1 /* Copyright (c) 2014-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
7 * \brief Functions and structures to handle generating and maintaining the
8 * set of keypairs necessary to be an OR.
10 * The keys handled here now are the Ed25519 keys that Tor relays use to sign
11 * descriptors, authenticate themselves on links, and identify one another
12 * uniquely. Other keys are maintained in router.c and rendservice.c.
14 * (TODO: The keys in router.c should go here too.)
20 #include "crypto_pwbox.h"
21 #include "routerkeys.h"
24 #define ENC_KEY_HEADER "Boxed Ed25519 key"
25 #define ENC_KEY_TAG "master"
29 do_getpass(const char *prompt
, char *buf
, size_t buflen
,
30 int twice
, const or_options_t
*options
)
32 if (options
->keygen_force_passphrase
== FORCE_PASSPHRASE_OFF
) {
43 if (options
->use_keygen_passphrase_fd
) {
45 fd
= options
->keygen_passphrase_fd
;
46 length
= read_all(fd
, buf
, buflen
-1, 0);
53 const char msg
[] = "One more time:";
54 size_t p2len
= strlen(prompt
) + 1;
55 if (p2len
< sizeof(msg
))
57 prompt2
= tor_malloc(p2len
);
58 memset(prompt2
, ' ', p2len
);
59 memcpy(prompt2
+ p2len
- sizeof(msg
), msg
, sizeof(msg
));
61 buf2
= tor_malloc_zero(buflen
);
65 length
= tor_getpass(prompt
, buf
, buflen
);
72 ssize_t length2
= tor_getpass(prompt2
, buf2
, buflen
);
74 if (length
!= length2
|| tor_memneq(buf
, buf2
, length
)) {
75 fprintf(stderr
, "That didn't match.\n");
84 memwipe(buf2
, 0, buflen
);
88 if (options
->keygen_force_passphrase
== FORCE_PASSPHRASE_ON
&& length
== 0)
96 read_encrypted_secret_key(ed25519_secret_key_t
*out
,
100 uint8_t *secret
= NULL
;
101 size_t secret_len
= 0;
103 uint8_t encrypted_key
[256];
107 ssize_t encrypted_len
= crypto_read_tagged_contents_from_file(fname
,
111 sizeof(encrypted_key
));
112 if (encrypted_len
< 0) {
114 log_info(LD_OR
, "%s is missing", fname
);
118 if (strcmp(tag
, ENC_KEY_TAG
)) {
119 saved_errno
= EINVAL
;
125 do_getpass("Enter passphrase for master key:", pwbuf
, sizeof(pwbuf
), 0,
128 saved_errno
= EINVAL
;
131 const int r_unbox
= crypto_unpwbox(&secret
, &secret_len
,
132 encrypted_key
, encrypted_len
,
134 if (r_unbox
== UNPWBOX_CORRUPTED
) {
135 log_err(LD_OR
, "%s is corrupted.", fname
);
136 saved_errno
= EINVAL
;
138 } else if (r_unbox
== UNPWBOX_OKAY
) {
142 /* Otherwise, passphrase is bad, so try again till user does ctrl-c or gets
146 if (secret_len
!= ED25519_SECKEY_LEN
) {
147 log_err(LD_OR
, "%s is corrupted.", fname
);
148 saved_errno
= EINVAL
;
151 memcpy(out
->seckey
, secret
, ED25519_SECKEY_LEN
);
155 memwipe(encrypted_key
, 0, sizeof(encrypted_key
));
156 memwipe(pwbuf
, 0, sizeof(pwbuf
));
159 memwipe(secret
, 0, secret_len
);
169 write_encrypted_secret_key(const ed25519_secret_key_t
*key
,
174 uint8_t *encrypted_key
= NULL
;
175 size_t encrypted_len
= 0;
177 if (do_getpass("Enter new passphrase:", pwbuf0
, sizeof(pwbuf0
), 1,
178 get_options()) < 0) {
179 log_warn(LD_OR
, "NO/failed passphrase");
183 if (strlen(pwbuf0
) == 0) {
184 if (get_options()->keygen_force_passphrase
== FORCE_PASSPHRASE_ON
)
190 if (crypto_pwbox(&encrypted_key
, &encrypted_len
,
191 key
->seckey
, sizeof(key
->seckey
),
192 pwbuf0
, strlen(pwbuf0
), 0) < 0) {
193 log_warn(LD_OR
, "crypto_pwbox failed!?");
196 if (crypto_write_tagged_contents_to_file(fname
,
199 encrypted_key
, encrypted_len
) < 0)
204 memwipe(encrypted_key
, 0, encrypted_len
);
205 tor_free(encrypted_key
);
207 memwipe(pwbuf0
, 0, sizeof(pwbuf0
));
213 write_secret_key(const ed25519_secret_key_t
*key
, int encrypted
,
215 const char *fname_tag
,
216 const char *encrypted_fname
)
219 int r
= write_encrypted_secret_key(key
, encrypted_fname
);
223 /* Try to unlink the unencrypted key, if any existed before */
224 if (strcmp(fname
, encrypted_fname
))
228 /* Unrecoverable failure! */
232 fprintf(stderr
, "Not encrypting the secret key.\n");
234 return ed25519_seckey_write_to_file(key
, fname
, fname_tag
);
238 * Read an ed25519 key and associated certificates from files beginning with
239 * <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
240 * NULL; on success return the keypair.
242 * If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
243 * certificate if requested) if it doesn't exist, and save it to disk.
245 * If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
246 * too and store it in *<b>cert_out</b>. Fail if the cert can't be
247 * found/created. To create a certificate, <b>signing_key</b> must be set to
248 * the key that should sign it; <b>now</b> to the current time, and
249 * <b>lifetime</b> to the lifetime of the key.
251 * If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
252 * whether we can read the old one or not.
254 * If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
255 * flag when creating the secret key.
257 * If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
258 * we create a new certificate, create it with the signing key embedded.
260 * If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
261 * store the public key in a separate file from the secret key.
263 * If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
264 * public key file but no secret key file, return successfully anyway.
266 * If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not try to load a
267 * secret key unless no public key is found. Do not return a secret key. (but
268 * create and save one if needed).
270 * If INIT_ED_KEY_NO_LOAD_SECRET is set in <b>flags</b>, don't try to load
271 * a secret key, no matter what.
273 * If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key
274 * and consider encrypting any new secret key.
276 * If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys
277 * from disk _other than their absence_ (full or partial), we do not try to
280 * If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures
281 * refer to the --keygen option.
283 * If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the
284 * secret key file, encrypted or not.
287 ed_key_init_from_file(const char *fname
, uint32_t flags
,
289 const ed25519_keypair_t
*signing_key
,
293 struct tor_cert_st
**cert_out
)
295 char *secret_fname
= NULL
;
296 char *encrypted_secret_fname
= NULL
;
297 char *public_fname
= NULL
;
298 char *cert_fname
= NULL
;
299 const char *loaded_secret_fname
= NULL
;
300 int created_pk
= 0, created_sk
= 0, created_cert
= 0;
301 const int try_to_load
= ! (flags
& INIT_ED_KEY_REPLACE
);
302 const int encrypt_key
= !! (flags
& INIT_ED_KEY_TRY_ENCRYPTED
);
303 const int norepair
= !! (flags
& INIT_ED_KEY_NO_REPAIR
);
304 const int split
= !! (flags
& INIT_ED_KEY_SPLIT
);
305 const int omit_secret
= !! (flags
& INIT_ED_KEY_OMIT_SECRET
);
306 const int offline_secret
= !! (flags
& INIT_ED_KEY_OFFLINE_SECRET
);
307 const int explicit_fname
= !! (flags
& INIT_ED_KEY_EXPLICIT_FNAME
);
309 /* we don't support setting both of these flags at once. */
310 tor_assert((flags
& (INIT_ED_KEY_NO_REPAIR
|INIT_ED_KEY_NEEDCERT
)) !=
311 (INIT_ED_KEY_NO_REPAIR
|INIT_ED_KEY_NEEDCERT
));
314 tor_snprintf(tag
, sizeof(tag
), "type%d", (int)cert_type
);
316 tor_cert_t
*cert
= NULL
;
317 char *got_tag
= NULL
;
318 ed25519_keypair_t
*keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
320 if (explicit_fname
) {
321 secret_fname
= tor_strdup(fname
);
322 encrypted_secret_fname
= tor_strdup(fname
);
324 tor_asprintf(&secret_fname
, "%s_secret_key", fname
);
325 tor_asprintf(&encrypted_secret_fname
, "%s_secret_key_encrypted", fname
);
327 tor_asprintf(&public_fname
, "%s_public_key", fname
);
328 tor_asprintf(&cert_fname
, "%s_cert", fname
);
330 /* Try to read the secret key. */
332 int load_secret
= try_to_load
&&
334 (!omit_secret
|| file_status(public_fname
)==FN_NOENT
);
336 int rv
= ed25519_seckey_read_from_file(&keypair
->seckey
,
337 &got_tag
, secret_fname
);
340 loaded_secret_fname
= secret_fname
;
343 if (errno
!= ENOENT
&& norepair
) {
344 tor_log(severity
, LD_OR
, "Unable to read %s: %s", secret_fname
,
351 /* Should we try for an encrypted key? */
352 int have_encrypted_secret_file
= 0;
353 if (!have_secret
&& try_to_load
&& encrypt_key
) {
354 int r
= read_encrypted_secret_key(&keypair
->seckey
,
355 encrypted_secret_fname
);
358 have_encrypted_secret_file
= 1;
359 tor_free(got_tag
); /* convince coverity we aren't leaking */
360 got_tag
= tor_strdup(tag
);
361 loaded_secret_fname
= encrypted_secret_fname
;
362 } else if (errno
!= ENOENT
&& norepair
) {
363 tor_log(severity
, LD_OR
, "Unable to read %s: %s",
364 encrypted_secret_fname
, strerror(errno
));
369 /* Check if it's there anyway, so we don't replace it. */
370 if (file_status(encrypted_secret_fname
) != FN_NOENT
)
371 have_encrypted_secret_file
= 1;
376 if (strcmp(got_tag
, tag
)) {
377 tor_log(severity
, LD_OR
, "%s has wrong tag", loaded_secret_fname
);
380 /* Derive the public key */
381 if (ed25519_public_key_generate(&keypair
->pubkey
, &keypair
->seckey
)<0) {
382 tor_log(severity
, LD_OR
, "%s can't produce a public key",
383 loaded_secret_fname
);
388 /* If we do split keys here, try to read the pubkey. */
389 int found_public
= 0;
390 if (try_to_load
&& (!have_secret
|| split
)) {
391 ed25519_public_key_t pubkey_tmp
;
393 found_public
= ed25519_pubkey_read_from_file(&pubkey_tmp
,
394 &got_tag
, public_fname
) == 0;
395 if (!found_public
&& errno
!= ENOENT
&& norepair
) {
396 tor_log(severity
, LD_OR
, "Unable to read %s: %s", public_fname
,
400 if (found_public
&& strcmp(got_tag
, tag
)) {
401 tor_log(severity
, LD_OR
, "%s has wrong tag", public_fname
);
406 /* If we have a secret key and we're reloading the public key,
407 * the key must match! */
408 if (! ed25519_pubkey_eq(&keypair
->pubkey
, &pubkey_tmp
)) {
409 tor_log(severity
, LD_OR
, "%s does not match %s! If you are trying "
410 "to restore from backup, make sure you didn't mix up the "
411 "key files. If you are absolutely sure that %s is the right "
412 "key for this relay, delete %s or move it out of the way.",
413 public_fname
, loaded_secret_fname
,
414 loaded_secret_fname
, public_fname
);
418 /* We only have the public key; better use that. */
420 memcpy(&keypair
->pubkey
, &pubkey_tmp
, sizeof(pubkey_tmp
));
423 /* We have no public key file, but we do have a secret key, make the
424 * public key file! */
426 if (ed25519_pubkey_write_to_file(&keypair
->pubkey
, public_fname
, tag
)
428 tor_log(severity
, LD_OR
, "Couldn't repair %s", public_fname
);
431 tor_log(LOG_NOTICE
, LD_OR
,
432 "Found secret key but not %s. Regenerating.",
439 /* If the secret key is absent and it's not allowed to be, fail. */
440 if (!have_secret
&& found_public
&&
441 !(flags
& INIT_ED_KEY_MISSING_SECRET_OK
)) {
442 if (have_encrypted_secret_file
) {
443 tor_log(severity
, LD_OR
, "We needed to load a secret key from %s, "
444 "but it was encrypted. Try 'tor --keygen' instead, so you "
445 "can enter the passphrase.",
447 } else if (offline_secret
) {
448 tor_log(severity
, LD_OR
, "We wanted to load a secret key from %s, "
449 "but you're keeping it offline. (OfflineMasterKey is set.)",
452 tor_log(severity
, LD_OR
, "We needed to load a secret key from %s, "
453 "but couldn't find it. %s", secret_fname
,
454 (flags
& INIT_ED_KEY_SUGGEST_KEYGEN
) ?
455 "If you're keeping your master secret key offline, you will "
456 "need to run 'tor --keygen' to generate new signing keys." :
457 "Did you forget to copy it over when you copied the rest of the "
458 "signing key material?");
463 /* If it's absent, and we're not supposed to make a new keypair, fail. */
464 if (!have_secret
&& !found_public
&& !(flags
& INIT_ED_KEY_CREATE
)) {
466 tor_log(severity
, LD_OR
, "No key found in %s or %s.",
467 secret_fname
, public_fname
);
469 tor_log(severity
, LD_OR
, "No key found in %s.", secret_fname
);
474 /* If the secret key is absent, but the encrypted key would be present,
476 if (!have_secret
&& !found_public
&& have_encrypted_secret_file
) {
477 tor_assert(!encrypt_key
);
478 tor_log(severity
, LD_OR
, "Found an encrypted secret key, "
479 "but not public key file %s!", public_fname
);
483 /* if it's absent, make a new keypair... */
484 if (!have_secret
&& !found_public
) {
486 keypair
= ed_key_new(signing_key
, flags
, now
, lifetime
,
489 tor_log(severity
, LD_OR
, "Couldn't create keypair");
492 created_pk
= created_sk
= created_cert
= 1;
495 /* Write it to disk if we're supposed to do with a new passphrase, or if
496 * we just created it. */
497 if (created_sk
|| (have_secret
&& get_options()->change_key_passphrase
)) {
498 if (write_secret_key(&keypair
->seckey
,
500 secret_fname
, tag
, encrypted_secret_fname
) < 0
503 ed25519_pubkey_write_to_file(&keypair
->pubkey
, public_fname
, tag
) < 0)
506 crypto_write_tagged_contents_to_file(cert_fname
, "ed25519v1-cert",
507 tag
, cert
->encoded
, cert
->encoded_len
) < 0)) {
508 tor_log(severity
, LD_OR
, "Couldn't write keys or cert to file.");
514 /* If we're not supposed to get a cert, we're done. */
515 if (! (flags
& INIT_ED_KEY_NEEDCERT
))
520 uint8_t certbuf
[256];
521 ssize_t cert_body_len
= crypto_read_tagged_contents_from_file(
522 cert_fname
, "ed25519v1-cert",
523 &got_tag
, certbuf
, sizeof(certbuf
));
524 if (cert_body_len
>= 0 && !strcmp(got_tag
, tag
))
525 cert
= tor_cert_parse(certbuf
, cert_body_len
);
527 /* If we got it, check it to the extent we can. */
531 tor_log(severity
, LD_OR
, "Cert was unparseable");
533 } else if (!tor_memeq(cert
->signed_key
.pubkey
, keypair
->pubkey
.pubkey
,
534 ED25519_PUBKEY_LEN
)) {
535 tor_log(severity
, LD_OR
, "Cert was for wrong key");
537 } else if (signing_key
&&
538 tor_cert_checksig(cert
, &signing_key
->pubkey
, now
) < 0) {
539 tor_log(severity
, LD_OR
, "Can't check certificate");
541 } else if (cert
->cert_expired
) {
542 tor_log(severity
, LD_OR
, "Certificate is expired");
544 } else if (signing_key
&& cert
->signing_key_included
&&
545 ! ed25519_pubkey_eq(&signing_key
->pubkey
, &cert
->signing_key
)) {
546 tor_log(severity
, LD_OR
, "Certificate signed by unexpectd key!");
555 /* If we got a cert, we're done. */
559 /* If we didn't get a cert, and we're not supposed to make one, fail. */
560 if (!signing_key
|| !(flags
& INIT_ED_KEY_CREATE
)) {
561 tor_log(severity
, LD_OR
, "Without signing key, can't create certificate");
565 /* We have keys but not a certificate, so make one. */
566 uint32_t cert_flags
= 0;
567 if (flags
& INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
)
568 cert_flags
|= CERT_FLAG_INCLUDE_SIGNING_KEY
;
569 cert
= tor_cert_create(signing_key
, cert_type
,
575 tor_log(severity
, LD_OR
, "Couldn't create certificate");
579 /* Write it to disk. */
581 if (crypto_write_tagged_contents_to_file(cert_fname
, "ed25519v1-cert",
582 tag
, cert
->encoded
, cert
->encoded_len
) < 0) {
583 tor_log(severity
, LD_OR
, "Couldn't write cert to disk.");
597 memwipe(keypair
, 0, sizeof(*keypair
));
603 unlink(secret_fname
);
605 unlink(public_fname
);
610 tor_free(encrypted_secret_fname
);
611 tor_free(secret_fname
);
612 tor_free(public_fname
);
613 tor_free(cert_fname
);
620 * Create a new signing key and (optionally) certficiate; do not read or write
621 * from disk. See ed_key_init_from_file() for more information.
624 ed_key_new(const ed25519_keypair_t
*signing_key
,
629 struct tor_cert_st
**cert_out
)
634 const int extra_strong
= !! (flags
& INIT_ED_KEY_EXTRA_STRONG
);
635 ed25519_keypair_t
*keypair
= tor_malloc_zero(sizeof(ed25519_keypair_t
));
636 if (ed25519_keypair_generate(keypair
, extra_strong
) < 0)
639 if (! (flags
& INIT_ED_KEY_NEEDCERT
))
642 tor_assert(signing_key
);
643 tor_assert(cert_out
);
644 uint32_t cert_flags
= 0;
645 if (flags
& INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
)
646 cert_flags
|= CERT_FLAG_INCLUDE_SIGNING_KEY
;
647 tor_cert_t
*cert
= tor_cert_create(signing_key
, cert_type
,
662 static ed25519_keypair_t
*master_identity_key
= NULL
;
663 static ed25519_keypair_t
*master_signing_key
= NULL
;
664 static ed25519_keypair_t
*current_auth_key
= NULL
;
665 static tor_cert_t
*signing_key_cert
= NULL
;
666 static tor_cert_t
*link_cert_cert
= NULL
;
667 static tor_cert_t
*auth_key_cert
= NULL
;
669 static uint8_t *rsa_ed_crosscert
= NULL
;
670 static size_t rsa_ed_crosscert_len
= 0;
671 static time_t rsa_ed_crosscert_expiration
= 0;
674 * Running as a server: load, reload, or refresh our ed25519 keys and
675 * certificates, creating and saving new ones as needed.
677 * Return -1 on failure; 0 on success if the signing key was not replaced;
678 * and 1 on success if the signing key was replaced.
681 load_ed_keys(const or_options_t
*options
, time_t now
)
683 ed25519_keypair_t
*id
= NULL
;
684 ed25519_keypair_t
*sign
= NULL
;
685 ed25519_keypair_t
*auth
= NULL
;
686 const ed25519_keypair_t
*sign_signing_key_with_id
= NULL
;
687 const ed25519_keypair_t
*use_signing
= NULL
;
688 const tor_cert_t
*check_signing_cert
= NULL
;
689 tor_cert_t
*sign_cert
= NULL
;
690 tor_cert_t
*auth_cert
= NULL
;
691 int signing_key_changed
= 0;
693 // It is later than 1972, since otherwise there would be no C compilers.
694 // (Try to diagnose #22466.)
695 tor_assert_nonfatal(now
>= 2 * 365 * 86400);
697 #define FAIL(msg) do { \
698 log_warn(LD_OR, (msg)); \
701 #define SET_KEY(key, newval) do { \
702 if ((key) != (newval)) \
703 ed25519_keypair_free(key); \
706 #define SET_CERT(cert, newval) do { \
707 if ((cert) != (newval)) \
708 tor_cert_free(cert); \
711 #define HAPPENS_SOON(when, interval) \
712 ((when) < now + (interval))
713 #define EXPIRES_SOON(cert, interval) \
714 (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))
716 /* XXXX support encrypted identity keys fully */
718 /* First try to get the signing key to see how it is. */
721 options_get_datadir_fname2(options
, "keys", "ed25519_signing");
722 sign
= ed_key_init_from_file(
724 INIT_ED_KEY_NEEDCERT
|
725 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
,
727 NULL
, 0, 0, CERT_TYPE_ID_SIGNING
, &sign_cert
);
729 check_signing_cert
= sign_cert
;
734 /* We loaded a signing key with its certificate. */
735 if (! master_signing_key
) {
736 /* We didn't know one before! */
737 signing_key_changed
= 1;
738 } else if (! ed25519_pubkey_eq(&use_signing
->pubkey
,
739 &master_signing_key
->pubkey
) ||
740 ! tor_memeq(use_signing
->seckey
.seckey
,
741 master_signing_key
->seckey
.seckey
,
742 ED25519_SECKEY_LEN
)) {
743 /* We loaded a different signing key than the one we knew before. */
744 signing_key_changed
= 1;
748 if (!use_signing
&& master_signing_key
) {
749 /* We couldn't load a signing key, but we already had one loaded */
750 check_signing_cert
= signing_key_cert
;
751 use_signing
= master_signing_key
;
754 const int offline_master
=
755 options
->OfflineMasterKey
&& options
->command
!= CMD_KEYGEN
;
756 const int need_new_signing_key
=
757 NULL
== use_signing
||
758 EXPIRES_SOON(check_signing_cert
, 0) ||
759 (options
->command
== CMD_KEYGEN
&& ! options
->change_key_passphrase
);
760 const int want_new_signing_key
=
761 need_new_signing_key
||
762 EXPIRES_SOON(check_signing_cert
, options
->TestingSigningKeySlop
);
764 /* We can only create a master key if we haven't been told that the
765 * master key will always be offline. Also, if we have a signing key,
766 * then we shouldn't make a new master ID key. */
767 const int can_make_master_id_key
= !offline_master
&&
770 if (need_new_signing_key
) {
771 log_notice(LD_OR
, "It looks like I need to generate and sign a new "
772 "medium-term signing key, because %s. To do that, I "
773 "need to load%s the permanent master identity key. "
774 "If the master identity key was not moved or encrypted "
775 "with a passphrase, this will be done automatically and "
776 "no further action is required. Otherwise, provide the "
777 "necessary data using 'tor --keygen' to do it manually.",
778 (NULL
== use_signing
) ? "I don't have one" :
779 EXPIRES_SOON(check_signing_cert
, 0) ? "the one I have is expired" :
780 "you asked me to make one with --keygen",
781 can_make_master_id_key
? " (or create)" : "");
782 } else if (want_new_signing_key
&& !offline_master
) {
783 log_notice(LD_OR
, "It looks like I should try to generate and sign a "
784 "new medium-term signing key, because the one I have is "
785 "going to expire soon. To do that, I'm going to have to "
786 "try to load the permanent master identity key. "
787 "If the master identity key was not moved or encrypted "
788 "with a passphrase, this will be done automatically and "
789 "no further action is required. Otherwise, provide the "
790 "necessary data using 'tor --keygen' to do it manually.");
791 } else if (want_new_signing_key
) {
792 log_notice(LD_OR
, "It looks like I should try to generate and sign a "
793 "new medium-term signing key, because the one I have is "
794 "going to expire soon. But OfflineMasterKey is set, so I "
795 "won't try to load a permanent master identity key. You "
796 "will need to use 'tor --keygen' to make a new signing "
797 "key and certificate.");
803 INIT_ED_KEY_EXTRA_STRONG
|INIT_ED_KEY_NO_REPAIR
);
804 if (can_make_master_id_key
)
805 flags
|= INIT_ED_KEY_CREATE
;
806 if (! need_new_signing_key
)
807 flags
|= INIT_ED_KEY_MISSING_SECRET_OK
;
808 if (! want_new_signing_key
|| offline_master
)
809 flags
|= INIT_ED_KEY_OMIT_SECRET
;
811 flags
|= INIT_ED_KEY_OFFLINE_SECRET
;
812 if (options
->command
== CMD_KEYGEN
)
813 flags
|= INIT_ED_KEY_TRY_ENCRYPTED
;
815 /* Check/Create the key directory */
816 cpd_check_t cpd_opts
= CPD_CREATE
;
817 if (options
->DataDirectoryGroupReadable
)
818 cpd_opts
|= CPD_GROUP_READ
;
819 if (check_private_dir(options
->DataDirectory
, cpd_opts
, options
->User
)) {
820 log_err(LD_OR
, "Can't create/check datadirectory %s",
821 options
->DataDirectory
);
824 char *fname
= get_datadir_fname("keys");
825 if (check_private_dir(fname
, CPD_CREATE
, options
->User
) < 0) {
826 log_err(LD_OR
, "Problem creating/checking key directory %s", fname
);
831 if (options
->master_key_fname
) {
832 fname
= tor_strdup(options
->master_key_fname
);
833 flags
|= INIT_ED_KEY_EXPLICIT_FNAME
;
835 fname
= options_get_datadir_fname2(options
, "keys", "ed25519_master_id");
837 id
= ed_key_init_from_file(
840 LOG_WARN
, NULL
, 0, 0, 0, NULL
);
843 if (need_new_signing_key
) {
845 FAIL("Can't load master identity key; OfflineMasterKey is set.");
847 FAIL("Missing identity key");
849 log_warn(LD_OR
, "Master public key was absent; inferring from "
850 "public key in signing certificate and saving to disk.");
851 tor_assert(check_signing_cert
);
852 id
= tor_malloc_zero(sizeof(*id
));
853 memcpy(&id
->pubkey
, &check_signing_cert
->signing_key
,
854 sizeof(ed25519_public_key_t
));
855 fname
= options_get_datadir_fname2(options
, "keys",
856 "ed25519_master_id_public_key");
857 if (ed25519_pubkey_write_to_file(&id
->pubkey
, fname
, "type0") < 0) {
858 log_warn(LD_OR
, "Error while attempting to write master public key "
866 if (tor_mem_is_zero((char*)id
->seckey
.seckey
, sizeof(id
->seckey
)))
867 sign_signing_key_with_id
= NULL
;
869 sign_signing_key_with_id
= id
;
872 if (master_identity_key
&&
873 !ed25519_pubkey_eq(&id
->pubkey
, &master_identity_key
->pubkey
)) {
874 FAIL("Identity key on disk does not match key we loaded earlier!");
877 if (need_new_signing_key
&& NULL
== sign_signing_key_with_id
)
878 FAIL("Can't load master key make a new signing key.");
881 if (! sign_cert
->signing_key_included
)
882 FAIL("Loaded a signing cert with no key included!");
883 if (! ed25519_pubkey_eq(&sign_cert
->signing_key
, &id
->pubkey
))
884 FAIL("The signing cert we have was not signed with the master key "
886 if (tor_cert_checksig(sign_cert
, &id
->pubkey
, 0) < 0)
887 FAIL("The signing cert we loaded was not signed correctly!");
890 if (want_new_signing_key
&& sign_signing_key_with_id
) {
891 uint32_t flags
= (INIT_ED_KEY_CREATE
|
893 INIT_ED_KEY_EXTRA_STRONG
|
894 INIT_ED_KEY_NEEDCERT
|
895 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT
);
897 options_get_datadir_fname2(options
, "keys", "ed25519_signing");
898 ed25519_keypair_free(sign
);
899 tor_cert_free(sign_cert
);
900 sign
= ed_key_init_from_file(fname
,
902 sign_signing_key_with_id
, now
,
903 options
->SigningKeyLifetime
,
904 CERT_TYPE_ID_SIGNING
, &sign_cert
);
907 FAIL("Missing signing key");
909 signing_key_changed
= 1;
911 tor_assert(sign_cert
->signing_key_included
);
912 tor_assert(ed25519_pubkey_eq(&sign_cert
->signing_key
, &id
->pubkey
));
913 tor_assert(ed25519_pubkey_eq(&sign_cert
->signed_key
, &sign
->pubkey
));
914 } else if (want_new_signing_key
) {
915 static ratelim_t missing_master
= RATELIM_INIT(3600);
916 log_fn_ratelim(&missing_master
, LOG_WARN
, LD_OR
,
917 "Signing key will expire soon, but I can't load the "
918 "master key to sign a new one!");
921 tor_assert(use_signing
);
923 /* At this point we no longer need our secret identity key. So wipe
924 * it, if we loaded it in the first place. */
925 memwipe(id
->seckey
.seckey
, 0, sizeof(id
->seckey
));
927 if (options
->command
== CMD_KEYGEN
)
930 if (server_mode(options
) &&
931 (!rsa_ed_crosscert
||
932 HAPPENS_SOON(rsa_ed_crosscert_expiration
, 30*86400))) {
934 time_t expiration
= now
+6*30*86400; /* 6 months in the future. */
935 ssize_t crosscert_len
= tor_make_rsa_ed25519_crosscert(&id
->pubkey
,
936 get_server_identity_key(),
939 tor_free(rsa_ed_crosscert
);
940 rsa_ed_crosscert_len
= crosscert_len
;
941 rsa_ed_crosscert
= crosscert
;
942 rsa_ed_crosscert_expiration
= expiration
;
945 if (!current_auth_key
||
946 signing_key_changed
||
947 EXPIRES_SOON(auth_key_cert
, options
->TestingAuthKeySlop
)) {
948 auth
= ed_key_new(use_signing
, INIT_ED_KEY_NEEDCERT
,
950 options
->TestingAuthKeyLifetime
,
951 CERT_TYPE_SIGNING_AUTH
, &auth_cert
);
954 FAIL("Can't create auth key");
957 /* We've generated or loaded everything. Put them in memory. */
960 if (! master_identity_key
) {
961 SET_KEY(master_identity_key
, id
);
966 SET_KEY(master_signing_key
, sign
);
967 SET_CERT(signing_key_cert
, sign_cert
);
970 SET_KEY(current_auth_key
, auth
);
971 SET_CERT(auth_key_cert
, auth_cert
);
974 return signing_key_changed
;
976 ed25519_keypair_free(id
);
977 ed25519_keypair_free(sign
);
978 ed25519_keypair_free(auth
);
979 tor_cert_free(sign_cert
);
980 tor_cert_free(auth_cert
);
985 * Retrieve our currently-in-use Ed25519 link certificate and id certificate,
986 * and, if they would expire soon (based on the time <b>now</b>, generate new
987 * certificates (without embedding the public part of the signing key inside).
988 * If <b>force</b> is true, always generate a new certificate.
990 * The signed_key from the current id->signing certificate will be used to
991 * sign the new key within newly generated X509 certificate.
993 * Returns -1 upon error. Otherwise, returns 0 upon success (either when the
994 * current certificate is still valid, or when a new certificate was
995 * successfully generated, or no certificate was needed).
998 generate_ed_link_cert(const or_options_t
*options
, time_t now
,
1001 const tor_x509_cert_t
*link_
= NULL
, *id
= NULL
;
1002 tor_cert_t
*link_cert
= NULL
;
1004 if (tor_tls_get_my_certs(1, &link_
, &id
) < 0 || link_
== NULL
) {
1005 if (!server_mode(options
)) {
1006 /* No need to make an Ed25519->Link cert: we are a client */
1009 log_warn(LD_OR
, "Can't get my x509 link cert.");
1013 const common_digests_t
*digests
= tor_x509_cert_get_cert_digests(link_
);
1017 ! EXPIRES_SOON(link_cert_cert
, options
->TestingLinkKeySlop
) &&
1018 fast_memeq(digests
->d
[DIGEST_SHA256
], link_cert_cert
->signed_key
.pubkey
,
1023 ed25519_public_key_t dummy_key
;
1024 memcpy(dummy_key
.pubkey
, digests
->d
[DIGEST_SHA256
], DIGEST256_LEN
);
1026 link_cert
= tor_cert_create(get_master_signing_keypair(),
1027 CERT_TYPE_SIGNING_LINK
,
1030 options
->TestingLinkCertLifetime
, 0);
1033 SET_CERT(link_cert_cert
, link_cert
);
1043 * Return 1 if any of the following are true:
1045 * - if one of our Ed25519 signing, auth, or link certificates would expire
1046 * soon w.r.t. the time <b>now</b>,
1047 * - if we do not currently have a link certificate, or
1048 * - if our cached Ed25519 link certificate is not same as the one we're
1051 * Otherwise, returns 0.
1054 should_make_new_ed_keys(const or_options_t
*options
, const time_t now
)
1056 if (!master_identity_key
||
1057 !master_signing_key
||
1058 !current_auth_key
||
1060 EXPIRES_SOON(signing_key_cert
, options
->TestingSigningKeySlop
) ||
1061 EXPIRES_SOON(auth_key_cert
, options
->TestingAuthKeySlop
) ||
1062 EXPIRES_SOON(link_cert_cert
, options
->TestingLinkKeySlop
))
1065 const tor_x509_cert_t
*link_
= NULL
, *id
= NULL
;
1067 if (tor_tls_get_my_certs(1, &link_
, &id
) < 0 || link_
== NULL
)
1070 const common_digests_t
*digests
= tor_x509_cert_get_cert_digests(link_
);
1072 if (!fast_memeq(digests
->d
[DIGEST_SHA256
],
1073 link_cert_cert
->signed_key
.pubkey
,
1084 #ifdef TOR_UNIT_TESTS
1085 /* Helper for unit tests: populate the ed25519 keys without saving or
1088 init_mock_ed_keys(const crypto_pk_t
*rsa_identity_key
)
1090 routerkeys_free_all();
1092 #define MAKEKEY(k) \
1093 k = tor_malloc_zero(sizeof(*k)); \
1094 if (ed25519_keypair_generate(k, 0) < 0) { \
1095 log_warn(LD_BUG, "Couldn't make a keypair"); \
1098 MAKEKEY(master_identity_key
);
1099 MAKEKEY(master_signing_key
);
1100 MAKEKEY(current_auth_key
);
1101 #define MAKECERT(cert, signing, signed_, type, flags) \
1102 cert = tor_cert_create(signing, \
1105 time(NULL), 86400, \
1108 log_warn(LD_BUG, "Couldn't make a %s certificate!", #cert); \
1112 MAKECERT(signing_key_cert
,
1113 master_identity_key
, master_signing_key
, CERT_TYPE_ID_SIGNING
,
1114 CERT_FLAG_INCLUDE_SIGNING_KEY
);
1115 MAKECERT(auth_key_cert
,
1116 master_signing_key
, current_auth_key
, CERT_TYPE_SIGNING_AUTH
, 0);
1118 if (generate_ed_link_cert(get_options(), time(NULL
), 0) < 0) {
1119 log_warn(LD_BUG
, "Couldn't make link certificate");
1123 rsa_ed_crosscert_len
= tor_make_rsa_ed25519_crosscert(
1124 &master_identity_key
->pubkey
,
1132 routerkeys_free_all();
1133 tor_assert_nonfatal_unreached();
1137 #endif /* defined(TOR_UNIT_TESTS) */
1140 * Print the ISO8601-formated <b>expiration</b> for a certificate with
1141 * some <b>description</b> to stdout.
1143 * For example, for a signing certificate, this might print out:
1144 * signing-cert-expiry: 2017-07-25 08:30:15 UTC
1147 print_cert_expiration(const char *expiration
,
1148 const char *description
)
1150 fprintf(stderr
, "%s-cert-expiry: %s\n", description
, expiration
);
1154 * Log when a certificate, <b>cert</b>, with some <b>description</b> and
1155 * stored in a file named <b>fname</b>, is going to expire.
1158 log_ed_cert_expiration(const tor_cert_t
*cert
,
1159 const char *description
,
1160 const char *fname
) {
1161 char expiration
[ISO_TIME_LEN
+1];
1163 if (BUG(!cert
)) { /* If the specified key hasn't been loaded */
1164 log_warn(LD_OR
, "No %s key loaded; can't get certificate expiration.",
1167 format_local_iso_time(expiration
, cert
->valid_until
);
1168 log_notice(LD_OR
, "The %s certificate stored in %s is valid until %s.",
1169 description
, fname
, expiration
);
1170 print_cert_expiration(expiration
, description
);
1175 * Log when our master signing key certificate expires. Used when tor is given
1176 * the --key-expiration command-line option.
1178 * Returns 0 on success and 1 on failure.
1181 log_master_signing_key_cert_expiration(const or_options_t
*options
)
1183 const tor_cert_t
*signing_key
;
1186 time_t now
= approx_time();
1188 fn
= options_get_datadir_fname2(options
, "keys", "ed25519_signing_cert");
1190 /* Try to grab our cached copy of the key. */
1191 signing_key
= get_master_signing_key_cert();
1193 tor_assert(server_identity_key_is_set());
1195 /* Load our keys from disk, if necessary. */
1197 failed
= load_ed_keys(options
, now
) < 0;
1198 signing_key
= get_master_signing_key_cert();
1201 /* If we do have a signing key, log the expiration time. */
1203 log_ed_cert_expiration(signing_key
, "signing", fn
);
1205 log_warn(LD_OR
, "Could not load signing key certificate from %s, so " \
1206 "we couldn't learn anything about certificate expiration.", fn
);
1215 * Log when a key certificate expires. Used when tor is given the
1216 * --key-expiration command-line option.
1218 * If an command argument is given, which should specify the type of
1219 * key to get expiry information about (currently supported arguments
1220 * are "sign"), get info about that type of certificate. Otherwise,
1221 * print info about the supported arguments.
1223 * Returns 0 on success and -1 on failure.
1226 log_cert_expiration(void)
1228 const or_options_t
*options
= get_options();
1229 const char *arg
= options
->command_arg
;
1231 if (!strcmp(arg
, "sign")) {
1232 return log_master_signing_key_cert_expiration(options
);
1234 fprintf(stderr
, "No valid argument to --key-expiration found!\n");
1235 fprintf(stderr
, "Currently recognised arguments are: 'sign'\n");
1241 const ed25519_public_key_t
*
1242 get_master_identity_key(void)
1244 if (!master_identity_key
)
1246 return &master_identity_key
->pubkey
;
1249 /** Return true iff <b>id</b> is our Ed25519 master identity key. */
1251 router_ed25519_id_is_me(const ed25519_public_key_t
*id
)
1253 return id
&& master_identity_key
&&
1254 ed25519_pubkey_eq(id
, &master_identity_key
->pubkey
);
1257 #ifdef TOR_UNIT_TESTS
1258 /* only exists for the unit tests, since otherwise the identity key
1259 * should be used to sign nothing but the signing key. */
1260 const ed25519_keypair_t
*
1261 get_master_identity_keypair(void)
1263 return master_identity_key
;
1265 #endif /* defined(TOR_UNIT_TESTS) */
1267 const ed25519_keypair_t
*
1268 get_master_signing_keypair(void)
1270 return master_signing_key
;
1273 const struct tor_cert_st
*
1274 get_master_signing_key_cert(void)
1276 return signing_key_cert
;
1279 const ed25519_keypair_t
*
1280 get_current_auth_keypair(void)
1282 return current_auth_key
;
1286 get_current_link_cert_cert(void)
1288 return link_cert_cert
;
1292 get_current_auth_key_cert(void)
1294 return auth_key_cert
;
1298 get_master_rsa_crosscert(const uint8_t **cert_out
,
1301 *cert_out
= rsa_ed_crosscert
;
1302 *size_out
= rsa_ed_crosscert_len
;
1305 /** Construct cross-certification for the master identity key with
1306 * the ntor onion key. Store the sign of the corresponding ed25519 public key
1307 * in *<b>sign_out</b>. */
1309 make_ntor_onion_key_crosscert(const curve25519_keypair_t
*onion_key
,
1310 const ed25519_public_key_t
*master_id_key
, time_t now
, time_t lifetime
,
1313 tor_cert_t
*cert
= NULL
;
1314 ed25519_keypair_t ed_onion_key
;
1316 if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key
, sign_out
,
1320 cert
= tor_cert_create(&ed_onion_key
, CERT_TYPE_ONION_ID
, master_id_key
,
1324 memwipe(&ed_onion_key
, 0, sizeof(ed_onion_key
));
1328 /** Construct and return an RSA signature for the TAP onion key to
1329 * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
1332 make_tap_onion_key_crosscert(const crypto_pk_t
*onion_key
,
1333 const ed25519_public_key_t
*master_id_key
,
1334 const crypto_pk_t
*rsa_id_key
,
1337 uint8_t signature
[PK_BYTES
];
1338 uint8_t signed_data
[DIGEST_LEN
+ ED25519_PUBKEY_LEN
];
1341 if (crypto_pk_get_digest(rsa_id_key
, (char*)signed_data
) < 0) {
1344 memcpy(signed_data
+ DIGEST_LEN
, master_id_key
->pubkey
, ED25519_PUBKEY_LEN
);
1346 int r
= crypto_pk_private_sign(onion_key
,
1347 (char*)signature
, sizeof(signature
),
1348 (const char*)signed_data
, sizeof(signed_data
));
1354 return tor_memdup(signature
, r
);
1357 /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it
1358 * is, -1 if it isn't. */
1360 check_tap_onion_key_crosscert
,(const uint8_t *crosscert
,
1362 const crypto_pk_t
*onion_pkey
,
1363 const ed25519_public_key_t
*master_id_pkey
,
1364 const uint8_t *rsa_id_digest
))
1366 uint8_t *cc
= tor_malloc(crypto_pk_keysize(onion_pkey
));
1368 crypto_pk_public_checksig(onion_pkey
,
1370 crypto_pk_keysize(onion_pkey
),
1371 (const char*)crosscert
,
1376 if (cc_len
< DIGEST_LEN
+ ED25519_PUBKEY_LEN
) {
1377 log_warn(LD_DIR
, "Short signature on cross-certification with TAP key");
1380 if (tor_memneq(cc
, rsa_id_digest
, DIGEST_LEN
) ||
1381 tor_memneq(cc
+ DIGEST_LEN
, master_id_pkey
->pubkey
,
1382 ED25519_PUBKEY_LEN
)) {
1383 log_warn(LD_DIR
, "Incorrect cross-certification with TAP key");
1395 routerkeys_free_all(void)
1397 ed25519_keypair_free(master_identity_key
);
1398 ed25519_keypair_free(master_signing_key
);
1399 ed25519_keypair_free(current_auth_key
);
1400 tor_cert_free(signing_key_cert
);
1401 tor_cert_free(link_cert_cert
);
1402 tor_cert_free(auth_key_cert
);
1403 tor_free(rsa_ed_crosscert
);
1405 master_identity_key
= master_signing_key
= NULL
;
1406 current_auth_key
= NULL
;
1407 signing_key_cert
= link_cert_cert
= auth_key_cert
= NULL
;
1408 rsa_ed_crosscert
= NULL
; // redundant
1409 rsa_ed_crosscert_len
= 0;