Implement proposal 228: cross-certification with onion keys

Routers now use TAP and ntor onion keys to sign their identity keys,
and put these signatures in their descriptors.  That allows other
parties to be confident that the onion keys are indeed controlled by
the router that generated the descriptor.

1 files changed, 16 insertions, 0 deletions

diff --git a/src/or/routerkeys.h b/src/or/routerkeys.h
index eb21401d56..5e2ef45314 100644
--- a/src/or/routerkeys.h
+++ b/src/or/routerkeys.h
@@ -37,6 +37,22 @@ const ed25519_keypair_t *get_current_auth_keypair(void);
 const struct tor_cert_st *get_current_link_key_cert(void);
 const struct tor_cert_st *get_current_auth_key_cert(void);
 
+struct tor_cert_st *make_ntor_onion_key_crosscert(
+                                  const curve25519_keypair_t *onion_key,
+                                  const ed25519_public_key_t *master_id_key,
+                                  time_t now, time_t lifetime,
+                                  int *sign_out);
+uint8_t *make_tap_onion_key_crosscert(const crypto_pk_t *onion_key,
+                                  const ed25519_public_key_t *master_id_key,
+                                  const crypto_pk_t *rsa_id_key,
+                                  int *len_out);
+
+int check_tap_onion_key_crosscert(const uint8_t *crosscert,
+                                  int crosscert_len,
+                                  const crypto_pk_t *onion_pkey,
+                                  const ed25519_public_key_t *master_id_pkey,
+                                  const uint8_t *rsa_id_digest);
+
 int load_ed_keys(const or_options_t *options, time_t now);
 void routerkeys_free_all(void);