routerkeys.c File Reference

Functions and structures to handle generating and maintaining the set of keypairs necessary to be an OR. More...

#include "core/or/or.h"
#include "app/config/config.h"
#include "feature/relay/router.h"
#include "feature/relay/routerkeys.h"
#include "feature/relay/routermode.h"
#include "feature/keymgt/loadkey.h"
#include "feature/nodelist/torcert.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/tls/tortls.h"
#include "lib/tls/x509.h"



/* Header and tag strings for the on-disk form of the master identity key.
 * NOTE(review): presumably the label/tag used by the "boxed" (encrypted) key
 * container handled in feature/keymgt/loadkey.h -- confirm there. */
#define ENC_KEY_HEADER   "Boxed Ed25519 key"
#define ENC_KEY_TAG   "master"
/* Helper macros; their bodies are shown under "Macro Definition
 * Documentation" below.  FAIL() logs and jumps to an err: label, SET_KEY()
 * and SET_CERT() replace a pointer after freeing its previous value. */
#define FAIL(msg)
#define SET_KEY(key, newval)
#define SET_CERT(cert, newval)
/* True iff the time_t <b>when</b> falls before <b>now</b> + <b>interval</b>.
 * Note the hidden dependency: <tt>now</tt> is not a macro parameter, so a
 * variable of that name must be in scope wherever this is expanded. */
#define HAPPENS_SOON(when, interval)    ((when) < now + (interval))
/* True iff <b>cert</b> is NULL or its valid_until is within <b>interval</b>
 * seconds of <tt>now</tt>.  A missing certificate deliberately counts as
 * "expiring soon" so that callers regenerate it rather than dereference NULL. */
#define EXPIRES_SOON(cert, interval)    (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))


int load_ed_keys (const or_options_t *options, time_t now)
int generate_ed_link_cert (const or_options_t *options, time_t now, int force)
int should_make_new_ed_keys (const or_options_t *options, const time_t now)
static void print_cert_expiration (const char *expiration, const char *description)
static void log_ed_cert_expiration (const tor_cert_t *cert, const char *description, const char *fname, key_expiration_format_t time_format)
static int log_master_signing_key_cert_expiration (const or_options_t *options)
int log_cert_expiration (void)
const ed25519_public_key_t * get_master_identity_key (void)
int router_ed25519_id_is_me (const ed25519_public_key_t *id)
const ed25519_keypair_t * get_master_signing_keypair (void)
const struct tor_cert_st * get_master_signing_key_cert (void)
const ed25519_keypair_t * get_current_auth_keypair (void)
const tor_cert_t * get_current_link_cert_cert (void)
const tor_cert_t * get_current_auth_key_cert (void)
void get_master_rsa_crosscert (const uint8_t **cert_out, size_t *size_out)
tor_cert_t * make_ntor_onion_key_crosscert (const curve25519_keypair_t *onion_key, const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime, int *sign_out)
uint8_t * make_tap_onion_key_crosscert (const crypto_pk_t *onion_key, const ed25519_public_key_t *master_id_key, const crypto_pk_t *rsa_id_key, int *len_out)
void routerkeys_free_all (void)


static ed25519_keypair_t * master_identity_key = NULL
static ed25519_keypair_t * master_signing_key = NULL
static ed25519_keypair_t * current_auth_key = NULL
static tor_cert_t * signing_key_cert = NULL
static tor_cert_t * link_cert_cert = NULL
static tor_cert_t * auth_key_cert = NULL
static uint8_t * rsa_ed_crosscert = NULL
static size_t rsa_ed_crosscert_len = 0
static time_t rsa_ed_crosscert_expiration = 0

Detailed Description

Functions and structures to handle generating and maintaining the set of keypairs necessary to be an OR.

The keys handled here now are the Ed25519 keys that Tor relays use to sign descriptors, authenticate themselves on links, and identify one another uniquely. Other keys are maintained in router.c and rendservice.c.

(TODO: The keys in router.c should go here too.)

Definition in file routerkeys.c.

Macro Definition Documentation


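/** Log <b>msg</b> at warning level in the LD_OR domain and jump to the
 * enclosing function's <tt>err:</tt> label; only usable inside a function
 * that defines that label.  <b>msg</b> is handed to log_warn() as the
 * format string, so it must be a compile-time string literal -- never
 * caller-supplied or untrusted text -- and any '%' in it is interpreted as
 * a conversion specifier. */
#define FAIL(msg)                               \
  do {                                          \
    log_warn(LD_OR, (msg));                     \
    goto err;                                   \
  } while (0)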


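/** Replace the tor_cert_t pointer lvalue <b>cert</b> with <b>newval</b>,
 * freeing the certificate it previously pointed to.  When <b>cert</b>
 * already holds <b>newval</b> nothing is freed, so assigning a value to
 * itself cannot leave a dangling pointer.  <b>newval</b> is evaluated twice:
 * do not pass an expression with side effects. */
#define SET_CERT(cert, newval)                  \
  do {                                          \
    if ((cert) != (newval))                     \
      tor_cert_free(cert);                      \
    cert = (newval);                            \
  } while (0)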


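/** Replace the ed25519_keypair_t pointer lvalue <b>key</b> with
 * <b>newval</b>, freeing the keypair it previously pointed to.  When
 * <b>key</b> already holds <b>newval</b> nothing is freed, so assigning a
 * value to itself cannot leave a dangling pointer.  <b>newval</b> is
 * evaluated twice: do not pass an expression with side effects. */
#define SET_KEY(key, newval)                    \
  do {                                          \
    if ((key) != (newval))                      \
      ed25519_keypair_free(key);                \
    key = (newval);                             \
  } while (0)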

Function Documentation

◆ generate_ed_link_cert()

int generate_ed_link_cert ( const or_options_t *options,
time_t  now,
int  force 

Retrieve our currently-in-use Ed25519 link certificate and id certificate, and, if they would expire soon (based on the time now), generate new certificates (without embedding the public part of the signing key inside). If force is true, always generate a new certificate.

The signed_key from the current id->signing certificate will be used to sign the new key within the newly generated X509 certificate.

Returns -1 upon error. Otherwise, returns 0 upon success (either when the current certificate is still valid, or when a new certificate was successfully generated, or no certificate was needed).

Definition at line 365 of file routerkeys.c.

◆ load_ed_keys()

int load_ed_keys ( const or_options_t *options,
time_t  now 

Running as a server: load, reload, or refresh our ed25519 keys and certificates, creating and saving new ones as needed.

Return -1 on failure; 0 on success if the signing key was not replaced; and 1 on success if the signing key was replaced.

Definition at line 55 of file routerkeys.c.

◆ log_cert_expiration()

int log_cert_expiration ( void  )

Log when a key certificate expires. Used when tor is given the --key-expiration command-line option.

If a command argument is given, which should specify the type of key to get expiry information about (currently the only supported argument is "sign"), get info about that type of certificate. Otherwise, print info about the supported arguments.

Returns 0 on success and -1 on failure.

Definition at line 606 of file routerkeys.c.

◆ log_ed_cert_expiration()

static void log_ed_cert_expiration ( const tor_cert_t *cert,
const char *  description,
const char *  fname,
key_expiration_format_t  time_format 

Log when a certificate, cert, with some description and stored in a file named fname, is going to expire. Formats the expire time according to time_format.

Definition at line 524 of file routerkeys.c.

◆ log_master_signing_key_cert_expiration()

static int log_master_signing_key_cert_expiration ( const or_options_t *options )

Log when our master signing key certificate expires. Used when tor is given the --key-expiration command-line option.

Returns 0 on success and 1 on failure.

Definition at line 560 of file routerkeys.c.

Referenced by log_cert_expiration().

◆ make_ntor_onion_key_crosscert()

tor_cert_t* make_ntor_onion_key_crosscert ( const curve25519_keypair_t *onion_key,
const ed25519_public_key_t *master_id_key,
time_t  now,
time_t  lifetime,
int *  sign_out 

Construct cross-certification for the master identity key with the ntor onion key. Store the sign bit of the corresponding ed25519 public key in *sign_out.

Definition at line 689 of file routerkeys.c.

◆ make_tap_onion_key_crosscert()

uint8_t* make_tap_onion_key_crosscert ( const crypto_pk_t *onion_key,
const ed25519_public_key_t *master_id_key,
const crypto_pk_t *rsa_id_key,
int *  len_out 

Construct and return an RSA signature for the TAP onion key to cross-certify the RSA and Ed25519 identity keys. Set len_out to its length.

Definition at line 712 of file routerkeys.c.

◆ print_cert_expiration()

static void print_cert_expiration ( const char *  expiration,
const char *  description 

Print the ISO 8601-formatted expiration for a certificate with some description to stdout.

For example, for a signing certificate, this might print out: signing-cert-expiry: 2017-07-25 08:30:15 UTC

Definition at line 512 of file routerkeys.c.

◆ router_ed25519_id_is_me()

int router_ed25519_id_is_me ( const ed25519_public_key_t *id )

Return true iff id is our Ed25519 master identity key.

Definition at line 631 of file routerkeys.c.

◆ should_make_new_ed_keys()

int should_make_new_ed_keys ( const or_options_t *options,
const time_t  now 

Return 1 if any of the following are true:

  • if one of our Ed25519 signing, auth, or link certificates would expire soon with respect to the time now,
  • if we do not currently have a link certificate, or
  • if our cached Ed25519 link certificate is not same as the one we're currently using.

Otherwise, returns 0.

Definition at line 419 of file routerkeys.c.