torcert.h 4.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102
  1. /* Copyright (c) 2014-2016, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. #ifndef TORCERT_H_INCLUDED
  4. #define TORCERT_H_INCLUDED
  5. #include "crypto_ed25519.h"
  6. #define SIGNED_KEY_TYPE_ED25519 0x01
  7. #define CERT_TYPE_ID_SIGNING 0x04
  8. #define CERT_TYPE_SIGNING_LINK 0x05
  9. #define CERT_TYPE_SIGNING_AUTH 0x06
  10. #define CERT_TYPE_SIGNING_HS_DESC 0x08
  11. #define CERT_TYPE_AUTH_HS_IP_KEY 0x09
  12. #define CERT_TYPE_ONION_ID 0x0A
  13. #define CERT_TYPE_CROSS_HS_IP_KEYS 0x0B
  14. #define CERT_FLAG_INCLUDE_SIGNING_KEY 0x1
  15. /** An ed25519-signed certificate as used throughout the Tor protocol.
  16. **/
  17. typedef struct tor_cert_st {
  18. /** The key authenticated by this certificate */
  19. ed25519_public_key_t signed_key;
  20. /** The key that signed this certificate. This value may be unset if the
  21. * certificate has never been checked, and didn't include its own key. */
  22. ed25519_public_key_t signing_key;
  23. /** A time after which this certificate will no longer be valid. */
  24. time_t valid_until;
  25. /** The encoded representation of this certificate */
  26. uint8_t *encoded;
  27. /** The length of <b>encoded</b> */
  28. size_t encoded_len;
  29. /** One of CERT_TYPE_... */
  30. uint8_t cert_type;
  31. /** True iff we received a signing key embedded in this certificate */
  32. unsigned signing_key_included : 1;
  33. /** True iff we checked the signature and found it bad */
  34. unsigned sig_bad : 1;
  35. /** True iff we checked the signature and found it correct */
  36. unsigned sig_ok : 1;
  37. /** True iff we checked the signature and first found that the cert
  38. * had expired */
  39. unsigned cert_expired : 1;
  40. /** True iff we checked the signature and found the whole cert valid */
  41. unsigned cert_valid : 1;
  42. } tor_cert_t;
  43. tor_cert_t *tor_cert_create(const ed25519_keypair_t *signing_key,
  44. uint8_t cert_type,
  45. const ed25519_public_key_t *signed_key,
  46. time_t now, time_t lifetime,
  47. uint32_t flags);
  48. tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
  49. void tor_cert_free(tor_cert_t *cert);
  50. int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
  51. const tor_cert_t *out,
  52. const ed25519_public_key_t *pubkey,
  53. time_t *expiration_out);
  54. int tor_cert_checksig(tor_cert_t *cert,
  55. const ed25519_public_key_t *pubkey, time_t now);
  56. tor_cert_t *tor_cert_dup(const tor_cert_t *cert);
  57. int tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
  58. int tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2);
  59. ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
  60. const crypto_pk_t *rsa_key,
  61. time_t expires,
  62. uint8_t **cert);
  63. int rsa_ed25519_crosscert_check(const uint8_t *crosscert,
  64. const size_t crosscert_len,
  65. const crypto_pk_t *rsa_id_key,
  66. const ed25519_public_key_t *master_key,
  67. const time_t reject_if_expired_before);
  68. or_handshake_certs_t *or_handshake_certs_new(void);
  69. void or_handshake_certs_free(or_handshake_certs_t *certs);
  70. int or_handshake_certs_rsa_ok(int severity,
  71. or_handshake_certs_t *certs,
  72. tor_tls_t *tls,
  73. time_t now);
  74. int or_handshake_certs_ed25519_ok(int severity,
  75. or_handshake_certs_t *certs,
  76. tor_tls_t *tls,
  77. time_t now);
  78. void or_handshake_certs_check_both(int severity,
  79. or_handshake_certs_t *certs,
  80. tor_tls_t *tls,
  81. time_t now,
  82. const ed25519_public_key_t **ed_id_out,
  83. const common_digests_t **rsa_id_out);
  84. #endif