vincenzopalazzo
/
arti
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
arti/crates/tor-cert
History
Gabriela Moldovan 1d4069cc7f
Use the type system to enforce use of blinded keys. 
Hidden services use blinded singing keys derived from the identity key
to sign descriptor signing keys.

Before this patch, the hidden descriptor builder represented its blinded
signing keys (`blinded_id`) as plain `ed25519::Keypair`s. This was not
ideal, as there was nothing preventing the caller from accidentally
initializing `blinded_id` with an unblinded keypair.

This introduces a new `HsBlindKeypair` type to represent blinded
keypairs.

Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
 		2023-03-27 11:45:51 +01:00
..
fuzz Do not .gitignore crates/*/fuzz/corpus 2023-01-20 17:29:00 +00:00
src Use the type system to enforce use of blinded keys. 2023-03-27 11:45:51 +01:00
tests Change tor_bytes::Error::BadMessage to a Cow. 2023-02-09 10:20:31 -05:00
Cargo.toml Patchlevel bumps for remaining changed crates. 2023-02-28 07:13:27 -05:00
README.md Complete our migration to base64ct. 2023-01-20 08:06:30 -05:00

README.md

tor-cert

Implementation for Tor certificates

Overview

The tor-cert crate implements the binary certificate types documented in Tor's cert-spec.txt, which are used when authenticating Tor channels. (Eventually, support for onion service certificate support will get added too.)

This crate is part of Arti, a project to implement Tor in Rust.

There are other types of certificate used by Tor as well, and they are implemented in other places. In particular, see [tor-netdoc::doc::authcert] for the certificate types used by authorities in the directory protocol.

Design notes

The tor-cert code is in its own separate crate because it is required by several other higher-level crates that do not depend upon each other. For example, [tor-netdoc] parses encoded certificates from router descriptors, while [tor-proto] uses certificates when authenticating relays.

Examples

Parsing, validating, and inspecting a certificate:

use base64ct::{Base64, Encoding as _};
use tor_cert::*;
use tor_checkable::*;
// Taken from a random relay on the Tor network.
let cert_base64 =
 "AQQABrntAThPWJ4nFH1L77Ar+emd4GPXZTPUYzIwmR2H6Zod5TvXAQAgBAC+vzqh
  VFO1SGATubxcrZzrsNr+8hrsdZtyGg/Dde/TqaY1FNbeMqtAPMziWOd6txzShER4
  qc/haDk5V45Qfk6kjcKw+k7cPwyJeu+UF/azdoqcszHRnUHRXpiPzudPoA4=";
// Remove the whitespace, so base64 doesn't choke on it.
let cert_base64: String = cert_base64.split_whitespace().collect();
// Decode the base64.
let cert_bin = Base64::decode_vec(&cert_base64).unwrap();

// Decode the cert and check its signature.
let cert = Ed25519Cert::decode(&cert_bin).unwrap()
    .check_key(None).unwrap()
    .check_signature().unwrap()
    .dangerously_assume_timely();
let signed_key = cert.subject_key();

License: MIT OR Apache-2.0