torcert.c 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725
  1. /* Copyright (c) 2014-2017, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file torcert.c
  5. *
  6. * \brief Implementation for ed25519-signed certificates as used in the Tor
  7. * protocol.
  8. *
  9. * This certificate format is designed to be simple and compact; it's
  10. * documented in tor-spec.txt in the torspec.git repository. All of the
  11. * certificates in this format are signed with an Ed25519 key; the
  12. * contents themselves may be another Ed25519 key, a digest of a
  13. * RSA key, or some other material.
  14. *
  15. * In this module there is also support for a crooss-certification of
  16. * Ed25519 identities using (older) RSA1024 identities.
  17. *
  18. * Tor uses other types of certificate too, beyond those described in this
  19. * module. Notably, our use of TLS requires us to touch X.509 certificates,
  20. * even though sensible people would stay away from those. Our X.509
  21. * certificates are represented with tor_x509_cert_t, and implemented in
  22. * tortls.c. We also have a separate certificate type that authorities
  23. * use to authenticate their RSA signing keys with their RSA identity keys:
  24. * that one is authority_cert_t, and it's mostly handled in routerlist.c.
  25. */
  26. #include "or.h"
  27. #include "config.h"
  28. #include "crypto.h"
  29. #include "torcert.h"
  30. #include "ed25519_cert.h"
  31. #include "torlog.h"
  32. #include "util.h"
  33. #include "compat.h"
  34. #include "link_handshake.h"
  35. /** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519
  36. * key.
  37. */
  38. static tor_cert_t *
  39. tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
  40. uint8_t cert_type,
  41. uint8_t signed_key_type,
  42. const uint8_t signed_key_info[32],
  43. time_t now, time_t lifetime,
  44. uint32_t flags)
  45. {
  46. tor_cert_t *torcert = NULL;
  47. ed25519_cert_t *cert = ed25519_cert_new();
  48. cert->cert_type = cert_type;
  49. cert->exp_field = (uint32_t) CEIL_DIV(now + lifetime, 3600);
  50. cert->cert_key_type = signed_key_type;
  51. memcpy(cert->certified_key, signed_key_info, 32);
  52. if (flags & CERT_FLAG_INCLUDE_SIGNING_KEY) {
  53. ed25519_cert_extension_t *ext = ed25519_cert_extension_new();
  54. ext->ext_type = CERTEXT_SIGNED_WITH_KEY;
  55. memcpy(ext->un_signing_key, signing_key->pubkey.pubkey, 32);
  56. ed25519_cert_add_ext(cert, ext);
  57. ++cert->n_extensions;
  58. }
  59. const ssize_t alloc_len = ed25519_cert_encoded_len(cert);
  60. tor_assert(alloc_len > 0);
  61. uint8_t *encoded = tor_malloc(alloc_len);
  62. const ssize_t real_len = ed25519_cert_encode(encoded, alloc_len, cert);
  63. if (real_len < 0)
  64. goto err;
  65. tor_assert(real_len == alloc_len);
  66. tor_assert(real_len > ED25519_SIG_LEN);
  67. uint8_t *sig = encoded + (real_len - ED25519_SIG_LEN);
  68. tor_assert(tor_mem_is_zero((char*)sig, ED25519_SIG_LEN));
  69. ed25519_signature_t signature;
  70. if (ed25519_sign(&signature, encoded,
  71. real_len-ED25519_SIG_LEN, signing_key)<0) {
  72. /* LCOV_EXCL_START */
  73. log_warn(LD_BUG, "Can't sign certificate");
  74. goto err;
  75. /* LCOV_EXCL_STOP */
  76. }
  77. memcpy(sig, signature.sig, ED25519_SIG_LEN);
  78. torcert = tor_cert_parse(encoded, real_len);
  79. if (! torcert) {
  80. /* LCOV_EXCL_START */
  81. log_warn(LD_BUG, "Generated a certificate we cannot parse");
  82. goto err;
  83. /* LCOV_EXCL_STOP */
  84. }
  85. if (tor_cert_checksig(torcert, &signing_key->pubkey, now) < 0) {
  86. /* LCOV_EXCL_START */
  87. log_warn(LD_BUG, "Generated a certificate whose signature we can't "
  88. "check: %s", tor_cert_describe_signature_status(torcert));
  89. goto err;
  90. /* LCOV_EXCL_STOP */
  91. }
  92. tor_free(encoded);
  93. goto done;
  94. /* LCOV_EXCL_START */
  95. err:
  96. tor_cert_free(torcert);
  97. torcert = NULL;
  98. /* LCOV_EXCL_STOP */
  99. done:
  100. ed25519_cert_free(cert);
  101. tor_free(encoded);
  102. return torcert;
  103. }
  104. /**
  105. * Create and return a new new certificate of type <b>cert_type</b> to
  106. * authenticate <b>signed_key</b> using the key <b>signing_key</b>. The
  107. * certificate should remain valid for at least <b>lifetime</b> seconds after
  108. * <b>now</b>.
  109. *
  110. * If CERT_FLAG_INCLUDE_SIGNING_KEY is set in <b>flags</b>, embed
  111. * the public part of <b>signing_key</b> in the certificate.
  112. */
  113. tor_cert_t *
  114. tor_cert_create(const ed25519_keypair_t *signing_key,
  115. uint8_t cert_type,
  116. const ed25519_public_key_t *signed_key,
  117. time_t now, time_t lifetime,
  118. uint32_t flags)
  119. {
  120. return tor_cert_sign_impl(signing_key, cert_type,
  121. SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
  122. now, lifetime, flags);
  123. }
  124. /** Release all storage held for <b>cert</b>. */
  125. void
  126. tor_cert_free_(tor_cert_t *cert)
  127. {
  128. if (! cert)
  129. return;
  130. if (cert->encoded)
  131. memwipe(cert->encoded, 0, cert->encoded_len);
  132. tor_free(cert->encoded);
  133. memwipe(cert, 0, sizeof(tor_cert_t));
  134. tor_free(cert);
  135. }
  136. /** Parse a certificate encoded with <b>len</b> bytes in <b>encoded</b>. */
  137. tor_cert_t *
  138. tor_cert_parse(const uint8_t *encoded, const size_t len)
  139. {
  140. tor_cert_t *cert = NULL;
  141. ed25519_cert_t *parsed = NULL;
  142. ssize_t got_len = ed25519_cert_parse(&parsed, encoded, len);
  143. if (got_len < 0 || (size_t) got_len != len)
  144. goto err;
  145. cert = tor_malloc_zero(sizeof(tor_cert_t));
  146. cert->encoded = tor_memdup(encoded, len);
  147. cert->encoded_len = len;
  148. memcpy(cert->signed_key.pubkey, parsed->certified_key, 32);
  149. int64_t valid_until_64 = ((int64_t)parsed->exp_field) * 3600;
  150. #if SIZEOF_TIME_T < SIZEOF_INT64_T
  151. if (valid_until_64 > TIME_MAX)
  152. valid_until_64 = TIME_MAX - 1;
  153. #endif
  154. cert->valid_until = (time_t) valid_until_64;
  155. cert->cert_type = parsed->cert_type;
  156. for (unsigned i = 0; i < ed25519_cert_getlen_ext(parsed); ++i) {
  157. ed25519_cert_extension_t *ext = ed25519_cert_get_ext(parsed, i);
  158. if (ext->ext_type == CERTEXT_SIGNED_WITH_KEY) {
  159. if (cert->signing_key_included)
  160. goto err;
  161. cert->signing_key_included = 1;
  162. memcpy(cert->signing_key.pubkey, ext->un_signing_key, 32);
  163. } else if (ext->ext_flags & CERTEXT_FLAG_AFFECTS_VALIDATION) {
  164. /* Unrecognized extension with affects_validation set */
  165. goto err;
  166. }
  167. }
  168. goto done;
  169. err:
  170. tor_cert_free(cert);
  171. cert = NULL;
  172. done:
  173. ed25519_cert_free(parsed);
  174. return cert;
  175. }
  176. /** Fill in <b>checkable_out</b> with the information needed to check
  177. * the signature on <b>cert</b> with <b>pubkey</b>.
  178. *
  179. * On success, if <b>expiration_out</b> is provided, and it is some time
  180. * _after_ the expiration time of this certificate, set it to the
  181. * expiration time of this certificate.
  182. */
  183. int
  184. tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out,
  185. const tor_cert_t *cert,
  186. const ed25519_public_key_t *pubkey,
  187. time_t *expiration_out)
  188. {
  189. if (! pubkey) {
  190. if (cert->signing_key_included)
  191. pubkey = &cert->signing_key;
  192. else
  193. return -1;
  194. }
  195. checkable_out->msg = cert->encoded;
  196. checkable_out->pubkey = pubkey;
  197. tor_assert(cert->encoded_len > ED25519_SIG_LEN);
  198. const size_t signed_len = cert->encoded_len - ED25519_SIG_LEN;
  199. checkable_out->len = signed_len;
  200. memcpy(checkable_out->signature.sig,
  201. cert->encoded + signed_len, ED25519_SIG_LEN);
  202. if (expiration_out) {
  203. *expiration_out = MIN(*expiration_out, cert->valid_until);
  204. }
  205. return 0;
  206. }
  207. /** Validates the signature on <b>cert</b> with <b>pubkey</b> relative to the
  208. * current time <b>now</b>. (If <b>now</b> is 0, do not check the expiration
  209. * time.) Return 0 on success, -1 on failure. Sets flags in <b>cert</b> as
  210. * appropriate.
  211. */
  212. int
  213. tor_cert_checksig(tor_cert_t *cert,
  214. const ed25519_public_key_t *pubkey, time_t now)
  215. {
  216. ed25519_checkable_t checkable;
  217. int okay;
  218. time_t expires = TIME_MAX;
  219. if (tor_cert_get_checkable_sig(&checkable, cert, pubkey, &expires) < 0)
  220. return -1;
  221. if (now && now > expires) {
  222. cert->cert_expired = 1;
  223. return -1;
  224. }
  225. if (ed25519_checksig_batch(&okay, &checkable, 1) < 0) {
  226. cert->sig_bad = 1;
  227. return -1;
  228. } else {
  229. cert->sig_ok = 1;
  230. /* Only copy the checkable public key when it is different from the signing
  231. * key of the certificate to avoid undefined behavior. */
  232. if (cert->signing_key.pubkey != checkable.pubkey->pubkey) {
  233. memcpy(cert->signing_key.pubkey, checkable.pubkey->pubkey, 32);
  234. }
  235. cert->cert_valid = 1;
  236. return 0;
  237. }
  238. }
  239. /** Return a string describing the status of the signature on <b>cert</b>
  240. *
  241. * Will always be "unchecked" unless tor_cert_checksig has been called.
  242. */
  243. const char *
  244. tor_cert_describe_signature_status(const tor_cert_t *cert)
  245. {
  246. if (cert->cert_expired) {
  247. return "expired";
  248. } else if (cert->sig_bad) {
  249. return "mis-signed";
  250. } else if (cert->sig_ok) {
  251. return "okay";
  252. } else {
  253. return "unchecked";
  254. }
  255. }
  256. /** Return a new copy of <b>cert</b> */
  257. tor_cert_t *
  258. tor_cert_dup(const tor_cert_t *cert)
  259. {
  260. tor_cert_t *newcert = tor_memdup(cert, sizeof(tor_cert_t));
  261. if (cert->encoded)
  262. newcert->encoded = tor_memdup(cert->encoded, cert->encoded_len);
  263. return newcert;
  264. }
  265. /** Return true iff cert1 and cert2 are the same cert. */
  266. int
  267. tor_cert_eq(const tor_cert_t *cert1, const tor_cert_t *cert2)
  268. {
  269. tor_assert(cert1);
  270. tor_assert(cert2);
  271. return cert1->encoded_len == cert2->encoded_len &&
  272. tor_memeq(cert1->encoded, cert2->encoded, cert1->encoded_len);
  273. }
  274. /** Return true iff cert1 and cert2 are the same cert, or if they are both
  275. * NULL. */
  276. int
  277. tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2)
  278. {
  279. if (cert1 == NULL && cert2 == NULL)
  280. return 1;
  281. if (!cert1 || !cert2)
  282. return 0;
  283. return tor_cert_eq(cert1, cert2);
  284. }
  285. #define RSA_ED_CROSSCERT_PREFIX "Tor TLS RSA/Ed25519 cross-certificate"
  286. /** Create new cross-certification object to certify <b>ed_key</b> as the
  287. * master ed25519 identity key for the RSA identity key <b>rsa_key</b>.
  288. * Allocates and stores the encoded certificate in *<b>cert</b>, and returns
  289. * the number of bytes stored. Returns negative on error.*/
  290. ssize_t
  291. tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
  292. const crypto_pk_t *rsa_key,
  293. time_t expires,
  294. uint8_t **cert)
  295. {
  296. // It is later than 1985, since otherwise there would be no C89
  297. // compilers. (Try to diagnose #22466.)
  298. tor_assert_nonfatal(expires >= 15 * 365 * 86400);
  299. uint8_t *res;
  300. rsa_ed_crosscert_t *cc = rsa_ed_crosscert_new();
  301. memcpy(cc->ed_key, ed_key->pubkey, ED25519_PUBKEY_LEN);
  302. cc->expiration = (uint32_t) CEIL_DIV(expires, 3600);
  303. cc->sig_len = crypto_pk_keysize(rsa_key);
  304. rsa_ed_crosscert_setlen_sig(cc, crypto_pk_keysize(rsa_key));
  305. ssize_t alloc_sz = rsa_ed_crosscert_encoded_len(cc);
  306. tor_assert(alloc_sz > 0);
  307. res = tor_malloc_zero(alloc_sz);
  308. ssize_t sz = rsa_ed_crosscert_encode(res, alloc_sz, cc);
  309. tor_assert(sz > 0 && sz <= alloc_sz);
  310. crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA256);
  311. crypto_digest_add_bytes(d, RSA_ED_CROSSCERT_PREFIX,
  312. strlen(RSA_ED_CROSSCERT_PREFIX));
  313. const int signed_part_len = 32 + 4;
  314. crypto_digest_add_bytes(d, (char*)res, signed_part_len);
  315. uint8_t digest[DIGEST256_LEN];
  316. crypto_digest_get_digest(d, (char*)digest, sizeof(digest));
  317. crypto_digest_free(d);
  318. int siglen = crypto_pk_private_sign(rsa_key,
  319. (char*)rsa_ed_crosscert_getarray_sig(cc),
  320. rsa_ed_crosscert_getlen_sig(cc),
  321. (char*)digest, sizeof(digest));
  322. tor_assert(siglen > 0 && siglen <= (int)crypto_pk_keysize(rsa_key));
  323. tor_assert(siglen <= UINT8_MAX);
  324. cc->sig_len = siglen;
  325. rsa_ed_crosscert_setlen_sig(cc, siglen);
  326. sz = rsa_ed_crosscert_encode(res, alloc_sz, cc);
  327. rsa_ed_crosscert_free(cc);
  328. *cert = res;
  329. return sz;
  330. }
  331. /**
  332. * Check whether the <b>crosscert_len</b> byte certificate in <b>crosscert</b>
  333. * is in fact a correct cross-certification of <b>master_key</b> using
  334. * the RSA key <b>rsa_id_key</b>.
  335. *
  336. * Also reject the certificate if it expired before
  337. * <b>reject_if_expired_before</b>.
  338. *
  339. * Return 0 on success, negative on failure.
  340. */
  341. MOCK_IMPL(int,
  342. rsa_ed25519_crosscert_check, (const uint8_t *crosscert,
  343. const size_t crosscert_len,
  344. const crypto_pk_t *rsa_id_key,
  345. const ed25519_public_key_t *master_key,
  346. const time_t reject_if_expired_before))
  347. {
  348. rsa_ed_crosscert_t *cc = NULL;
  349. int rv;
  350. #define ERR(code, s) \
  351. do { \
  352. log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
  353. "Received a bad RSA->Ed25519 crosscert: %s", \
  354. (s)); \
  355. rv = (code); \
  356. goto err; \
  357. } while (0)
  358. if (BUG(crypto_pk_keysize(rsa_id_key) > PK_BYTES))
  359. return -1;
  360. if (BUG(!crosscert))
  361. return -1;
  362. ssize_t parsed_len = rsa_ed_crosscert_parse(&cc, crosscert, crosscert_len);
  363. if (parsed_len < 0 || crosscert_len != (size_t)parsed_len) {
  364. ERR(-2, "Unparseable or overlong crosscert");
  365. }
  366. if (tor_memneq(rsa_ed_crosscert_getarray_ed_key(cc),
  367. master_key->pubkey,
  368. ED25519_PUBKEY_LEN)) {
  369. ERR(-3, "Crosscert did not match Ed25519 key");
  370. }
  371. const uint32_t expiration_date = rsa_ed_crosscert_get_expiration(cc);
  372. const uint64_t expiration_time = ((uint64_t)expiration_date) * 3600;
  373. if (reject_if_expired_before < 0 ||
  374. expiration_time < (uint64_t)reject_if_expired_before) {
  375. ERR(-4, "Crosscert is expired");
  376. }
  377. const uint8_t *eos = rsa_ed_crosscert_get_end_of_signed(cc);
  378. const uint8_t *sig = rsa_ed_crosscert_getarray_sig(cc);
  379. const uint8_t siglen = rsa_ed_crosscert_get_sig_len(cc);
  380. tor_assert(eos >= crosscert);
  381. tor_assert((size_t)(eos - crosscert) <= crosscert_len);
  382. tor_assert(siglen == rsa_ed_crosscert_getlen_sig(cc));
  383. /* Compute the digest */
  384. uint8_t digest[DIGEST256_LEN];
  385. crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA256);
  386. crypto_digest_add_bytes(d, RSA_ED_CROSSCERT_PREFIX,
  387. strlen(RSA_ED_CROSSCERT_PREFIX));
  388. crypto_digest_add_bytes(d, (char*)crosscert, eos-crosscert);
  389. crypto_digest_get_digest(d, (char*)digest, sizeof(digest));
  390. crypto_digest_free(d);
  391. /* Now check the signature */
  392. uint8_t signed_[PK_BYTES];
  393. int signed_len = crypto_pk_public_checksig(rsa_id_key,
  394. (char*)signed_, sizeof(signed_),
  395. (char*)sig, siglen);
  396. if (signed_len < DIGEST256_LEN) {
  397. ERR(-5, "Bad signature, or length of signed data not as expected");
  398. }
  399. if (tor_memneq(digest, signed_, DIGEST256_LEN)) {
  400. ERR(-6, "The signature was good, but it didn't match the data");
  401. }
  402. rv = 0;
  403. err:
  404. rsa_ed_crosscert_free(cc);
  405. return rv;
  406. }
  407. /** Construct and return a new empty or_handshake_certs object */
  408. or_handshake_certs_t *
  409. or_handshake_certs_new(void)
  410. {
  411. return tor_malloc_zero(sizeof(or_handshake_certs_t));
  412. }
  413. /** Release all storage held in <b>certs</b> */
  414. void
  415. or_handshake_certs_free_(or_handshake_certs_t *certs)
  416. {
  417. if (!certs)
  418. return;
  419. tor_x509_cert_free(certs->auth_cert);
  420. tor_x509_cert_free(certs->link_cert);
  421. tor_x509_cert_free(certs->id_cert);
  422. tor_cert_free(certs->ed_id_sign);
  423. tor_cert_free(certs->ed_sign_link);
  424. tor_cert_free(certs->ed_sign_auth);
  425. tor_free(certs->ed_rsa_crosscert);
  426. memwipe(certs, 0xBD, sizeof(*certs));
  427. tor_free(certs);
  428. }
  429. #undef ERR
  430. #define ERR(s) \
  431. do { \
  432. log_fn(severity, LD_PROTOCOL, \
  433. "Received a bad CERTS cell: %s", \
  434. (s)); \
  435. return 0; \
  436. } while (0)
  437. int
  438. or_handshake_certs_rsa_ok(int severity,
  439. or_handshake_certs_t *certs,
  440. tor_tls_t *tls,
  441. time_t now)
  442. {
  443. tor_x509_cert_t *link_cert = certs->link_cert;
  444. tor_x509_cert_t *auth_cert = certs->auth_cert;
  445. tor_x509_cert_t *id_cert = certs->id_cert;
  446. if (certs->started_here) {
  447. if (! (id_cert && link_cert))
  448. ERR("The certs we wanted (ID, Link) were missing");
  449. if (! tor_tls_cert_matches_key(tls, link_cert))
  450. ERR("The link certificate didn't match the TLS public key");
  451. if (! tor_tls_cert_is_valid(severity, link_cert, id_cert, now, 0))
  452. ERR("The link certificate was not valid");
  453. if (! tor_tls_cert_is_valid(severity, id_cert, id_cert, now, 1))
  454. ERR("The ID certificate was not valid");
  455. } else {
  456. if (! (id_cert && auth_cert))
  457. ERR("The certs we wanted (ID, Auth) were missing");
  458. if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, now, 1))
  459. ERR("The authentication certificate was not valid");
  460. if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, now, 1))
  461. ERR("The ID certificate was not valid");
  462. }
  463. return 1;
  464. }
  465. /** Check all the ed25519 certificates in <b>certs</b> against each other, and
  466. * against the peer certificate in <b>tls</b> if appropriate. On success,
  467. * return 0; on failure, return a negative value and warn at level
  468. * <b>severity</b> */
  469. int
  470. or_handshake_certs_ed25519_ok(int severity,
  471. or_handshake_certs_t *certs,
  472. tor_tls_t *tls,
  473. time_t now)
  474. {
  475. ed25519_checkable_t check[10];
  476. unsigned n_checkable = 0;
  477. time_t expiration = TIME_MAX;
  478. #define ADDCERT(cert, pk) \
  479. do { \
  480. tor_assert(n_checkable < ARRAY_LENGTH(check)); \
  481. if (tor_cert_get_checkable_sig(&check[n_checkable++], cert, pk, \
  482. &expiration) < 0) \
  483. ERR("Could not get checkable cert."); \
  484. } while (0)
  485. if (! certs->ed_id_sign || !certs->ed_id_sign->signing_key_included) {
  486. ERR("No Ed25519 signing key");
  487. }
  488. ADDCERT(certs->ed_id_sign, NULL);
  489. if (certs->started_here) {
  490. if (! certs->ed_sign_link)
  491. ERR("No Ed25519 link key");
  492. {
  493. /* check for a match with the TLS cert. */
  494. tor_x509_cert_t *peer_cert = tor_tls_get_peer_cert(tls);
  495. if (BUG(!peer_cert)) {
  496. /* This is a bug, because if we got to this point, we are a connection
  497. * that was initiated here, and we completed a TLS handshake. The
  498. * other side *must* have given us a certificate! */
  499. ERR("No x509 peer cert"); // LCOV_EXCL_LINE
  500. }
  501. const common_digests_t *peer_cert_digests =
  502. tor_x509_cert_get_cert_digests(peer_cert);
  503. int okay = tor_memeq(peer_cert_digests->d[DIGEST_SHA256],
  504. certs->ed_sign_link->signed_key.pubkey,
  505. DIGEST256_LEN);
  506. tor_x509_cert_free(peer_cert);
  507. if (!okay)
  508. ERR("Link certificate does not match TLS certificate");
  509. }
  510. ADDCERT(certs->ed_sign_link, &certs->ed_id_sign->signed_key);
  511. } else {
  512. if (! certs->ed_sign_auth)
  513. ERR("No Ed25519 link authentication key");
  514. ADDCERT(certs->ed_sign_auth, &certs->ed_id_sign->signed_key);
  515. }
  516. if (expiration < now) {
  517. ERR("At least one certificate expired.");
  518. }
  519. /* Okay, we've gotten ready to check all the Ed25519 certificates.
  520. * Now, we are going to check the RSA certificate's cross-certification
  521. * with the ED certificates.
  522. *
  523. * FFFF In the future, we might want to make this optional.
  524. */
  525. tor_x509_cert_t *rsa_id_cert = certs->id_cert;
  526. if (!rsa_id_cert) {
  527. ERR("Missing legacy RSA ID certificate");
  528. }
  529. if (! tor_tls_cert_is_valid(severity, rsa_id_cert, rsa_id_cert, now, 1)) {
  530. ERR("The legacy RSA ID certificate was not valid");
  531. }
  532. if (! certs->ed_rsa_crosscert) {
  533. ERR("Missing RSA->Ed25519 crosscert");
  534. }
  535. crypto_pk_t *rsa_id_key = tor_tls_cert_get_key(rsa_id_cert);
  536. if (!rsa_id_key) {
  537. ERR("RSA ID cert had no RSA key");
  538. }
  539. if (rsa_ed25519_crosscert_check(certs->ed_rsa_crosscert,
  540. certs->ed_rsa_crosscert_len,
  541. rsa_id_key,
  542. &certs->ed_id_sign->signing_key,
  543. now) < 0) {
  544. crypto_pk_free(rsa_id_key);
  545. ERR("Invalid RSA->Ed25519 crosscert");
  546. }
  547. crypto_pk_free(rsa_id_key);
  548. rsa_id_key = NULL;
  549. /* FFFF We could save a little time in the client case by queueing
  550. * this batch to check it later, along with the signature from the
  551. * AUTHENTICATE cell. That will change our data flow a bit, though,
  552. * so I say "postpone". */
  553. if (ed25519_checksig_batch(NULL, check, n_checkable) < 0) {
  554. ERR("At least one Ed25519 certificate was badly signed");
  555. }
  556. return 1;
  557. }
  558. /**
  559. * Check the Ed certificates and/or the RSA certificates, as appropriate. If
  560. * we obtained an Ed25519 identity, set *ed_id_out. If we obtained an RSA
  561. * identity, set *rs_id_out. Otherwise, set them both to NULL.
  562. */
  563. void
  564. or_handshake_certs_check_both(int severity,
  565. or_handshake_certs_t *certs,
  566. tor_tls_t *tls,
  567. time_t now,
  568. const ed25519_public_key_t **ed_id_out,
  569. const common_digests_t **rsa_id_out)
  570. {
  571. tor_assert(ed_id_out);
  572. tor_assert(rsa_id_out);
  573. *ed_id_out = NULL;
  574. *rsa_id_out = NULL;
  575. if (certs->ed_id_sign) {
  576. if (or_handshake_certs_ed25519_ok(severity, certs, tls, now)) {
  577. tor_assert(certs->ed_id_sign);
  578. tor_assert(certs->id_cert);
  579. *ed_id_out = &certs->ed_id_sign->signing_key;
  580. *rsa_id_out = tor_x509_cert_get_id_digests(certs->id_cert);
  581. /* If we reached this point, we did not look at any of the
  582. * subsidiary RSA certificates, so we'd better just remove them.
  583. */
  584. tor_x509_cert_free(certs->link_cert);
  585. tor_x509_cert_free(certs->auth_cert);
  586. certs->link_cert = certs->auth_cert = NULL;
  587. }
  588. /* We do _not_ fall through here. If you provided us Ed25519
  589. * certificates, we expect to verify them! */
  590. } else {
  591. /* No ed25519 keys given in the CERTS cell */
  592. if (or_handshake_certs_rsa_ok(severity, certs, tls, now)) {
  593. *rsa_id_out = tor_x509_cert_get_id_digests(certs->id_cert);
  594. }
  595. }
  596. }
  597. /* === ENCODING === */
  598. /* Encode the ed25519 certificate <b>cert</b> and put the newly allocated
  599. * string in <b>cert_str_out</b>. Return 0 on success else a negative value. */
  600. int
  601. tor_cert_encode_ed22519(const tor_cert_t *cert, char **cert_str_out)
  602. {
  603. int ret = -1;
  604. char *ed_cert_b64 = NULL;
  605. size_t ed_cert_b64_len;
  606. tor_assert(cert);
  607. tor_assert(cert_str_out);
  608. /* Get the encoded size and add the NUL byte. */
  609. ed_cert_b64_len = base64_encode_size(cert->encoded_len,
  610. BASE64_ENCODE_MULTILINE) + 1;
  611. ed_cert_b64 = tor_malloc_zero(ed_cert_b64_len);
  612. /* Base64 encode the encoded certificate. */
  613. if (base64_encode(ed_cert_b64, ed_cert_b64_len,
  614. (const char *) cert->encoded, cert->encoded_len,
  615. BASE64_ENCODE_MULTILINE) < 0) {
  616. /* LCOV_EXCL_START */
  617. log_err(LD_BUG, "Couldn't base64-encode ed22519 cert!");
  618. goto err;
  619. /* LCOV_EXCL_STOP */
  620. }
  621. /* Put everything together in a NUL terminated string. */
  622. tor_asprintf(cert_str_out,
  623. "-----BEGIN ED25519 CERT-----\n"
  624. "%s"
  625. "-----END ED25519 CERT-----",
  626. ed_cert_b64);
  627. /* Success! */
  628. ret = 0;
  629. err:
  630. tor_free(ed_cert_b64);
  631. return ret;
  632. }