1 /* Copyright (c) 2014-2019, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 #ifndef TORCERT_H_INCLUDED
5 #define TORCERT_H_INCLUDED
7 #include "lib/crypt_ops/crypto_ed25519.h"
/** Key-type tag for the key a certificate authenticates. Ed25519 is the only
 * signed-key type this header defines. */
#define SIGNED_KEY_TYPE_ED25519 0x01

/** Certificate type tags, stored in tor_cert_t.cert_type. The names describe
 * the key relationship each type certifies (identity -> signing key, signing
 * key -> link/auth key, HS descriptor and introduction-point keys, ...); the
 * authoritative meaning of each value is the Tor certificate specification,
 * so confirm there before relying on a particular tag. */
#define CERT_TYPE_ID_SIGNING 0x04
#define CERT_TYPE_SIGNING_LINK 0x05
#define CERT_TYPE_SIGNING_AUTH 0x06
#define CERT_TYPE_SIGNING_HS_DESC 0x08
#define CERT_TYPE_AUTH_HS_IP_KEY 0x09
#define CERT_TYPE_ONION_ID 0x0A
#define CERT_TYPE_CROSS_HS_IP_KEYS 0x0B

/** Flag for tor_cert_create(): presumably embeds the signing key in the
 * encoded certificate, so a verifier that lacks an out-of-band copy of that
 * key can still check it (see tor_cert_t.signing_key_included). */
#define CERT_FLAG_INCLUDE_SIGNING_KEY 0x1
/** An ed25519-signed certificate as used throughout the Tor protocol.
 *
 * Instances are produced by tor_cert_create() or tor_cert_parse() and
 * released with tor_cert_free(). The sig_*/cert_* bits below are filled in
 * by signature checking (tor_cert_checksig()); until a check has run, none
 * of them say anything about whether <b>signed_key</b> can be trusted.
 **/
typedef struct tor_cert_st {
  /** The key authenticated by this certificate */
  ed25519_public_key_t signed_key;
  /** The key that signed this certificate. This value may be unset if the
   * certificate has never been checked, and didn't include its own key. */
  ed25519_public_key_t signing_key;
  /** A time after which this certificate will no longer be valid. */
  time_t valid_until;

  /** The encoded representation of this certificate. NOTE(review): looks
   * like this buffer is owned by the certificate and released by
   * tor_cert_free_() -- confirm against the implementation before sharing
   * the pointer. */
  uint8_t *encoded;
  /** The length of <b>encoded</b> */
  size_t encoded_len;

  /** One of CERT_TYPE_... */
  uint8_t cert_type;
  /** True iff we received a signing key embedded in this certificate */
  unsigned signing_key_included : 1;
  /** True iff we checked the signature and found it bad */
  unsigned sig_bad : 1;
  /** True iff we checked the signature and found it correct. Note that a
   * correct signature is not the same as a valid certificate: an expired
   * cert can have sig_ok set while cert_valid stays clear. */
  unsigned sig_ok : 1;
  /** True iff we checked the signature and first found that the cert
   * had expired */
  unsigned cert_expired : 1;
  /** True iff we checked the signature and found the whole cert valid.
   * This is the bit callers should consult before trusting signed_key. */
  unsigned cert_valid : 1;
} tor_cert_t;
/* Opaque TLS connection; only used by pointer in the handshake helpers. */
struct tor_tls_t;

/**
 * Build and sign a certificate of type <b>cert_type</b> that authenticates
 * <b>signed_key</b> with <b>signing_key</b>, valid for <b>lifetime</b>
 * starting from <b>now</b>. <b>flags</b> is a bitwise OR of CERT_FLAG_*.
 * Returns a newly allocated certificate to be released with tor_cert_free();
 * presumably NULL on failure -- confirm against the implementation.
 */
tor_cert_t *tor_cert_create(const ed25519_keypair_t *signing_key,
                            uint8_t cert_type,
                            const ed25519_public_key_t *signed_key,
                            time_t now, time_t lifetime,
                            uint32_t flags);

/**
 * Parse the <b>certlen</b> bytes at <b>cert</b> (untrusted, network-supplied
 * data) into a new tor_cert_t. Parsing does not verify the signature; call
 * tor_cert_checksig() before trusting the result. Presumably returns NULL on
 * malformed input -- confirm against the implementation.
 */
tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);

/** Release <b>cert</b>. Prefer the tor_cert_free() macro, which also clears
 * the caller's pointer so it cannot be freed or used twice. */
void tor_cert_free_(tor_cert_t *cert);
#define tor_cert_free(cert) FREE_AND_NULL(tor_cert_t, tor_cert_free_, (cert))
/**
 * Fill <b>checkable_out</b> with the signature of <b>out</b> so it can be
 * verified (possibly alongside other signatures) against <b>pubkey</b>.
 * Despite its name, <b>out</b> is the input certificate; it is not modified.
 * If <b>expiration_out</b> is non-NULL it presumably receives the
 * certificate's expiry time -- confirm against the implementation.
 * Returns an int status; callers must check it.
 */
int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
                               const tor_cert_t *out,
                               const ed25519_public_key_t *pubkey,
                               time_t *expiration_out);

/**
 * Check the signature on <b>cert</b> with <b>pubkey</b> as of time
 * <b>now</b>. The certificate is not const: the sig_ok/sig_bad/cert_expired/
 * cert_valid bits are updated to record the outcome, so later readers can
 * consult cert_valid. Returns an int status; callers must check it.
 */
int tor_cert_checksig(tor_cert_t *cert,
                      const ed25519_public_key_t *pubkey, time_t now);
/** Return a human-readable description of the signature-check state
 * recorded in <b>cert</b> (suitable for log messages). */
const char *tor_cert_describe_signature_status(const tor_cert_t *cert);

/** Return a newly allocated copy of <b>cert</b>; free with tor_cert_free(). */
tor_cert_t *tor_cert_dup(const tor_cert_t *cert);
/** Return true iff <b>cert1</b> and <b>cert2</b> are equal. */
int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
/** As tor_cert_eq(), but presumably tolerates NULL arguments (the "opt"
 * suffix) -- confirm how two NULLs compare before relying on it. */
int tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
/**
 * Create a cross-certificate in which the RSA key <b>rsa_key</b> vouches for
 * the ed25519 key <b>ed_key</b>, valid until <b>expires</b>. On success the
 * encoded certificate is stored in a newly allocated buffer at *<b>cert</b>
 * and its length is returned. The ssize_t return type suggests a negative
 * value on failure -- confirm against the implementation.
 */
ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
                                       const crypto_pk_t *rsa_key,
                                       time_t expires,
                                       uint8_t **cert);
/**
 * Verify that the <b>crosscert_len</b> bytes at <b>crosscert</b> (untrusted
 * input) are a well-formed RSA->ed25519 cross-certificate, signed by
 * <b>rsa_id_key</b> and certifying <b>master_key</b>. A certificate whose
 * expiry is before <b>reject_if_expired_before</b> is rejected. Declared with
 * MOCK_DECL so tests can substitute it. Returns an int status; callers must
 * check it.
 */
MOCK_DECL(int,
          rsa_ed25519_crosscert_check, (const uint8_t *crosscert,
                                        const size_t crosscert_len,
                                        const crypto_pk_t *rsa_id_key,
                                        const ed25519_public_key_t *master_key,
                                        const time_t reject_if_expired_before));
/** Allocate an empty set of handshake certificates; release with
 * or_handshake_certs_free(). */
or_handshake_certs_t *or_handshake_certs_new(void);
/** Release <b>certs</b>. Prefer the or_handshake_certs_free() macro, which
 * also clears the caller's pointer. */
void or_handshake_certs_free_(or_handshake_certs_t *certs);
#define or_handshake_certs_free(certs) \
  FREE_AND_NULL(or_handshake_certs_t, or_handshake_certs_free_, (certs))
/**
 * Check the RSA certificates in <b>certs</b> against the TLS connection
 * <b>tls</b> as of time <b>now</b>, logging problems at <b>severity</b>.
 * Returns an int status; callers must check it before treating the peer's
 * RSA identity as authenticated.
 */
int or_handshake_certs_rsa_ok(int severity,
                              or_handshake_certs_t *certs,
                              struct tor_tls_t *tls,
                              time_t now);
/**
 * Check the ed25519 certificates in <b>certs</b> against the TLS connection
 * <b>tls</b> as of time <b>now</b>, logging problems at <b>severity</b>.
 * Returns an int status; callers must check it before treating the peer's
 * ed25519 identity as authenticated.
 */
int or_handshake_certs_ed25519_ok(int severity,
                                  or_handshake_certs_t *certs,
                                  struct tor_tls_t *tls,
                                  time_t now);
/**
 * Check both the RSA and ed25519 certificates in <b>certs</b> against
 * <b>tls</b> as of <b>now</b>, logging at <b>severity</b>. The authenticated
 * identities are returned through <b>ed_id_out</b> and <b>rsa_id_out</b>;
 * NOTE(review): presumably each is set to NULL when the corresponding chain
 * did not verify, so callers must NULL-check both -- confirm against the
 * implementation. The returned pointers appear to point into <b>certs</b>;
 * do not use them after or_handshake_certs_free().
 */
void or_handshake_certs_check_both(int severity,
                                   or_handshake_certs_t *certs,
                                   struct tor_tls_t *tls,
                                   time_t now,
                                   const ed25519_public_key_t **ed_id_out,
                                   const common_digests_t **rsa_id_out);
/**
 * Encode <b>cert</b> as a string, storing a newly allocated result in
 * *<b>cert_str_out</b>. The "ed22519" spelling is part of the established
 * public name; keep it as-is so callers keep linking. Returns an int status;
 * callers must check it.
 */
int tor_cert_encode_ed22519(const tor_cert_t *cert, char **cert_str_out);

/**
 * Verify that the <b>crosscert_len</b> bytes at <b>crosscert</b> (untrusted
 * input) are a valid cross-certificate tying the TAP onion key
 * <b>onion_pkey</b> to the ed25519 identity <b>master_id_pkey</b> and the
 * RSA identity digest <b>rsa_id_digest</b>. Declared with MOCK_DECL so tests
 * can substitute it. Returns an int status; callers must check it.
 *
 * NOTE(review): <b>crosscert_len</b> is a signed int here, whereas
 * rsa_ed25519_crosscert_check() takes size_t; the implementation must reject
 * negative lengths before using them as a byte count.
 */
MOCK_DECL(int, check_tap_onion_key_crosscert,(const uint8_t *crosscert,
                                              int crosscert_len,
                                              const crypto_pk_t *onion_pkey,
                                              const ed25519_public_key_t *master_id_pkey,
                                              const uint8_t *rsa_id_digest));
116 #endif /* !defined(TORCERT_H_INCLUDED) */