RSA cross-certification of ed25519 keys differs from spec
Proposal 220 section 4.2 defines a means of certifying an ed25519 key using an RSA key:
Certificate type [07] (Cross-certification of Ed25519 identity with RSA key) contains the following data:

    ED25519_KEY [32 bytes]
    EXPIRATION_DATE [4 bytes]
    SIGNATURE [128 bytes]

Here, the Ed25519 identity key is signed with the router's RSA identity key, to indicate that authenticating with a key certified by the Ed25519 key counts as certifying with the RSA identity key. (The signature is computed on the SHA256 hash of the non-signature parts of the certificate, prefixed with the string "Tor TLS RSA/Ed25519 cross-certificate".)
We implement this in the rsa_ed_crosscert_t trunnel structure and the tor_make_rsa_ed25519_crosscert() function. There are two issues with this implementation, compared to the proposal:

Firstly, this code includes a 1-byte SIG_LEN field before the signature, followed by a signature of variable size rather than a fixed 128 bytes. We should just change this in the proposal.

More significantly, this code signs the 36-byte structure (ED25519_KEY || EXPIRATION_DATE) directly rather than a SHA256 digest of the structure, and of course also doesn't include the prefix string in that signature. I doubt we can change this format easily now.
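To make the two layouts concrete, here is an added illustration (not Tor's code) that encodes the proposal's layout and the layout the ticket says the implementation emits, with the RSA signing step abstracted behind a callable; the big-endian encoding of EXPIRATION_DATE and the sample key bytes are assumptions of this example.

```python
import hashlib
import struct
from typing import Callable, Tuple

# Prefix from proposal 220 section 4.2 (quoted on this page).
PREFIX = b"Tor TLS RSA/Ed25519 cross-certificate"

def crosscert_body(ed25519_key: bytes, expiration: int) -> bytes:
    """ED25519_KEY [32 bytes] || EXPIRATION_DATE [4 bytes].
    Big-endian u32 for the date is an assumption of this example."""
    if len(ed25519_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ed25519_key + struct.pack(">I", expiration)

def spec_crosscert(ed25519_key: bytes, expiration: int,
                   rsa_sign: Callable[[bytes], bytes]) -> bytes:
    """Proposal layout: fixed 128-byte signature over SHA256(PREFIX || body)."""
    body = crosscert_body(ed25519_key, expiration)
    sig = rsa_sign(hashlib.sha256(PREFIX + body).digest())
    if len(sig) != 128:
        raise ValueError("proposal fixes the RSA signature at 128 bytes")
    return body + sig

def impl_crosscert(ed25519_key: bytes, expiration: int,
                   rsa_sign: Callable[[bytes], bytes]) -> bytes:
    """Layout described in the ticket: SIG_LEN byte, then a variable-length
    signature computed over the raw 36-byte body (no digest, no prefix)."""
    body = crosscert_body(ed25519_key, expiration)
    sig = rsa_sign(body)
    if len(sig) > 255:
        raise ValueError("SIG_LEN is a single byte")
    return body + bytes([len(sig)]) + sig

def parse_impl_crosscert(blob: bytes) -> Tuple[bytes, int, bytes]:
    """Parse the SIG_LEN layout strictly: reject truncation and trailing bytes."""
    if len(blob) < 37:
        raise ValueError("truncated cross-certificate")
    key, expiration = blob[:32], struct.unpack(">I", blob[32:36])[0]
    sig_len = blob[36]
    if len(blob) != 37 + sig_len:
        raise ValueError("SIG_LEN does not match remaining bytes")
    return key, expiration, blob[37:]

def signing_inputs(ed25519_key: bytes, expiration: int) -> Tuple[bytes, bytes]:
    """Return (what the proposal signs, what the implementation signs).
    The two differ, which is why a verifier following the spec rejects
    a certificate produced by the implementation and vice versa."""
    body = crosscert_body(ed25519_key, expiration)
    return hashlib.sha256(PREFIX + body).digest(), body
```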