519_public_key_generate(&kp2.pubkey, &kp2.seckey);
|
ed25519_public_key_generate(&kp2.pubkey, &kp2.seckey);
|
||||||
ri->cache_info.signing_key_cert = tor_cert_create(&kp1,
|
ri->cache_info.signing_key_cert = tor_cert_create_ed25519(&kp1,
|
||||||
CERT_TYPE_ID_SIGNING,
|
CERT_TYPE_ID_SIGNING,
|
||||||
&kp2.pubkey,
|
&kp2.pubkey,
|
||||||
now, 86400,
|
now, 86400,
|
||||||
|
@ -56,7 +56,7 @@ test_cert_encoding(void *arg)
|
|||||||
ret = ed25519_public_key_generate(&signed_key, &secret_key);
|
ret = ed25519_public_key_generate(&signed_key, &secret_key);
|
||||||
tt_int_op(ret, == , 0);
|
tt_int_op(ret, == , 0);
|
||||||
|
|
||||||
cert = tor_cert_create(&kp, CERT_TYPE_SIGNING_AUTH, &signed_key,
|
cert = tor_cert_create_ed25519(&kp, CERT_TYPE_SIGNING_AUTH, &signed_key,
|
||||||
now, 3600 * 2, CERT_FLAG_INCLUDE_SIGNING_KEY);
|
now, 3600 * 2, CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
tt_assert(cert);
|
tt_assert(cert);
|
||||||
|
|
||||||
@ -706,7 +706,7 @@ test_validate_cert(void *arg)
|
|||||||
tt_int_op(ret, OP_EQ, 0);
|
tt_int_op(ret, OP_EQ, 0);
|
||||||
|
|
||||||
/* Cert of type CERT_TYPE_AUTH_HS_IP_KEY. */
|
/* Cert of type CERT_TYPE_AUTH_HS_IP_KEY. */
|
||||||
cert = tor_cert_create(&kp, CERT_TYPE_AUTH_HS_IP_KEY,
|
cert = tor_cert_create_ed25519(&kp, CERT_TYPE_AUTH_HS_IP_KEY,
|
||||||
&kp.pubkey, now, 3600,
|
&kp.pubkey, now, 3600,
|
||||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||||
tt_assert(cert);
|
tt_assert(cert);
|
||||||
@ -726,8 +726,9 @@ test_validate_cert(void *arg)
|
|||||||
tor_cert_free(cert);
|
tor_cert_free(cert);
|
||||||
|
|
||||||
/* Try a cert without including the signing key. */
|
/* Try a cert without including the signing key. */
|
||||||
cert = tor_cert_create(&kp, CERT_TYPE_AUTH_HS_IP_KEY, &kp.pubkey, now,
|
cert = tor_cert_create_ed25519(&kp, CERT_TYPE_AUTH_HS_IP_KEY,
|
||||||
3600, 0);
|
&kp.pubkey, now, 3600, 0);
|
||||||
|
|
||||||
tt_assert(cert);
|
tt_assert(cert);
|
||||||
/* Test with a bad type. */
|
/* Test with a bad type. */
|
||||||
ret = cert_is_valid(cert, CERT_TYPE_AUTH_HS_IP_KEY, "unicorn");
|
ret = cert_is_valid(cert, CERT_TYPE_AUTH_HS_IP_KEY, "unicorn");
|
||||||
|
@ -710,7 +710,7 @@ CERTS_FAIL(missing_signing_key, /* ed25519 */
|
|||||||
* signing key. */
|
* signing key. */
|
||||||
const ed25519_keypair_t *mk = get_master_identity_keypair();
|
const ed25519_keypair_t *mk = get_master_identity_keypair();
|
||||||
const ed25519_keypair_t *sk = get_master_signing_keypair();
|
const ed25519_keypair_t *sk = get_master_signing_keypair();
|
||||||
tor_cert_t *bad_cert = tor_cert_create(mk, CERT_TYPE_ID_SIGNING,
|
tor_cert_t *bad_cert = tor_cert_create_ed25519(mk, CERT_TYPE_ID_SIGNING,
|
||||||
&sk->pubkey, time(NULL), 86400,
|
&sk->pubkey, time(NULL), 86400,
|
||||||
0 /* don't include signer */);
|
0 /* don't include signer */);
|
||||||
certs_cell_cert_setlen_body(cert, bad_cert->encoded_len);
|
certs_cell_cert_setlen_body(cert, bad_cert->encoded_len);
|
||||||
|
@ -151,7 +151,7 @@ test_routerkeys_ed_certs(void *args)
|
|||||||
for (int i = 0; i <= 1; ++i) {
|
for (int i = 0; i <= 1; ++i) {
|
||||||
uint32_t flags = i ? CERT_FLAG_INCLUDE_SIGNING_KEY : 0;
|
uint32_t flags = i ? CERT_FLAG_INCLUDE_SIGNING_KEY : 0;
|
||||||
|
|
||||||
cert[i] = tor_cert_create(&kp1, 5, &kp2.pubkey, now, 10000, flags);
|
cert[i] = tor_cert_create_ed25519(&kp1, 5, &kp2.pubkey, now, 10000, flags);
|
||||||
tt_assert(cert[i]);
|
tt_assert(cert[i]);
|
||||||
|
|
||||||
tt_uint_op(cert[i]->sig_bad, OP_EQ, 0);
|
tt_uint_op(cert[i]->sig_bad, OP_EQ, 0);
|
||||||
|
Loading…
Reference in New Issue
Block a user