From cbcc20ad0ef3db5996f7440203f80d74988599b5 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 16 Jan 2024 13:39:59 -0500 Subject: Note that the subject key in enc-key-cert always has sign=0. This behavior is incorrect from the POV of preserving the key as a signing key, but it is what C Tor does. See `setup_desc_intro_point`, which has: ``` ed25519_public_key_from_curve25519_public_key(&ed25519_pubkey, &ip->enc_key_kp.pubkey, 0); ``` The "incorrectness" doesn't matter in practice: since we have the subject and signing keys inverted in this certificate, we never have to actually verify anything using this public key. Found while investigating arti#1221. --- spec/rend-spec/hsdesc-encrypt.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'spec') diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md index f267dcb..567637d 100644 --- a/spec/rend-spec/hsdesc-encrypt.md +++ b/spec/rend-spec/hsdesc-encrypt.md @@ -391,10 +391,15 @@ Followed by zero or more introduction points as follows (see section signing key. For "ntor" keys, certificate is a proposal 220 certificate - wrapped in "-----BEGIN ED25519 CERT-----" armor. The subject + wrapped in "-----BEGIN ED25519 CERT-----" armor. + + The subject key is the the ed25519 equivalent of a curve25519 public encryption key (`KP_hss_ntor`), with the ed25519 key - derived using the process in proposal 228 appendix A. The + derived using the process in proposal 228 appendix A, + and its sign bit set to zero. + + The signing key is the descriptor signing key (`KP_hs_desc_sign`). The certificate type must be [0B], and the signing-key extension is mandatory. 
@@ -406,6 +411,11 @@ Followed by zero or more introduction points as follows (see section encryption key `KP_hss_ntor` is already available from the `enc-key` entry. + ALSO NOTE: Setting the sign bit of the subject key + to zero makes the subjected unusable for verification; + this is also a mistake preserved for compatiblility withl + C tor. + "legacy-key" NL key NL [None or at most once per introduction point] -- cgit v1.2.3-54-g00ecf From 2b985949fa92656f7d28fab1525df84cc86e5b11 Mon Sep 17 00:00:00 2001 From: gabi-250 Date: Tue, 16 Jan 2024 19:44:16 +0000 Subject: Typo fix --- spec/rend-spec/hsdesc-encrypt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'spec') diff --git a/spec/rend-spec/hsdesc-encrypt.md b/spec/rend-spec/hsdesc-encrypt.md index 567637d..3e91172 100644 --- a/spec/rend-spec/hsdesc-encrypt.md +++ b/spec/rend-spec/hsdesc-encrypt.md @@ -413,7 +413,7 @@ Followed by zero or more introduction points as follows (see section ALSO NOTE: Setting the sign bit of the subject key to zero makes the subjected unusable for verification; - this is also a mistake preserved for compatiblility withl + this is also a mistake preserved for compatiblility with C tor. "legacy-key" NL key NL -- cgit v1.2.3-54-g00ecf
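Review bot: In the first hunk of the first commit (@@ -391,10 +391,15 @@), the added line "The subject key is the the ed25519 equivalent" has a doubled "the". The added "and its sign bit set to zero" also gives no hint at this point that the value is a deliberate compatibility quirk; a short pointer to the "ALSO NOTE" paragraph further down would keep a reader from treating the subject key as an ordinary, verifiable ed25519 key.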
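Review bot: In the second hunk of the first commit (@@ -406,6 +411,11 @@), "makes the subjected unusable for verification" reads as a leftover edit; "subject key" looks intended. The same added paragraph has "compatiblility withl", and writes "C tor" where the commit message writes "C Tor". Beyond the wording, the note says only that the key is unusable; consider stating the consequence for implementers, namely that nothing should be verified against this subject key, which is what the commit message relies on when it says the incorrectness does not matter in practice.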
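Review bot: In the "Typo fix" commit (@@ -413,7 +413,7 @@), the replacement line still has "compatiblility"; only "withl" was corrected. The context line just above it, "to zero makes the subjected unusable for verification;", also still says "subjected" where "subject key" seems meant, so both could be fixed in this same change.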