/* Copyright (c) 2014, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /** * \file torcert.c * * \brief Implementation for ed25519-signed certificates as used in the Tor * protocol. */ #include "crypto.h" #include "torcert.h" #include "ed25519_cert.h" #include "torlog.h" #include "util.h" #include "compat.h" #include "link_handshake.h" /** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519 * key. */ static tor_cert_t * tor_cert_sign_impl(const ed25519_keypair_t *signing_key, uint8_t cert_type, uint8_t signed_key_type, const uint8_t signed_key_info[32], time_t now, time_t lifetime, uint32_t flags) { tor_cert_t *torcert = NULL; ed25519_cert_t *cert = ed25519_cert_new(); cert->cert_type = cert_type; cert->exp_field = (uint32_t) CEIL_DIV(now + lifetime, 3600); cert->cert_key_type = signed_key_type; memcpy(cert->certified_key, signed_key_info, 32); if (flags & CERT_FLAG_INCLUDE_SIGNING_KEY) { ed25519_cert_extension_t *ext = ed25519_cert_extension_new(); ext->ext_type = CERTEXT_SIGNED_WITH_KEY; memcpy(ext->un_signing_key, signing_key->pubkey.pubkey, 32); ed25519_cert_add_ext(cert, ext); ++cert->n_extensions; } const ssize_t alloc_len = ed25519_cert_encoded_len(cert); tor_assert(alloc_len > 0); uint8_t *encoded = tor_malloc(alloc_len); const ssize_t real_len = ed25519_cert_encode(encoded, alloc_len, cert); if (real_len < 0) goto err; tor_assert(real_len == alloc_len); tor_assert(real_len > ED25519_SIG_LEN); uint8_t *sig = encoded + (real_len - ED25519_SIG_LEN); tor_assert(tor_mem_is_zero((char*)sig, ED25519_SIG_LEN)); ed25519_signature_t signature; if (ed25519_sign(&signature, encoded, real_len-ED25519_SIG_LEN, signing_key)<0) { log_warn(LD_BUG, "Can't sign certificate"); goto err; } memcpy(sig, signature.sig, ED25519_SIG_LEN); torcert = tor_cert_parse(encoded, real_len); if (! torcert) { log_warn(LD_BUG, "Generated a certificate we cannot parse"); goto err; } if (tor_cert_checksig(torcert, &signing_key->pubkey, now) < 0) { log_warn(LD_BUG, "Generated a certificate whose signature we can't check"); goto err; } tor_free(encoded); goto done; err: tor_cert_free(torcert); torcert = NULL; done: ed25519_cert_free(cert); tor_free(encoded); return torcert; } /** * Create and return a new new certificate of type cert_type to * authenticate signed_key using the key signing_key. The * certificate should remain valid for at least lifetime seconds after * now. * * If CERT_FLAG_INCLUDE_SIGNING_KEY is set in flags, embed * the public part of signing_key in the certificate. */ tor_cert_t * tor_cert_create(const ed25519_keypair_t *signing_key, uint8_t cert_type, const ed25519_public_key_t *signed_key, time_t now, time_t lifetime, uint32_t flags) { return tor_cert_sign_impl(signing_key, cert_type, SIGNED_KEY_TYPE_ED25519, signed_key->pubkey, now, lifetime, flags); } /** Release all storage held for cert. */ void tor_cert_free(tor_cert_t *cert) { if (! cert) return; if (cert->encoded) memwipe(cert->encoded, 0, cert->encoded_len); tor_free(cert->encoded); memwipe(cert, 0, sizeof(tor_cert_t)); tor_free(cert); } /** Parse a certificate encoded with len bytes in encoded. */ tor_cert_t * tor_cert_parse(const uint8_t *encoded, const size_t len) { tor_cert_t *cert = NULL; ed25519_cert_t *parsed = NULL; ssize_t got_len = ed25519_cert_parse(&parsed, encoded, len); if (got_len < 0 || (size_t) got_len != len) goto err; cert = tor_malloc_zero(sizeof(tor_cert_t)); cert->encoded = tor_memdup(encoded, len); cert->encoded_len = len; memcpy(cert->signed_key.pubkey, parsed->certified_key, 32); cert->valid_until = parsed->exp_field * 3600; cert->cert_type = parsed->cert_type; for (unsigned i = 0; i < ed25519_cert_getlen_ext(parsed); ++i) { ed25519_cert_extension_t *ext = ed25519_cert_get_ext(parsed, i); if (ext->ext_type == CERTEXT_SIGNED_WITH_KEY) { if (cert->signing_key_included) goto err; cert->signing_key_included = 1; memcpy(cert->signing_key.pubkey, ext->un_signing_key, 32); } else if (ext->ext_flags & CERTEXT_FLAG_AFFECTS_VALIDATION) { /* Unrecognized extension with affects_validation set */ goto err; } } goto done; err: tor_cert_free(cert); cert = NULL; done: ed25519_cert_free(parsed); return cert; } /** Fill in checkable_out with the information needed to check * the signature on cert with pubkey. */ int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out, const tor_cert_t *cert, const ed25519_public_key_t *pubkey) { if (! pubkey) { if (cert->signing_key_included) pubkey = &cert->signing_key; else return -1; } checkable_out->msg = cert->encoded; checkable_out->pubkey = pubkey; tor_assert(cert->encoded_len > ED25519_SIG_LEN); const size_t signed_len = cert->encoded_len - ED25519_SIG_LEN; checkable_out->len = signed_len; memcpy(checkable_out->signature.sig, cert->encoded + signed_len, ED25519_SIG_LEN); return 0; } /** Validates the signature on cert with pubkey relative to the * current time now. (If now is 0, do not check the expiration * time.) Return 0 on success, -1 on failure. Sets flags in cert as * appropriate. */ int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now) { ed25519_checkable_t checkable; int okay; if (now && now > cert->valid_until) { cert->cert_expired = 1; return -1; } if (tor_cert_get_checkable_sig(&checkable, cert, pubkey) < 0) return -1; if (ed25519_checksig_batch(&okay, &checkable, 1) < 0) { cert->sig_bad = 1; return -1; } else { cert->sig_ok = 1; /* Only copy the checkable public key when it is different from the signing * key of the certificate to avoid undefined behavior. */ if (cert->signing_key.pubkey != checkable.pubkey->pubkey) { memcpy(cert->signing_key.pubkey, checkable.pubkey->pubkey, 32); } cert->cert_valid = 1; return 0; } } /** Return a new copy of cert */ tor_cert_t * tor_cert_dup(const tor_cert_t *cert) { tor_cert_t *newcert = tor_memdup(cert, sizeof(tor_cert_t)); if (cert->encoded) newcert->encoded = tor_memdup(cert->encoded, cert->encoded_len); return newcert; } /** Return true iff cert1 and cert2 are the same cert. */ int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2) { tor_assert(cert1); tor_assert(cert2); return cert1->encoded_len == cert2->encoded_len && tor_memeq(cert1->encoded, cert2->encoded, cert1->encoded_len); } /** Return true iff cert1 and cert2 are the same cert, or if they are both * NULL. */ int tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2) { if (cert1 == NULL && cert2 == NULL) return 1; if (!cert1 || !cert2) return 0; return tor_cert_eq(cert1, cert2); } /** Create new cross-certification object to certify ed_key as the * master ed25519 identity key for the RSA identity key rsa_key. * Allocates and stores the encoded certificate in *cert, and returns * the number of bytes stored. Returns negative on error.*/ ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, const crypto_pk_t *rsa_key, time_t expires, uint8_t **cert) { uint8_t *res; rsa_ed_crosscert_t *cc = rsa_ed_crosscert_new(); memcpy(cc->ed_key, ed_key->pubkey, ED25519_PUBKEY_LEN); cc->expiration = (uint32_t) CEIL_DIV(expires, 3600); cc->sig_len = crypto_pk_keysize(rsa_key); rsa_ed_crosscert_setlen_sig(cc, crypto_pk_keysize(rsa_key)); ssize_t alloc_sz = rsa_ed_crosscert_encoded_len(cc); tor_assert(alloc_sz > 0); res = tor_malloc_zero(alloc_sz); ssize_t sz = rsa_ed_crosscert_encode(res, alloc_sz, cc); tor_assert(sz > 0 && sz <= alloc_sz); const int signed_part_len = 32 + 4; int siglen = crypto_pk_private_sign(rsa_key, (char*)rsa_ed_crosscert_getarray_sig(cc), rsa_ed_crosscert_getlen_sig(cc), (char*)res, signed_part_len); tor_assert(siglen > 0 && siglen <= (int)crypto_pk_keysize(rsa_key)); tor_assert(siglen <= UINT8_MAX); cc->sig_len = siglen; rsa_ed_crosscert_setlen_sig(cc, siglen); sz = rsa_ed_crosscert_encode(res, alloc_sz, cc); rsa_ed_crosscert_free(cc); *cert = res; return sz; }