search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
minor updates on upcoming changelog
[tor.git] / src / or / torcert.h
blobc77ae2089df209ec7710c5c2afb03527b660b71d
1 /* Copyright (c) 2014-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #ifndef TORCERT_H_INCLUDED
5 #define TORCERT_H_INCLUDED
6
7 #include "crypto_ed25519.h"
8
9 #define SIGNED_KEY_TYPE_ED25519 0x01
10
11 #define CERT_TYPE_ID_SIGNING 0x04
12 #define CERT_TYPE_SIGNING_LINK 0x05
13 #define CERT_TYPE_SIGNING_AUTH 0x06
14 #define CERT_TYPE_SIGNING_HS_DESC 0x08
15 #define CERT_TYPE_AUTH_HS_IP_KEY 0x09
16 #define CERT_TYPE_ONION_ID 0x0A
17 #define CERT_TYPE_CROSS_HS_IP_KEYS 0x0B
18
19 #define CERT_FLAG_INCLUDE_SIGNING_KEY 0x1
20
21 /** An ed25519-signed certificate as used throughout the Tor protocol.
22 **/
23 typedef struct tor_cert_st {
24 /** The key authenticated by this certificate */
25 ed25519_public_key_t signed_key;
26 /** The key that signed this certificate. This value may be unset if the
27 * certificate has never been checked, and didn't include its own key. */
28 ed25519_public_key_t signing_key;
29 /** A time after which this certificate will no longer be valid. */
30 time_t valid_until;
31
32 /** The encoded representation of this certificate */
33 uint8_t *encoded;
34 /** The length of <b>encoded</b> */
35 size_t encoded_len;
36
37 /** One of CERT_TYPE_... */
38 uint8_t cert_type;
39 /** True iff we received a signing key embedded in this certificate */
40 unsigned signing_key_included : 1;
41 /** True iff we checked the signature and found it bad */
42 unsigned sig_bad : 1;
43 /** True iff we checked the signature and found it correct */
44 unsigned sig_ok : 1;
45 /** True iff we checked the signature and first found that the cert
46 * had expired */
47 unsigned cert_expired : 1;
48 /** True iff we checked the signature and found the whole cert valid */
49 unsigned cert_valid : 1;
50 } tor_cert_t;
51
52 tor_cert_t *tor_cert_create(const ed25519_keypair_t *signing_key,
53 uint8_t cert_type,
54 const ed25519_public_key_t *signed_key,
55 time_t now, time_t lifetime,
56 uint32_t flags);
57
58 tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
59
60 void tor_cert_free(tor_cert_t *cert);
61
62 int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
63 const tor_cert_t *out,
64 const ed25519_public_key_t *pubkey,
65 time_t *expiration_out);
66
67 int tor_cert_checksig(tor_cert_t *cert,
68 const ed25519_public_key_t *pubkey, time_t now);
69
70 tor_cert_t *tor_cert_dup(const tor_cert_t *cert);
71 int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
72 int tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
73
74 ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
75 const crypto_pk_t *rsa_key,
76 time_t expires,
77 uint8_t **cert);
78 MOCK_DECL(int,
79 rsa_ed25519_crosscert_check, (const uint8_t *crosscert,
80 const size_t crosscert_len,
81 const crypto_pk_t *rsa_id_key,
82 const ed25519_public_key_t *master_key,
83 const time_t reject_if_expired_before));
84
85 or_handshake_certs_t *or_handshake_certs_new(void);
86 void or_handshake_certs_free(or_handshake_certs_t *certs);
87 int or_handshake_certs_rsa_ok(int severity,
88 or_handshake_certs_t *certs,
89 tor_tls_t *tls,
90 time_t now);
91 int or_handshake_certs_ed25519_ok(int severity,
92 or_handshake_certs_t *certs,
93 tor_tls_t *tls,
94 time_t now);
95 void or_handshake_certs_check_both(int severity,
96 or_handshake_certs_t *certs,
97 tor_tls_t *tls,
98 time_t now,
99 const ed25519_public_key_t **ed_id_out,
100 const common_digests_t **rsa_id_out);
101
102 int tor_cert_encode_ed22519(const tor_cert_t *cert, char **cert_str_out);
103
104 #endif /* !defined(TORCERT_H_INCLUDED) */
105
The Onion Router