routerkeys.c File Reference

Functions and structures to handle generating and maintaining the set of keypairs necessary to be an OR. More...

#include "core/or/or.h"
#include "app/config/config.h"
#include "feature/relay/router.h"
#include "feature/relay/routerkeys.h"
#include "feature/relay/routermode.h"
#include "feature/keymgt/loadkey.h"
#include "feature/nodelist/torcert.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/tls/tortls.h"
#include "lib/tls/x509.h"

Go to the source code of this file.

Macros
#define	ENC_KEY_HEADER   "Boxed Ed25519 key"
#define	ENC_KEY_TAG   "master"
#define	FAIL(msg)
#define	SET_KEY(key, newval)
#define	SET_CERT(cert, newval)
#define	HAPPENS_SOON(when, interval)    ((when) < now + (interval))
#define	EXPIRES_SOON(cert, interval)    (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))

Functions
int	load_ed_keys (const or_options_t *options, time_t now)
int	generate_ed_link_cert (const or_options_t *options, time_t now, int force)
int	should_make_new_ed_keys (const or_options_t *options, const time_t now)
static void	print_cert_expiration (const char *expiration, const char *description)
static void	log_ed_cert_expiration (const tor_cert_t *cert, const char *description, const char *fname, key_expiration_format_t time_format)
static int	log_master_signing_key_cert_expiration (const or_options_t *options)
int	log_cert_expiration (void)
const ed25519_public_key_t *	get_master_identity_key (void)
int	router_ed25519_id_is_me (const ed25519_public_key_t *id)
const ed25519_keypair_t *	get_master_signing_keypair (void)
const struct tor_cert_st *	get_master_signing_key_cert (void)
const ed25519_keypair_t *	get_current_auth_keypair (void)
const tor_cert_t *	get_current_link_cert_cert (void)
const tor_cert_t *	get_current_auth_key_cert (void)
void	get_master_rsa_crosscert (const uint8_t **cert_out, size_t *size_out)
tor_cert_t *	make_ntor_onion_key_crosscert (const curve25519_keypair_t *onion_key, const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime, int *sign_out)
uint8_t *	make_tap_onion_key_crosscert (const crypto_pk_t *onion_key, const ed25519_public_key_t *master_id_key, const crypto_pk_t *rsa_id_key, int *len_out)
void	routerkeys_free_all (void)

Variables
static ed25519_keypair_t *	master_identity_key = NULL
static ed25519_keypair_t *	master_signing_key = NULL
static ed25519_keypair_t *	current_auth_key = NULL
static tor_cert_t *	signing_key_cert = NULL
static tor_cert_t *	link_cert_cert = NULL
static tor_cert_t *	auth_key_cert = NULL
static uint8_t *	rsa_ed_crosscert = NULL
static size_t	rsa_ed_crosscert_len = 0
static time_t	rsa_ed_crosscert_expiration = 0

Detailed Description

Functions and structures to handle generating and maintaining the set of keypairs necessary to be an OR.

The keys handled here now are the Ed25519 keys that Tor relays use to sign descriptors, authenticate themselves on links, and identify one another uniquely. Other keys are maintained in router.c and rendservice.c.

(TODO: The keys in router.c should go here too.)

Definition in file routerkeys.c.

Macro Definition Documentation

FAIL

#define FAIL

(

msg

)

Value:

    do {                          \
    log_warn(LD_OR, (msg));                     \
    goto err;                                   \
  } while (0)

SET_CERT

#define SET_CERT	(		cert,
			newval
	)

Value:

    do {             \
    if ((cert) != (newval))                     \
      tor_cert_free(cert);                      \
    cert = (newval);                            \
  } while (0)

SET_KEY

#define SET_KEY	(		key,
			newval
	)

Value:

    do {               \
    if ((key) != (newval))                      \
      ed25519_keypair_free(key);                \
    key = (newval);                             \
  } while (0)

Function Documentation

generate_ed_link_cert()

int generate_ed_link_cert	(	const or_options_t *	options,
		time_t	now,
		int	force
	)

Retrieve our currently-in-use Ed25519 link certificate and id certificate, and, if they would expire soon (based on the time now, generate new certificates (without embedding the public part of the signing key inside). If force is true, always generate a new certificate.

The signed_key from the current id->signing certificate will be used to sign the new key within newly generated X509 certificate.

Returns -1 upon error. Otherwise, returns 0 upon success (either when the current certificate is still valid, or when a new certificate was successfully generated, or no certificate was needed).

Definition at line 365 of file routerkeys.c.

load_ed_keys()

int load_ed_keys	(	const or_options_t *	options,
		time_t	now
	)

Running as a server: load, reload, or refresh our ed25519 keys and certificates, creating and saving new ones as needed.

Return -1 on failure; 0 on success if the signing key was not replaced; and 1 on success if the signing key was replaced.

Definition at line 55 of file routerkeys.c.

log_cert_expiration()

int log_cert_expiration

(

void

)

Log when a key certificate expires. Used when tor is given the –key-expiration command-line option.

If an command argument is given, which should specify the type of key to get expiry information about (currently supported arguments are "sign"), get info about that type of certificate. Otherwise, print info about the supported arguments.

Returns 0 on success and -1 on failure.

Definition at line 606 of file routerkeys.c.

log_ed_cert_expiration()

static void log_ed_cert_expiration ( const tor_cert_t *  cert, const char *  description, const char *  fname, key_expiration_format_t  time_format  )

static

Log when a certificate, cert, with some description and stored in a file named fname, is going to expire. Formats the expire time according to time_format.

Definition at line 524 of file routerkeys.c.

log_master_signing_key_cert_expiration()

static int log_master_signing_key_cert_expiration ( const or_options_t *  options )

static

Log when our master signing key certificate expires. Used when tor is given the –key-expiration command-line option.

Returns 0 on success and 1 on failure.

Definition at line 560 of file routerkeys.c.

Referenced by log_cert_expiration().

make_ntor_onion_key_crosscert()

tor_cert_t* make_ntor_onion_key_crosscert	(	const curve25519_keypair_t *	onion_key,
		const ed25519_public_key_t *	master_id_key,
		time_t	now,
		time_t	lifetime,
		int *	sign_out
	)

Construct cross-certification for the master identity key with the ntor onion key. Store the sign of the corresponding ed25519 public key in *sign_out.

Definition at line 689 of file routerkeys.c.

make_tap_onion_key_crosscert()

uint8_t* make_tap_onion_key_crosscert	(	const crypto_pk_t *	onion_key,
		const ed25519_public_key_t *	master_id_key,
		const crypto_pk_t *	rsa_id_key,
		int *	len_out
	)

Construct and return an RSA signature for the TAP onion key to cross-certify the RSA and Ed25519 identity keys. Set len_out to its length.

Definition at line 712 of file routerkeys.c.

print_cert_expiration()

static void print_cert_expiration ( const char *  expiration, const char *  description  )

static

Print the ISO8601-formated expiration for a certificate with some description to stdout.

For example, for a signing certificate, this might print out: signing-cert-expiry: 2017-07-25 08:30:15 UTC

Definition at line 512 of file routerkeys.c.

router_ed25519_id_is_me()

int router_ed25519_id_is_me

(

const ed25519_public_key_t *

id

)

Return true iff id is our Ed25519 master identity key.

Definition at line 631 of file routerkeys.c.

should_make_new_ed_keys()

int should_make_new_ed_keys	(	const or_options_t *	options,
		const time_t	now
	)

Return 1 if any of the following are true:

• if one of our Ed25519 signing, auth, or link certificates would expire soon w.r.t. the time now,
• if we do not currently have a link certificate, or
• if our cached Ed25519 link certificate is not same as the one we're currently using.

Otherwise, returns 0.

Definition at line 419 of file routerkeys.c.