Commit 5d1d7afc authored by Nick Mathewson's avatar Nick Mathewson 🐻
Browse files

Use the correct SIGNED_KEY_TYPE value for signing->link certs

Our code was using [01] as for the key type of signed->link certs,
which was incorrect.  The value should be [03], to indicate that the
value as the SHA256 of an x.509 cert.

Fortunately, nothing cares about this value, so there shouldn't be
compatibility issues.

Fixes bug 40124; bugfix on 0.2.7.2-alpha.
parent 22643272
o Minor bugfixes (spec conformance):
- Use the correct key type when generating signing->link
certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.
......@@ -37,11 +37,11 @@
#include "core/or/or_handshake_certs_st.h"
/** Helper for tor_cert_create_*(): signs any 32 bytes, not just an ed25519
* key.
/** As tor_cert_create(), but accept an arbitrary signed_key_type as the
* subject key -- not just an ed25519 key.
*/
static tor_cert_t *
tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
tor_cert_t *
tor_cert_create_raw(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
uint8_t signed_key_type,
const uint8_t signed_key_info[32],
......@@ -134,7 +134,7 @@ tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
time_t now, time_t lifetime,
uint32_t flags)
{
return tor_cert_sign_impl(signing_key, cert_type,
return tor_cert_create_raw(signing_key, cert_type,
SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
now, lifetime, flags);
}
......
......@@ -11,7 +11,9 @@
#include "lib/crypt_ops/crypto_ed25519.h"
#define SIGNED_KEY_TYPE_ED25519 0x01
#define SIGNED_KEY_TYPE_ED25519 0x01
#define SIGNED_KEY_TYPE_SHA256_OF_RSA 0x02
#define SIGNED_KEY_TYPE_SHA256_OF_X509 0x03
#define CERT_TYPE_ID_SIGNING 0x04
#define CERT_TYPE_SIGNING_LINK 0x05
......@@ -61,6 +63,12 @@ tor_cert_t *tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
const ed25519_public_key_t *signed_key,
time_t now, time_t lifetime,
uint32_t flags);
tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
uint8_t signed_key_type,
const uint8_t signed_key_info[32],
time_t now, time_t lifetime,
uint32_t flags);
tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
......
......@@ -387,12 +387,10 @@ generate_ed_link_cert(const or_options_t *options, time_t now,
return 0;
}
ed25519_public_key_t dummy_key;
memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);
link_cert = tor_cert_create_ed25519(get_master_signing_keypair(),
link_cert = tor_cert_create_raw(get_master_signing_keypair(),
CERT_TYPE_SIGNING_LINK,
&dummy_key,
SIGNED_KEY_TYPE_SHA256_OF_X509,
(const uint8_t*)digests->d[DIGEST_SHA256],
now,
options->TestingLinkCertLifetime, 0);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment