static void
test_routerkeys_cross_certify_ntor(void *args)
{
(void) args;
tor_cert_t *cert = NULL;
curve25519_keypair_t onion_keys;
ed25519_public_key_t master_key;
ed25519_public_key_t onion_check_key;
time_t now = time(NULL);
int sign;
tt_int_op(0, OP_EQ, ed25519_public_from_base64(&master_key,
"IamwritingthesetestsOnARainyAfternoonin2014"));
tt_int_op(0, OP_EQ, curve25519_keypair_generate(&onion_keys, 0));
cert = make_ntor_onion_key_crosscert(&onion_keys,
&master_key,
now, 10000,
&sign);
tt_assert(cert);
tt_assert(sign == 0 || sign == 1);
tt_int_op(cert->cert_type, OP_EQ, CERT_TYPE_ONION_ID);
tt_int_op(1, OP_EQ, ed25519_pubkey_eq(&cert->signed_key, &master_key));
tt_int_op(0, OP_EQ, ed25519_public_key_from_curve25519_public_key(
&onion_check_key, &onion_keys.pubkey, sign));
tt_int_op(0, OP_EQ, tor_cert_checksig(cert, &onion_check_key, now));
done:
tor_cert_free(cert);
}
/**
* Running as a server: load, reload, or refresh our ed25519 keys and
* certificates, creating and saving new ones as needed.
*/
int
load_ed_keys(const or_options_t *options, time_t now)
{
ed25519_keypair_t *id = NULL;
ed25519_keypair_t *sign = NULL;
ed25519_keypair_t *auth = NULL;
const ed25519_keypair_t *sign_signing_key_with_id = NULL;
const ed25519_keypair_t *use_signing = NULL;
const tor_cert_t *check_signing_cert = NULL;
tor_cert_t *sign_cert = NULL;
tor_cert_t *auth_cert = NULL;
#define FAIL(msg) do { \
log_warn(LD_OR, (msg)); \
goto err; \
} while (0)
#define SET_KEY(key, newval) do { \
if ((key) != (newval)) \
ed25519_keypair_free(key); \
key = (newval); \
} while (0)
#define SET_CERT(cert, newval) do { \
if ((cert) != (newval)) \
tor_cert_free(cert); \
cert = (newval); \
} while (0)
#define EXPIRES_SOON(cert, interval) \
(!(cert) || (cert)->valid_until < now + (interval))
/* XXXX support encrypted identity keys fully */
/* First try to get the signing key to see how it is. */
{
char *fname =
options_get_datadir_fname2(options, "keys", "ed25519_signing");
sign = ed_key_init_from_file(
fname,
INIT_ED_KEY_NEEDCERT|
INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
LOG_INFO,
NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert);
tor_free(fname);
check_signing_cert = sign_cert;
use_signing = sign;
}
if (!use_signing && master_signing_key) {
check_signing_cert = signing_key_cert;
use_signing = master_signing_key;
}
const int offline_master =
options->OfflineMasterKey && options->command != CMD_KEYGEN;
const int need_new_signing_key =
NULL == use_signing ||
EXPIRES_SOON(check_signing_cert, 0) ||
(options->command == CMD_KEYGEN && ! options->change_key_passphrase);
const int want_new_signing_key =
need_new_signing_key ||
EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
/* We can only create a master key if we haven't been told that the
* master key will always be offline. Also, if we have a signing key,
* then we shouldn't make a new master ID key. */
const int can_make_master_id_key = !offline_master &&
NULL == use_signing;
if (need_new_signing_key) {
log_notice(LD_OR, "It looks like I need to generate and sign a new "
"medium-term signing key, because %s. To do that, I need to "
"load%s the permanent master identity key.",
(NULL == use_signing) ? "I don't have one" :
EXPIRES_SOON(check_signing_cert, 0) ? "the one I have is expired" :
"you asked me to make one with --keygen",
can_make_master_id_key ? " (or create)" : "");
} else if (want_new_signing_key && !offline_master) {
log_notice(LD_OR, "It looks like I should try to generate and sign a "
"new medium-term signing key, because the one I have is "
"going to expire soon. To do that, I'm going to have to try to "
"load the permanent master identity key.");
} else if (want_new_signing_key) {
log_notice(LD_OR, "It looks like I should try to generate and sign a "
"new medium-term signing key, because the one I have is "
"going to expire soon. But OfflineMasterKey is set, so I "
"won't try to load a permanent master identity key is set. "
"You will need to use 'tor --keygen' make a new signing key "
"and certificate.");
}
{
uint32_t flags =
(INIT_ED_KEY_SPLIT|
INIT_ED_KEY_EXTRA_STRONG|INIT_ED_KEY_NO_REPAIR);
if (can_make_master_id_key)
flags |= INIT_ED_KEY_CREATE;
if (! need_new_signing_key)
flags |= INIT_ED_KEY_MISSING_SECRET_OK;
if (! want_new_signing_key || offline_master)
flags |= INIT_ED_KEY_OMIT_SECRET;
if (offline_master)
flags |= INIT_ED_KEY_OFFLINE_SECRET;
if (options->command == CMD_KEYGEN)
flags |= INIT_ED_KEY_TRY_ENCRYPTED;
/* Check the key directory */
if (check_private_dir(options->DataDirectory, CPD_CREATE, options->User)) {
log_err(LD_OR, "Can't create/check datadirectory %s",
options->DataDirectory);
goto err;
}
char *fname = get_datadir_fname("keys");
if (check_private_dir(fname, CPD_CREATE, options->User) < 0) {
log_err(LD_OR, "Problem creating/checking key directory %s", fname);
tor_free(fname);
goto err;
}
tor_free(fname);
if (options->master_key_fname) {
fname = tor_strdup(options->master_key_fname);
flags |= INIT_ED_KEY_EXPLICIT_FNAME;
} else {
fname = options_get_datadir_fname2(options, "keys", "ed25519_master_id");
}
id = ed_key_init_from_file(
fname,
flags,
LOG_WARN, NULL, 0, 0, 0, NULL);
tor_free(fname);
if (!id) {
if (need_new_signing_key) {
if (offline_master)
FAIL("Can't load master identity key; OfflineMasterKey is set.");
else
FAIL("Missing identity key");
} else {
log_warn(LD_OR, "Master public key was absent; inferring from "
"public key in signing certificate and saving to disk.");
tor_assert(check_signing_cert);
id = tor_malloc_zero(sizeof(*id));
memcpy(&id->pubkey, &check_signing_cert->signing_key,
sizeof(ed25519_public_key_t));
fname = options_get_datadir_fname2(options, "keys",
"ed25519_master_id_public_key");
if (ed25519_pubkey_write_to_file(&id->pubkey, fname, "type0") < 0) {
log_warn(LD_OR, "Error while attempting to write master public key "
"to disk");
tor_free(fname);
goto err;
}
tor_free(fname);
}
}
if (tor_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
sign_signing_key_with_id = NULL;
else
sign_signing_key_with_id = id;
}
if (master_identity_key &&
!ed25519_pubkey_eq(&id->pubkey, &master_identity_key->pubkey)) {
FAIL("Identity key on disk does not match key we loaded earlier!");
}
if (need_new_signing_key && NULL == sign_signing_key_with_id)
FAIL("Can't load master key make a new signing key.");
if (sign_cert) {
if (! sign_cert->signing_key_included)
FAIL("Loaded a signing cert with no key included!");
if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
FAIL("The signing cert we have was not signed with the master key "
"we loaded!");
if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0)
FAIL("The signing cert we loaded was not signed correctly!");
}
if (want_new_signing_key && sign_signing_key_with_id) {
uint32_t flags = (INIT_ED_KEY_CREATE|
INIT_ED_KEY_REPLACE|
INIT_ED_KEY_EXTRA_STRONG|
INIT_ED_KEY_NEEDCERT|
INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
char *fname =
options_get_datadir_fname2(options, "keys", "ed25519_signing");
ed25519_keypair_free(sign);
tor_cert_free(sign_cert);
sign = ed_key_init_from_file(fname,
flags, LOG_WARN,
sign_signing_key_with_id, now,
options->SigningKeyLifetime,
CERT_TYPE_ID_SIGNING, &sign_cert);
tor_free(fname);
if (!sign)
FAIL("Missing signing key");
use_signing = sign;
tor_assert(sign_cert->signing_key_included);
tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
tor_assert(ed25519_pubkey_eq(&sign_cert->signed_key, &sign->pubkey));
} else if (want_new_signing_key) {
static ratelim_t missing_master = RATELIM_INIT(3600);
log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
"Signing key will expire soon, but I can't load the "
"master key to sign a new one!");
}
tor_assert(use_signing);
/* At this point we no longer need our secret identity key. So wipe
* it, if we loaded it in the first place. */
memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
if (options->command == CMD_KEYGEN)
goto end;
if (!rsa_ed_crosscert && server_mode(options)) {
uint8_t *crosscert;
ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
get_server_identity_key(),
now+10*365*86400,/*XXXX*/
&crosscert);
rsa_ed_crosscert_len = crosscert_len;
rsa_ed_crosscert = crosscert;
}
if (!current_auth_key ||
EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
now,
options->TestingAuthKeyLifetime,
CERT_TYPE_SIGNING_AUTH, &auth_cert);
if (!auth)
FAIL("Can't create auth key");
}
/* We've generated or loaded everything. Put them in memory. */
end:
if (! master_identity_key) {
SET_KEY(master_identity_key, id);
} else {
tor_free(id);
}
if (sign) {
SET_KEY(master_signing_key, sign);
SET_CERT(signing_key_cert, sign_cert);
}
if (auth) {
SET_KEY(current_auth_key, auth);
SET_CERT(auth_key_cert, auth_cert);
}
return 0;
err:
ed25519_keypair_free(id);
ed25519_keypair_free(sign);
ed25519_keypair_free(auth);
tor_cert_free(sign_cert);
tor_cert_free(auth_cert);
return -1;
}
/**
* Read an ed25519 key and associated certificates from files beginning with
* <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
* NULL; on success return the keypair.
*
* If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
* certificate if requested) if it doesn't exist, and save it to disk.
*
* If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
* too and store it in *<b>cert_out</b>. Fail if the cert can't be
* found/created. To create a certificate, <b>signing_key</b> must be set to
* the key that should sign it; <b>now</b> to the current time, and
* <b>lifetime</b> to the lifetime of the key.
*
* If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
* whether we can read the old one or not.
*
* If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
* flag when creating the secret key.
*
* If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
* we create a new certificate, create it with the signing key embedded.
*
* If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
* store the public key in a separate file from the secret key.
*
* If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
* public key file but no secret key file, return successfully anyway.
*
* If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not try to load a
* secret key unless no public key is found. Do not return a secret key. (but
* create and save one if needed).
*
* If INIT_ED_KEY_NO_LOAD_SECRET is set in <b>flags</b>, don't try to load
* a secret key, no matter what.
*
* If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key
* and consider encrypting any new secret key.
*
* If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys
* from disk _other than their absence_ (full or partial), we do not try to
* replace them.
*
* If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures
* refer to the --keygen option.
*
* If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the
* secret key file, encrypted or not.
*/
ed25519_keypair_t *
ed_key_init_from_file(const char *fname, uint32_t flags,
int severity,
const ed25519_keypair_t *signing_key,
time_t now,
time_t lifetime,
uint8_t cert_type,
struct tor_cert_st **cert_out)
{
char *secret_fname = NULL;
char *encrypted_secret_fname = NULL;
char *public_fname = NULL;
char *cert_fname = NULL;
const char *loaded_secret_fname = NULL;
int created_pk = 0, created_sk = 0, created_cert = 0;
const int try_to_load = ! (flags & INIT_ED_KEY_REPLACE);
const int encrypt_key = !! (flags & INIT_ED_KEY_TRY_ENCRYPTED);
const int norepair = !! (flags & INIT_ED_KEY_NO_REPAIR);
const int split = !! (flags & INIT_ED_KEY_SPLIT);
const int omit_secret = !! (flags & INIT_ED_KEY_OMIT_SECRET);
const int offline_secret = !! (flags & INIT_ED_KEY_OFFLINE_SECRET);
const int explicit_fname = !! (flags & INIT_ED_KEY_EXPLICIT_FNAME);
/* we don't support setting both of these flags at once. */
tor_assert((flags & (INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT)) !=
(INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT));
char tag[8];
tor_snprintf(tag, sizeof(tag), "type%d", (int)cert_type);
tor_cert_t *cert = NULL;
char *got_tag = NULL;
ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
if (explicit_fname) {
secret_fname = tor_strdup(fname);
encrypted_secret_fname = tor_strdup(fname);
} else {
tor_asprintf(&secret_fname, "%s_secret_key", fname);
tor_asprintf(&encrypted_secret_fname, "%s_secret_key_encrypted", fname);
}
tor_asprintf(&public_fname, "%s_public_key", fname);
tor_asprintf(&cert_fname, "%s_cert", fname);
/* Try to read the secret key. */
int have_secret = 0;
int load_secret = try_to_load &&
!offline_secret &&
(!omit_secret || file_status(public_fname)==FN_NOENT);
if (load_secret) {
int rv = ed25519_seckey_read_from_file(&keypair->seckey,
&got_tag, secret_fname);
if (rv == 0) {
have_secret = 1;
loaded_secret_fname = secret_fname;
tor_assert(got_tag);
} else {
if (errno != ENOENT && norepair) {
tor_log(severity, LD_OR, "Unable to read %s: %s", secret_fname,
strerror(errno));
goto err;
}
}
}
/* Should we try for an encrypted key? */
int have_encrypted_secret_file = 0;
if (!have_secret && try_to_load && encrypt_key) {
int r = read_encrypted_secret_key(&keypair->seckey,
encrypted_secret_fname);
if (r > 0) {
have_secret = 1;
have_encrypted_secret_file = 1;
tor_free(got_tag); /* convince coverity we aren't leaking */
got_tag = tor_strdup(tag);
loaded_secret_fname = encrypted_secret_fname;
} else if (errno != ENOENT && norepair) {
tor_log(severity, LD_OR, "Unable to read %s: %s",
encrypted_secret_fname, strerror(errno));
goto err;
}
} else {
if (try_to_load) {
/* Check if it's there anyway, so we don't replace it. */
if (file_status(encrypted_secret_fname) != FN_NOENT)
have_encrypted_secret_file = 1;
}
}
if (have_secret) {
if (strcmp(got_tag, tag)) {
tor_log(severity, LD_OR, "%s has wrong tag", loaded_secret_fname);
goto err;
}
/* Derive the public key */
if (ed25519_public_key_generate(&keypair->pubkey, &keypair->seckey)<0) {
tor_log(severity, LD_OR, "%s can't produce a public key",
loaded_secret_fname);
goto err;
}
}
/* If we do split keys here, try to read the pubkey. */
int found_public = 0;
if (try_to_load && (!have_secret || split)) {
ed25519_public_key_t pubkey_tmp;
tor_free(got_tag);
found_public = ed25519_pubkey_read_from_file(&pubkey_tmp,
&got_tag, public_fname) == 0;
if (!found_public && errno != ENOENT && norepair) {
tor_log(severity, LD_OR, "Unable to read %s: %s", public_fname,
strerror(errno));
goto err;
}
if (found_public && strcmp(got_tag, tag)) {
tor_log(severity, LD_OR, "%s has wrong tag", public_fname);
goto err;
}
if (found_public) {
if (have_secret) {
/* If we have a secret key and we're reloading the public key,
* the key must match! */
if (! ed25519_pubkey_eq(&keypair->pubkey, &pubkey_tmp)) {
tor_log(severity, LD_OR, "%s does not match %s! If you are trying "
"to restore from backup, make sure you didn't mix up the "
"key files. If you are absolutely sure that %s is the right "
"key for this relay, delete %s or move it out of the way.",
public_fname, loaded_secret_fname,
loaded_secret_fname, public_fname);
goto err;
}
} else {
/* We only have the public key; better use that. */
tor_assert(split);
memcpy(&keypair->pubkey, &pubkey_tmp, sizeof(pubkey_tmp));
}
} else {
/* We have no public key file, but we do have a secret key, make the
* public key file! */
if (have_secret) {
if (ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag)
< 0) {
tor_log(severity, LD_OR, "Couldn't repair %s", public_fname);
goto err;
} else {
tor_log(LOG_NOTICE, LD_OR,
"Found secret key but not %s. Regenerating.",
public_fname);
}
}
}
}
/* If the secret key is absent and it's not allowed to be, fail. */
if (!have_secret && found_public &&
!(flags & INIT_ED_KEY_MISSING_SECRET_OK)) {
if (have_encrypted_secret_file) {
tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
"but it was encrypted. Try 'tor --keygen' instead, so you "
"can enter the passphrase.",
secret_fname);
} else {
tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
"but couldn't find it. %s", secret_fname,
(flags & INIT_ED_KEY_SUGGEST_KEYGEN) ?
"If you're keeping your master secret key offline, you will "
"need to run 'tor --keygen' to generate new signing keys." :
"Did you forget to copy it over when you copied the rest of the "
"signing key material?");
}
goto err;
}
/* If it's absent, and we're not supposed to make a new keypair, fail. */
if (!have_secret && !found_public && !(flags & INIT_ED_KEY_CREATE)) {
if (split) {
tor_log(severity, LD_OR, "No key found in %s or %s.",
secret_fname, public_fname);
} else {
tor_log(severity, LD_OR, "No key found in %s.", secret_fname);
}
goto err;
}
/* If the secret key is absent, but the encrypted key would be present,
* that's an error */
if (!have_secret && !found_public && have_encrypted_secret_file) {
tor_assert(!encrypt_key);
tor_log(severity, LD_OR, "Found an encrypted secret key, "
"but not public key file %s!", public_fname);
goto err;
}
/* if it's absent, make a new keypair... */
if (!have_secret && !found_public) {
tor_free(keypair);
keypair = ed_key_new(signing_key, flags, now, lifetime,
cert_type, &cert);
if (!keypair) {
tor_log(severity, LD_OR, "Couldn't create keypair");
goto err;
}
created_pk = created_sk = created_cert = 1;
}
/* Write it to disk if we're supposed to do with a new passphrase, or if
* we just created it. */
if (created_sk || (have_secret && get_options()->change_key_passphrase)) {
if (write_secret_key(&keypair->seckey,
encrypt_key,
secret_fname, tag, encrypted_secret_fname) < 0
||
(split &&
ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag) < 0)
||
(cert &&
crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
tag, cert->encoded, cert->encoded_len) < 0)) {
tor_log(severity, LD_OR, "Couldn't write keys or cert to file.");
goto err;
}
goto done;
}
/* If we're not supposed to get a cert, we're done. */
if (! (flags & INIT_ED_KEY_NEEDCERT))
goto done;
/* Read a cert. */
tor_free(got_tag);
uint8_t certbuf[256];
ssize_t cert_body_len = crypto_read_tagged_contents_from_file(
cert_fname, "ed25519v1-cert",
&got_tag, certbuf, sizeof(certbuf));
if (cert_body_len >= 0 && !strcmp(got_tag, tag))
cert = tor_cert_parse(certbuf, cert_body_len);
/* If we got it, check it to the extent we can. */
int bad_cert = 0;
if (! cert) {
tor_log(severity, LD_OR, "Cert was unparseable");
bad_cert = 1;
} else if (!tor_memeq(cert->signed_key.pubkey, keypair->pubkey.pubkey,
ED25519_PUBKEY_LEN)) {
tor_log(severity, LD_OR, "Cert was for wrong key");
bad_cert = 1;
} else if (signing_key &&
tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
tor_log(severity, LD_OR, "Can't check certificate");
bad_cert = 1;
} else if (cert->cert_expired) {
tor_log(severity, LD_OR, "Certificate is expired");
bad_cert = 1;
} else if (signing_key && cert->signing_key_included &&
! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) {
tor_log(severity, LD_OR, "Certificate signed by unexpectd key!");
bad_cert = 1;
}
if (bad_cert) {
tor_cert_free(cert);
cert = NULL;
}
/* If we got a cert, we're done. */
if (cert)
goto done;
/* If we didn't get a cert, and we're not supposed to make one, fail. */
if (!signing_key || !(flags & INIT_ED_KEY_CREATE)) {
tor_log(severity, LD_OR, "Without signing key, can't create certificate");
goto err;
}
/* We have keys but not a certificate, so make one. */
uint32_t cert_flags = 0;
if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
cert = tor_cert_create(signing_key, cert_type,
&keypair->pubkey,
now, lifetime,
cert_flags);
if (! cert) {
tor_log(severity, LD_OR, "Couldn't create certificate");
goto err;
}
/* Write it to disk. */
created_cert = 1;
if (crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
tag, cert->encoded, cert->encoded_len) < 0) {
tor_log(severity, LD_OR, "Couldn't write cert to disk.");
goto err;
}
done:
if (cert_out)
*cert_out = cert;
else
tor_cert_free(cert);
goto cleanup;
err:
if (keypair)
memwipe(keypair, 0, sizeof(*keypair));
tor_free(keypair);
tor_cert_free(cert);
if (cert_out)
*cert_out = NULL;
if (created_sk)
unlink(secret_fname);
if (created_pk)
unlink(public_fname);
if (created_cert)
unlink(cert_fname);
cleanup:
tor_free(encrypted_secret_fname);
tor_free(secret_fname);
tor_free(public_fname);
tor_free(cert_fname);
tor_free(got_tag);
return keypair;
}
/**
* Running as a server: load, reload, or refresh our ed25519 keys and
* certificates, creating and saving new ones as needed.
*
* Return -1 on failure; 0 on success if the signing key was not replaced;
* and 1 on success if the signing key was replaced.
*/
int
load_ed_keys(const or_options_t *options, time_t now)
{
ed25519_keypair_t *id = NULL;
ed25519_keypair_t *sign = NULL;
ed25519_keypair_t *auth = NULL;
const ed25519_keypair_t *sign_signing_key_with_id = NULL;
const ed25519_keypair_t *use_signing = NULL;
const tor_cert_t *check_signing_cert = NULL;
tor_cert_t *sign_cert = NULL;
tor_cert_t *auth_cert = NULL;
int signing_key_changed = 0;
// It is later than 1972, since otherwise there would be no C compilers.
// (Try to diagnose #22466.)
tor_assert_nonfatal(now >= 2 * 365 * 86400);
#define FAIL(msg) do { \
log_warn(LD_OR, (msg)); \
goto err; \
} while (0)
#define SET_KEY(key, newval) do { \
if ((key) != (newval)) \
ed25519_keypair_free(key); \
key = (newval); \
} while (0)
#define SET_CERT(cert, newval) do { \
if ((cert) != (newval)) \
tor_cert_free(cert); \
cert = (newval); \
} while (0)
#define HAPPENS_SOON(when, interval) \
((when) < now + (interval))
#define EXPIRES_SOON(cert, interval) \
(!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))
/* XXXX support encrypted identity keys fully */
/* First try to get the signing key to see how it is. */
{
char *fname =
options_get_keydir_fname(options, "ed25519_signing");
sign = ed_key_init_from_file(
fname,
INIT_ED_KEY_NEEDCERT|
INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
LOG_INFO,
NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert);
tor_free(fname);
check_signing_cert = sign_cert;
use_signing = sign;
}
if (use_signing) {
/* We loaded a signing key with its certificate. */
if (! master_signing_key) {
/* We didn't know one before! */
signing_key_changed = 1;
} else if (! ed25519_pubkey_eq(&use_signing->pubkey,
&master_signing_key->pubkey) ||
! tor_memeq(use_signing->seckey.seckey,
master_signing_key->seckey.seckey,
ED25519_SECKEY_LEN)) {
/* We loaded a different signing key than the one we knew before. */
signing_key_changed = 1;
}
}
if (!use_signing && master_signing_key) {
/* We couldn't load a signing key, but we already had one loaded */
check_signing_cert = signing_key_cert;
use_signing = master_signing_key;
}
const int offline_master =
options->OfflineMasterKey && options->command != CMD_KEYGEN;
const int need_new_signing_key =
NULL == use_signing ||
EXPIRES_SOON(check_signing_cert, 0) ||
(options->command == CMD_KEYGEN && ! options->change_key_passphrase);
const int want_new_signing_key =
need_new_signing_key ||
EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
/* We can only create a master key if we haven't been told that the
* master key will always be offline. Also, if we have a signing key,
* then we shouldn't make a new master ID key. */
const int can_make_master_id_key = !offline_master &&
NULL == use_signing;
if (need_new_signing_key) {
log_notice(LD_OR, "It looks like I need to generate and sign a new "
"medium-term signing key, because %s. To do that, I "
"need to load%s the permanent master identity key. "
"If the master identity key was not moved or encrypted "
"with a passphrase, this will be done automatically and "
"no further action is required. Otherwise, provide the "
"necessary data using 'tor --keygen' to do it manually.",
(NULL == use_signing) ? "I don't have one" :
EXPIRES_SOON(check_signing_cert, 0) ? "the one I have is expired" :
"you asked me to make one with --keygen",
can_make_master_id_key ? " (or create)" : "");
} else if (want_new_signing_key && !offline_master) {
log_notice(LD_OR, "It looks like I should try to generate and sign a "
"new medium-term signing key, because the one I have is "
"going to expire soon. To do that, I'm going to have to "
"try to load the permanent master identity key. "
"If the master identity key was not moved or encrypted "
"with a passphrase, this will be done automatically and "
"no further action is required. Otherwise, provide the "
"necessary data using 'tor --keygen' to do it manually.");
} else if (want_new_signing_key) {
log_notice(LD_OR, "It looks like I should try to generate and sign a "
"new medium-term signing key, because the one I have is "
"going to expire soon. But OfflineMasterKey is set, so I "
"won't try to load a permanent master identity key. You "
"will need to use 'tor --keygen' to make a new signing "
"key and certificate.");
}
{
uint32_t flags =
(INIT_ED_KEY_SPLIT|
INIT_ED_KEY_EXTRA_STRONG|INIT_ED_KEY_NO_REPAIR);
if (can_make_master_id_key)
flags |= INIT_ED_KEY_CREATE;
if (! need_new_signing_key)
flags |= INIT_ED_KEY_MISSING_SECRET_OK;
if (! want_new_signing_key || offline_master)
flags |= INIT_ED_KEY_OMIT_SECRET;
if (offline_master)
flags |= INIT_ED_KEY_OFFLINE_SECRET;
if (options->command == CMD_KEYGEN)
flags |= INIT_ED_KEY_TRY_ENCRYPTED;
/* Check/Create the key directory */
if (create_keys_directory(options) < 0)
return -1;
char *fname;
if (options->master_key_fname) {
fname = tor_strdup(options->master_key_fname);
flags |= INIT_ED_KEY_EXPLICIT_FNAME;
} else {
fname = options_get_keydir_fname(options, "ed25519_master_id");
}
id = ed_key_init_from_file(
fname,
flags,
LOG_WARN, NULL, 0, 0, 0, NULL);
tor_free(fname);
if (!id) {
if (need_new_signing_key) {
if (offline_master)
FAIL("Can't load master identity key; OfflineMasterKey is set.");
else
FAIL("Missing identity key");
} else {
log_warn(LD_OR, "Master public key was absent; inferring from "
"public key in signing certificate and saving to disk.");
tor_assert(check_signing_cert);
id = tor_malloc_zero(sizeof(*id));
memcpy(&id->pubkey, &check_signing_cert->signing_key,
sizeof(ed25519_public_key_t));
fname = options_get_keydir_fname(options,
"ed25519_master_id_public_key");
if (ed25519_pubkey_write_to_file(&id->pubkey, fname, "type0") < 0) {
log_warn(LD_OR, "Error while attempting to write master public key "
"to disk");
tor_free(fname);
goto err;
}
tor_free(fname);
}
}
if (tor_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
sign_signing_key_with_id = NULL;
else
sign_signing_key_with_id = id;
}
if (master_identity_key &&
!ed25519_pubkey_eq(&id->pubkey, &master_identity_key->pubkey)) {
FAIL("Identity key on disk does not match key we loaded earlier!");
}
if (need_new_signing_key && NULL == sign_signing_key_with_id)
FAIL("Can't load master key make a new signing key.");
if (sign_cert) {
if (! sign_cert->signing_key_included)
FAIL("Loaded a signing cert with no key included!");
if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
FAIL("The signing cert we have was not signed with the master key "
"we loaded!");
if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0) {
log_warn(LD_OR, "The signing cert we loaded was not signed "
"correctly: %s!",
tor_cert_describe_signature_status(sign_cert));
goto err;
}
}
if (want_new_signing_key && sign_signing_key_with_id) {
uint32_t flags = (INIT_ED_KEY_CREATE|
INIT_ED_KEY_REPLACE|
INIT_ED_KEY_EXTRA_STRONG|
INIT_ED_KEY_NEEDCERT|
INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
char *fname =
options_get_keydir_fname(options, "ed25519_signing");
ed25519_keypair_free(sign);
tor_cert_free(sign_cert);
sign = ed_key_init_from_file(fname,
flags, LOG_WARN,
sign_signing_key_with_id, now,
options->SigningKeyLifetime,
CERT_TYPE_ID_SIGNING, &sign_cert);
tor_free(fname);
if (!sign)
FAIL("Missing signing key");
use_signing = sign;
signing_key_changed = 1;
tor_assert(sign_cert->signing_key_included);
tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
tor_assert(ed25519_pubkey_eq(&sign_cert->signed_key, &sign->pubkey));
} else if (want_new_signing_key) {
static ratelim_t missing_master = RATELIM_INIT(3600);
log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
"Signing key will expire soon, but I can't load the "
"master key to sign a new one!");
}
tor_assert(use_signing);
/* At this point we no longer need our secret identity key. So wipe
* it, if we loaded it in the first place. */
memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
if (options->command == CMD_KEYGEN)
goto end;
if (server_mode(options) &&
(!rsa_ed_crosscert ||
HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) {
uint8_t *crosscert;
time_t expiration = now+6*30*86400; /* 6 months in the future. */
ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
get_server_identity_key(),
expiration,
&crosscert);
tor_free(rsa_ed_crosscert);
rsa_ed_crosscert_len = crosscert_len;
rsa_ed_crosscert = crosscert;
rsa_ed_crosscert_expiration = expiration;
}
if (!current_auth_key ||
signing_key_changed ||
EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
now,
options->TestingAuthKeyLifetime,
CERT_TYPE_SIGNING_AUTH, &auth_cert);
if (!auth)
FAIL("Can't create auth key");
}
/* We've generated or loaded everything. Put them in memory. */
end:
if (! master_identity_key) {
SET_KEY(master_identity_key, id);
} else {
tor_free(id);
}
if (sign) {
SET_KEY(master_signing_key, sign);
SET_CERT(signing_key_cert, sign_cert);
}
if (auth) {
SET_KEY(current_auth_key, auth);
SET_CERT(auth_key_cert, auth_cert);
}
return signing_key_changed;
err:
ed25519_keypair_free(id);
ed25519_keypair_free(sign);
ed25519_keypair_free(auth);
tor_cert_free(sign_cert);
tor_cert_free(auth_cert);
return -1;
}
/** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519
* key.
*/
static tor_cert_t *
tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
uint8_t signed_key_type,
const uint8_t signed_key_info[32],
time_t now, time_t lifetime,
uint32_t flags)
{
tor_cert_t *torcert = NULL;
ed25519_cert_t *cert = ed25519_cert_new();
cert->cert_type = cert_type;
cert->exp_field = (uint32_t) CEIL_DIV(now + lifetime, 3600);
cert->cert_key_type = signed_key_type;
memcpy(cert->certified_key, signed_key_info, 32);
if (flags & CERT_FLAG_INCLUDE_SIGNING_KEY) {
ed25519_cert_extension_t *ext = ed25519_cert_extension_new();
ext->ext_type = CERTEXT_SIGNED_WITH_KEY;
memcpy(ext->un_signing_key, signing_key->pubkey.pubkey, 32);
ed25519_cert_add_ext(cert, ext);
++cert->n_extensions;
}
const ssize_t alloc_len = ed25519_cert_encoded_len(cert);
tor_assert(alloc_len > 0);
uint8_t *encoded = tor_malloc(alloc_len);
const ssize_t real_len = ed25519_cert_encode(encoded, alloc_len, cert);
if (real_len < 0)
goto err;
tor_assert(real_len == alloc_len);
tor_assert(real_len > ED25519_SIG_LEN);
uint8_t *sig = encoded + (real_len - ED25519_SIG_LEN);
tor_assert(tor_mem_is_zero((char*)sig, ED25519_SIG_LEN));
ed25519_signature_t signature;
if (ed25519_sign(&signature, encoded,
real_len-ED25519_SIG_LEN, signing_key)<0) {
log_warn(LD_BUG, "Can't sign certificate");
goto err;
}
memcpy(sig, signature.sig, ED25519_SIG_LEN);
torcert = tor_cert_parse(encoded, real_len);
if (! torcert) {
log_warn(LD_BUG, "Generated a certificate we cannot parse");
goto err;
}
if (tor_cert_checksig(torcert, &signing_key->pubkey, now) < 0) {
log_warn(LD_BUG, "Generated a certificate whose signature we can't check");
goto err;
}
tor_free(encoded);
goto done;
err:
tor_cert_free(torcert);
torcert = NULL;
done:
ed25519_cert_free(cert);
tor_free(encoded);
return torcert;
}
static void
test_routerkeys_ed_certs(void *args)
{
(void)args;
ed25519_keypair_t kp1, kp2;
tor_cert_t *cert[2] = {NULL, NULL}, *nocert = NULL;
tor_cert_t *parsed_cert[2] = {NULL, NULL};
time_t now = 1412094534;
uint8_t *junk = NULL;
char *base64 = NULL;
tt_int_op(0,OP_EQ,ed25519_keypair_generate(&kp1, 0));
tt_int_op(0,OP_EQ,ed25519_keypair_generate(&kp2, 0));
for (int i = 0; i <= 1; ++i) {
uint32_t flags = i ? CERT_FLAG_INCLUDE_SIGNING_KEY : 0;
cert[i] = tor_cert_create(&kp1, 5, &kp2.pubkey, now, 10000, flags);
tt_assert(cert[i]);
tt_uint_op(cert[i]->sig_bad, OP_EQ, 0);
tt_uint_op(cert[i]->sig_ok, OP_EQ, 1);
tt_uint_op(cert[i]->cert_expired, OP_EQ, 0);
tt_uint_op(cert[i]->cert_valid, OP_EQ, 1);
tt_int_op(cert[i]->cert_type, OP_EQ, 5);
tt_mem_op(cert[i]->signed_key.pubkey, OP_EQ, &kp2.pubkey.pubkey, 32);
tt_mem_op(cert[i]->signing_key.pubkey, OP_EQ, &kp1.pubkey.pubkey, 32);
tt_int_op(cert[i]->signing_key_included, OP_EQ, i);
tt_assert(cert[i]->encoded);
tt_int_op(cert[i]->encoded_len, OP_EQ, 104 + 36 * i);
tt_int_op(cert[i]->encoded[0], OP_EQ, 1);
tt_int_op(cert[i]->encoded[1], OP_EQ, 5);
parsed_cert[i] = tor_cert_parse(cert[i]->encoded, cert[i]->encoded_len);
tt_assert(parsed_cert[i]);
tt_int_op(cert[i]->encoded_len, OP_EQ, parsed_cert[i]->encoded_len);
tt_mem_op(cert[i]->encoded, OP_EQ, parsed_cert[i]->encoded,
cert[i]->encoded_len);
tt_uint_op(parsed_cert[i]->sig_bad, OP_EQ, 0);
tt_uint_op(parsed_cert[i]->sig_ok, OP_EQ, 0);
tt_uint_op(parsed_cert[i]->cert_expired, OP_EQ, 0);
tt_uint_op(parsed_cert[i]->cert_valid, OP_EQ, 0);
/* Expired */
tt_int_op(tor_cert_checksig(parsed_cert[i], &kp1.pubkey, now + 30000),
OP_LT, 0);
tt_uint_op(parsed_cert[i]->cert_expired, OP_EQ, 1);
parsed_cert[i]->cert_expired = 0;
/* Wrong key */
tt_int_op(tor_cert_checksig(parsed_cert[i], &kp2.pubkey, now), OP_LT, 0);
tt_uint_op(parsed_cert[i]->sig_bad, OP_EQ, 1);
parsed_cert[i]->sig_bad = 0;
/* Missing key */
int ok = tor_cert_checksig(parsed_cert[i], NULL, now);
tt_int_op(ok < 0, OP_EQ, i == 0);
tt_uint_op(parsed_cert[i]->sig_bad, OP_EQ, 0);
tt_assert(parsed_cert[i]->sig_ok == (i != 0));
tt_assert(parsed_cert[i]->cert_valid == (i != 0));
parsed_cert[i]->sig_bad = 0;
parsed_cert[i]->sig_ok = 0;
parsed_cert[i]->cert_valid = 0;
/* Right key */
tt_int_op(tor_cert_checksig(parsed_cert[i], &kp1.pubkey, now), OP_EQ, 0);
tt_uint_op(parsed_cert[i]->sig_bad, OP_EQ, 0);
tt_uint_op(parsed_cert[i]->sig_ok, OP_EQ, 1);
tt_uint_op(parsed_cert[i]->cert_expired, OP_EQ, 0);
tt_uint_op(parsed_cert[i]->cert_valid, OP_EQ, 1);
}
/* Now try some junky certs. */
/* - Truncated */
nocert = tor_cert_parse(cert[0]->encoded, cert[0]->encoded_len-1);
tt_ptr_op(NULL, OP_EQ, nocert);
/* - First byte modified */
cert[0]->encoded[0] = 99;
nocert = tor_cert_parse(cert[0]->encoded, cert[0]->encoded_len);
tt_ptr_op(NULL, OP_EQ, nocert);
cert[0]->encoded[0] = 1;
/* - Extra byte at the end*/
junk = tor_malloc_zero(cert[0]->encoded_len + 1);
memcpy(junk, cert[0]->encoded, cert[0]->encoded_len);
nocert = tor_cert_parse(junk, cert[0]->encoded_len+1);
tt_ptr_op(NULL, OP_EQ, nocert);
/* - Multiple signing key instances */
tor_free(junk);
junk = tor_malloc_zero(104 + 36 * 2);
junk[0] = 1; /* version */
junk[1] = 5; /* cert type */
junk[6] = 1; /* key type */
junk[39] = 2; /* n_extensions */
junk[41] = 32; /* extlen */
junk[42] = 4; /* exttype */
junk[77] = 32; /* extlen */
junk[78] = 4; /* exttype */
nocert = tor_cert_parse(junk, 104 + 36 * 2);
tt_ptr_op(NULL, OP_EQ, nocert);
done:
tor_cert_free(cert[0]);
tor_cert_free(cert[1]);
tor_cert_free(parsed_cert[0]);
tor_cert_free(parsed_cert[1]);
tor_cert_free(nocert);
tor_free(junk);
tor_free(base64);
}
