1 /* Copyright (c) 2014-2021, The Tor Project, Inc. */ 2 /* See LICENSE for licensing information */ 3 4 /** 5 * @file torcert.h 6 * @brief Header for torcert.c 7 **/ 8 9 #ifndef TORCERT_H_INCLUDED 10 #define TORCERT_H_INCLUDED 11 12 #include "lib/crypt_ops/crypto_ed25519.h" 13 14 #define SIGNED_KEY_TYPE_ED25519 0x01 15 #define SIGNED_KEY_TYPE_SHA256_OF_RSA 0x02 16 #define SIGNED_KEY_TYPE_SHA256_OF_X509 0x03 17 18 #define CERT_TYPE_ID_SIGNING 0x04 19 #define CERT_TYPE_SIGNING_LINK 0x05 20 #define CERT_TYPE_SIGNING_AUTH 0x06 21 #define CERT_TYPE_SIGNING_HS_DESC 0x08 22 #define CERT_TYPE_AUTH_HS_IP_KEY 0x09 23 #define CERT_TYPE_ONION_ID 0x0A 24 #define CERT_TYPE_CROSS_HS_IP_KEYS 0x0B 25 26 #define CERT_FLAG_INCLUDE_SIGNING_KEY 0x1 27 28 /** An ed25519-signed certificate as used throughout the Tor protocol. 29 **/ 30 typedef struct tor_cert_st { 31 /** The key authenticated by this certificate */ 32 ed25519_public_key_t signed_key; 33 /** The key that signed this certificate. This value may be unset if the 34 * certificate has never been checked, and didn't include its own key. */ 35 ed25519_public_key_t signing_key; 36 /** A time after which this certificate will no longer be valid. */ 37 time_t valid_until; 38 39 /** The encoded representation of this certificate */ 40 uint8_t *encoded; 41 /** The length of <b>encoded</b> */ 42 size_t encoded_len; 43 44 /** One of CERT_TYPE_... */ 45 uint8_t cert_type; 46 /** True iff we received a signing key embedded in this certificate */ 47 unsigned signing_key_included : 1; 48 /** True iff we checked the signature and found it bad */ 49 unsigned sig_bad : 1; 50 /** True iff we checked the signature and found it correct */ 51 unsigned sig_ok : 1; 52 /** True iff we checked the signature and first found that the cert 53 * had expired */ 54 unsigned cert_expired : 1; 55 /** True iff we checked the signature and found the whole cert valid */ 56 unsigned cert_valid : 1; 57 } tor_cert_t; 58 59 struct tor_tls_t; 60 61 tor_cert_t *tor_cert_create_ed25519(const ed25519_keypair_t *signing_key, 62 uint8_t cert_type, 63 const ed25519_public_key_t *signed_key, 64 time_t now, time_t lifetime, 65 uint32_t flags); 66 tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key, 67 uint8_t cert_type, 68 uint8_t signed_key_type, 69 const uint8_t signed_key_info[32], 70 time_t now, time_t lifetime, 71 uint32_t flags); 72 73 tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen); 74 75 void tor_cert_free_(tor_cert_t *cert); 76 #define tor_cert_free(cert) FREE_AND_NULL(tor_cert_t, tor_cert_free_, (cert)) 77 78 int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out, 79 const tor_cert_t *out, 80 const ed25519_public_key_t *pubkey, 81 time_t *expiration_out); 82 83 int tor_cert_checksig(tor_cert_t *cert, 84 const ed25519_public_key_t *pubkey, time_t now); 85 const char *tor_cert_describe_signature_status(const tor_cert_t *cert); 86 87 MOCK_DECL(tor_cert_t *,tor_cert_dup,(const tor_cert_t *cert)); 88 int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2); 89 int tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2); 90 91 ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, 92 const crypto_pk_t *rsa_key, 93 time_t expires, 94 uint8_t **cert); 95 MOCK_DECL(int, 96 rsa_ed25519_crosscert_check, (const uint8_t *crosscert, 97 const size_t crosscert_len, 98 const crypto_pk_t *rsa_id_key, 99 const ed25519_public_key_t *master_key, 100 const time_t reject_if_expired_before)); 101 102 or_handshake_certs_t *or_handshake_certs_new(void); 103 void or_handshake_certs_free_(or_handshake_certs_t *certs); 104 #define or_handshake_certs_free(certs) \ 105 FREE_AND_NULL(or_handshake_certs_t, or_handshake_certs_free_, (certs)) 106 int or_handshake_certs_rsa_ok(int severity, 107 or_handshake_certs_t *certs, 108 struct tor_tls_t *tls, 109 time_t now); 110 int or_handshake_certs_ed25519_ok(int severity, 111 or_handshake_certs_t *certs, 112 struct tor_tls_t *tls, 113 time_t now); 114 void or_handshake_certs_check_both(int severity, 115 or_handshake_certs_t *certs, 116 struct tor_tls_t *tls, 117 time_t now, 118 const ed25519_public_key_t **ed_id_out, 119 const common_digests_t **rsa_id_out); 120 121 int tor_cert_encode_ed22519(const tor_cert_t *cert, char **cert_str_out); 122 123 MOCK_DECL(int, check_tap_onion_key_crosscert,(const uint8_t *crosscert, 124 int crosscert_len, 125 const crypto_pk_t *onion_pkey, 126 const ed25519_public_key_t *master_id_pkey, 127 const uint8_t *rsa_id_digest)); 128 129 #endif /* !defined(TORCERT_H_INCLUDED) */ 130