1 /* Copyright (c) 2014, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
7 #include "crypto_pwbox.h"
8 #include "routerkeys.h"
11 #define ENC_KEY_HEADER "Boxed Ed25519 key"
12 #define ENC_KEY_TAG "master"
15 do_getpass(const char *prompt
, char *buf
, size_t buflen
,
16 int twice
, const or_options_t
*options
)
18 if (options
->keygen_force_passphrase
== FORCE_PASSPHRASE_OFF
) {
29 if (options
->use_keygen_passphrase_fd
) {
31 fd
= options
->keygen_passphrase_fd
;
32 length
= read_all(fd
, buf
, buflen
-1, 0);
39 const char msg
[] = "One more time:";
40 size_t p2len
= strlen(prompt
) + 1;
41 if (p2len
< sizeof(msg
))
43 prompt2
= tor_malloc(strlen(prompt
)+1);
44 memset(prompt2
, ' ', p2len
);
45 memcpy(prompt2
+ p2len
- sizeof(msg
), msg
, sizeof(msg
));
47 buf2
= tor_malloc_zero(buflen
);
51 length
= tor_getpass(prompt
, buf
, buflen
);
58 ssize_t length2
= tor_getpass(prompt2
, buf2
, buflen
);
60 if (length
!= length2
|| tor_memneq(buf
, buf2
, length
)) {
61 fprintf(stderr
, "That didn't match.\n");
70 memwipe(buf2
, 0, buflen
);
74 if (options
->keygen_force_passphrase
== FORCE_PASSPHRASE_ON
&& length
== 0)
81 read_encrypted_secret_key(ed25519_secret_key_t
*out
,
85 uint8_t *secret
= NULL
;
86 size_t secret_len
= 0;
88 uint8_t encrypted_key
[256];
92 ssize_t encrypted_len
= crypto_read_tagged_contents_from_file(fname
,
96 sizeof(encrypted_key
));
97 if (encrypted_len
< 0) {
99 log_info(LD_OR
, "%s is missing", fname
);
103 if (strcmp(tag
, ENC_KEY_TAG
)) {
104 saved_errno
= EINVAL
;
110 do_getpass("Enter pasphrase for master key:", pwbuf
, sizeof(pwbuf
), 0,
113 saved_errno
= EINVAL
;
116 const int r
= crypto_unpwbox(&secret
, &secret_len
,
117 encrypted_key
, encrypted_len
,
119 if (r
== UNPWBOX_CORRUPTED
) {
120 log_err(LD_OR
, "%s is corrupted.", fname
);
121 saved_errno
= EINVAL
;
123 } else if (r
== UNPWBOX_OKAY
) {
127 /* Otherwise, passphrase is bad, so try again till user does ctrl-c or gets
131 if (secret_len
!= ED25519_SECKEY_LEN
) {
132 log_err(LD_OR
, "%s is corrupted.", fname
);
133 saved_errno
= EINVAL
;
136 memcpy(out
->seckey
, secret
, ED25519_SECKEY_LEN
);
140 memwipe(encrypted_key
, 0, sizeof(encrypted_key
));
141 memwipe(pwbuf
, 0, sizeof(pwbuf
));
144 memwipe(secret
, 0, secret_len
);
153 write_encrypted_secret_key(const ed25519_secret_key_t
*key
,
158 uint8_t *encrypted_key
= NULL
;
159 size_t encrypted_len
= 0;
161 if (do_getpass("Enter new passphrase:", pwbuf0
, sizeof(pwbuf0
), 1,
162 get_options()) < 0) {
163 log_warn(LD_OR
, "NO/failed passphrase");
167 if (strlen(pwbuf0
) == 0) {
168 if (get_options()->keygen_force_passphrase
== FORCE_PASSPHRASE_ON
)
174 if (crypto_pwbox(&encrypted_key
, &encrypted_len
,
175 key
->seckey
, sizeof(key
->seckey
),
176 pwbuf0
, strlen(pwbuf0
), 0) < 0) {
177 log_warn(LD_OR
, "crypto_pwbox failed!?");
180 if (crypto_write_tagged_contents_to_file(fname
,
183 encrypted_key
, encrypted_len
) < 0)
188 memwipe(encrypted_key
, 0, encrypted_len
);
189 tor_free(encrypted_key
);
191 memwipe(pwbuf0
, 0, sizeof(pwbuf0
));
196 write_secret_key(const ed25519_secret_key_t
*key
, int encrypted
,
198 const char *fname_tag
,
199 const char *encrypted_fname
)
202 int r
= write_encrypted_secret_key(key
, encrypted_fname
);
206 /* Try to unlink the unencrypted key, if any existed before */
207 if (strcmp(fname
, encrypted_fname
))
211 /* Unrecoverable failure! */
215 fprintf(stderr
, "Not encrypting the secret key.\n");
217 return ed25519_seckey_write_to_file(key
, fname
, fname_tag
);
221 * Read an ed25519 key and associated certificates from files beginning with
222 * <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
223 * NULL; on success return the keypair.
225 * If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
226 * certificate if requested) if it doesn't exist, and save it to disk.
228 * If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
229 * too and store it in *<b>cert_out</b>. Fail if the cert can't be
230 * found/created. To create a certificate, <b>signing_key</b> must be set to
231 * the key that should sign it; <b>now</b> to the current time, and
232 * <b>lifetime</b> to the lifetime of the key.
234 * If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
235 * whether we can read the old one or not.
237 * If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
238 * flag when creating the secret key.
240 * If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
241 * we create a new certificate, create it with the signing key embedded.
243 * If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
244 * store the public key in a separate file from the secret key.
246 * If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
247 * public key file but no secret key file, return successfully anyway.
249 * If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not even try to
250 * load or return a secret key (but create and save one if needed).
252 * If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key
253 * and consider encrypting any new secret key.
255 * If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys
256 * from disk _other than their absence_ (full or partial), we do not try to
259 * If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures
260 * refer to the --keygen option.
262 * If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the
263 * secret key file, encrypted or not.
266 ed_key_init_from_file(const char *fname
, uint32_t flags
,
268 const ed25519_keypair_t
*signing_key
,
272 struct tor_cert_st
**cert_out
)
274 char *secret_fname
= NULL
;
275 char *encrypted_secret_fname
= NULL
;
276 char *public_fname
= NULL
;
277 char *cert_fname
= NULL
;
278 const char *loaded_secret_fname
= NULL
;
279 int created_pk
= 0, created_sk
= 0, created_cert
= 0;
280 const int try_to_load
= ! (flags
& INIT_ED_KEY_REPLACE
);
281 const int encrypt_key
= !! (flags
& INIT_ED_KEY_TRY_ENCRYPTED
);
282 const int norepair
= !! (flags
& INIT_ED_KEY_NO_REPAIR
);
283 const int split
= !! (flags
& INIT_ED_KEY_SPLIT
);
284 const int omit_secret
= !! (flags
& INIT_ED_KEY_OMIT_SECRET
);
285 const int explicit_fname
= !! (flags
& INIT_ED_KEY_EXPLICIT_FNAME
);
287 /* we don't support setting both of these flags at once. */
288 tor_assert((flags
& (INIT_ED_KEY_NO_REPAIR
|INIT_ED_KEY_NEEDCERT
)) !=
289 (INIT_ED_KEY_NO_REPAIR
|INIT_ED_KEY_NEEDCERT
));
292 tor_snprintf(tag
, sizeof(tag
), "type%d", (int)cert_type
);
294 tor_cert_t
*cert
= NULL
;
295 char *got_tag
= NULL
;
296 ed25519_keypair_t
*keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
298 if (explicit_fname
) {
299 secret_fname
= tor_strdup(fname
);
300 encrypted_secret_fname
= tor_strdup(fname
);
302 tor_asprintf(&secret_fname
, "%s_secret_key", fname
);
303 tor_asprintf(&encrypted_secret_fname
, "%s_secret_key_encrypted", fname
);
305 tor_asprintf(&public_fname
, "%s_public_key", fname
);
306 tor_asprintf(&cert_fname
, "%s_cert", fname
);
308 /* Try to read the secret key. */
310 if (try_to_load
&& (!omit_secret
|| file_status(public_fname
)==FN_NOENT
)) {
311 int rv
= ed25519_seckey_read_from_file(&keypair
->seckey
,
312 &got_tag
, secret_fname
);
315 loaded_secret_fname
= secret_fname
;
318 if (errno
!= ENOENT
&& norepair
) {
319 tor_log(severity
, LD_OR
, "Unable to read %s: %s", secret_fname
,
326 /* Should we try for an encrypted key? */
327 int have_encrypted_secret_file
= 0;
328 if (!have_secret
&& try_to_load
&& encrypt_key
) {
329 int r
= read_encrypted_secret_key(&keypair
->seckey
,
330 encrypted_secret_fname
);
333 have_encrypted_secret_file
= 1;
334 got_tag
= tor_strdup(tag
);
335 loaded_secret_fname
= encrypted_secret_fname
;
336 } else if (errno
!= ENOENT
&& norepair
) {
337 tor_log(severity
, LD_OR
, "Unable to read %s: %s",
338 encrypted_secret_fname
, strerror(errno
));
343 /* Check if it's there anyway, so we don't replace it. */
344 if (file_status(encrypted_secret_fname
) != FN_NOENT
)
345 have_encrypted_secret_file
= 1;
350 if (strcmp(got_tag
, tag
)) {
351 tor_log(severity
, LD_OR
, "%s has wrong tag", loaded_secret_fname
);
354 /* Derive the public key */
355 if (ed25519_public_key_generate(&keypair
->pubkey
, &keypair
->seckey
)<0) {
356 tor_log(severity
, LD_OR
, "%s can't produce a public key",
357 loaded_secret_fname
);
362 /* If we do split keys here, try to read the pubkey. */
363 int found_public
= 0;
364 if (try_to_load
&& (!have_secret
|| split
)) {
365 ed25519_public_key_t pubkey_tmp
;
367 found_public
= ed25519_pubkey_read_from_file(&pubkey_tmp
,
368 &got_tag
, public_fname
) == 0;
369 if (!found_public
&& errno
!= ENOENT
&& norepair
) {
370 tor_log(severity
, LD_OR
, "Unable to read %s: %s", public_fname
,
374 if (found_public
&& strcmp(got_tag
, tag
)) {
375 tor_log(severity
, LD_OR
, "%s has wrong tag", public_fname
);
380 /* If we have a secret key and we're reloading the public key,
381 * the key must match! */
382 if (! ed25519_pubkey_eq(&keypair
->pubkey
, &pubkey_tmp
)) {
383 tor_log(severity
, LD_OR
, "%s does not match %s! If you are trying "
384 "to restore from backup, make sure you didn't mix up the "
385 "key files. If you are absolutely sure that %s is the right "
386 "key for this relay, delete %s or move it out of the way.",
387 public_fname
, loaded_secret_fname
,
388 loaded_secret_fname
, public_fname
);
392 /* We only have the public key; better use that. */
394 memcpy(&keypair
->pubkey
, &pubkey_tmp
, sizeof(pubkey_tmp
));
397 /* We have no public key file, but we do have a secret key, make the
398 * public key file! */
400 if (ed25519_pubkey_write_to_file(&keypair
->pubkey
, public_fname
, tag
)
402 tor_log(severity
, LD_OR
, "Couldn't repair %s", public_fname
);
405 tor_log(LOG_NOTICE
, LD_OR
,
406 "Found secret key but not %s. Regenerating.",
413 /* If the secret key is absent and it's not allowed to be, fail. */
414 if (!have_secret
&& found_public
&&
415 !(flags
& INIT_ED_KEY_MISSING_SECRET_OK
)) {
416 if (have_encrypted_secret_file
) {
417 tor_log(severity
, LD_OR
, "We needed to load a secret key from %s, "
418 "but it was encrypted. Try 'tor --keygen' instead, so you "
419 "can enter the passphrase.",
422 tor_log(severity
, LD_OR
, "We needed to load a secret key from %s, "
423 "but couldn't find it. %s", secret_fname
,
424 (flags
& INIT_ED_KEY_SUGGEST_KEYGEN
) ?
425 "If you're keeping your master secret key offline, you will "
426 "need to run 'tor --keygen' to generate new signing keys." :
427 "Did you forget to copy it over when you copied the rest of the "
428 "signing key material?");
433 /* If it's absent, and we're not supposed to make a new keypair, fail. */
434 if (!have_secret
&& !found_public
&& !(flags
& INIT_ED_KEY_CREATE
)) {
436 tor_log(severity
, LD_OR
, "No key found in %s or %s.",
437 secret_fname
, public_fname
);
439 tor_log(severity
, LD_OR
, "No key found in %s.", secret_fname
);
444 /* If the secret key is absent, but the encrypted key would be present,
446 if (!have_secret
&& !found_public
&& have_encrypted_secret_file
) {
447 tor_assert(!encrypt_key
);
448 tor_log(severity
, LD_OR
, "Found an encrypted secret key, "
449 "but not public key file %s!", public_fname
);
453 /* if it's absent, make a new keypair... */
454 if (!have_secret
&& !found_public
) {
456 keypair
= ed_key_new(signing_key
, flags
, now
, lifetime
,
459 tor_log(severity
, LD_OR
, "Couldn't create keypair");
462 created_pk
= created_sk
= created_cert
= 1;
465 /* Write it to disk if we're supposed to do with a new passphrase, or if
466 * we just created it. */
467 if (created_sk
|| (have_secret
&& get_options()->change_key_passphrase
)) {
468 if (write_secret_key(&keypair
->seckey
,
470 secret_fname
, tag
, encrypted_secret_fname
) < 0
473 ed25519_pubkey_write_to_file(&keypair
->pubkey
, public_fname
, tag
) < 0)
476 crypto_write_tagged_contents_to_file(cert_fname
, "ed25519v1-cert",
477 tag
, cert
->encoded
, cert
->encoded_len
) < 0)) {
478 tor_log(severity
, LD_OR
, "Couldn't write keys or cert to file.");
484 /* If we're not supposed to get a cert, we're done. */
485 if (! (flags
& INIT_ED_KEY_NEEDCERT
))
490 uint8_t certbuf
[256];
491 ssize_t cert_body_len
= crypto_read_tagged_contents_from_file(
492 cert_fname
, "ed25519v1-cert",
493 &got_tag
, certbuf
, sizeof(certbuf
));
494 if (cert_body_len
>= 0 && !strcmp(got_tag
, tag
))
495 cert
= tor_cert_parse(certbuf
, cert_body_len
);
497 /* If we got it, check it to the extent we can. */
501 tor_log(severity
, LD_OR
, "Cert was unparseable");
503 } else if (!tor_memeq(cert
->signed_key
.pubkey
, keypair
->pubkey
.pubkey
,
504 ED25519_PUBKEY_LEN
)) {
505 tor_log(severity
, LD_OR
, "Cert was for wrong key");
507 } else if (signing_key
&&
508 tor_cert_checksig(cert
, &signing_key
->pubkey
, now
) < 0) {
509 tor_log(severity
, LD_OR
, "Can't check certificate");
511 } else if (cert
->cert_expired
) {
512 tor_log(severity
, LD_OR
, "Certificate is expired");
514 } else if (signing_key
&& cert
->signing_key_included
&&
515 ! ed25519_pubkey_eq(&signing_key
->pubkey
, &cert
->signing_key
)) {
516 tor_log(severity
, LD_OR
, "Certificate signed by unexpectd key!");
525 /* If we got a cert, we're done. */
529 /* If we didn't get a cert, and we're not supposed to make one, fail. */
530 if (!signing_key
|| !(flags
& INIT_ED_KEY_CREATE
)) {
531 tor_log(severity
, LD_OR
, "Without signing key, can't create certificate");
535 /* We have keys but not a certificate, so make one. */
536 uint32_t cert_flags
= 0;
537 if (flags
& INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
)
538 cert_flags
|= CERT_FLAG_INCLUDE_SIGNING_KEY
;
539 cert
= tor_cert_create(signing_key
, cert_type
,
545 tor_log(severity
, LD_OR
, "Couldn't create certificate");
549 /* Write it to disk. */
551 if (crypto_write_tagged_contents_to_file(cert_fname
, "ed25519v1-cert",
552 tag
, cert
->encoded
, cert
->encoded_len
) < 0) {
553 tor_log(severity
, LD_OR
, "Couldn't write cert to disk.");
567 memwipe(keypair
, 0, sizeof(*keypair
));
573 unlink(secret_fname
);
575 unlink(public_fname
);
580 tor_free(encrypted_secret_fname
);
581 tor_free(secret_fname
);
582 tor_free(public_fname
);
583 tor_free(cert_fname
);
590 * Create a new signing key and (optionally) certficiate; do not read or write
591 * from disk. See ed_key_init_from_file() for more information.
594 ed_key_new(const ed25519_keypair_t
*signing_key
,
599 struct tor_cert_st
**cert_out
)
604 const int extra_strong
= !! (flags
& INIT_ED_KEY_EXTRA_STRONG
);
605 ed25519_keypair_t
*keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
606 if (ed25519_keypair_generate(keypair
, extra_strong
) < 0)
609 if (! (flags
& INIT_ED_KEY_NEEDCERT
))
612 tor_assert(signing_key
);
613 tor_assert(cert_out
);
614 uint32_t cert_flags
= 0;
615 if (flags
& INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
)
616 cert_flags
|= CERT_FLAG_INCLUDE_SIGNING_KEY
;
617 tor_cert_t
*cert
= tor_cert_create(signing_key
, cert_type
,
632 static ed25519_keypair_t
*master_identity_key
= NULL
;
633 static ed25519_keypair_t
*master_signing_key
= NULL
;
634 static ed25519_keypair_t
*current_auth_key
= NULL
;
635 static tor_cert_t
*signing_key_cert
= NULL
;
636 static tor_cert_t
*link_cert_cert
= NULL
;
637 static tor_cert_t
*auth_key_cert
= NULL
;
639 static uint8_t *rsa_ed_crosscert
= NULL
;
640 static size_t rsa_ed_crosscert_len
= 0;
643 * Running as a server: load, reload, or refresh our ed25519 keys and
644 * certificates, creating and saving new ones as needed.
647 load_ed_keys(const or_options_t
*options
, time_t now
)
649 ed25519_keypair_t
*id
= NULL
;
650 ed25519_keypair_t
*sign
= NULL
;
651 ed25519_keypair_t
*auth
= NULL
;
652 const ed25519_keypair_t
*sign_signing_key_with_id
= NULL
;
653 const ed25519_keypair_t
*use_signing
= NULL
;
654 const tor_cert_t
*check_signing_cert
= NULL
;
655 tor_cert_t
*sign_cert
= NULL
;
656 tor_cert_t
*auth_cert
= NULL
;
658 #define FAIL(msg) do { \
659 log_warn(LD_OR, (msg)); \
662 #define SET_KEY(key, newval) do { \
663 ed25519_keypair_free(key); \
666 #define SET_CERT(cert, newval) do { \
667 tor_cert_free(cert); \
670 #define EXPIRES_SOON(cert, interval) \
671 (!(cert) || (cert)->valid_until < now + (interval))
673 /* XXXX support encrypted identity keys fully */
675 /* First try to get the signing key to see how it is. */
676 if (master_signing_key
) {
677 check_signing_cert
= signing_key_cert
;
678 use_signing
= master_signing_key
;
681 options_get_datadir_fname2(options
, "keys", "ed25519_signing");
682 sign
= ed_key_init_from_file(
684 INIT_ED_KEY_NEEDCERT
|
685 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
,
687 NULL
, 0, 0, CERT_TYPE_ID_SIGNING
, &sign_cert
);
689 check_signing_cert
= sign_cert
;
693 const int need_new_signing_key
=
694 NULL
== use_signing
||
695 EXPIRES_SOON(check_signing_cert
, 0) ||
696 (options
->command
== CMD_KEYGEN
&& ! options
->change_key_passphrase
);
697 const int want_new_signing_key
=
698 need_new_signing_key
||
699 EXPIRES_SOON(check_signing_cert
, options
->TestingSigningKeySlop
);
701 if (need_new_signing_key
) {
702 log_notice(LD_OR
, "It looks like I need to generate and sign a new "
703 "medium-term signing key, because %s. To do that, I need to "
704 "load (or create) the permanent master identity key.",
705 (NULL
== use_signing
) ? "I don't have one" :
706 EXPIRES_SOON(check_signing_cert
, 0) ? "the one I have is expired" :
707 "you asked me to make one with --keygen");
708 } else if (want_new_signing_key
) {
709 log_notice(LD_OR
, "It looks like I should try to generate and sign a "
710 "new medium-term signing key, because the one I have is "
711 "going to expire soon. To do that, I'm going to have to try to "
712 "load the permanent master identity key.");
718 INIT_ED_KEY_EXTRA_STRONG
|INIT_ED_KEY_NO_REPAIR
);
720 flags
|= INIT_ED_KEY_CREATE
;
721 if (! need_new_signing_key
)
722 flags
|= INIT_ED_KEY_MISSING_SECRET_OK
;
723 if (! want_new_signing_key
)
724 flags
|= INIT_ED_KEY_OMIT_SECRET
;
725 if (options
->command
== CMD_KEYGEN
)
726 flags
|= INIT_ED_KEY_TRY_ENCRYPTED
;
728 /* Check the key directory */
729 if (check_private_dir(options
->DataDirectory
, CPD_CREATE
, options
->User
)) {
730 log_err(LD_OR
, "Can't create/check datadirectory %s",
731 options
->DataDirectory
);
734 char *fname
= get_datadir_fname("keys");
735 if (check_private_dir(fname
, CPD_CREATE
, options
->User
) < 0) {
736 log_err(LD_OR
, "Problem creating/checking key directory %s", fname
);
741 if (options
->master_key_fname
) {
742 fname
= tor_strdup(options
->master_key_fname
);
743 flags
|= INIT_ED_KEY_EXPLICIT_FNAME
;
745 fname
= options_get_datadir_fname2(options
, "keys", "ed25519_master_id");
747 id
= ed_key_init_from_file(
750 LOG_WARN
, NULL
, 0, 0, 0, NULL
);
753 if (need_new_signing_key
) {
754 FAIL("Missing identity key");
756 log_warn(LD_OR
, "Master public key was absent; inferring from "
757 "public key in signing certificate and saving to disk.");
758 tor_assert(check_signing_cert
);
759 id
= tor_malloc_zero(sizeof(*id
));
760 memcpy(&id
->pubkey
, &check_signing_cert
->signing_key
,
761 sizeof(ed25519_public_key_t
));
762 fname
= options_get_datadir_fname2(options
, "keys",
763 "ed25519_master_id_public_key");
764 if (ed25519_pubkey_write_to_file(&id
->pubkey
, fname
, "type0") < 0) {
765 log_warn(LD_OR
, "Error while attempting to write master public key "
773 if (tor_mem_is_zero((char*)id
->seckey
.seckey
, sizeof(id
->seckey
)))
774 sign_signing_key_with_id
= NULL
;
776 sign_signing_key_with_id
= id
;
779 if (master_identity_key
&&
780 !ed25519_pubkey_eq(&id
->pubkey
, &master_identity_key
->pubkey
)) {
781 FAIL("Identity key on disk does not match key we loaded earlier!");
784 if (need_new_signing_key
&& NULL
== sign_signing_key_with_id
)
785 FAIL("Can't load master key make a new signing key.");
788 if (! sign_cert
->signing_key_included
)
789 FAIL("Loaded a signing cert with no key included!");
790 if (! ed25519_pubkey_eq(&sign_cert
->signing_key
, &id
->pubkey
))
791 FAIL("The signing cert we have was not signed with the master key "
793 if (tor_cert_checksig(sign_cert
, &id
->pubkey
, 0) < 0)
794 FAIL("The signing cert we loaded was not signed correctly!");
797 if (want_new_signing_key
&& sign_signing_key_with_id
) {
798 uint32_t flags
= (INIT_ED_KEY_CREATE
|
800 INIT_ED_KEY_EXTRA_STRONG
|
801 INIT_ED_KEY_NEEDCERT
|
802 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
);
804 options_get_datadir_fname2(options
, "keys", "ed25519_signing");
805 sign
= ed_key_init_from_file(fname
,
807 sign_signing_key_with_id
, now
,
808 options
->SigningKeyLifetime
,
809 CERT_TYPE_ID_SIGNING
, &sign_cert
);
812 FAIL("Missing signing key");
815 tor_assert(sign_cert
->signing_key_included
);
816 tor_assert(ed25519_pubkey_eq(&sign_cert
->signing_key
, &id
->pubkey
));
817 tor_assert(ed25519_pubkey_eq(&sign_cert
->signed_key
, &sign
->pubkey
));
818 } else if (want_new_signing_key
) {
819 static ratelim_t missing_master
= RATELIM_INIT(3600);
820 log_fn_ratelim(&missing_master
, LOG_WARN
, LD_OR
,
821 "Signing key will expire soon, but I can't load the "
822 "master key to sign a new one!");
825 tor_assert(use_signing
);
827 /* At this point we no longer need our secret identity key. So wipe
828 * it, if we loaded it in the first place. */
829 memwipe(id
->seckey
.seckey
, 0, sizeof(id
->seckey
));
831 if (options
->command
== CMD_KEYGEN
)
834 if (!rsa_ed_crosscert
&& server_mode(options
)) {
836 ssize_t crosscert_len
= tor_make_rsa_ed25519_crosscert(&id
->pubkey
,
837 get_server_identity_key(),
838 now
+10*365*86400,/*XXXX*/
840 rsa_ed_crosscert_len
= crosscert_len
;
841 rsa_ed_crosscert
= crosscert
;
844 if (!current_auth_key
||
845 EXPIRES_SOON(auth_key_cert
, options
->TestingAuthKeySlop
)) {
846 auth
= ed_key_new(use_signing
, INIT_ED_KEY_NEEDCERT
,
848 options
->TestingAuthKeyLifetime
,
849 CERT_TYPE_SIGNING_AUTH
, &auth_cert
);
852 FAIL("Can't create auth key");
855 /* We've generated or loaded everything. Put them in memory. */
858 if (! master_identity_key
) {
859 SET_KEY(master_identity_key
, id
);
864 SET_KEY(master_signing_key
, sign
);
865 SET_CERT(signing_key_cert
, sign_cert
);
868 SET_KEY(current_auth_key
, auth
);
869 SET_CERT(auth_key_cert
, auth_cert
);
874 ed25519_keypair_free(id
);
875 ed25519_keypair_free(sign
);
876 ed25519_keypair_free(auth
);
877 tor_cert_free(sign_cert
);
878 tor_cert_free(auth_cert
);
884 generate_ed_link_cert(const or_options_t
*options
, time_t now
)
886 const tor_x509_cert_t
*link
= NULL
, *id
= NULL
;
887 tor_cert_t
*link_cert
= NULL
;
889 if (tor_tls_get_my_certs(1, &link
, &id
) < 0 || link
== NULL
) {
890 log_warn(LD_OR
, "Can't get my x509 link cert.");
894 const digests_t
*digests
= tor_x509_cert_get_cert_digests(link
);
896 if (link_cert_cert
&&
897 ! EXPIRES_SOON(link_cert_cert
, options
->TestingLinkKeySlop
) &&
898 fast_memeq(digests
->d
[DIGEST_SHA256
], link_cert_cert
->signed_key
.pubkey
,
903 ed25519_public_key_t dummy_key
;
904 memcpy(dummy_key
.pubkey
, digests
->d
[DIGEST_SHA256
], DIGEST256_LEN
);
906 link_cert
= tor_cert_create(get_master_signing_keypair(),
907 CERT_TYPE_SIGNING_LINK
,
910 options
->TestingLinkCertLifetime
, 0);
913 SET_CERT(link_cert_cert
, link_cert
);
923 should_make_new_ed_keys(const or_options_t
*options
, const time_t now
)
925 if (!master_identity_key
||
926 !master_signing_key
||
929 EXPIRES_SOON(signing_key_cert
, options
->TestingSigningKeySlop
) ||
930 EXPIRES_SOON(auth_key_cert
, options
->TestingAuthKeySlop
) ||
931 EXPIRES_SOON(link_cert_cert
, options
->TestingLinkKeySlop
))
934 const tor_x509_cert_t
*link
= NULL
, *id
= NULL
;
936 if (tor_tls_get_my_certs(1, &link
, &id
) < 0 || link
== NULL
)
939 const digests_t
*digests
= tor_x509_cert_get_cert_digests(link
);
941 if (!fast_memeq(digests
->d
[DIGEST_SHA256
],
942 link_cert_cert
->signed_key
.pubkey
,
952 const ed25519_public_key_t
*
953 get_master_identity_key(void)
955 if (!master_identity_key
)
957 return &master_identity_key
->pubkey
;
960 const ed25519_keypair_t
*
961 get_master_signing_keypair(void)
963 return master_signing_key
;
966 const struct tor_cert_st
*
967 get_master_signing_key_cert(void)
969 return signing_key_cert
;
972 const ed25519_keypair_t
*
973 get_current_auth_keypair(void)
975 return current_auth_key
;
979 get_current_link_cert_cert(void)
981 return link_cert_cert
;
985 get_current_auth_key_cert(void)
987 return auth_key_cert
;
991 get_master_rsa_crosscert(const uint8_t **cert_out
,
994 *cert_out
= rsa_ed_crosscert
;
995 *size_out
= rsa_ed_crosscert_len
;
998 /** Construct cross-certification for the master identity key with
999 * the ntor onion key. Store the sign of the corresponding ed25519 public key
1000 * in *<b>sign_out</b>. */
1002 make_ntor_onion_key_crosscert(const curve25519_keypair_t
*onion_key
,
1003 const ed25519_public_key_t
*master_id_key
, time_t now
, time_t lifetime
,
1006 tor_cert_t
*cert
= NULL
;
1007 ed25519_keypair_t ed_onion_key
;
1009 if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key
, sign_out
,
1013 cert
= tor_cert_create(&ed_onion_key
, CERT_TYPE_ONION_ID
, master_id_key
,
1017 memwipe(&ed_onion_key
, 0, sizeof(ed_onion_key
));
1021 /** Construct and return an RSA signature for the TAP onion key to
1022 * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
1025 make_tap_onion_key_crosscert(const crypto_pk_t
*onion_key
,
1026 const ed25519_public_key_t
*master_id_key
,
1027 const crypto_pk_t
*rsa_id_key
,
1030 uint8_t signature
[PK_BYTES
];
1031 uint8_t signed_data
[DIGEST_LEN
+ ED25519_PUBKEY_LEN
];
1034 crypto_pk_get_digest(rsa_id_key
, (char*)signed_data
);
1035 memcpy(signed_data
+ DIGEST_LEN
, master_id_key
->pubkey
, ED25519_PUBKEY_LEN
);
1037 int r
= crypto_pk_private_sign(onion_key
,
1038 (char*)signature
, sizeof(signature
),
1039 (const char*)signed_data
, sizeof(signed_data
));
1045 return tor_memdup(signature
, r
);
1048 /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it
1049 * is, -1 if it isn't. */
1051 check_tap_onion_key_crosscert(const uint8_t *crosscert
,
1053 const crypto_pk_t
*onion_pkey
,
1054 const ed25519_public_key_t
*master_id_pkey
,
1055 const uint8_t *rsa_id_digest
)
1057 uint8_t *cc
= tor_malloc(crypto_pk_keysize(onion_pkey
));
1059 crypto_pk_public_checksig(onion_pkey
,
1061 crypto_pk_keysize(onion_pkey
),
1062 (const char*)crosscert
,
1067 if (cc_len
< DIGEST_LEN
+ ED25519_PUBKEY_LEN
) {
1068 log_warn(LD_DIR
, "Short signature on cross-certification with TAP key");
1071 if (tor_memneq(cc
, rsa_id_digest
, DIGEST_LEN
) ||
1072 tor_memneq(cc
+ DIGEST_LEN
, master_id_pkey
->pubkey
,
1073 ED25519_PUBKEY_LEN
)) {
1074 log_warn(LD_DIR
, "Incorrect cross-certification with TAP key");
1086 routerkeys_free_all(void)
1088 ed25519_keypair_free(master_identity_key
);
1089 ed25519_keypair_free(master_signing_key
);
1090 ed25519_keypair_free(current_auth_key
);
1091 tor_cert_free(signing_key_cert
);
1092 tor_cert_free(link_cert_cert
);
1093 tor_cert_free(auth_key_cert
);
1095 master_identity_key
= master_signing_key
= NULL
;
1096 current_auth_key
= NULL
;
1097 signing_key_cert
= link_cert_cert
= auth_key_cert
= NULL
;