int should_make_new_ed_keys(const or_options_t *options, const time_t now) { if (!master_identity_key || !master_signing_key || !current_auth_key || !link_cert_cert || EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) || EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop) || EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop)) return 1; const tor_x509_cert_t *link = NULL, *id = NULL; if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) return 1; const digests_t *digests = tor_x509_cert_get_cert_digests(link); if (!fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey, DIGEST256_LEN)) { return 1; } return 0; }
/**DOCDOC*/ int generate_ed_link_cert(const or_options_t *options, time_t now) { const tor_x509_cert_t *link = NULL, *id = NULL; tor_cert_t *link_cert = NULL; if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) { log_warn(LD_OR, "Can't get my x509 link cert."); return -1; } const digests_t *digests = tor_x509_cert_get_cert_digests(link); if (link_cert_cert && ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) && fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey, DIGEST256_LEN)) { return 0; } ed25519_public_key_t dummy_key; memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN); link_cert = tor_cert_create(get_master_signing_keypair(), CERT_TYPE_SIGNING_LINK, &dummy_key, now, options->TestingLinkCertLifetime, 0); if (link_cert) { SET_CERT(link_cert_cert, link_cert); } return 0; }
/** * Retrieve our currently-in-use Ed25519 link certificate and id certificate, * and, if they would expire soon (based on the time <b>now</b>, generate new * certificates (without embedding the public part of the signing key inside). * If <b>force</b> is true, always generate a new certificate. * * The signed_key from the current id->signing certificate will be used to * sign the new key within newly generated X509 certificate. * * Returns -1 upon error. Otherwise, returns 0 upon success (either when the * current certificate is still valid, or when a new certificate was * successfully generated, or no certificate was needed). */ int generate_ed_link_cert(const or_options_t *options, time_t now, int force) { const tor_x509_cert_t *link_ = NULL, *id = NULL; tor_cert_t *link_cert = NULL; if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL) { if (!server_mode(options)) { /* No need to make an Ed25519->Link cert: we are a client */ return 0; } log_warn(LD_OR, "Can't get my x509 link cert."); return -1; } const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_); if (force == 0 && link_cert_cert && ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) && fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey, DIGEST256_LEN)) { return 0; } ed25519_public_key_t dummy_key; memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN); link_cert = tor_cert_create(get_master_signing_keypair(), CERT_TYPE_SIGNING_LINK, &dummy_key, now, options->TestingLinkCertLifetime, 0); if (link_cert) { SET_CERT(link_cert_cert, link_cert); } return 0; }
static void * recv_certs_setup(const struct testcase_t *test) { (void)test; certs_data_t *d = tor_malloc_zero(sizeof(*d)); certs_cell_cert_t *ccc1 = NULL; certs_cell_cert_t *ccc2 = NULL; ssize_t n; d->c = or_connection_new(CONN_TYPE_OR, AF_INET); d->chan = tor_malloc_zero(sizeof(*d->chan)); d->c->chan = d->chan; d->c->base_.address = tor_strdup("HaveAnAddress"); d->c->base_.state = OR_CONN_STATE_OR_HANDSHAKING_V3; d->chan->conn = d->c; tt_int_op(connection_init_or_handshake_state(d->c, 1), ==, 0); d->c->link_proto = 4; d->key1 = pk_generate(2); d->key2 = pk_generate(3); tt_int_op(tor_tls_context_init(TOR_TLS_CTX_IS_PUBLIC_SERVER, d->key1, d->key2, 86400), ==, 0); d->ccell = certs_cell_new(); ccc1 = certs_cell_cert_new(); certs_cell_add_certs(d->ccell, ccc1); ccc2 = certs_cell_cert_new(); certs_cell_add_certs(d->ccell, ccc2); d->ccell->n_certs = 2; ccc1->cert_type = 1; ccc2->cert_type = 2; const tor_x509_cert_t *a,*b; const uint8_t *enca, *encb; size_t lena, lenb; tor_tls_get_my_certs(1, &a, &b); tor_x509_cert_get_der(a, &enca, &lena); tor_x509_cert_get_der(b, &encb, &lenb); certs_cell_cert_setlen_body(ccc1, lena); ccc1->cert_len = lena; certs_cell_cert_setlen_body(ccc2, lenb); ccc2->cert_len = lenb; memcpy(certs_cell_cert_getarray_body(ccc1), enca, lena); memcpy(certs_cell_cert_getarray_body(ccc2), encb, lenb); d->cell = var_cell_new(4096); d->cell->command = CELL_CERTS; n = certs_cell_encode(d->cell->payload, 4096, d->ccell); tt_int_op(n, >, 0); d->cell->payload_len = n; MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key); MOCK(connection_or_send_netinfo, mock_send_netinfo); MOCK(connection_or_close_for_error, mock_close_for_err); tt_int_op(0, ==, d->c->handshake_state->received_certs_cell); tt_int_op(0, ==, mock_send_authenticate_called); tt_int_op(0, ==, mock_send_netinfo_called); return d; done: recv_certs_cleanup(test, d); return NULL; }