prop224: Change how descriptor encode encryption keys

Every intro point, legacy or not, needs a ntor encryption key. However, in
the case of a legacy introductin point, we need an extra RSA key so the IP
can relay the INTRODUCE1 cell on the right circuit.

We now only need the cross certificate for the encryption key because the
signing-key extention make sure we have the actual key encoded in that
certificate. The legacy key cross certificate doesn't support that extention
so we need both the RSA key and the crosscert.

Fixes #21871

Signed-off-by: David Goulet <dgoulet@torproject.org>

1 files changed, 32 insertions, 22 deletions

diff --git a/proposals/224-rend-spec-ng.txt b/proposals/224-rend-spec-ng.txt
index 2d6f261..56ca69c 100644
--- a/proposals/224-rend-spec-ng.txt
+++ b/proposals/224-rend-spec-ng.txt
@@ -1219,39 +1219,49 @@ Table of contents:
           is included in the mandatory signing-key extension.  The certificate
           type must be [09].
 
-        Encryption key is specified as follow:
+        "enc-key" SP "ntor" SP key NL
 
-        [Exactly once enc-key per introduction point]
-
-           "enc-key" SP "ntor" SP key NL
-
-             The key is a base64 encoded curve25519 public key used to encrypt
-             the introduction request to service.
-
-           "enc-key" SP "legacy" NL key NL
+          [Exactly once per introduction point]
 
-             Base64 encoded RSA key, wrapped in "----BEGIN RSA PUBLIC
-             KEY-----" armor, for use with a legacy introduction point as
-             described in [LEGACY_EST_INTRO] and [LEGACY-INTRODUCE1] below.
+          The key is a base64 encoded curve25519 public key used to encrypt
+          the introduction request to service.
 
-        "enc-key-certification" NL certificate NL
+        "enc-key-cert" NL certificate NL
 
           [Exactly once per introduction point]
 
-          Cross-certification of the descriptor signing key by the enc-key.
-          The format of this certificate depends on the type of enc-key.
+          Cross-certification of the descriptor signing key by the encryption
+          key.
 
           For "ntor" keys, certificate is a proposal 220 certificate wrapped
           in "-----BEGIN ED25519 CERT-----" armor, cross-certifying the
-          descriptor signing key with the ed25519 equivalent of the curve25519
-          public key from "enc-key" derived using the process in proposal 228
-          appendix A. The certificate type must be [10], and the signing-key
+          descriptor signing key with the ed25519 equivalent of a curve25519
+          public encryption key derived using the process in proposal 228
+          appendix A. The certificate type must be [0B], and the signing-key
           extension is mandatory.
 
-          For "legacy" keys, certificate is a proposal 220 RSA->Ed
-          cross-certificate wrapped in "-----BEGIN CROSSCERT-----" armor,
-          cross-certifying the descriptor signing key with the legacy RSA
-          encryption key.
+        "legacy-key" NL key NL
+
+          [None or at most once per introduction point]
+
+          The key is an ASN.1 encoded RSA public key in PEM format used for a
+          legacy introduction point as described in [LEGACY_EST_INTRO] and
+          [LEGACY-INTRODUCE1] below.
+
+          This field is only present if the introduction point only supports
+          legacy protocol (v2) that is <= 0.2.9 or the protocol version value
+          "HSIntro 3".
+
+        "legacy-key-cert NL certificate NL
+
+          [None or at most once per introduction point]
+
+          MUST be present if "legacy-key" is present.
+
+          The certificate is a proposal 220 RSA->Ed cross-certificate wrapped
+          in "-----BEGIN CROSSCERT-----" armor, cross-certifying the
+          descriptor signing key with the RSA public key found in
+          "legacy-key".
 
    To remain compatible with future revisions to the descriptor format,
    clients should ignore unrecognized lines in the descriptor.