search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Prop210: Refactor connection_get_* to produce lists and counts
[tor.git] / src / test / test_routerkeys.c
bloba60cba746ef9b8cffbdf13d89b43060e69e7fef0
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5
6 #include "orconfig.h"
7 #define ROUTER_PRIVATE
8 #include "or.h"
9 #include "config.h"
10 #include "router.h"
11 #include "routerkeys.h"
12 #include "util.h"
13 #include "crypto.h"
14 #include "torcert.h"
15 #include "test.h"
16
17 #ifdef _WIN32
18 /* For mkdir() */
19 #include <direct.h>
20 #endif
21
22 static void
23 test_routerkeys_write_fingerprint(void *arg)
24 {
25 crypto_pk_t *key = pk_generate(2);
26 or_options_t *options = get_options_mutable();
27 const char *ddir = get_fname("write_fingerprint");
28 char *cp = NULL, *cp2 = NULL;
29 char fp[FINGERPRINT_LEN+1];
30
31 (void)arg;
32
33 tt_assert(key);
34
35 options->ORPort_set = 1; /* So that we can get the server ID key */
36 tor_free(options->DataDirectory);
37 options->DataDirectory = tor_strdup(ddir);
38 options->Nickname = tor_strdup("haflinger");
39 set_server_identity_key(key);
40 set_client_identity_key(crypto_pk_dup_key(key));
41
42 tt_int_op(0, OP_EQ, check_private_dir(ddir, CPD_CREATE, NULL));
43 tt_int_op(crypto_pk_cmp_keys(get_server_identity_key(),key),OP_EQ,0);
44
45 /* Write fingerprint file */
46 tt_int_op(0, OP_EQ, router_write_fingerprint(0));
47 cp = read_file_to_str(get_fname("write_fingerprint/fingerprint"),
48 0, NULL);
49 crypto_pk_get_fingerprint(key, fp, 0);
50 tor_asprintf(&cp2, "haflinger %s\n", fp);
51 tt_str_op(cp, OP_EQ, cp2);
52 tor_free(cp);
53 tor_free(cp2);
54
55 /* Write hashed-fingerprint file */
56 tt_int_op(0, OP_EQ, router_write_fingerprint(1));
57 cp = read_file_to_str(get_fname("write_fingerprint/hashed-fingerprint"),
58 0, NULL);
59 crypto_pk_get_hashed_fingerprint(key, fp);
60 tor_asprintf(&cp2, "haflinger %s\n", fp);
61 tt_str_op(cp, OP_EQ, cp2);
62 tor_free(cp);
63 tor_free(cp2);
64
65 /* Replace outdated file */
66 write_str_to_file(get_fname("write_fingerprint/hashed-fingerprint"),
67 "junk goes here", 0);
68 tt_int_op(0, OP_EQ, router_write_fingerprint(1));
69 cp = read_file_to_str(get_fname("write_fingerprint/hashed-fingerprint"),
70 0, NULL);
71 crypto_pk_get_hashed_fingerprint(key, fp);
72 tor_asprintf(&cp2, "haflinger %s\n", fp);
73 tt_str_op(cp, OP_EQ, cp2);
74 tor_free(cp);
75 tor_free(cp2);
76
77 done:
78 crypto_pk_free(key);
79 set_client_identity_key(NULL);
80 tor_free(cp);
81 tor_free(cp2);
82 }
83
84 static void
85 test_routerkeys_ed_certs(void *args)
86 {
87 (void)args;
88 ed25519_keypair_t kp1, kp2;
89 tor_cert_t *cert[2] = {NULL, NULL}, *nocert = NULL;
90 tor_cert_t *parsed_cert[2] = {NULL, NULL};
91 time_t now = 1412094534;
92 uint8_t *junk = NULL;
93 char *base64 = NULL;
94
95 tt_int_op(0,==,ed25519_keypair_generate(&kp1, 0));
96 tt_int_op(0,==,ed25519_keypair_generate(&kp2, 0));
97
98 for (int i = 0; i <= 1; ++i) {
99 uint32_t flags = i ? CERT_FLAG_INCLUDE_SIGNING_KEY : 0;
100
101 cert[i] = tor_cert_create(&kp1, 5, &kp2.pubkey, now, 10000, flags);
102 tt_assert(cert[i]);
103
104 tt_assert(cert[i]->sig_bad == 0);
105 tt_assert(cert[i]->sig_ok == 1);
106 tt_assert(cert[i]->cert_expired == 0);
107 tt_assert(cert[i]->cert_valid == 1);
108 tt_int_op(cert[i]->cert_type, ==, 5);
109 tt_mem_op(cert[i]->signed_key.pubkey, ==, &kp2.pubkey.pubkey, 32);
110 tt_mem_op(cert[i]->signing_key.pubkey, ==, &kp1.pubkey.pubkey, 32);
111 tt_int_op(cert[i]->signing_key_included, ==, i);
112
113 tt_assert(cert[i]->encoded);
114 tt_int_op(cert[i]->encoded_len, ==, 104 + 36 * i);
115 tt_int_op(cert[i]->encoded[0], ==, 1);
116 tt_int_op(cert[i]->encoded[1], ==, 5);
117
118 parsed_cert[i] = tor_cert_parse(cert[i]->encoded, cert[i]->encoded_len);
119 tt_assert(parsed_cert[i]);
120 tt_int_op(cert[i]->encoded_len, ==, parsed_cert[i]->encoded_len);
121 tt_mem_op(cert[i]->encoded, ==, parsed_cert[i]->encoded,
122 cert[i]->encoded_len);
123 tt_assert(parsed_cert[i]->sig_bad == 0);
124 tt_assert(parsed_cert[i]->sig_ok == 0);
125 tt_assert(parsed_cert[i]->cert_expired == 0);
126 tt_assert(parsed_cert[i]->cert_valid == 0);
127
128 /* Expired */
129 tt_int_op(tor_cert_checksig(parsed_cert[i], &kp1.pubkey, now + 30000),
130 <, 0);
131 tt_assert(parsed_cert[i]->cert_expired == 1);
132 parsed_cert[i]->cert_expired = 0;
133
134 /* Wrong key */
135 tt_int_op(tor_cert_checksig(parsed_cert[i], &kp2.pubkey, now), <, 0);
136 tt_assert(parsed_cert[i]->sig_bad== 1);
137 parsed_cert[i]->sig_bad = 0;
138
139 /* Missing key */
140 int ok = tor_cert_checksig(parsed_cert[i], NULL, now);
141 tt_int_op(ok < 0, ==, i == 0);
142 tt_assert(parsed_cert[i]->sig_bad == 0);
143 tt_assert(parsed_cert[i]->sig_ok == (i != 0));
144 tt_assert(parsed_cert[i]->cert_valid == (i != 0));
145 parsed_cert[i]->sig_bad = 0;
146 parsed_cert[i]->sig_ok = 0;
147 parsed_cert[i]->cert_valid = 0;
148
149 /* Right key */
150 tt_int_op(tor_cert_checksig(parsed_cert[i], &kp1.pubkey, now), ==, 0);
151 tt_assert(parsed_cert[i]->sig_bad == 0);
152 tt_assert(parsed_cert[i]->sig_ok == 1);
153 tt_assert(parsed_cert[i]->cert_expired == 0);
154 tt_assert(parsed_cert[i]->cert_valid == 1);
155 }
156
157 /* Now try some junky certs. */
158 /* - Truncated */
159 nocert = tor_cert_parse(cert[0]->encoded, cert[0]->encoded_len-1);
160 tt_ptr_op(NULL, ==, nocert);
161
162 /* - First byte modified */
163 cert[0]->encoded[0] = 99;
164 nocert = tor_cert_parse(cert[0]->encoded, cert[0]->encoded_len);
165 tt_ptr_op(NULL, ==, nocert);
166 cert[0]->encoded[0] = 1;
167
168 /* - Extra byte at the end*/
169 junk = tor_malloc_zero(cert[0]->encoded_len + 1);
170 memcpy(junk, cert[0]->encoded, cert[0]->encoded_len);
171 nocert = tor_cert_parse(junk, cert[0]->encoded_len+1);
172 tt_ptr_op(NULL, ==, nocert);
173
174 /* - Multiple signing key instances */
175 tor_free(junk);
176 junk = tor_malloc_zero(104 + 36 * 2);
177 junk[0] = 1; /* version */
178 junk[1] = 5; /* cert type */
179 junk[6] = 1; /* key type */
180 junk[39] = 2; /* n_extensions */
181 junk[41] = 32; /* extlen */
182 junk[42] = 4; /* exttype */
183 junk[77] = 32; /* extlen */
184 junk[78] = 4; /* exttype */
185 nocert = tor_cert_parse(junk, 104 + 36 * 2);
186 tt_ptr_op(NULL, ==, nocert);
187
188 done:
189 tor_cert_free(cert[0]);
190 tor_cert_free(cert[1]);
191 tor_cert_free(parsed_cert[0]);
192 tor_cert_free(parsed_cert[1]);
193 tor_cert_free(nocert);
194 tor_free(junk);
195 tor_free(base64);
196 }
197
198 static void
199 test_routerkeys_ed_key_create(void *arg)
200 {
201 (void)arg;
202 tor_cert_t *cert = NULL;
203 ed25519_keypair_t *kp1 = NULL, *kp2 = NULL;
204 time_t now = time(NULL);
205
206 /* This is a simple alias for 'make a new keypair' */
207 kp1 = ed_key_new(NULL, 0, 0, 0, 0, &cert);
208 tt_assert(kp1);
209
210 /* Create a new certificate signed by kp1. */
211 kp2 = ed_key_new(kp1, INIT_ED_KEY_NEEDCERT, now, 3600, 4, &cert);
212 tt_assert(kp2);
213 tt_assert(cert);
214 tt_mem_op(&cert->signed_key, ==, &kp2->pubkey, sizeof(ed25519_public_key_t));
215 tt_assert(! cert->signing_key_included);
216
217 tt_int_op(cert->valid_until, >=, now);
218 tt_int_op(cert->valid_until, <=, now+7200);
219
220 /* Create a new key-including certificate signed by kp1 */
221 ed25519_keypair_free(kp2);
222 tor_cert_free(cert);
223 cert = NULL; kp2 = NULL;
224 kp2 = ed_key_new(kp1, (INIT_ED_KEY_NEEDCERT|
225 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT),
226 now, 3600, 4, &cert);
227 tt_assert(kp2);
228 tt_assert(cert);
229 tt_assert(cert->signing_key_included);
230 tt_mem_op(&cert->signed_key, ==, &kp2->pubkey, sizeof(ed25519_public_key_t));
231 tt_mem_op(&cert->signing_key, ==, &kp1->pubkey,sizeof(ed25519_public_key_t));
232
233 done:
234 ed25519_keypair_free(kp1);
235 ed25519_keypair_free(kp2);
236 tor_cert_free(cert);
237 }
238
239 static void
240 test_routerkeys_ed_key_init_basic(void *arg)
241 {
242 (void) arg;
243
244 tor_cert_t *cert = NULL, *cert2 = NULL;
245 ed25519_keypair_t *kp1 = NULL, *kp2 = NULL, *kp3 = NULL;
246 time_t now = time(NULL);
247 char *fname1 = tor_strdup(get_fname("test_ed_key_1"));
248 char *fname2 = tor_strdup(get_fname("test_ed_key_2"));
249 struct stat st;
250
251 unlink(fname1);
252 unlink(fname2);
253
254 /* Fail to load a key that isn't there. */
255 kp1 = ed_key_init_from_file(fname1, 0, LOG_INFO, NULL, now, 0, 7, &cert);
256 tt_assert(kp1 == NULL);
257 tt_assert(cert == NULL);
258
259 /* Create the key if requested to do so. */
260 kp1 = ed_key_init_from_file(fname1, INIT_ED_KEY_CREATE, LOG_INFO,
261 NULL, now, 0, 7, &cert);
262 tt_assert(kp1 != NULL);
263 tt_assert(cert == NULL);
264 tt_int_op(stat(get_fname("test_ed_key_1_cert"), &st), <, 0);
265 tt_int_op(stat(get_fname("test_ed_key_1_secret_key"), &st), ==, 0);
266
267 /* Fail to load if we say we need a cert */
268 kp2 = ed_key_init_from_file(fname1, INIT_ED_KEY_NEEDCERT, LOG_INFO,
269 NULL, now, 0, 7, &cert);
270 tt_assert(kp2 == NULL);
271
272 /* Fail to load if we say the wrong key type */
273 kp2 = ed_key_init_from_file(fname1, 0, LOG_INFO,
274 NULL, now, 0, 6, &cert);
275 tt_assert(kp2 == NULL);
276
277 /* Load successfully if we're not picky, whether we say "create" or not. */
278 kp2 = ed_key_init_from_file(fname1, INIT_ED_KEY_CREATE, LOG_INFO,
279 NULL, now, 0, 7, &cert);
280 tt_assert(kp2 != NULL);
281 tt_assert(cert == NULL);
282 tt_mem_op(kp1, ==, kp2, sizeof(*kp1));
283 ed25519_keypair_free(kp2); kp2 = NULL;
284
285 kp2 = ed_key_init_from_file(fname1, 0, LOG_INFO,
286 NULL, now, 0, 7, &cert);
287 tt_assert(kp2 != NULL);
288 tt_assert(cert == NULL);
289 tt_mem_op(kp1, ==, kp2, sizeof(*kp1));
290 ed25519_keypair_free(kp2); kp2 = NULL;
291
292 /* Now create a key with a cert. */
293 kp2 = ed_key_init_from_file(fname2, (INIT_ED_KEY_CREATE|
294 INIT_ED_KEY_NEEDCERT),
295 LOG_INFO, kp1, now, 7200, 7, &cert);
296 tt_assert(kp2 != NULL);
297 tt_assert(cert != NULL);
298 tt_mem_op(kp1, !=, kp2, sizeof(*kp1));
299 tt_int_op(stat(get_fname("test_ed_key_2_cert"), &st), ==, 0);
300 tt_int_op(stat(get_fname("test_ed_key_2_secret_key"), &st), ==, 0);
301
302 tt_assert(cert->cert_valid == 1);
303 tt_mem_op(&cert->signed_key, ==, &kp2->pubkey, 32);
304
305 /* Now verify we can load the cert... */
306 kp3 = ed_key_init_from_file(fname2, (INIT_ED_KEY_CREATE|
307 INIT_ED_KEY_NEEDCERT),
308 LOG_INFO, kp1, now, 7200, 7, &cert2);
309 tt_mem_op(kp2, ==, kp3, sizeof(*kp2));
310 tt_mem_op(cert2->encoded, ==, cert->encoded, cert->encoded_len);
311 ed25519_keypair_free(kp3); kp3 = NULL;
312 tor_cert_free(cert2); cert2 = NULL;
313
314 /* ... even without create... */
315 kp3 = ed_key_init_from_file(fname2, INIT_ED_KEY_NEEDCERT,
316 LOG_INFO, kp1, now, 7200, 7, &cert2);
317 tt_mem_op(kp2, ==, kp3, sizeof(*kp2));
318 tt_mem_op(cert2->encoded, ==, cert->encoded, cert->encoded_len);
319 ed25519_keypair_free(kp3); kp3 = NULL;
320 tor_cert_free(cert2); cert2 = NULL;
321
322 /* ... but that we don't crash or anything if we say we don't want it. */
323 kp3 = ed_key_init_from_file(fname2, INIT_ED_KEY_NEEDCERT,
324 LOG_INFO, kp1, now, 7200, 7, NULL);
325 tt_mem_op(kp2, ==, kp3, sizeof(*kp2));
326 ed25519_keypair_free(kp3); kp3 = NULL;
327
328 /* Fail if we're told the wrong signing key */
329 kp3 = ed_key_init_from_file(fname2, INIT_ED_KEY_NEEDCERT,
330 LOG_INFO, kp2, now, 7200, 7, &cert2);
331 tt_assert(kp3 == NULL);
332 tt_assert(cert2 == NULL);
333
334 done:
335 ed25519_keypair_free(kp1);
336 ed25519_keypair_free(kp2);
337 ed25519_keypair_free(kp3);
338 tor_cert_free(cert);
339 tor_cert_free(cert2);
340 tor_free(fname1);
341 tor_free(fname2);
342 }
343
344 static void
345 test_routerkeys_ed_key_init_split(void *arg)
346 {
347 (void) arg;
348
349 tor_cert_t *cert = NULL;
350 ed25519_keypair_t *kp1 = NULL, *kp2 = NULL;
351 time_t now = time(NULL);
352 char *fname1 = tor_strdup(get_fname("test_ed_key_3"));
353 char *fname2 = tor_strdup(get_fname("test_ed_key_4"));
354 struct stat st;
355 const uint32_t flags = INIT_ED_KEY_SPLIT|INIT_ED_KEY_MISSING_SECRET_OK;
356
357 unlink(fname1);
358 unlink(fname2);
359
360 /* Can't load key that isn't there. */
361 kp1 = ed_key_init_from_file(fname1, flags, LOG_INFO, NULL, now, 0, 7, &cert);
362 tt_assert(kp1 == NULL);
363 tt_assert(cert == NULL);
364
365 /* Create a split key */
366 kp1 = ed_key_init_from_file(fname1, flags|INIT_ED_KEY_CREATE,
367 LOG_INFO, NULL, now, 0, 7, &cert);
368 tt_assert(kp1 != NULL);
369 tt_assert(cert == NULL);
370 tt_int_op(stat(get_fname("test_ed_key_3_cert"), &st), <, 0);
371 tt_int_op(stat(get_fname("test_ed_key_3_secret_key"), &st), ==, 0);
372 tt_int_op(stat(get_fname("test_ed_key_3_public_key"), &st), ==, 0);
373
374 /* Load it. */
375 kp2 = ed_key_init_from_file(fname1, flags|INIT_ED_KEY_CREATE,
376 LOG_INFO, NULL, now, 0, 7, &cert);
377 tt_assert(kp2 != NULL);
378 tt_assert(cert == NULL);
379 tt_mem_op(kp1, ==, kp2, sizeof(*kp2));
380 ed25519_keypair_free(kp2); kp2 = NULL;
381
382 /* Okay, try killing the secret key and loading it. */
383 unlink(get_fname("test_ed_key_3_secret_key"));
384 kp2 = ed_key_init_from_file(fname1, flags,
385 LOG_INFO, NULL, now, 0, 7, &cert);
386 tt_assert(kp2 != NULL);
387 tt_assert(cert == NULL);
388 tt_mem_op(&kp1->pubkey, ==, &kp2->pubkey, sizeof(kp2->pubkey));
389 tt_assert(tor_mem_is_zero((char*)kp2->seckey.seckey,
390 sizeof(kp2->seckey.seckey)));
391 ed25519_keypair_free(kp2); kp2 = NULL;
392
393 /* Even when we're told to "create", don't create if there's a public key */
394 kp2 = ed_key_init_from_file(fname1, flags|INIT_ED_KEY_CREATE,
395 LOG_INFO, NULL, now, 0, 7, &cert);
396 tt_assert(kp2 != NULL);
397 tt_assert(cert == NULL);
398 tt_mem_op(&kp1->pubkey, ==, &kp2->pubkey, sizeof(kp2->pubkey));
399 tt_assert(tor_mem_is_zero((char*)kp2->seckey.seckey,
400 sizeof(kp2->seckey.seckey)));
401 ed25519_keypair_free(kp2); kp2 = NULL;
402
403 /* Make sure we fail on a tag mismatch, though */
404 kp2 = ed_key_init_from_file(fname1, flags,
405 LOG_INFO, NULL, now, 0, 99, &cert);
406 tt_assert(kp2 == NULL);
407
408 done:
409 ed25519_keypair_free(kp1);
410 ed25519_keypair_free(kp2);
411 tor_cert_free(cert);
412 tor_free(fname1);
413 tor_free(fname2);
414 }
415
416 static void
417 test_routerkeys_ed_keys_init_all(void *arg)
418 {
419 (void)arg;
420 char *dir = tor_strdup(get_fname("test_ed_keys_init_all"));
421 or_options_t *options = tor_malloc_zero(sizeof(or_options_t));
422 time_t now = time(NULL);
423 ed25519_public_key_t id;
424 ed25519_keypair_t sign, auth;
425 tor_cert_t *link_cert = NULL;
426
427 get_options_mutable()->ORPort_set = 1;
428
429 crypto_pk_t *rsa = pk_generate(0);
430
431 set_server_identity_key(rsa);
432 set_client_identity_key(rsa);
433
434 router_initialize_tls_context();
435
436 options->SigningKeyLifetime = 30*86400;
437 options->TestingAuthKeyLifetime = 2*86400;
438 options->TestingLinkCertLifetime = 2*86400;
439 options->TestingSigningKeySlop = 2*86400;
440 options->TestingAuthKeySlop = 2*3600;
441 options->TestingLinkKeySlop = 2*3600;
442
443 #ifdef _WIN32
444 mkdir(dir);
445 mkdir(get_fname("test_ed_keys_init_all/keys"));
446 #else
447 mkdir(dir, 0700);
448 mkdir(get_fname("test_ed_keys_init_all/keys"), 0700);
449 #endif
450
451 options->DataDirectory = dir;
452
453 tt_int_op(0, ==, load_ed_keys(options, now));
454 tt_int_op(0, ==, generate_ed_link_cert(options, now));
455 tt_assert(get_master_identity_key());
456 tt_assert(get_master_identity_key());
457 tt_assert(get_master_signing_keypair());
458 tt_assert(get_current_auth_keypair());
459 tt_assert(get_master_signing_key_cert());
460 tt_assert(get_current_link_cert_cert());
461 tt_assert(get_current_auth_key_cert());
462 memcpy(&id, get_master_identity_key(), sizeof(id));
463 memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
464 memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
465 link_cert = tor_cert_dup(get_current_link_cert_cert());
466
467 /* Call load_ed_keys again, but nothing has changed. */
468 tt_int_op(0, ==, load_ed_keys(options, now));
469 tt_int_op(0, ==, generate_ed_link_cert(options, now));
470 tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
471 tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
472 tt_mem_op(&auth, ==, get_current_auth_keypair(), sizeof(auth));
473 tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
474
475 /* Force a reload: we make new link/auth keys. */
476 routerkeys_free_all();
477 tt_int_op(0, ==, load_ed_keys(options, now));
478 tt_int_op(0, ==, generate_ed_link_cert(options, now));
479 tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
480 tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
481 tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
482 tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
483 tt_assert(get_master_signing_key_cert());
484 tt_assert(get_current_link_cert_cert());
485 tt_assert(get_current_auth_key_cert());
486 tor_cert_free(link_cert);
487 link_cert = tor_cert_dup(get_current_link_cert_cert());
488 memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
489
490 /* Force a link/auth-key regeneration by advancing time. */
491 tt_int_op(0, ==, load_ed_keys(options, now+3*86400));
492 tt_int_op(0, ==, generate_ed_link_cert(options, now+3*86400));
493 tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
494 tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
495 tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
496 tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
497 tt_assert(get_master_signing_key_cert());
498 tt_assert(get_current_link_cert_cert());
499 tt_assert(get_current_auth_key_cert());
500 tor_cert_free(link_cert);
501 link_cert = tor_cert_dup(get_current_link_cert_cert());
502 memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
503
504 /* Force a signing-key regeneration by advancing time. */
505 tt_int_op(0, ==, load_ed_keys(options, now+100*86400));
506 tt_int_op(0, ==, generate_ed_link_cert(options, now+100*86400));
507 tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
508 tt_mem_op(&sign, !=, get_master_signing_keypair(), sizeof(sign));
509 tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
510 tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
511 tt_assert(get_master_signing_key_cert());
512 tt_assert(get_current_link_cert_cert());
513 tt_assert(get_current_auth_key_cert());
514 memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
515 tor_cert_free(link_cert);
516 link_cert = tor_cert_dup(get_current_link_cert_cert());
517 memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
518
519 /* Demonstrate that we can start up with no secret identity key */
520 routerkeys_free_all();
521 unlink(get_fname("test_ed_keys_init_all/keys/"
522 "ed25519_master_id_secret_key"));
523 tt_int_op(0, ==, load_ed_keys(options, now));
524 tt_int_op(0, ==, generate_ed_link_cert(options, now));
525 tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
526 tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
527 tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
528 tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
529 tt_assert(get_master_signing_key_cert());
530 tt_assert(get_current_link_cert_cert());
531 tt_assert(get_current_auth_key_cert());
532
533 /* But we're in trouble if we have no id key and our signing key has
534 expired. */
535 log_global_min_severity_ = LOG_ERR; /* Suppress warnings.
536 * XXX (better way to do this)? */
537 routerkeys_free_all();
538 tt_int_op(-1, ==, load_ed_keys(options, now+200*86400));
539
540 done:
541 tor_free(dir);
542 tor_free(options);
543 tor_cert_free(link_cert);
544 routerkeys_free_all();
545 }
546
547 static void
548 test_routerkeys_cross_certify_ntor(void *args)
549 {
550 (void) args;
551
552 tor_cert_t *cert = NULL;
553 curve25519_keypair_t onion_keys;
554 ed25519_public_key_t master_key;
555 ed25519_public_key_t onion_check_key;
556 time_t now = time(NULL);
557 int sign;
558
559 tt_int_op(0, ==, ed25519_public_from_base64(&master_key,
560 "IamwritingthesetestsOnARainyAfternoonin2014"));
561 tt_int_op(0, ==, curve25519_keypair_generate(&onion_keys, 0));
562 cert = make_ntor_onion_key_crosscert(&onion_keys,
563 &master_key,
564 now, 10000,
565 &sign);
566 tt_assert(cert);
567 tt_assert(sign == 0 || sign == 1);
568 tt_int_op(cert->cert_type, ==, CERT_TYPE_ONION_ID);
569 tt_int_op(1, ==, ed25519_pubkey_eq(&cert->signed_key, &master_key));
570 tt_int_op(0, ==, ed25519_public_key_from_curve25519_public_key(
571 &onion_check_key, &onion_keys.pubkey, sign));
572 tt_int_op(0, ==, tor_cert_checksig(cert, &onion_check_key, now));
573
574 done:
575 tor_cert_free(cert);
576 }
577
578 static void
579 test_routerkeys_cross_certify_tap(void *args)
580 {
581 (void)args;
582 uint8_t *cc = NULL;
583 int cc_len;
584 ed25519_public_key_t master_key;
585 crypto_pk_t *onion_key = pk_generate(2), *id_key = pk_generate(1);
586 char digest[20];
587 char buf[128];
588 int n;
589
590 tt_int_op(0, ==, ed25519_public_from_base64(&master_key,
591 "IAlreadyWroteTestsForRouterdescsUsingTheseX"));
592
593 cc = make_tap_onion_key_crosscert(onion_key,
594 &master_key,
595 id_key, &cc_len);
596 tt_assert(cc);
597 tt_assert(cc_len);
598
599 n = crypto_pk_public_checksig(onion_key, buf, sizeof(buf),
600 (char*)cc, cc_len);
601 tt_int_op(n,>,0);
602 tt_int_op(n,==,52);
603
604 crypto_pk_get_digest(id_key, digest);
605 tt_mem_op(buf,==,digest,20);
606 tt_mem_op(buf+20,==,master_key.pubkey,32);
607
608 tt_int_op(0, ==, check_tap_onion_key_crosscert(cc, cc_len,
609 onion_key, &master_key, (uint8_t*)digest));
610
611 done:
612 tor_free(cc);
613 crypto_pk_free(id_key);
614 crypto_pk_free(onion_key);
615 }
616
617 #define TEST(name, flags) \
618 { #name , test_routerkeys_ ## name, (flags), NULL, NULL }
619
620 struct testcase_t routerkeys_tests[] = {
621 TEST(write_fingerprint, TT_FORK),
622 TEST(ed_certs, TT_FORK),
623 TEST(ed_key_create, TT_FORK),
624 TEST(ed_key_init_basic, TT_FORK),
625 TEST(ed_key_init_split, TT_FORK),
626 TEST(ed_keys_init_all, TT_FORK),
627 TEST(cross_certify_ntor, 0),
628 TEST(cross_certify_tap, 0),
629 END_OF_TESTCASES
630 };
631
The Onion Router