authorNick Mathewson <nickm@torproject.org>2015-05-28 10:47:42 -0400
committerNick Mathewson <nickm@torproject.org>2015-05-28 10:47:47 -0400
commit3bee74c6d115131f4850a07a5c12db21ae6f3193 (patch)
treedd261f2ef2007364c54043af54bd6aea9c300adb /src/test/test_routerkeys.c
parent32f59d73372f5843ceb305a9d58387573d90f4f6 (diff)
Generate weird certificates correctly
(Our link protocol assumes that the link cert certifies the TLS key, and there is an RSA->Ed25519 crosscert)
Diffstat (limited to 'src/test/test_routerkeys.c')
-rw-r--r--src/test/test_routerkeys.c47
1 files changed, 29 insertions, 18 deletions
diff --git a/src/test/test_routerkeys.c b/src/test/test_routerkeys.c
index 49174243ca..06fc4ee217 100644
--- a/src/test/test_routerkeys.c
+++ b/src/test/test_routerkeys.c
@@ -416,12 +416,21 @@ test_routerkeys_ed_keys_init_all(void *arg)
or_options_t *options = tor_malloc_zero(sizeof(or_options_t));
time_t now = time(NULL);
ed25519_public_key_t id;
- ed25519_keypair_t sign, link, auth;
- // tor_cert_t *cert_is, *cert_sl, *cert_auth;
+ ed25519_keypair_t sign, auth;
+ tor_cert_t *link_cert = NULL;
+
+ get_options_mutable()->ORPort_set = 1;
+
+ crypto_pk_t *rsa = pk_generate(0);
+
+ set_server_identity_key(rsa);
+ set_client_identity_key(rsa);
+
+ router_initialize_tls_context();
options->SigningKeyLifetime = 30*86400;
options->TestingAuthKeyLifetime = 2*86400;
- options->TestingLinkKeyLifetime = 2*86400;
+ options->TestingLinkCertLifetime = 2*86400;
options->TestingSigningKeySlop = 2*86400;
options->TestingAuthKeySlop = 2*3600;
options->TestingLinkKeySlop = 2*3600;
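Review bot: The return value of `router_initialize_tls_context()` is discarded, so a failed TLS context setup would only surface later as a confusing failure in the link-cert assertions; check it at the call site with `tt_int_op(0, ==, router_initialize_tls_context());`. The same `rsa` pointer is passed to both `set_server_identity_key()` and `set_client_identity_key()`; if each setter takes ownership of its argument (not visible in this hunk), the second call should get its own reference, e.g. `set_client_identity_key(crypto_pk_dup_key(rsa));`. `get_options_mutable()->ORPort_set = 1` changes process-wide options and nothing visible here restores it, so later tests may inherit the setting unless the cleanup section, which lies outside this hunk, resets it.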
@@ -440,59 +449,61 @@ test_routerkeys_ed_keys_init_all(void *arg)
tt_assert(get_master_identity_key());
tt_assert(get_master_identity_key());
tt_assert(get_master_signing_keypair());
- tt_assert(get_current_link_keypair());
tt_assert(get_current_auth_keypair());
tt_assert(get_master_signing_key_cert());
- tt_assert(get_current_link_key_cert());
+ tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
memcpy(&id, get_master_identity_key(), sizeof(id));
memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
- memcpy(&link, get_current_link_keypair(), sizeof(link));
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
+ link_cert = tor_cert_dup(get_current_link_cert_cert());
/* Call load_ed_keys again, but nothing has changed. */
tt_int_op(0, ==, load_ed_keys(options, now));
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
- tt_mem_op(&link, ==, get_current_link_keypair(), sizeof(link));
tt_mem_op(&auth, ==, get_current_auth_keypair(), sizeof(auth));
+ tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
/* Force a reload: we make new link/auth keys. */
routerkeys_free_all();
tt_int_op(0, ==, load_ed_keys(options, now));
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
- tt_mem_op(&link, !=, get_current_link_keypair(), sizeof(link));
+ tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
- tt_assert(get_current_link_key_cert());
+ tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
- memcpy(&link, get_current_link_keypair(), sizeof(link));
+ tor_cert_free(link_cert);
+ link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Force a link/auth-key regeneration by advancing time. */
tt_int_op(0, ==, load_ed_keys(options, now+3*86400));
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
- tt_mem_op(&link, !=, get_current_link_keypair(), sizeof(link));
+ tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
- tt_assert(get_current_link_key_cert());
+ tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
- memcpy(&link, get_current_link_keypair(), sizeof(link));
+ tor_cert_free(link_cert);
+ link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Force a signing-key regeneration by advancing time. */
tt_int_op(0, ==, load_ed_keys(options, now+100*86400));
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, !=, get_master_signing_keypair(), sizeof(sign));
- tt_mem_op(&link, !=, get_current_link_keypair(), sizeof(link));
+ tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
- tt_assert(get_current_link_key_cert());
+ tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
memcpy(&sign, get_master_signing_keypair(), sizeof(sign));
- memcpy(&link, get_current_link_keypair(), sizeof(link));
+ tor_cert_free(link_cert);
+ link_cert = tor_cert_dup(get_current_link_cert_cert());
memcpy(&auth, get_current_auth_keypair(), sizeof(auth));
/* Demonstrate that we can start up with no secret identity key */
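Review bot: The comment `/* Force a reload: we make new link/auth keys. */` now contradicts the assertion below it, which requires the link cert to still equal the saved copy after `routerkeys_free_all()`; only the auth key is expected to differ. A wording such as `/* Force a reload: the auth key is regenerated; the link cert certifies the same TLS key and so is unchanged. */` would match the new checks (the reason is inferred from the commit message, so adjust it if the cause differs). Separately, `link_cert` is still allocated whenever a `tt_assert` fails between a `tor_cert_dup()` and the next `tor_cert_free()`, so the function's cleanup section, which is outside this hunk, should be confirmed to call `tor_cert_free(link_cert);`.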
@@ -502,10 +513,10 @@ test_routerkeys_ed_keys_init_all(void *arg)
tt_int_op(0, ==, load_ed_keys(options, now));
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
- tt_mem_op(&link, !=, get_current_link_keypair(), sizeof(link));
+ tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
tt_mem_op(&auth, !=, get_current_auth_keypair(), sizeof(auth));
tt_assert(get_master_signing_key_cert());
- tt_assert(get_current_link_key_cert());
+ tt_assert(get_current_link_cert_cert());
tt_assert(get_current_auth_key_cert());
/* But we're in trouble if we have no id key and our signing key has