Diffstat (limited to 'src/feature/nodelist')
-rw-r--r--src/feature/nodelist/dirlist.c4
-rw-r--r--src/feature/nodelist/dirlist.h5
-rw-r--r--src/feature/nodelist/networkstatus.c7
-rw-r--r--src/feature/nodelist/nodelist.c2
-rw-r--r--src/feature/nodelist/torcert.c12
-rw-r--r--src/feature/nodelist/torcert.h12
6 files changed, 28 insertions, 14 deletions
diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c
index cd2921e653..f6e4662a0f 100644
--- a/src/feature/nodelist/dirlist.c
+++ b/src/feature/nodelist/dirlist.c
@@ -236,8 +236,8 @@ mark_all_dirservers_up(smartlist_t *server_list)
/** Return true iff <b>digest</b> is the digest of the identity key of a
* trusted directory matching at least one bit of <b>type</b>. If <b>type</b>
* is zero (NO_DIRINFO), or ALL_DIRINFO, any authority is okay. */
-int
-router_digest_is_trusted_dir_type(const char *digest, dirinfo_type_t type)
+MOCK_IMPL(int, router_digest_is_trusted_dir_type,
+ (const char *digest, dirinfo_type_t type))
{
if (!trusted_dir_servers)
return 0;
diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h
index c9310ff357..ae3debf4e5 100644
--- a/src/feature/nodelist/dirlist.h
+++ b/src/feature/nodelist/dirlist.h
@@ -25,13 +25,14 @@ int router_digest_is_fallback_dir(const char *digest);
MOCK_DECL(dir_server_t *, trusteddirserver_get_by_v3_auth_digest,
(const char *d));
+MOCK_DECL(int, router_digest_is_trusted_dir_type,
+ (const char *digest, dirinfo_type_t type));
+
bool router_addr_is_trusted_dir_type(const tor_addr_t *addr,
dirinfo_type_t type);
#define router_addr_is_trusted_dir(d) \
router_addr_is_trusted_dir_type((d), NO_DIRINFO)
-int router_digest_is_trusted_dir_type(const char *digest,
- dirinfo_type_t type);
#define router_digest_is_trusted_dir(d) \
router_digest_is_trusted_dir_type((d), NO_DIRINFO)
diff --git a/src/feature/nodelist/networkstatus.c b/src/feature/nodelist/networkstatus.c
index 9210518de0..ece3c9e059 100644
--- a/src/feature/nodelist/networkstatus.c
+++ b/src/feature/nodelist/networkstatus.c
@@ -2444,7 +2444,12 @@ networkstatus_getinfo_by_purpose(const char *purpose_string, time_t now)
return answer;
}
-/* DOCDOC get_net_param_from_list */
+/**
+ * Search through a smartlist of "key=int32" strings for a value beginning
+ * with "param_name=". If one is found, clip it to be between min_val and
+ * max_val inclusive and return it. If one is not found, return
+ * default_val.
+ ***/
static int32_t
get_net_param_from_list(smartlist_t *net_params, const char *param_name,
int32_t default_val, int32_t min_val, int32_t max_val)
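Review bot: The new comment on get_net_param_from_list does not say what is returned when a "param_name=" entry is present but its value does not parse as an int32, and it closes with `***/` where the other comments on this page close with `*/`. These strings presumably originate from a network document, so the malformed-value case is the one a reader most needs spelled out. One added sentence stating whether such an entry yields default_val or something else would cover it. The function body lies outside this hunk, so the actual behaviour has to be confirmed there.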
diff --git a/src/feature/nodelist/nodelist.c b/src/feature/nodelist/nodelist.c
index 7edc1fc51c..c9928d2f9b 100644
--- a/src/feature/nodelist/nodelist.c
+++ b/src/feature/nodelist/nodelist.c
@@ -1947,7 +1947,7 @@ node_get_curve25519_onion_key(const node_t *node)
/* Return a newly allocacted RSA onion public key taken from the given node.
*
* Return NULL if node is NULL or no RSA onion public key can be found. It is
- * the caller responsability to free the returned object. */
+ * the caller responsibility to free the returned object. */
crypto_pk_t *
node_get_rsa_onion_key(const node_t *node)
{
diff --git a/src/feature/nodelist/torcert.c b/src/feature/nodelist/torcert.c
index 89cc9c88fb..dc36626122 100644
--- a/src/feature/nodelist/torcert.c
+++ b/src/feature/nodelist/torcert.c
@@ -37,11 +37,11 @@
#include "core/or/or_handshake_certs_st.h"
-/** Helper for tor_cert_create(): signs any 32 bytes, not just an ed25519
- * key.
+/** As tor_cert_create(), but accept an arbitrary signed_key_type as the
+ * subject key -- not just an ed25519 key.
*/
-static tor_cert_t *
-tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
+tor_cert_t *
+tor_cert_create_raw(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
uint8_t signed_key_type,
const uint8_t signed_key_info[32],
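Review bot: The rewritten comment on tor_cert_create_raw says the function accepts "an arbitrary signed_key_type as the subject key", but the subject is the 32 bytes in `signed_key_info`, and now that the function is no longer `static` the comment should state that contract. `const uint8_t signed_key_info[32]` decays to a pointer, so nothing enforces the length. The doc should say that the caller must supply exactly 32 bytes and that `signed_key_type` gives their meaning: a public key for SIGNED_KEY_TYPE_ED25519, a SHA256 digest for the two types added in torcert.h. It should also say that the function signs whatever bytes it is handed with `signing_key`, so the caller is responsible for checking that they match the declared type. Whether the body validates `signed_key_type` is not visible, since it continues outside this hunk.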
@@ -128,13 +128,13 @@ tor_cert_sign_impl(const ed25519_keypair_t *signing_key,
* the public part of <b>signing_key</b> in the certificate.
*/
tor_cert_t *
-tor_cert_create(const ed25519_keypair_t *signing_key,
+tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
const ed25519_public_key_t *signed_key,
time_t now, time_t lifetime,
uint32_t flags)
{
- return tor_cert_sign_impl(signing_key, cert_type,
+ return tor_cert_create_raw(signing_key, cert_type,
SIGNED_KEY_TYPE_ED25519, signed_key->pubkey,
now, lifetime, flags);
}
diff --git a/src/feature/nodelist/torcert.h b/src/feature/nodelist/torcert.h
index f8fba2b794..3314ee2550 100644
--- a/src/feature/nodelist/torcert.h
+++ b/src/feature/nodelist/torcert.h
@@ -11,7 +11,9 @@
#include "lib/crypt_ops/crypto_ed25519.h"
-#define SIGNED_KEY_TYPE_ED25519 0x01
+#define SIGNED_KEY_TYPE_ED25519 0x01
+#define SIGNED_KEY_TYPE_SHA256_OF_RSA 0x02
+#define SIGNED_KEY_TYPE_SHA256_OF_X509 0x03
#define CERT_TYPE_ID_SIGNING 0x04
#define CERT_TYPE_SIGNING_LINK 0x05
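Review bot: SIGNED_KEY_TYPE_SHA256_OF_RSA and SIGNED_KEY_TYPE_SHA256_OF_X509 are added without comments, and nothing in this header says which functions accept them. A short comment per value would help, e.g. `/** Signed key is the SHA256 digest of an RSA key. */`, along with a note on whether `tor_cert_parse` accepts certificates carrying these types. If it only accepts SIGNED_KEY_TYPE_ED25519, a certificate built with tor_cert_create_raw would not round-trip through it. The body of tor_cert_parse is not on this page, so that needs checking against torcert.c.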
@@ -56,11 +58,17 @@ typedef struct tor_cert_st {
struct tor_tls_t;
-tor_cert_t *tor_cert_create(const ed25519_keypair_t *signing_key,
+tor_cert_t *tor_cert_create_ed25519(const ed25519_keypair_t *signing_key,
uint8_t cert_type,
const ed25519_public_key_t *signed_key,
time_t now, time_t lifetime,
uint32_t flags);
+tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key,
+ uint8_t cert_type,
+ uint8_t signed_key_type,
+ const uint8_t signed_key_info[32],
+ time_t now, time_t lifetime,
+ uint32_t flags);
tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen);
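Review bot: The new prototype is written `tor_cert_t * tor_cert_create_raw(` with a space after the `*`, while the declarations around it use `tor_cert_t *tor_cert_create_ed25519(` and `tor_cert_t *tor_cert_parse(`. Writing it as `tor_cert_t *tor_cert_create_raw(const ed25519_keypair_t *signing_key,` would match them. The prototype also has no doc comment in the header; since it is now public, a one-line pointer to the contract documented in torcert.c would be enough.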