diff options
Diffstat (limited to 'spec/cert-spec.md')
-rw-r--r-- | spec/cert-spec.md | 223 |
1 files changed, 223 insertions, 0 deletions
diff --git a/spec/cert-spec.md b/spec/cert-spec.md new file mode 100644 index 0000000..36c9c0b --- /dev/null +++ b/spec/cert-spec.md @@ -0,0 +1,223 @@ +Ed25519 certificates in Tor + +Table of Contents + +```text + 1. Scope and Preliminaries + 1.1. Signing + 1.2. Integer encoding + 2. Document formats + 2.1. Ed25519 Certificates + 2.2. Basic extensions + 2.2.1. Signed-with-ed25519-key extension [type 04] + 2.3. RSA->Ed25519 cross-certificate + A.1. List of certificate types (CERT_TYPE field) + A.2. List of extension types + A.3. List of signature prefixes + A.4. List of certified key types (CERT_KEY_TYPE field) +``` + +<a id="cert-spec.txt-1"></a> +# Scope and Preliminaries + +This document describes a certificate format that Tor uses for +its Ed25519 internal certificates. It is not the only +certificate format that Tor uses. For the certificates that +authorities use for their signing keys, see dir-spec.txt. +Additionally, Tor uses TLS, which depends on X.509 certificates; +see tor-spec.txt for details. + +The certificates in this document were first introduced in +proposal 220, and were first supported by Tor in Tor version +0.2.7.2-alpha. + +<a id="cert-spec.txt-1.1"></a> +## Signing + +All signatures here, unless otherwise specified, are computed +using an Ed25519 key. + +In order to future-proof the format, before signing anything, the +signed document is prefixed with a personalization string, which +will be different in each case. + +<a id="cert-spec.txt-1.2"></a> +## Integer encoding + +Network byte order (big-endian) is used to encode all integer values +in Ed25519 certificates unless explicitly specified otherwise. + +<a id="cert-spec.txt-2"></a> +# Document formats + +<a id="cert-spec.txt-2.1"></a> +## Ed25519 Certificates + +When generating a signing key, we also generate a certificate for it. +Unlike the certificates for authorities' signing keys, these +certificates need to be sent around frequently, in significant +numbers. So we'll choose a compact representation. + +```text + VERSION [1 Byte] + CERT_TYPE [1 Byte] + EXPIRATION_DATE [4 Bytes] + CERT_KEY_TYPE [1 byte] + CERTIFIED_KEY [32 Bytes] + N_EXTENSIONS [1 byte] + EXTENSIONS [N_EXTENSIONS times] + SIGNATURE [64 Bytes] +``` + +The "VERSION" field holds the value [01]. The "CERT_TYPE" field +holds a value depending on the type of certificate. (See appendix +A.1.) The CERTIFIED_KEY field is an Ed25519 public key if +CERT_KEY_TYPE is [01], or a digest of some other key type +depending on the value of CERT_KEY_TYPE. (See appendix A.4.) +The EXPIRATION_DATE is a date, given in HOURS since the epoch, +after which this certificate isn't valid. (A four-byte field here +will work fine until 10136 A.D.) + +The EXTENSIONS field contains zero or more extensions, each of +the format: + +```text + ExtLength [2 bytes] + ExtType [1 byte] + ExtFlags [1 byte] + ExtData [ExtLength bytes] + + The meaning of the ExtData field in an extension is type-dependent. + + The ExtFlags field holds flags; this flag is currently defined: + + 1 -- AFFECTS_VALIDATION. If this flag is present, then the + extension affects whether the certificate is valid; clients + must not accept the certificate as valid unless they + understand the extension. +``` + +It is an error for an extension to be truncated; such a +certificate is invalid. + +Before processing any certificate, parties SHOULD know which +identity key it is supposed to be signed by, and then check the +signature. The signature is created by signing all the fields in +the certificate up until "SIGNATURE" (that is, signing +sizeof(ed25519_cert) - 64 bytes). + +<a id="cert-spec.txt-2.2"></a> +## Basic extensions + +<a id="cert-spec.txt-2.2.1"></a> +### Signed-with-ed25519-key extension [type 04] + +In several places, it's desirable to bundle the key signing a +certificate along with the certificate. We do so with this +extension. + +```text + ExtLength = 32 + ExtData = + An ed25519 key [32 bytes] +``` + +When this extension is present, it MUST match the key used to +sign the certificate. + +<a id="cert-spec.txt-2.3"></a> +## RSA->Ed25519 cross-certificate + +Certificate type [07] (Cross-certification of Ed25519 identity +with RSA key) contains the following data: + +```text + ED25519_KEY [32 bytes] + EXPIRATION_DATE [4 bytes] + SIGLEN [1 byte] + SIGNATURE [SIGLEN bytes] +``` + +Here, the Ed25519 identity key is signed with router's RSA +identity key, to indicate that authenticating with a key +certified by the Ed25519 key counts as certifying with RSA +identity key. (The signature is computed on the SHA256 hash of +the non-signature parts of the certificate, prefixed with the +string "Tor TLS RSA/Ed25519 cross-certificate".) + +Just like with the Ed25519 certificates above, the EXPIRATION_DATE +operates in HOURS after the epoch. + +This certificate type is used to mean, "This Ed25519 identity key +acts with the authority of the RSA key that signed this +certificate." + +<a id="cert-spec.txt-A.1"></a> +## List of certificate types (CERT_TYPE field) + +The values marked with asterisks are not types corresponding to +the certificate format of section 2.1. Instead, they are +reserved for RSA-signed certificates to avoid conflicts between +the certificate type enumeration of the CERTS cell and the +certificate type enumeration of in our Ed25519 certificates. + +```text + **[00],[01],[02],[03] - Reserved to avoid conflict with types used + in CERTS cells. + + [04] - Ed25519 signing key with an identity key + (see prop220 section 4.2) + + [05] - TLS link certificate signed with ed25519 signing key + (see prop220 section 4.2) + + [06] - Ed25519 authentication key signed with ed25519 signing key + (see prop220 section 4.2) + + **[07] - Reserved for RSA identity cross-certification; + (see section 2.3 above, and tor-spec.txt section 4.2) + + [08] - Onion service: short-term descriptor signing key, signed + with blinded public key. + (See rend-spec-v3.txt, section [DESC_OUTER]) + + [09] - Onion service: intro point authentication key, cross-certifying the + descriptor signing key. + (See rend-spec-v3.txt, description of "auth-key") + + [0A] - ntor onion key cross-certifying ed25519 identity key + (see dir-spec.txt, description of "ntor-onion-key-crosscert") + + [0B] - Onion service: ntor-extra encryption key, cross-certifying + descriptor signing key. + (see rend-spec-v3.txt, description of "enc-key-cert") +``` + +<a id="cert-spec.txt-A.2"></a> +## List of extension types + +[04] - signed-with-ed25519-key (section 2.2.1) + +<a id="cert-spec.txt-A.3"></a> +## List of signature prefixes + +We describe various documents as being signed with a prefix. Here +are those prefixes: + +"Tor router descriptor signature v1" (see dir-spec.txt) + +<a id="cert-spec.txt-A.4"></a> +## List of certified key types (CERT_KEY_TYPE field) + +```text + [01] ed25519 key + [02] SHA256 hash of an RSA key. (Not currently used.) + [03] SHA256 hash of an X.509 certificate. (Used with certificate + type 5.) +``` + +(NOTE: Up till 0.4.5.1-alpha, all versions of Tor have incorrectly used +"01" for all types of certified key. Implementations SHOULD +allow "01" in this position, and infer the actual key type from +the CERT_TYPE field.) + |