1 /* Copyright (c) 2014-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 #ifndef TORCERT_H_INCLUDED
5 #define TORCERT_H_INCLUDED
7 #include "lib/crypt_ops/crypto_ed25519.h"
9 #define SIGNED_KEY_TYPE_ED25519 0x01
11 #define CERT_TYPE_ID_SIGNING 0x04
12 #define CERT_TYPE_SIGNING_LINK 0x05
13 #define CERT_TYPE_SIGNING_AUTH 0x06
14 #define CERT_TYPE_SIGNING_HS_DESC 0x08
15 #define CERT_TYPE_AUTH_HS_IP_KEY 0x09
16 #define CERT_TYPE_ONION_ID 0x0A
17 #define CERT_TYPE_CROSS_HS_IP_KEYS 0x0B
19 #define CERT_FLAG_INCLUDE_SIGNING_KEY 0x1
21 /** An ed25519-signed certificate as used throughout the Tor protocol.
23 typedef struct tor_cert_st
{
24 /** The key authenticated by this certificate */
25 ed25519_public_key_t signed_key
;
26 /** The key that signed this certificate. This value may be unset if the
27 * certificate has never been checked, and didn't include its own key. */
28 ed25519_public_key_t signing_key
;
29 /** A time after which this certificate will no longer be valid. */
32 /** The encoded representation of this certificate */
34 /** The length of <b>encoded</b> */
37 /** One of CERT_TYPE_... */
39 /** True iff we received a signing key embedded in this certificate */
40 unsigned signing_key_included
: 1;
41 /** True iff we checked the signature and found it bad */
43 /** True iff we checked the signature and found it correct */
45 /** True iff we checked the signature and first found that the cert
47 unsigned cert_expired
: 1;
48 /** True iff we checked the signature and found the whole cert valid */
49 unsigned cert_valid
: 1;
54 tor_cert_t
*tor_cert_create(const ed25519_keypair_t
*signing_key
,
56 const ed25519_public_key_t
*signed_key
,
57 time_t now
, time_t lifetime
,
60 tor_cert_t
*tor_cert_parse(const uint8_t *cert
, size_t certlen
);
62 void tor_cert_free_(tor_cert_t
*cert
);
63 #define tor_cert_free(cert) FREE_AND_NULL(tor_cert_t, tor_cert_free_, (cert))
65 int tor_cert_get_checkable_sig(ed25519_checkable_t
*checkable_out
,
66 const tor_cert_t
*out
,
67 const ed25519_public_key_t
*pubkey
,
68 time_t *expiration_out
);
70 int tor_cert_checksig(tor_cert_t
*cert
,
71 const ed25519_public_key_t
*pubkey
, time_t now
);
72 const char *tor_cert_describe_signature_status(const tor_cert_t
*cert
);
74 tor_cert_t
*tor_cert_dup(const tor_cert_t
*cert
);
75 int tor_cert_eq(const tor_cert_t
*cert1
, const tor_cert_t
*cert2
);
76 int tor_cert_opt_eq(const tor_cert_t
*cert1
, const tor_cert_t
*cert2
);
78 ssize_t
tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t
*ed_key
,
79 const crypto_pk_t
*rsa_key
,
83 rsa_ed25519_crosscert_check
, (const uint8_t *crosscert
,
84 const size_t crosscert_len
,
85 const crypto_pk_t
*rsa_id_key
,
86 const ed25519_public_key_t
*master_key
,
87 const time_t reject_if_expired_before
));
89 or_handshake_certs_t
*or_handshake_certs_new(void);
90 void or_handshake_certs_free_(or_handshake_certs_t
*certs
);
91 #define or_handshake_certs_free(certs) \
92 FREE_AND_NULL(or_handshake_certs_t, or_handshake_certs_free_, (certs))
93 int or_handshake_certs_rsa_ok(int severity
,
94 or_handshake_certs_t
*certs
,
95 struct tor_tls_t
*tls
,
97 int or_handshake_certs_ed25519_ok(int severity
,
98 or_handshake_certs_t
*certs
,
99 struct tor_tls_t
*tls
,
101 void or_handshake_certs_check_both(int severity
,
102 or_handshake_certs_t
*certs
,
103 struct tor_tls_t
*tls
,
105 const ed25519_public_key_t
**ed_id_out
,
106 const common_digests_t
**rsa_id_out
);
108 int tor_cert_encode_ed22519(const tor_cert_t
*cert
, char **cert_str_out
);
110 MOCK_DECL(int, check_tap_onion_key_crosscert
,(const uint8_t *crosscert
,
112 const crypto_pk_t
*onion_pkey
,
113 const ed25519_public_key_t
*master_id_pkey
,
114 const uint8_t *rsa_id_digest
));
116 #endif /* !defined(TORCERT_H_INCLUDED) */