diff options
| author | Nick Mathewson <nickm@torproject.org> | 2024-01-16 13:39:59 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2024-01-16 13:39:59 -0500 |
| commit | cbcc20ad0ef3db5996f7440203f80d74988599b5 (patch) | |
| tree | 1a7e4ce1fbd86ca5aff4fe4f3475cae453ef1ab1 | |
| parent | 18c77a790fdc3c6914fd5494f17d8b702526b560 (diff) | |
| download | torspec-cbcc20ad0ef3db5996f7440203f80d74988599b5.tar.gz torspec-cbcc20ad0ef3db5996f7440203f80d74988599b5.zip | |
Note that the subject key in enc-key-cert always has sign=0.
This behavior is incorrect from the POV of preserving the key as a
signing key, but it is what C Tor does. See
`setup_desc_intro_point`, which has:
```
ed25519_public_key_from_curve25519_public_key(&ed25519_pubkey,
&ip->enc_key_kp.pubkey,
0);
```
The "incorrectness" doesn't matter in practice: since we have
the subject and signing keys inverted in this certificate, we
never have to actually verify anything using this public key.
Found while investigating arti#1221.
| -rw-r--r-- | spec/rend-spec/hsdesc-encrypt.md | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md index f267dcb..567637d 100644 --- a/spec/rend-spec/hsdesc-encrypt.md +++ b/spec/rend-spec/hsdesc-encrypt.md @@ -391,10 +391,15 @@ Followed by zero or more introduction points as follows (see section signing key. For "ntor" keys, certificate is a proposal 220 certificate - wrapped in "-----BEGIN ED25519 CERT-----" armor. The subject + wrapped in "-----BEGIN ED25519 CERT-----" armor. + + The subject key is the the ed25519 equivalent of a curve25519 public encryption key (`KP_hss_ntor`), with the ed25519 key - derived using the process in proposal 228 appendix A. The + derived using the process in proposal 228 appendix A, + and its sign bit set to zero. + + The signing key is the descriptor signing key (`KP_hs_desc_sign`). The certificate type must be [0B], and the signing-key extension is mandatory. @@ -406,6 +411,11 @@ Followed by zero or more introduction points as follows (see section encryption key `KP_hss_ntor` is already available from the `enc-key` entry. + ALSO NOTE: Setting the sign bit of the subject key + to zero makes the subjected unusable for verification; + this is also a mistake preserved for compatiblility withl + C tor. + "legacy-key" NL key NL [None or at most once per introduction point] |