Opened 3 years ago

Closed 3 years ago

#19020 closed defect (implemented)

RSA cross-certification of ed25519 keys differs from spec

Reported by: special Owned by: nickm
Priority: Medium Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: prop-220, tor-ed25519-proto, TorCoreTeam201608
Cc: nickm Actual Points: 0.5
Parent ID: #15055 Points: 0.5
Reviewer: Sponsor:


Proposal 220 section 4.2 defines a means of certifying an ed25519 key using an RSA key:

Certificate type [07] (Cross-certification of Ed25519 identity
with RSA key) contains the following data:

ED25519_KEY [32 bytes]
SIGNATURE [128 bytes]

Here, the Ed25519 identity key is signed with router's RSA
identity key, to indicate that authenticating with a key
certified by the Ed25519 key counts as certifying with RSA
identity key. (The signature is computed on the SHA256 hash of
the non-signature parts of the certificate, prefixed with the
string "Tor TLS RSA/Ed25519 cross-certificate".)

We implement this in the rsa_ed_crosscert_t trunnel structure and the tor_make_rsa_ed25519_crosscert function. There are two issues with this implementation, compared to the proposal:

Firstly, this code includes a 1 byte SIG_LEN field before the signature, and a signature of variable size. We should just change this in the proposal.

More significantly, this code signs the 36 byte structure directly rather than a SHA256 digest of the structure, and of course also doesn't have the prefix string in that signature. I doubt we can change this format easily now.

Child Tickets

Change History (11)

comment:1 Changed 3 years ago by nickm

Keywords: 029-proposed added

comment:2 Changed 3 years ago by nickm

So, we do _call_ tor_make_rsa_ed25519_crosscert, and we do save the result, but do we actually use it anywhere yet? I think maybe not.

comment:3 Changed 3 years ago by cypherpunks

Related to #17779.

comment:4 Changed 3 years ago by nickm

Keywords: 029-nickm-says-yes added

comment:5 Changed 3 years ago by nickm

Keywords: 029-proposed 029-nickm-says-yes removed
Parent ID: #15055
Points: 0.5

Calling this "in" for 029 since it's part of #15055, which is in.

comment:6 Changed 3 years ago by andrea

Owner: set to andrea
Status: newassigned

Taking ownership for 0.2.9 triage

comment:7 Changed 3 years ago by nickm

watch out before you get too far -- I suspect I may either have this done, or partially done, as part of my #15055 branch.

comment:8 Changed 3 years ago by nickm

Owner: changed from andrea to nickm

comment:9 Changed 3 years ago by nickm

Keywords: TorCoreTeam201608 added

comment:10 Changed 3 years ago by nickm

Actual Points: 0.5

I've tweaked the proposal in 7ad026a2d6cec0e8ae7f9b663dcc218f684c52fd to include the length field, and my #15055 branch to do the signing as specified.

comment:11 Changed 3 years ago by nickm

Resolution: implemented
Status: assignedclosed

These are implemented in 15055_wip; folding them into #15055 as their parent ticket.

Note: See TracTickets for help on using tickets.