torcert.c 8.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285
  1. /* Copyright (c) 2014, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #include "crypto.h"
  4. #include "torcert.h"
  5. #include "ed25519_cert.h"
  6. #include "torlog.h"
  7. #include "util.h"
  8. #include "compat.h"
  9. #include "link_handshake.h"
  10. /** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519
  11. * key.
  12. */
  13. static tor_cert_t *
  14. tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
  15. uint8_t cert_type,
  16. uint8_t signed_key_type,
  17. const uint8_t signed_key_info[32],
  18. time_t now, time_t lifetime,
  19. uint32_t flags)
  20. {
  21. tor_cert_t *torcert = NULL;
  22. ed25519_cert_t *cert = ed25519_cert_new();
  23. cert->cert_type = cert_type;
  24. cert->exp_field = (uint32_t) CEIL_DIV(now + lifetime, 3600);
  25. cert->cert_key_type = signed_key_type;
  26. memcpy(cert->certified_key, signed_key_info, 32);
  27. if (flags & CERT_FLAG_INCLUDE_SIGNING_KEY) {
  28. ed25519_cert_extension_t *ext = ed25519_cert_extension_new();
  29. ext->ext_type = CERTEXT_SIGNED_WITH_KEY;
  30. memcpy(ext->un_signing_key, signing_key->pubkey.pubkey, 32);
  31. ed25519_cert_add_ext(cert, ext);
  32. ++cert->n_extensions;
  33. }
  34. const ssize_t alloc_len = ed25519_cert_encoded_len(cert);
  35. tor_assert(alloc_len > 0);
  36. uint8_t *encoded = tor_malloc(alloc_len);
  37. const ssize_t real_len = ed25519_cert_encode(encoded, alloc_len, cert);
  38. if (real_len < 0)
  39. goto err;
  40. tor_assert(real_len == alloc_len);
  41. tor_assert(real_len > ED25519_SIG_LEN);
  42. uint8_t *sig = encoded + (real_len - ED25519_SIG_LEN);
  43. tor_assert(tor_mem_is_zero((char*)sig, ED25519_SIG_LEN));
  44. ed25519_signature_t signature;
  45. if (ed25519_sign(&signature, encoded,
  46. real_len-ED25519_SIG_LEN, signing_key)<0) {
  47. log_warn(LD_BUG, "Can't sign certificate");
  48. goto err;
  49. }
  50. memcpy(sig, signature.sig, ED25519_SIG_LEN);
  51. torcert = tor_cert_parse(encoded, real_len);
  52. if (! torcert) {
  53. log_warn(LD_BUG, "Generated a certificate we cannot parse");
  54. goto err;
  55. }
  56. if (tor_cert_checksig(torcert, &signing_key->pubkey, now) < 0) {
  57. log_warn(LD_BUG, "Generated a certificate whose signature we can't check");
  58. goto err;
  59. }
  60. tor_free(encoded);
  61. goto done;
  62. err:
  63. tor_cert_free(torcert);
  64. torcert = NULL;
  65. done:
  66. ed25519_cert_free(cert);
  67. tor_free(encoded);
  68. return torcert;
  69. }
  70. /**
  71. * Create and return a new new certificate of type <b>cert_type</b> to
  72. * authenticate <b>signed_key</b> using the key <b>signing_key</b>. The
  73. * certificate should remain valid for at least <b>lifetime</b> seconds after
  74. * <b>now</b>.
  75. *
  76. * If CERT_FLAG_INCLUDE_SIGNING_KEY is set in <b>flags</b>, embed
  77. * the public part of <b>signing_key</b> in the certificate.
  78. */
  79. tor_cert_t *
  80. tor_cert_create(const ed25519_keypair_t *signing_key,
  81. uint8_t cert_type,
  82. const ed25519_public_key_t *signed_key,
  83. time_t now, time_t lifetime,
  84. uint32_t flags)
  85. {
  86. return tor_cert_sign_impl(signing_key, cert_type,
  87. SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
  88. now, lifetime, flags);
  89. }
  90. /** Release all storage held for <b>cert</>. */
  91. void
  92. tor_cert_free(tor_cert_t *cert)
  93. {
  94. if (! cert)
  95. return;
  96. if (cert->encoded)
  97. memwipe(cert->encoded, 0, cert->encoded_len);
  98. tor_free(cert->encoded);
  99. memwipe(cert, 0, sizeof(tor_cert_t));
  100. tor_free(cert);
  101. }
  102. /** Parse a certificate encoded with <b>len</b> bytes in <b>encoded</b>. */
  103. tor_cert_t *
  104. tor_cert_parse(const uint8_t *encoded, const size_t len)
  105. {
  106. tor_cert_t *cert = NULL;
  107. ed25519_cert_t *parsed = NULL;
  108. ssize_t got_len = ed25519_cert_parse(&parsed, encoded, len);
  109. if (got_len < 0 || (size_t) got_len != len)
  110. goto err;
  111. cert = tor_malloc_zero(sizeof(tor_cert_t));
  112. cert->encoded = tor_memdup(encoded, len);
  113. cert->encoded_len = len;
  114. memcpy(cert->signed_key.pubkey, parsed->certified_key, 32);
  115. cert->valid_until = parsed->exp_field * 3600;
  116. cert->cert_type = parsed->cert_type;
  117. for (unsigned i = 0; i < ed25519_cert_getlen_ext(parsed); ++i) {
  118. ed25519_cert_extension_t *ext = ed25519_cert_get_ext(parsed, i);
  119. if (ext->ext_type == CERTEXT_SIGNED_WITH_KEY) {
  120. if (cert->signing_key_included)
  121. goto err;
  122. cert->signing_key_included = 1;
  123. memcpy(cert->signing_key.pubkey, ext->un_signing_key, 32);
  124. } else if (ext->ext_flags & CERTEXT_FLAG_AFFECTS_VALIDATION) {
  125. /* Unrecognized extension with affects_validation set */
  126. goto err;
  127. }
  128. }
  129. goto done;
  130. err:
  131. tor_cert_free(cert);
  132. cert = NULL;
  133. done:
  134. ed25519_cert_free(parsed);
  135. return cert;
  136. }
  137. /** Fill in <b>checkable_out</b> with the information needed to check
  138. * the signature on <b>cert</b> with <b>pubkey</b>. */
  139. int
  140. tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
  141. const tor_cert_t *cert,
  142. const ed25519_public_key_t *pubkey)
  143. {
  144. if (! pubkey) {
  145. if (cert->signing_key_included)
  146. pubkey = &cert->signing_key;
  147. else
  148. return -1;
  149. }
  150. checkable_out->msg = cert->encoded;
  151. checkable_out->pubkey = pubkey;
  152. tor_assert(cert->encoded_len > ED25519_SIG_LEN);
  153. const size_t signed_len = cert->encoded_len - ED25519_SIG_LEN;
  154. checkable_out->len = signed_len;
  155. memcpy(checkable_out->signature.sig,
  156. cert->encoded + signed_len, ED25519_SIG_LEN);
  157. return 0;
  158. }
  159. /** Validates the signature on <b>cert</b> with <b>pubkey</b> relative to
  160. * the current time <b>now</b>. Return 0 on success, -1 on failure.
  161. * Sets flags in <b>cert</b> as appropriate.
  162. */
  163. int
  164. tor_cert_checksig(tor_cert_t *cert,
  165. const ed25519_public_key_t *pubkey, time_t now)
  166. {
  167. ed25519_checkable_t checkable;
  168. int okay;
  169. if (now > cert->valid_until) {
  170. cert->cert_expired = 1;
  171. return -1;
  172. }
  173. if (tor_cert_get_checkable_sig(&checkable, cert, pubkey) < 0)
  174. return -1;
  175. if (ed25519_checksig_batch(&okay, &checkable, 1) < 0) {
  176. cert->sig_bad = 1;
  177. return -1;
  178. } else {
  179. cert->sig_ok = 1;
  180. memcpy(cert->signing_key.pubkey, checkable.pubkey->pubkey, 32);
  181. cert->cert_valid = 1;
  182. return 0;
  183. }
  184. }
  185. /** Return a new copy of <b>cert</b> */
  186. tor_cert_t *
  187. tor_cert_dup(const tor_cert_t *cert)
  188. {
  189. tor_cert_t *newcert = tor_memdup(cert, sizeof(tor_cert_t));
  190. if (cert->encoded)
  191. newcert->encoded = tor_memdup(cert->encoded, cert->encoded_len);
  192. return newcert;
  193. }
  194. /** Return true iff cert1 and cert2 are the same cert. */
  195. int
  196. tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2)
  197. {
  198. tor_assert(cert1);
  199. tor_assert(cert2);
  200. return cert1->encoded_len == cert2->encoded_len &&
  201. tor_memeq(cert1->encoded, cert2->encoded, cert1->encoded_len);
  202. }
  203. /** Return true iff cert1 and cert2 are the same cert, or if they are both
  204. * NULL. */
  205. int
  206. tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2)
  207. {
  208. if (cert1 == NULL && cert2 == NULL)
  209. return 1;
  210. if (!cert1 || !cert2)
  211. return 0;
  212. return tor_cert_eq(cert1, cert2);
  213. }
  214. /** Create new cross-certification object to certify <b>ed_key</b> as the
  215. * master ed25519 identity key for the RSA identity key <b>rsa_key</b>.
  216. * Allocates and stores the encoded certificate in *<b>cert</b>, and returns
  217. * the number of bytes stored. Returns negative on error.*/
  218. ssize_t
  219. tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
  220. const crypto_pk_t *rsa_key,
  221. time_t expires,
  222. uint8_t **cert)
  223. {
  224. uint8_t *res;
  225. rsa_ed_crosscert_t *cc = rsa_ed_crosscert_new();
  226. memcpy(cc->ed_key, ed_key->pubkey, ED25519_PUBKEY_LEN);
  227. cc->expiration = (uint32_t) CEIL_DIV(expires, 3600);
  228. cc->sig_len = crypto_pk_keysize(rsa_key);
  229. rsa_ed_crosscert_setlen_sig(cc, crypto_pk_keysize(rsa_key));
  230. ssize_t alloc_sz = rsa_ed_crosscert_encoded_len(cc);
  231. tor_assert(alloc_sz > 0);
  232. res = tor_malloc_zero(alloc_sz);
  233. ssize_t sz = rsa_ed_crosscert_encode(res, alloc_sz, cc);
  234. tor_assert(sz > 0 && sz <= alloc_sz);
  235. const int signed_part_len = 32 + 4;
  236. int siglen = crypto_pk_private_sign(rsa_key,
  237. (char*)rsa_ed_crosscert_getarray_sig(cc),
  238. rsa_ed_crosscert_getlen_sig(cc),
  239. (char*)res, signed_part_len);
  240. tor_assert(siglen > 0 && siglen <= (int)crypto_pk_keysize(rsa_key));
  241. tor_assert(siglen <= UINT8_MAX);
  242. cc->sig_len = siglen;
  243. rsa_ed_crosscert_setlen_sig(cc, siglen);
  244. sz = rsa_ed_crosscert_encode(res, alloc_sz, cc);
  245. rsa_ed_crosscert_free(cc);
  246. *cert = res;
  247. return sz;
  248. }