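/**
 * Make sure we have an Ed25519 "signing -> link" certificate
 * (CERT_TYPE_SIGNING_LINK) that covers the X509 link certificate our TLS
 * layer currently presents.
 *
 * The certificate does not carry a real Ed25519 key: the SHA256 digest of
 * the X509 link certificate is copied into the <b>signed_key</b> slot, and
 * the result is signed with whatever get_master_signing_keypair() returns.
 * Presumably this is what lets a peer tie our TLS certificate to our
 * Ed25519 identity -- confirm against the link-handshake code.
 *
 * A new certificate is generated only when none is cached in
 * <b>link_cert_cert</b>, when the cached one is about to expire according
 * to EXPIRES_SOON() and <b>options->TestingLinkKeySlop</b>, or when the
 * cached one no longer matches the digest of the current X509 certificate
 * (i.e. the TLS certificate has been rotated underneath it).  The new
 * certificate is valid for <b>options->TestingLinkCertLifetime</b> from
 * <b>now</b>.
 *
 * Returns 0 when a matching, unexpired certificate is in place (either the
 * cached one or a freshly generated one).  Returns -1 when the X509 link
 * certificate cannot be retrieved, or when tor_cert_create() fails; in the
 * latter case <b>link_cert_cert</b> is left untouched (possibly stale or
 * NULL) so the caller must treat the result as an error.
 */
int
generate_ed_link_cert(const or_options_t *options, time_t now)
{
  const tor_x509_cert_t *link = NULL, *id = NULL;
  tor_cert_t *link_cert = NULL;

  if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) {
    log_warn(LD_OR, "Can't get my x509 link cert.");
    return -1;
  }

  const digests_t *digests = tor_x509_cert_get_cert_digests(link);

  /* Reuse the cached certificate only if it still has time left AND still
   * certifies the X509 certificate we are actually presenting. */
  if (link_cert_cert &&
      ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
      fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
                 DIGEST256_LEN)) {
    return 0;
  }

  /* The "key" being certified is the X509 certificate's SHA256 digest,
   * carried in an ed25519_public_key_t; this relies on pubkey holding
   * DIGEST256_LEN bytes. */
  ed25519_public_key_t dummy_key;
  memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);

  link_cert = tor_cert_create(get_master_signing_keypair(),
                              CERT_TYPE_SIGNING_LINK,
                              &dummy_key,
                              now,
                              options->TestingLinkCertLifetime, 0);

  if (!link_cert) {
    /* Failing to build the certificate is an error, not a success: a
     * silent 0 here would leave a stale or missing link certificate in
     * place while reporting that everything is fine. */
    log_warn(LD_OR, "Couldn't create my Ed25519 link certificate.");
    return -1;
  }

  SET_CERT(link_cert_cert, link_cert);
  return 0;
}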
/**
 * Decide whether our Ed25519 key material and certificates need to be
 * (re)generated.
 *
 * Returns 1 when any of the following holds, and 0 otherwise:
 *   - the master identity key, master signing key, current auth key or
 *     cached link certificate is not loaded;
 *   - the signing, auth or link certificate is about to expire according
 *     to EXPIRES_SOON() and the matching Testing*KeySlop option;
 *   - the current X509 link certificate cannot be retrieved from the TLS
 *     layer;
 *   - the cached Ed25519 link certificate does not carry the SHA256 digest
 *     of that X509 certificate (the TLS certificate was rotated).
 *
 * <b>now</b> is not referenced directly in this body; EXPIRES_SOON() is
 * presumed to pick it up -- confirm against the macro definition.
 */
int
should_make_new_ed_keys(const or_options_t *options, const time_t now)
{
  /* Anything missing means there is nothing usable yet. */
  if (!master_identity_key || !master_signing_key ||
      !current_auth_key || !link_cert_cert)
    return 1;

  /* Refresh ahead of expiry, each certificate with its own slop. */
  if (EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop))
    return 1;
  if (EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop))
    return 1;
  if (EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop))
    return 1;

  /* Without the X509 link certificate we cannot tell whether the cached
   * Ed25519 link certificate is still the right one, so regenerate. */
  const tor_x509_cert_t *x509_link = NULL, *x509_id = NULL;
  if (tor_tls_get_my_certs(1, &x509_link, &x509_id) < 0 || !x509_link)
    return 1;

  /* The link certificate's signed_key slot holds the digest of the X509
   * certificate it vouches for; a mismatch means it is out of date. */
  const digests_t *x509_digests = tor_x509_cert_get_cert_digests(x509_link);
  const int still_matches =
    fast_memeq(x509_digests->d[DIGEST_SHA256],
               link_cert_cert->signed_key.pubkey,
               DIGEST256_LEN);

  return still_matches ? 0 : 1;
}
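/**
 * Retrieve our currently-in-use X509 link certificate and, if we are a
 * server, make sure an Ed25519 "signing -> link" certificate
 * (CERT_TYPE_SIGNING_LINK) covering it is cached in <b>link_cert_cert</b>.
 *
 * The certificate does not carry a real Ed25519 key: the SHA256 digest of
 * the X509 link certificate is copied into the <b>signed_key</b> slot, and
 * the result is signed with whatever get_master_signing_keypair() returns.
 * Presumably this is what lets a peer tie our TLS certificate to our
 * Ed25519 identity -- confirm against the link-handshake code.
 *
 * A new certificate is generated when <b>force</b> is nonzero, when none
 * is cached, when the cached one is about to expire (based on <b>now</b>,
 * via EXPIRES_SOON() and <b>options->TestingLinkKeySlop</b>), or when the
 * cached one no longer matches the digest of the current X509 certificate.
 * The new certificate is valid for <b>options->TestingLinkCertLifetime</b>
 * from <b>now</b>.
 *
 * Returns 0 on success: either we are a client and need no such
 * certificate, or a matching unexpired certificate was already cached, or
 * a new one was successfully generated.  Returns -1 when a server cannot
 * retrieve its X509 link certificate, or when tor_cert_create() fails; in
 * the latter case <b>link_cert_cert</b> is left untouched (possibly stale
 * or NULL) so the caller must treat the result as an error.
 */
int
generate_ed_link_cert(const or_options_t *options, time_t now,
                      int force)
{
  const tor_x509_cert_t *link_ = NULL, *id = NULL;
  tor_cert_t *link_cert = NULL;

  if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL) {
    if (!server_mode(options)) {
      /* No need to make an Ed25519->Link cert: we are a client */
      return 0;
    }
    log_warn(LD_OR, "Can't get my x509 link cert.");
    return -1;
  }

  const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);

  /* Reuse the cached certificate only if not forced, it still has time
   * left, AND it still certifies the X509 certificate we present. */
  if (force == 0 &&
      link_cert_cert &&
      ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
      fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
                 DIGEST256_LEN)) {
    return 0;
  }

  /* The "key" being certified is the X509 certificate's SHA256 digest,
   * carried in an ed25519_public_key_t; this relies on pubkey holding
   * DIGEST256_LEN bytes. */
  ed25519_public_key_t dummy_key;
  memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);

  link_cert = tor_cert_create(get_master_signing_keypair(),
                              CERT_TYPE_SIGNING_LINK,
                              &dummy_key,
                              now,
                              options->TestingLinkCertLifetime, 0);

  if (!link_cert) {
    /* Failing to build the certificate is an error, not a success: a
     * silent 0 here would leave a stale or missing link certificate in
     * place while reporting that everything is fine. */
    log_warn(LD_OR, "Couldn't create my Ed25519 link certificate.");
    return -1;
  }

  SET_CERT(link_cert_cert, link_cert);
  return 0;
}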