routerkeys.c 45 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406
  1. /* Copyright (c) 2014-2018, The Tor Project, Inc. */
  2. /* See LICENSE for licensing information */
  3. /**
  4. * \file routerkeys.c
  5. *
  6. * \brief Functions and structures to handle generating and maintaining the
  7. * set of keypairs necessary to be an OR.
  8. *
  9. * The keys handled here now are the Ed25519 keys that Tor relays use to sign
  10. * descriptors, authenticate themselves on links, and identify one another
  11. * uniquely. Other keys are maintained in router.c and rendservice.c.
  12. *
  13. * (TODO: The keys in router.c should go here too.)
  14. */
  15. #include "or/or.h"
  16. #include "or/config.h"
  17. #include "common/crypto_util.h"
  18. #include "or/router.h"
  19. #include "common/crypto_pwbox.h"
  20. #include "or/routerkeys.h"
  21. #include "or/torcert.h"
  22. #define ENC_KEY_HEADER "Boxed Ed25519 key"
  23. #define ENC_KEY_TAG "master"
  24. /* DOCDOC */
  25. static ssize_t
  26. do_getpass(const char *prompt, char *buf, size_t buflen,
  27. int twice, const or_options_t *options)
  28. {
  29. if (options->keygen_force_passphrase == FORCE_PASSPHRASE_OFF) {
  30. tor_assert(buflen);
  31. buf[0] = 0;
  32. return 0;
  33. }
  34. char *prompt2 = NULL;
  35. char *buf2 = NULL;
  36. int fd = -1;
  37. ssize_t length = -1;
  38. if (options->use_keygen_passphrase_fd) {
  39. twice = 0;
  40. fd = options->keygen_passphrase_fd;
  41. length = read_all(fd, buf, buflen-1, 0);
  42. if (length >= 0)
  43. buf[length] = 0;
  44. goto done_reading;
  45. }
  46. if (twice) {
  47. const char msg[] = "One more time:";
  48. size_t p2len = strlen(prompt) + 1;
  49. if (p2len < sizeof(msg))
  50. p2len = sizeof(msg);
  51. prompt2 = tor_malloc(p2len);
  52. memset(prompt2, ' ', p2len);
  53. memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));
  54. buf2 = tor_malloc_zero(buflen);
  55. }
  56. while (1) {
  57. length = tor_getpass(prompt, buf, buflen);
  58. if (length < 0)
  59. goto done_reading;
  60. if (! twice)
  61. break;
  62. ssize_t length2 = tor_getpass(prompt2, buf2, buflen);
  63. if (length != length2 || tor_memneq(buf, buf2, length)) {
  64. fprintf(stderr, "That didn't match.\n");
  65. } else {
  66. break;
  67. }
  68. }
  69. done_reading:
  70. if (twice) {
  71. tor_free(prompt2);
  72. memwipe(buf2, 0, buflen);
  73. tor_free(buf2);
  74. }
  75. if (options->keygen_force_passphrase == FORCE_PASSPHRASE_ON && length == 0)
  76. return -1;
  77. return length;
  78. }
  79. /* DOCDOC */
  80. int
  81. read_encrypted_secret_key(ed25519_secret_key_t *out,
  82. const char *fname)
  83. {
  84. int r = -1;
  85. uint8_t *secret = NULL;
  86. size_t secret_len = 0;
  87. char pwbuf[256];
  88. uint8_t encrypted_key[256];
  89. char *tag = NULL;
  90. int saved_errno = 0;
  91. ssize_t encrypted_len = crypto_read_tagged_contents_from_file(fname,
  92. ENC_KEY_HEADER,
  93. &tag,
  94. encrypted_key,
  95. sizeof(encrypted_key));
  96. if (encrypted_len < 0) {
  97. saved_errno = errno;
  98. log_info(LD_OR, "%s is missing", fname);
  99. r = 0;
  100. goto done;
  101. }
  102. if (strcmp(tag, ENC_KEY_TAG)) {
  103. saved_errno = EINVAL;
  104. goto done;
  105. }
  106. while (1) {
  107. ssize_t pwlen =
  108. do_getpass("Enter passphrase for master key:", pwbuf, sizeof(pwbuf), 0,
  109. get_options());
  110. if (pwlen < 0) {
  111. saved_errno = EINVAL;
  112. goto done;
  113. }
  114. const int r_unbox = crypto_unpwbox(&secret, &secret_len,
  115. encrypted_key, encrypted_len,
  116. pwbuf, pwlen);
  117. if (r_unbox == UNPWBOX_CORRUPTED) {
  118. log_err(LD_OR, "%s is corrupted.", fname);
  119. saved_errno = EINVAL;
  120. goto done;
  121. } else if (r_unbox == UNPWBOX_OKAY) {
  122. break;
  123. }
  124. /* Otherwise, passphrase is bad, so try again till user does ctrl-c or gets
  125. * it right. */
  126. }
  127. if (secret_len != ED25519_SECKEY_LEN) {
  128. log_err(LD_OR, "%s is corrupted.", fname);
  129. saved_errno = EINVAL;
  130. goto done;
  131. }
  132. memcpy(out->seckey, secret, ED25519_SECKEY_LEN);
  133. r = 1;
  134. done:
  135. memwipe(encrypted_key, 0, sizeof(encrypted_key));
  136. memwipe(pwbuf, 0, sizeof(pwbuf));
  137. tor_free(tag);
  138. if (secret) {
  139. memwipe(secret, 0, secret_len);
  140. tor_free(secret);
  141. }
  142. if (saved_errno)
  143. errno = saved_errno;
  144. return r;
  145. }
  146. /* DOCDOC */
  147. int
  148. write_encrypted_secret_key(const ed25519_secret_key_t *key,
  149. const char *fname)
  150. {
  151. int r = -1;
  152. char pwbuf0[256];
  153. uint8_t *encrypted_key = NULL;
  154. size_t encrypted_len = 0;
  155. if (do_getpass("Enter new passphrase:", pwbuf0, sizeof(pwbuf0), 1,
  156. get_options()) < 0) {
  157. log_warn(LD_OR, "NO/failed passphrase");
  158. return -1;
  159. }
  160. if (strlen(pwbuf0) == 0) {
  161. if (get_options()->keygen_force_passphrase == FORCE_PASSPHRASE_ON)
  162. return -1;
  163. else
  164. return 0;
  165. }
  166. if (crypto_pwbox(&encrypted_key, &encrypted_len,
  167. key->seckey, sizeof(key->seckey),
  168. pwbuf0, strlen(pwbuf0), 0) < 0) {
  169. log_warn(LD_OR, "crypto_pwbox failed!?");
  170. goto done;
  171. }
  172. if (crypto_write_tagged_contents_to_file(fname,
  173. ENC_KEY_HEADER,
  174. ENC_KEY_TAG,
  175. encrypted_key, encrypted_len) < 0)
  176. goto done;
  177. r = 1;
  178. done:
  179. if (encrypted_key) {
  180. memwipe(encrypted_key, 0, encrypted_len);
  181. tor_free(encrypted_key);
  182. }
  183. memwipe(pwbuf0, 0, sizeof(pwbuf0));
  184. return r;
  185. }
  186. /* DOCDOC */
  187. static int
  188. write_secret_key(const ed25519_secret_key_t *key, int encrypted,
  189. const char *fname,
  190. const char *fname_tag,
  191. const char *encrypted_fname)
  192. {
  193. if (encrypted) {
  194. int r = write_encrypted_secret_key(key, encrypted_fname);
  195. if (r == 1) {
  196. /* Success! */
  197. /* Try to unlink the unencrypted key, if any existed before */
  198. if (strcmp(fname, encrypted_fname))
  199. unlink(fname);
  200. return r;
  201. } else if (r != 0) {
  202. /* Unrecoverable failure! */
  203. return r;
  204. }
  205. fprintf(stderr, "Not encrypting the secret key.\n");
  206. }
  207. return ed25519_seckey_write_to_file(key, fname, fname_tag);
  208. }
  209. /**
  210. * Read an ed25519 key and associated certificates from files beginning with
  211. * <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
  212. * NULL; on success return the keypair.
  213. *
  214. * If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
  215. * certificate if requested) if it doesn't exist, and save it to disk.
  216. *
  217. * If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
  218. * too and store it in *<b>cert_out</b>. Fail if the cert can't be
  219. * found/created. To create a certificate, <b>signing_key</b> must be set to
  220. * the key that should sign it; <b>now</b> to the current time, and
  221. * <b>lifetime</b> to the lifetime of the key.
  222. *
  223. * If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
  224. * whether we can read the old one or not.
  225. *
  226. * If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
  227. * flag when creating the secret key.
  228. *
  229. * If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
  230. * we create a new certificate, create it with the signing key embedded.
  231. *
  232. * If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
  233. * store the public key in a separate file from the secret key.
  234. *
  235. * If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
  236. * public key file but no secret key file, return successfully anyway.
  237. *
  238. * If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not try to load a
  239. * secret key unless no public key is found. Do not return a secret key. (but
  240. * create and save one if needed).
  241. *
  242. * If INIT_ED_KEY_NO_LOAD_SECRET is set in <b>flags</b>, don't try to load
  243. * a secret key, no matter what.
  244. *
  245. * If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key
  246. * and consider encrypting any new secret key.
  247. *
  248. * If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys
  249. * from disk _other than their absence_ (full or partial), we do not try to
  250. * replace them.
  251. *
  252. * If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures
  253. * refer to the --keygen option.
  254. *
  255. * If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the
  256. * secret key file, encrypted or not.
  257. */
  258. ed25519_keypair_t *
  259. ed_key_init_from_file(const char *fname, uint32_t flags,
  260. int severity,
  261. const ed25519_keypair_t *signing_key,
  262. time_t now,
  263. time_t lifetime,
  264. uint8_t cert_type,
  265. struct tor_cert_st **cert_out)
  266. {
  267. char *secret_fname = NULL;
  268. char *encrypted_secret_fname = NULL;
  269. char *public_fname = NULL;
  270. char *cert_fname = NULL;
  271. const char *loaded_secret_fname = NULL;
  272. int created_pk = 0, created_sk = 0, created_cert = 0;
  273. const int try_to_load = ! (flags & INIT_ED_KEY_REPLACE);
  274. const int encrypt_key = !! (flags & INIT_ED_KEY_TRY_ENCRYPTED);
  275. const int norepair = !! (flags & INIT_ED_KEY_NO_REPAIR);
  276. const int split = !! (flags & INIT_ED_KEY_SPLIT);
  277. const int omit_secret = !! (flags & INIT_ED_KEY_OMIT_SECRET);
  278. const int offline_secret = !! (flags & INIT_ED_KEY_OFFLINE_SECRET);
  279. const int explicit_fname = !! (flags & INIT_ED_KEY_EXPLICIT_FNAME);
  280. /* we don't support setting both of these flags at once. */
  281. tor_assert((flags & (INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT)) !=
  282. (INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT));
  283. char tag[8];
  284. tor_snprintf(tag, sizeof(tag), "type%d", (int)cert_type);
  285. tor_cert_t *cert = NULL;
  286. char *got_tag = NULL;
  287. ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
  288. if (explicit_fname) {
  289. secret_fname = tor_strdup(fname);
  290. encrypted_secret_fname = tor_strdup(fname);
  291. } else {
  292. tor_asprintf(&secret_fname, "%s_secret_key", fname);
  293. tor_asprintf(&encrypted_secret_fname, "%s_secret_key_encrypted", fname);
  294. }
  295. tor_asprintf(&public_fname, "%s_public_key", fname);
  296. tor_asprintf(&cert_fname, "%s_cert", fname);
  297. /* Try to read the secret key. */
  298. int have_secret = 0;
  299. int load_secret = try_to_load &&
  300. !offline_secret &&
  301. (!omit_secret || file_status(public_fname)==FN_NOENT);
  302. if (load_secret) {
  303. int rv = ed25519_seckey_read_from_file(&keypair->seckey,
  304. &got_tag, secret_fname);
  305. if (rv == 0) {
  306. have_secret = 1;
  307. loaded_secret_fname = secret_fname;
  308. tor_assert(got_tag);
  309. } else {
  310. if (errno != ENOENT && norepair) {
  311. tor_log(severity, LD_OR, "Unable to read %s: %s", secret_fname,
  312. strerror(errno));
  313. goto err;
  314. }
  315. }
  316. }
  317. /* Should we try for an encrypted key? */
  318. int have_encrypted_secret_file = 0;
  319. if (!have_secret && try_to_load && encrypt_key) {
  320. int r = read_encrypted_secret_key(&keypair->seckey,
  321. encrypted_secret_fname);
  322. if (r > 0) {
  323. have_secret = 1;
  324. have_encrypted_secret_file = 1;
  325. tor_free(got_tag); /* convince coverity we aren't leaking */
  326. got_tag = tor_strdup(tag);
  327. loaded_secret_fname = encrypted_secret_fname;
  328. } else if (errno != ENOENT && norepair) {
  329. tor_log(severity, LD_OR, "Unable to read %s: %s",
  330. encrypted_secret_fname, strerror(errno));
  331. goto err;
  332. }
  333. } else {
  334. if (try_to_load) {
  335. /* Check if it's there anyway, so we don't replace it. */
  336. if (file_status(encrypted_secret_fname) != FN_NOENT)
  337. have_encrypted_secret_file = 1;
  338. }
  339. }
  340. if (have_secret) {
  341. if (strcmp(got_tag, tag)) {
  342. tor_log(severity, LD_OR, "%s has wrong tag", loaded_secret_fname);
  343. goto err;
  344. }
  345. /* Derive the public key */
  346. if (ed25519_public_key_generate(&keypair->pubkey, &keypair->seckey)<0) {
  347. tor_log(severity, LD_OR, "%s can't produce a public key",
  348. loaded_secret_fname);
  349. goto err;
  350. }
  351. }
  352. /* If we do split keys here, try to read the pubkey. */
  353. int found_public = 0;
  354. if (try_to_load && (!have_secret || split)) {
  355. ed25519_public_key_t pubkey_tmp;
  356. tor_free(got_tag);
  357. found_public = ed25519_pubkey_read_from_file(&pubkey_tmp,
  358. &got_tag, public_fname) == 0;
  359. if (!found_public && errno != ENOENT && norepair) {
  360. tor_log(severity, LD_OR, "Unable to read %s: %s", public_fname,
  361. strerror(errno));
  362. goto err;
  363. }
  364. if (found_public && strcmp(got_tag, tag)) {
  365. tor_log(severity, LD_OR, "%s has wrong tag", public_fname);
  366. goto err;
  367. }
  368. if (found_public) {
  369. if (have_secret) {
  370. /* If we have a secret key and we're reloading the public key,
  371. * the key must match! */
  372. if (! ed25519_pubkey_eq(&keypair->pubkey, &pubkey_tmp)) {
  373. tor_log(severity, LD_OR, "%s does not match %s! If you are trying "
  374. "to restore from backup, make sure you didn't mix up the "
  375. "key files. If you are absolutely sure that %s is the right "
  376. "key for this relay, delete %s or move it out of the way.",
  377. public_fname, loaded_secret_fname,
  378. loaded_secret_fname, public_fname);
  379. goto err;
  380. }
  381. } else {
  382. /* We only have the public key; better use that. */
  383. tor_assert(split);
  384. memcpy(&keypair->pubkey, &pubkey_tmp, sizeof(pubkey_tmp));
  385. }
  386. } else {
  387. /* We have no public key file, but we do have a secret key, make the
  388. * public key file! */
  389. if (have_secret) {
  390. if (ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag)
  391. < 0) {
  392. tor_log(severity, LD_OR, "Couldn't repair %s", public_fname);
  393. goto err;
  394. } else {
  395. tor_log(LOG_NOTICE, LD_OR,
  396. "Found secret key but not %s. Regenerating.",
  397. public_fname);
  398. }
  399. }
  400. }
  401. }
  402. /* If the secret key is absent and it's not allowed to be, fail. */
  403. if (!have_secret && found_public &&
  404. !(flags & INIT_ED_KEY_MISSING_SECRET_OK)) {
  405. if (have_encrypted_secret_file) {
  406. tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
  407. "but it was encrypted. Try 'tor --keygen' instead, so you "
  408. "can enter the passphrase.",
  409. secret_fname);
  410. } else if (offline_secret) {
  411. tor_log(severity, LD_OR, "We wanted to load a secret key from %s, "
  412. "but you're keeping it offline. (OfflineMasterKey is set.)",
  413. secret_fname);
  414. } else {
  415. tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
  416. "but couldn't find it. %s", secret_fname,
  417. (flags & INIT_ED_KEY_SUGGEST_KEYGEN) ?
  418. "If you're keeping your master secret key offline, you will "
  419. "need to run 'tor --keygen' to generate new signing keys." :
  420. "Did you forget to copy it over when you copied the rest of the "
  421. "signing key material?");
  422. }
  423. goto err;
  424. }
  425. /* If it's absent, and we're not supposed to make a new keypair, fail. */
  426. if (!have_secret && !found_public && !(flags & INIT_ED_KEY_CREATE)) {
  427. if (split) {
  428. tor_log(severity, LD_OR, "No key found in %s or %s.",
  429. secret_fname, public_fname);
  430. } else {
  431. tor_log(severity, LD_OR, "No key found in %s.", secret_fname);
  432. }
  433. goto err;
  434. }
  435. /* If the secret key is absent, but the encrypted key would be present,
  436. * that's an error */
  437. if (!have_secret && !found_public && have_encrypted_secret_file) {
  438. tor_assert(!encrypt_key);
  439. tor_log(severity, LD_OR, "Found an encrypted secret key, "
  440. "but not public key file %s!", public_fname);
  441. goto err;
  442. }
  443. /* if it's absent, make a new keypair... */
  444. if (!have_secret && !found_public) {
  445. tor_free(keypair);
  446. keypair = ed_key_new(signing_key, flags, now, lifetime,
  447. cert_type, &cert);
  448. if (!keypair) {
  449. tor_log(severity, LD_OR, "Couldn't create keypair");
  450. goto err;
  451. }
  452. created_pk = created_sk = created_cert = 1;
  453. }
  454. /* Write it to disk if we're supposed to do with a new passphrase, or if
  455. * we just created it. */
  456. if (created_sk || (have_secret && get_options()->change_key_passphrase)) {
  457. if (write_secret_key(&keypair->seckey,
  458. encrypt_key,
  459. secret_fname, tag, encrypted_secret_fname) < 0
  460. ||
  461. (split &&
  462. ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag) < 0)
  463. ||
  464. (cert &&
  465. crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
  466. tag, cert->encoded, cert->encoded_len) < 0)) {
  467. tor_log(severity, LD_OR, "Couldn't write keys or cert to file.");
  468. goto err;
  469. }
  470. goto done;
  471. }
  472. /* If we're not supposed to get a cert, we're done. */
  473. if (! (flags & INIT_ED_KEY_NEEDCERT))
  474. goto done;
  475. /* Read a cert. */
  476. tor_free(got_tag);
  477. uint8_t certbuf[256];
  478. ssize_t cert_body_len = crypto_read_tagged_contents_from_file(
  479. cert_fname, "ed25519v1-cert",
  480. &got_tag, certbuf, sizeof(certbuf));
  481. if (cert_body_len >= 0 && !strcmp(got_tag, tag))
  482. cert = tor_cert_parse(certbuf, cert_body_len);
  483. /* If we got it, check it to the extent we can. */
  484. int bad_cert = 0;
  485. if (! cert) {
  486. tor_log(severity, LD_OR, "Cert was unparseable");
  487. bad_cert = 1;
  488. } else if (!tor_memeq(cert->signed_key.pubkey, keypair->pubkey.pubkey,
  489. ED25519_PUBKEY_LEN)) {
  490. tor_log(severity, LD_OR, "Cert was for wrong key");
  491. bad_cert = 1;
  492. } else if (signing_key &&
  493. tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
  494. tor_log(severity, LD_OR, "Can't check certificate: %s",
  495. tor_cert_describe_signature_status(cert));
  496. bad_cert = 1;
  497. } else if (cert->cert_expired) {
  498. tor_log(severity, LD_OR, "Certificate is expired");
  499. bad_cert = 1;
  500. } else if (signing_key && cert->signing_key_included &&
  501. ! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) {
  502. tor_log(severity, LD_OR, "Certificate signed by unexpectd key!");
  503. bad_cert = 1;
  504. }
  505. if (bad_cert) {
  506. tor_cert_free(cert);
  507. cert = NULL;
  508. }
  509. /* If we got a cert, we're done. */
  510. if (cert)
  511. goto done;
  512. /* If we didn't get a cert, and we're not supposed to make one, fail. */
  513. if (!signing_key || !(flags & INIT_ED_KEY_CREATE)) {
  514. tor_log(severity, LD_OR, "Without signing key, can't create certificate");
  515. goto err;
  516. }
  517. /* We have keys but not a certificate, so make one. */
  518. uint32_t cert_flags = 0;
  519. if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
  520. cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
  521. cert = tor_cert_create(signing_key, cert_type,
  522. &keypair->pubkey,
  523. now, lifetime,
  524. cert_flags);
  525. if (! cert) {
  526. tor_log(severity, LD_OR, "Couldn't create certificate");
  527. goto err;
  528. }
  529. /* Write it to disk. */
  530. created_cert = 1;
  531. if (crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
  532. tag, cert->encoded, cert->encoded_len) < 0) {
  533. tor_log(severity, LD_OR, "Couldn't write cert to disk.");
  534. goto err;
  535. }
  536. done:
  537. if (cert_out)
  538. *cert_out = cert;
  539. else
  540. tor_cert_free(cert);
  541. goto cleanup;
  542. err:
  543. if (keypair)
  544. memwipe(keypair, 0, sizeof(*keypair));
  545. tor_free(keypair);
  546. tor_cert_free(cert);
  547. if (cert_out)
  548. *cert_out = NULL;
  549. if (created_sk)
  550. unlink(secret_fname);
  551. if (created_pk)
  552. unlink(public_fname);
  553. if (created_cert)
  554. unlink(cert_fname);
  555. cleanup:
  556. tor_free(encrypted_secret_fname);
  557. tor_free(secret_fname);
  558. tor_free(public_fname);
  559. tor_free(cert_fname);
  560. tor_free(got_tag);
  561. return keypair;
  562. }
  563. /**
  564. * Create a new signing key and (optionally) certficiate; do not read or write
  565. * from disk. See ed_key_init_from_file() for more information.
  566. */
  567. ed25519_keypair_t *
  568. ed_key_new(const ed25519_keypair_t *signing_key,
  569. uint32_t flags,
  570. time_t now,
  571. time_t lifetime,
  572. uint8_t cert_type,
  573. struct tor_cert_st **cert_out)
  574. {
  575. if (cert_out)
  576. *cert_out = NULL;
  577. const int extra_strong = !! (flags & INIT_ED_KEY_EXTRA_STRONG);
  578. ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
  579. if (ed25519_keypair_generate(keypair, extra_strong) < 0)
  580. goto err;
  581. if (! (flags & INIT_ED_KEY_NEEDCERT))
  582. return keypair;
  583. tor_assert(signing_key);
  584. tor_assert(cert_out);
  585. uint32_t cert_flags = 0;
  586. if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
  587. cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
  588. tor_cert_t *cert = tor_cert_create(signing_key, cert_type,
  589. &keypair->pubkey,
  590. now, lifetime,
  591. cert_flags);
  592. if (! cert)
  593. goto err;
  594. *cert_out = cert;
  595. return keypair;
  596. err:
  597. tor_free(keypair);
  598. return NULL;
  599. }
  600. static ed25519_keypair_t *master_identity_key = NULL;
  601. static ed25519_keypair_t *master_signing_key = NULL;
  602. static ed25519_keypair_t *current_auth_key = NULL;
  603. static tor_cert_t *signing_key_cert = NULL;
  604. static tor_cert_t *link_cert_cert = NULL;
  605. static tor_cert_t *auth_key_cert = NULL;
  606. static uint8_t *rsa_ed_crosscert = NULL;
  607. static size_t rsa_ed_crosscert_len = 0;
  608. static time_t rsa_ed_crosscert_expiration = 0;
  609. /**
  610. * Running as a server: load, reload, or refresh our ed25519 keys and
  611. * certificates, creating and saving new ones as needed.
  612. *
  613. * Return -1 on failure; 0 on success if the signing key was not replaced;
  614. * and 1 on success if the signing key was replaced.
  615. */
  616. int
  617. load_ed_keys(const or_options_t *options, time_t now)
  618. {
  619. ed25519_keypair_t *id = NULL;
  620. ed25519_keypair_t *sign = NULL;
  621. ed25519_keypair_t *auth = NULL;
  622. const ed25519_keypair_t *sign_signing_key_with_id = NULL;
  623. const ed25519_keypair_t *use_signing = NULL;
  624. const tor_cert_t *check_signing_cert = NULL;
  625. tor_cert_t *sign_cert = NULL;
  626. tor_cert_t *auth_cert = NULL;
  627. int signing_key_changed = 0;
  628. // It is later than 1972, since otherwise there would be no C compilers.
  629. // (Try to diagnose #22466.)
  630. tor_assert_nonfatal(now >= 2 * 365 * 86400);
  631. #define FAIL(msg) do { \
  632. log_warn(LD_OR, (msg)); \
  633. goto err; \
  634. } while (0)
  635. #define SET_KEY(key, newval) do { \
  636. if ((key) != (newval)) \
  637. ed25519_keypair_free(key); \
  638. key = (newval); \
  639. } while (0)
  640. #define SET_CERT(cert, newval) do { \
  641. if ((cert) != (newval)) \
  642. tor_cert_free(cert); \
  643. cert = (newval); \
  644. } while (0)
  645. #define HAPPENS_SOON(when, interval) \
  646. ((when) < now + (interval))
  647. #define EXPIRES_SOON(cert, interval) \
  648. (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))
  649. /* XXXX support encrypted identity keys fully */
  650. /* First try to get the signing key to see how it is. */
  651. {
  652. char *fname =
  653. options_get_keydir_fname(options, "ed25519_signing");
  654. sign = ed_key_init_from_file(
  655. fname,
  656. INIT_ED_KEY_NEEDCERT|
  657. INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
  658. LOG_INFO,
  659. NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert);
  660. tor_free(fname);
  661. check_signing_cert = sign_cert;
  662. use_signing = sign;
  663. }
  664. if (use_signing) {
  665. /* We loaded a signing key with its certificate. */
  666. if (! master_signing_key) {
  667. /* We didn't know one before! */
  668. signing_key_changed = 1;
  669. } else if (! ed25519_pubkey_eq(&use_signing->pubkey,
  670. &master_signing_key->pubkey) ||
  671. ! tor_memeq(use_signing->seckey.seckey,
  672. master_signing_key->seckey.seckey,
  673. ED25519_SECKEY_LEN)) {
  674. /* We loaded a different signing key than the one we knew before. */
  675. signing_key_changed = 1;
  676. }
  677. }
  678. if (!use_signing && master_signing_key) {
  679. /* We couldn't load a signing key, but we already had one loaded */
  680. check_signing_cert = signing_key_cert;
  681. use_signing = master_signing_key;
  682. }
  683. const int offline_master =
  684. options->OfflineMasterKey && options->command != CMD_KEYGEN;
  685. const int need_new_signing_key =
  686. NULL == use_signing ||
  687. EXPIRES_SOON(check_signing_cert, 0) ||
  688. (options->command == CMD_KEYGEN && ! options->change_key_passphrase);
  689. const int want_new_signing_key =
  690. need_new_signing_key ||
  691. EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
  692. /* We can only create a master key if we haven't been told that the
  693. * master key will always be offline. Also, if we have a signing key,
  694. * then we shouldn't make a new master ID key. */
  695. const int can_make_master_id_key = !offline_master &&
  696. NULL == use_signing;
  697. if (need_new_signing_key) {
  698. log_notice(LD_OR, "It looks like I need to generate and sign a new "
  699. "medium-term signing key, because %s. To do that, I "
  700. "need to load%s the permanent master identity key. "
  701. "If the master identity key was not moved or encrypted "
  702. "with a passphrase, this will be done automatically and "
  703. "no further action is required. Otherwise, provide the "
  704. "necessary data using 'tor --keygen' to do it manually.",
  705. (NULL == use_signing) ? "I don't have one" :
  706. EXPIRES_SOON(check_signing_cert, 0) ? "the one I have is expired" :
  707. "you asked me to make one with --keygen",
  708. can_make_master_id_key ? " (or create)" : "");
  709. } else if (want_new_signing_key && !offline_master) {
  710. log_notice(LD_OR, "It looks like I should try to generate and sign a "
  711. "new medium-term signing key, because the one I have is "
  712. "going to expire soon. To do that, I'm going to have to "
  713. "try to load the permanent master identity key. "
  714. "If the master identity key was not moved or encrypted "
  715. "with a passphrase, this will be done automatically and "
  716. "no further action is required. Otherwise, provide the "
  717. "necessary data using 'tor --keygen' to do it manually.");
  718. } else if (want_new_signing_key) {
  719. log_notice(LD_OR, "It looks like I should try to generate and sign a "
  720. "new medium-term signing key, because the one I have is "
  721. "going to expire soon. But OfflineMasterKey is set, so I "
  722. "won't try to load a permanent master identity key. You "
  723. "will need to use 'tor --keygen' to make a new signing "
  724. "key and certificate.");
  725. }
  726. {
  727. uint32_t flags =
  728. (INIT_ED_KEY_SPLIT|
  729. INIT_ED_KEY_EXTRA_STRONG|INIT_ED_KEY_NO_REPAIR);
  730. if (can_make_master_id_key)
  731. flags |= INIT_ED_KEY_CREATE;
  732. if (! need_new_signing_key)
  733. flags |= INIT_ED_KEY_MISSING_SECRET_OK;
  734. if (! want_new_signing_key || offline_master)
  735. flags |= INIT_ED_KEY_OMIT_SECRET;
  736. if (offline_master)
  737. flags |= INIT_ED_KEY_OFFLINE_SECRET;
  738. if (options->command == CMD_KEYGEN)
  739. flags |= INIT_ED_KEY_TRY_ENCRYPTED;
  740. /* Check/Create the key directory */
  741. if (create_keys_directory(options) < 0)
  742. return -1;
  743. char *fname;
  744. if (options->master_key_fname) {
  745. fname = tor_strdup(options->master_key_fname);
  746. flags |= INIT_ED_KEY_EXPLICIT_FNAME;
  747. } else {
  748. fname = options_get_keydir_fname(options, "ed25519_master_id");
  749. }
  750. id = ed_key_init_from_file(
  751. fname,
  752. flags,
  753. LOG_WARN, NULL, 0, 0, 0, NULL);
  754. tor_free(fname);
  755. if (!id) {
  756. if (need_new_signing_key) {
  757. if (offline_master)
  758. FAIL("Can't load master identity key; OfflineMasterKey is set.");
  759. else
  760. FAIL("Missing identity key");
  761. } else {
  762. log_warn(LD_OR, "Master public key was absent; inferring from "
  763. "public key in signing certificate and saving to disk.");
  764. tor_assert(check_signing_cert);
  765. id = tor_malloc_zero(sizeof(*id));
  766. memcpy(&id->pubkey, &check_signing_cert->signing_key,
  767. sizeof(ed25519_public_key_t));
  768. fname = options_get_keydir_fname(options,
  769. "ed25519_master_id_public_key");
  770. if (ed25519_pubkey_write_to_file(&id->pubkey, fname, "type0") < 0) {
  771. log_warn(LD_OR, "Error while attempting to write master public key "
  772. "to disk");
  773. tor_free(fname);
  774. goto err;
  775. }
  776. tor_free(fname);
  777. }
  778. }
  779. if (tor_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
  780. sign_signing_key_with_id = NULL;
  781. else
  782. sign_signing_key_with_id = id;
  783. }
  784. if (master_identity_key &&
  785. !ed25519_pubkey_eq(&id->pubkey, &master_identity_key->pubkey)) {
  786. FAIL("Identity key on disk does not match key we loaded earlier!");
  787. }
  788. if (need_new_signing_key && NULL == sign_signing_key_with_id)
  789. FAIL("Can't load master key make a new signing key.");
  790. if (sign_cert) {
  791. if (! sign_cert->signing_key_included)
  792. FAIL("Loaded a signing cert with no key included!");
  793. if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
  794. FAIL("The signing cert we have was not signed with the master key "
  795. "we loaded!");
  796. if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0) {
  797. log_warn(LD_OR, "The signing cert we loaded was not signed "
  798. "correctly: %s!",
  799. tor_cert_describe_signature_status(sign_cert));
  800. goto err;
  801. }
  802. }
  803. if (want_new_signing_key && sign_signing_key_with_id) {
  804. uint32_t flags = (INIT_ED_KEY_CREATE|
  805. INIT_ED_KEY_REPLACE|
  806. INIT_ED_KEY_EXTRA_STRONG|
  807. INIT_ED_KEY_NEEDCERT|
  808. INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
  809. char *fname =
  810. options_get_keydir_fname(options, "ed25519_signing");
  811. ed25519_keypair_free(sign);
  812. tor_cert_free(sign_cert);
  813. sign = ed_key_init_from_file(fname,
  814. flags, LOG_WARN,
  815. sign_signing_key_with_id, now,
  816. options->SigningKeyLifetime,
  817. CERT_TYPE_ID_SIGNING, &sign_cert);
  818. tor_free(fname);
  819. if (!sign)
  820. FAIL("Missing signing key");
  821. use_signing = sign;
  822. signing_key_changed = 1;
  823. tor_assert(sign_cert->signing_key_included);
  824. tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
  825. tor_assert(ed25519_pubkey_eq(&sign_cert->signed_key, &sign->pubkey));
  826. } else if (want_new_signing_key) {
  827. static ratelim_t missing_master = RATELIM_INIT(3600);
  828. log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
  829. "Signing key will expire soon, but I can't load the "
  830. "master key to sign a new one!");
  831. }
  832. tor_assert(use_signing);
  833. /* At this point we no longer need our secret identity key. So wipe
  834. * it, if we loaded it in the first place. */
  835. memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
  836. if (options->command == CMD_KEYGEN)
  837. goto end;
  838. if (server_mode(options) &&
  839. (!rsa_ed_crosscert ||
  840. HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) {
  841. uint8_t *crosscert;
  842. time_t expiration = now+6*30*86400; /* 6 months in the future. */
  843. ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
  844. get_server_identity_key(),
  845. expiration,
  846. &crosscert);
  847. tor_free(rsa_ed_crosscert);
  848. rsa_ed_crosscert_len = crosscert_len;
  849. rsa_ed_crosscert = crosscert;
  850. rsa_ed_crosscert_expiration = expiration;
  851. }
  852. if (!current_auth_key ||
  853. signing_key_changed ||
  854. EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
  855. auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
  856. now,
  857. options->TestingAuthKeyLifetime,
  858. CERT_TYPE_SIGNING_AUTH, &auth_cert);
  859. if (!auth)
  860. FAIL("Can't create auth key");
  861. }
  862. /* We've generated or loaded everything. Put them in memory. */
  863. end:
  864. if (! master_identity_key) {
  865. SET_KEY(master_identity_key, id);
  866. } else {
  867. tor_free(id);
  868. }
  869. if (sign) {
  870. SET_KEY(master_signing_key, sign);
  871. SET_CERT(signing_key_cert, sign_cert);
  872. }
  873. if (auth) {
  874. SET_KEY(current_auth_key, auth);
  875. SET_CERT(auth_key_cert, auth_cert);
  876. }
  877. return signing_key_changed;
  878. err:
  879. ed25519_keypair_free(id);
  880. ed25519_keypair_free(sign);
  881. ed25519_keypair_free(auth);
  882. tor_cert_free(sign_cert);
  883. tor_cert_free(auth_cert);
  884. return -1;
  885. }
  886. /**
  887. * Retrieve our currently-in-use Ed25519 link certificate and id certificate,
  888. * and, if they would expire soon (based on the time <b>now</b>, generate new
  889. * certificates (without embedding the public part of the signing key inside).
  890. * If <b>force</b> is true, always generate a new certificate.
  891. *
  892. * The signed_key from the current id->signing certificate will be used to
  893. * sign the new key within newly generated X509 certificate.
  894. *
  895. * Returns -1 upon error. Otherwise, returns 0 upon success (either when the
  896. * current certificate is still valid, or when a new certificate was
  897. * successfully generated, or no certificate was needed).
  898. */
  899. int
  900. generate_ed_link_cert(const or_options_t *options, time_t now,
  901. int force)
  902. {
  903. const tor_x509_cert_t *link_ = NULL, *id = NULL;
  904. tor_cert_t *link_cert = NULL;
  905. if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL) {
  906. if (!server_mode(options)) {
  907. /* No need to make an Ed25519->Link cert: we are a client */
  908. return 0;
  909. }
  910. log_warn(LD_OR, "Can't get my x509 link cert.");
  911. return -1;
  912. }
  913. const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);
  914. if (force == 0 &&
  915. link_cert_cert &&
  916. ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
  917. fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
  918. DIGEST256_LEN)) {
  919. return 0;
  920. }
  921. ed25519_public_key_t dummy_key;
  922. memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);
  923. link_cert = tor_cert_create(get_master_signing_keypair(),
  924. CERT_TYPE_SIGNING_LINK,
  925. &dummy_key,
  926. now,
  927. options->TestingLinkCertLifetime, 0);
  928. if (link_cert) {
  929. SET_CERT(link_cert_cert, link_cert);
  930. }
  931. return 0;
  932. }
  933. #undef FAIL
  934. #undef SET_KEY
  935. #undef SET_CERT
  936. /**
  937. * Return 1 if any of the following are true:
  938. *
  939. * - if one of our Ed25519 signing, auth, or link certificates would expire
  940. * soon w.r.t. the time <b>now</b>,
  941. * - if we do not currently have a link certificate, or
  942. * - if our cached Ed25519 link certificate is not same as the one we're
  943. * currently using.
  944. *
  945. * Otherwise, returns 0.
  946. */
  947. int
  948. should_make_new_ed_keys(const or_options_t *options, const time_t now)
  949. {
  950. if (!master_identity_key ||
  951. !master_signing_key ||
  952. !current_auth_key ||
  953. !link_cert_cert ||
  954. EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
  955. EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop) ||
  956. EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop))
  957. return 1;
  958. const tor_x509_cert_t *link_ = NULL, *id = NULL;
  959. if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL)
  960. return 1;
  961. const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);
  962. if (!fast_memeq(digests->d[DIGEST_SHA256],
  963. link_cert_cert->signed_key.pubkey,
  964. DIGEST256_LEN)) {
  965. return 1;
  966. }
  967. return 0;
  968. }
  969. #undef EXPIRES_SOON
  970. #undef HAPPENS_SOON
  971. #ifdef TOR_UNIT_TESTS
  972. /* Helper for unit tests: populate the ed25519 keys without saving or
  973. * loading */
  974. void
  975. init_mock_ed_keys(const crypto_pk_t *rsa_identity_key)
  976. {
  977. routerkeys_free_all();
  978. #define MAKEKEY(k) \
  979. k = tor_malloc_zero(sizeof(*k)); \
  980. if (ed25519_keypair_generate(k, 0) < 0) { \
  981. log_warn(LD_BUG, "Couldn't make a keypair"); \
  982. goto err; \
  983. }
  984. MAKEKEY(master_identity_key);
  985. MAKEKEY(master_signing_key);
  986. MAKEKEY(current_auth_key);
  987. #define MAKECERT(cert, signing, signed_, type, flags) \
  988. cert = tor_cert_create(signing, \
  989. type, \
  990. &signed_->pubkey, \
  991. time(NULL), 86400, \
  992. flags); \
  993. if (!cert) { \
  994. log_warn(LD_BUG, "Couldn't make a %s certificate!", #cert); \
  995. goto err; \
  996. }
  997. MAKECERT(signing_key_cert,
  998. master_identity_key, master_signing_key, CERT_TYPE_ID_SIGNING,
  999. CERT_FLAG_INCLUDE_SIGNING_KEY);
  1000. MAKECERT(auth_key_cert,
  1001. master_signing_key, current_auth_key, CERT_TYPE_SIGNING_AUTH, 0);
  1002. if (generate_ed_link_cert(get_options(), time(NULL), 0) < 0) {
  1003. log_warn(LD_BUG, "Couldn't make link certificate");
  1004. goto err;
  1005. }
  1006. rsa_ed_crosscert_len = tor_make_rsa_ed25519_crosscert(
  1007. &master_identity_key->pubkey,
  1008. rsa_identity_key,
  1009. time(NULL)+86400,
  1010. &rsa_ed_crosscert);
  1011. return;
  1012. err:
  1013. routerkeys_free_all();
  1014. tor_assert_nonfatal_unreached();
  1015. }
  1016. #undef MAKEKEY
  1017. #undef MAKECERT
  1018. #endif /* defined(TOR_UNIT_TESTS) */
  1019. /**
  1020. * Print the ISO8601-formated <b>expiration</b> for a certificate with
  1021. * some <b>description</b> to stdout.
  1022. *
  1023. * For example, for a signing certificate, this might print out:
  1024. * signing-cert-expiry: 2017-07-25 08:30:15 UTC
  1025. */
  1026. static void
  1027. print_cert_expiration(const char *expiration,
  1028. const char *description)
  1029. {
  1030. fprintf(stderr, "%s-cert-expiry: %s\n", description, expiration);
  1031. }
  1032. /**
  1033. * Log when a certificate, <b>cert</b>, with some <b>description</b> and
  1034. * stored in a file named <b>fname</b>, is going to expire.
  1035. */
  1036. static void
  1037. log_ed_cert_expiration(const tor_cert_t *cert,
  1038. const char *description,
  1039. const char *fname) {
  1040. char expiration[ISO_TIME_LEN+1];
  1041. if (BUG(!cert)) { /* If the specified key hasn't been loaded */
  1042. log_warn(LD_OR, "No %s key loaded; can't get certificate expiration.",
  1043. description);
  1044. } else {
  1045. format_local_iso_time(expiration, cert->valid_until);
  1046. log_notice(LD_OR, "The %s certificate stored in %s is valid until %s.",
  1047. description, fname, expiration);
  1048. print_cert_expiration(expiration, description);
  1049. }
  1050. }
  1051. /**
  1052. * Log when our master signing key certificate expires. Used when tor is given
  1053. * the --key-expiration command-line option.
  1054. *
  1055. * Returns 0 on success and 1 on failure.
  1056. */
  1057. static int
  1058. log_master_signing_key_cert_expiration(const or_options_t *options)
  1059. {
  1060. const tor_cert_t *signing_key;
  1061. char *fn = NULL;
  1062. int failed = 0;
  1063. time_t now = approx_time();
  1064. fn = options_get_keydir_fname(options, "ed25519_signing_cert");
  1065. /* Try to grab our cached copy of the key. */
  1066. signing_key = get_master_signing_key_cert();
  1067. tor_assert(server_identity_key_is_set());
  1068. /* Load our keys from disk, if necessary. */
  1069. if (!signing_key) {
  1070. failed = load_ed_keys(options, now) < 0;
  1071. signing_key = get_master_signing_key_cert();
  1072. }
  1073. /* If we do have a signing key, log the expiration time. */
  1074. if (signing_key) {
  1075. log_ed_cert_expiration(signing_key, "signing", fn);
  1076. } else {
  1077. log_warn(LD_OR, "Could not load signing key certificate from %s, so " \
  1078. "we couldn't learn anything about certificate expiration.", fn);
  1079. }
  1080. tor_free(fn);
  1081. return failed;
  1082. }
  1083. /**
  1084. * Log when a key certificate expires. Used when tor is given the
  1085. * --key-expiration command-line option.
  1086. *
  1087. * If an command argument is given, which should specify the type of
  1088. * key to get expiry information about (currently supported arguments
  1089. * are "sign"), get info about that type of certificate. Otherwise,
  1090. * print info about the supported arguments.
  1091. *
  1092. * Returns 0 on success and -1 on failure.
  1093. */
  1094. int
  1095. log_cert_expiration(void)
  1096. {
  1097. const or_options_t *options = get_options();
  1098. const char *arg = options->command_arg;
  1099. if (!strcmp(arg, "sign")) {
  1100. return log_master_signing_key_cert_expiration(options);
  1101. } else {
  1102. fprintf(stderr, "No valid argument to --key-expiration found!\n");
  1103. fprintf(stderr, "Currently recognised arguments are: 'sign'\n");
  1104. return -1;
  1105. }
  1106. }
  1107. const ed25519_public_key_t *
  1108. get_master_identity_key(void)
  1109. {
  1110. if (!master_identity_key)
  1111. return NULL;
  1112. return &master_identity_key->pubkey;
  1113. }
  1114. /** Return true iff <b>id</b> is our Ed25519 master identity key. */
  1115. int
  1116. router_ed25519_id_is_me(const ed25519_public_key_t *id)
  1117. {
  1118. return id && master_identity_key &&
  1119. ed25519_pubkey_eq(id, &master_identity_key->pubkey);
  1120. }
  1121. #ifdef TOR_UNIT_TESTS
  1122. /* only exists for the unit tests, since otherwise the identity key
  1123. * should be used to sign nothing but the signing key. */
  1124. const ed25519_keypair_t *
  1125. get_master_identity_keypair(void)
  1126. {
  1127. return master_identity_key;
  1128. }
  1129. #endif /* defined(TOR_UNIT_TESTS) */
  1130. const ed25519_keypair_t *
  1131. get_master_signing_keypair(void)
  1132. {
  1133. return master_signing_key;
  1134. }
  1135. const struct tor_cert_st *
  1136. get_master_signing_key_cert(void)
  1137. {
  1138. return signing_key_cert;
  1139. }
  1140. const ed25519_keypair_t *
  1141. get_current_auth_keypair(void)
  1142. {
  1143. return current_auth_key;
  1144. }
  1145. const tor_cert_t *
  1146. get_current_link_cert_cert(void)
  1147. {
  1148. return link_cert_cert;
  1149. }
  1150. const tor_cert_t *
  1151. get_current_auth_key_cert(void)
  1152. {
  1153. return auth_key_cert;
  1154. }
  1155. void
  1156. get_master_rsa_crosscert(const uint8_t **cert_out,
  1157. size_t *size_out)
  1158. {
  1159. *cert_out = rsa_ed_crosscert;
  1160. *size_out = rsa_ed_crosscert_len;
  1161. }
  1162. /** Construct cross-certification for the master identity key with
  1163. * the ntor onion key. Store the sign of the corresponding ed25519 public key
  1164. * in *<b>sign_out</b>. */
  1165. tor_cert_t *
  1166. make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key,
  1167. const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime,
  1168. int *sign_out)
  1169. {
  1170. tor_cert_t *cert = NULL;
  1171. ed25519_keypair_t ed_onion_key;
  1172. if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key, sign_out,
  1173. onion_key) < 0)
  1174. goto end;
  1175. cert = tor_cert_create(&ed_onion_key, CERT_TYPE_ONION_ID, master_id_key,
  1176. now, lifetime, 0);
  1177. end:
  1178. memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
  1179. return cert;
  1180. }
  1181. /** Construct and return an RSA signature for the TAP onion key to
  1182. * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
  1183. * length. */
  1184. uint8_t *
  1185. make_tap_onion_key_crosscert(const crypto_pk_t *onion_key,
  1186. const ed25519_public_key_t *master_id_key,
  1187. const crypto_pk_t *rsa_id_key,
  1188. int *len_out)
  1189. {
  1190. uint8_t signature[PK_BYTES];
  1191. uint8_t signed_data[DIGEST_LEN + ED25519_PUBKEY_LEN];
  1192. *len_out = 0;
  1193. if (crypto_pk_get_digest(rsa_id_key, (char*)signed_data) < 0) {
  1194. return NULL;
  1195. }
  1196. memcpy(signed_data + DIGEST_LEN, master_id_key->pubkey, ED25519_PUBKEY_LEN);
  1197. int r = crypto_pk_private_sign(onion_key,
  1198. (char*)signature, sizeof(signature),
  1199. (const char*)signed_data, sizeof(signed_data));
  1200. if (r < 0)
  1201. return NULL;
  1202. *len_out = r;
  1203. return tor_memdup(signature, r);
  1204. }
  1205. /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it
  1206. * is, -1 if it isn't. */
  1207. MOCK_IMPL(int,
  1208. check_tap_onion_key_crosscert,(const uint8_t *crosscert,
  1209. int crosscert_len,
  1210. const crypto_pk_t *onion_pkey,
  1211. const ed25519_public_key_t *master_id_pkey,
  1212. const uint8_t *rsa_id_digest))
  1213. {
  1214. uint8_t *cc = tor_malloc(crypto_pk_keysize(onion_pkey));
  1215. int cc_len =
  1216. crypto_pk_public_checksig(onion_pkey,
  1217. (char*)cc,
  1218. crypto_pk_keysize(onion_pkey),
  1219. (const char*)crosscert,
  1220. crosscert_len);
  1221. if (cc_len < 0) {
  1222. goto err;
  1223. }
  1224. if (cc_len < DIGEST_LEN + ED25519_PUBKEY_LEN) {
  1225. log_warn(LD_DIR, "Short signature on cross-certification with TAP key");
  1226. goto err;
  1227. }
  1228. if (tor_memneq(cc, rsa_id_digest, DIGEST_LEN) ||
  1229. tor_memneq(cc + DIGEST_LEN, master_id_pkey->pubkey,
  1230. ED25519_PUBKEY_LEN)) {
  1231. log_warn(LD_DIR, "Incorrect cross-certification with TAP key");
  1232. goto err;
  1233. }
  1234. tor_free(cc);
  1235. return 0;
  1236. err:
  1237. tor_free(cc);
  1238. return -1;
  1239. }
  1240. void
  1241. routerkeys_free_all(void)
  1242. {
  1243. ed25519_keypair_free(master_identity_key);
  1244. ed25519_keypair_free(master_signing_key);
  1245. ed25519_keypair_free(current_auth_key);
  1246. tor_cert_free(signing_key_cert);
  1247. tor_cert_free(link_cert_cert);
  1248. tor_cert_free(auth_key_cert);
  1249. tor_free(rsa_ed_crosscert);
  1250. master_identity_key = master_signing_key = NULL;
  1251. current_auth_key = NULL;
  1252. signing_key_cert = link_cert_cert = auth_key_cert = NULL;
  1253. rsa_ed_crosscert = NULL; // redundant
  1254. rsa_ed_crosscert_len = 0;
  1255. }