Tor
0.4.7.0-alpha-dev
Read keys from disk, creating as needed.
#include "core/or/or.h"
#include "app/config/config.h"
#include "app/main/main.h"
#include "feature/keymgt/loadkey.h"
#include "feature/nodelist/torcert.h"
#include "lib/crypt_ops/crypto_pwbox.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/term/getpass.h"
#include "lib/crypt_ops/crypto_format.h"
Macros | |
#define | ENC_KEY_HEADER "Boxed Ed25519 key" |
#define | ENC_KEY_TAG "master" |
Functions | |
crypto_pk_t * | init_key_from_file (const char *fname, int generate, int severity, bool *created_out) |
static ssize_t | do_getpass (const char *prompt, char *buf, size_t buflen, int twice, const or_options_t *options) |
int | read_encrypted_secret_key (ed25519_secret_key_t *out, const char *fname) |
int | write_encrypted_secret_key (const ed25519_secret_key_t *key, const char *fname) |
static int | write_secret_key (const ed25519_secret_key_t *key, int encrypted, const char *fname, const char *fname_tag, const char *encrypted_fname) |
ed25519_keypair_t * | ed_key_init_from_file (const char *fname, uint32_t flags, int severity, const ed25519_keypair_t *signing_key, time_t now, time_t lifetime, uint8_t cert_type, struct tor_cert_st **cert_out, const or_options_t *options) |
ed25519_keypair_t * | ed_key_new (const ed25519_keypair_t *signing_key, uint32_t flags, time_t now, time_t lifetime, uint8_t cert_type, struct tor_cert_st **cert_out) |
Read keys from disk, creating as needed.
This code is shared by relays and onion services, which both need this functionality.
Definition in file loadkey.c.
ed25519_keypair_t* ed_key_init_from_file | ( | const char * | fname, |
uint32_t | flags, | ||
int | severity, | ||
const ed25519_keypair_t * | signing_key, | ||
time_t | now, | ||
time_t | lifetime, | ||
uint8_t | cert_type, | ||
struct tor_cert_st ** | cert_out, | ||
const or_options_t * | options | ||
) |
Read an ed25519 key and associated certificates from files beginning with fname, with certificate type cert_type. On failure, return NULL; on success return the keypair.
options is consulted for its change_key_passphrase setting when a secret key is written to disk. It may safely be NULL even in that case.
If INIT_ED_KEY_CREATE is set in flags, then create the key (and certificate if requested) if it doesn't exist, and save it to disk.
If INIT_ED_KEY_NEEDCERT is set in flags, load/create a certificate too and store it in *cert_out. Fail if the cert can't be found/created. To create a certificate, signing_key must be set to the key that should sign it, now to the current time, and lifetime to the lifetime of the key.
If INIT_ED_KEY_REPLACE is set in flags, create and save a new key whether or not the old one can be read. Because the new key is saved under the same file names, any previously stored key is superseded; set this flag only when discarding the existing key is the intent.
If INIT_ED_KEY_EXTRA_STRONG is set in flags, set the extra_strong flag when creating the secret key.
If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in flags, and we create a new certificate, create it with the signing key embedded.
If INIT_ED_KEY_SPLIT is set in flags, and we create a new key, store the public key in a separate file from the secret key.
If INIT_ED_KEY_MISSING_SECRET_OK is set in flags, and we find a public key file but no secret key file, return successfully anyway.
If INIT_ED_KEY_OMIT_SECRET is set in flags, do not try to load a secret key unless no public key is found, and do not return a secret key (but create and save one if needed).
If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key and consider encrypting any new secret key.
If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys from disk other than their absence (full or partial), we do not try to replace them. Without this flag, a corrupt or unreadable key file may be regenerated rather than reported, which (for an identity key) silently changes the identity it represents.
If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures refer to the --keygen option.
If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the secret key file, encrypted or not.
If INIT_ED_KEY_OFFLINE_SECRET is set, we do not try to load the master secret key, and we log a message at severity saying so.
ed25519_keypair_t* ed_key_new | ( | const ed25519_keypair_t * | signing_key, |
uint32_t | flags, | ||
time_t | now, | ||
time_t | lifetime, | ||
uint8_t | cert_type, | ||
struct tor_cert_st ** | cert_out | ||
) |
Create a new signing key and (optionally) certificate; do not read from or write to disk. See ed_key_init_from_file() for more information.
crypto_pk_t* init_key_from_file | ( | const char * | fname, |
int | generate, | ||
int | severity, | ||
bool * | created_out | ||
) |
Try to read an RSA key from fname. If fname doesn't exist and generate is true, create a new RSA key and save it in fname. Return the read/created key, or NULL on error. Log all errors at level severity. If created_out is non-NULL and a new key was created, set *created_out to true.