Right now, the only easy way for researchers to verify that they are using the actual Tor network consensuses/votes/descriptors is to verify Karsten's OpenPGP signature of the tarball (if there is one). Tor already contains code to verify those documents which have signatures; we should expose that code to researchers' scripts, too.
The extra-info descriptors and microdescriptors are authenticated by having their hashes published in other documents, rather than being signed directly, so they will be a bit trickier for simple tools to verify; we should postpone writing verification tools for those documents for now.
Agreed, we should write code to check the descriptor signatures. I suggest writing the code in Java, because we can create a standalone tool from it (as part of metrics-utils) and add it to metrics-db to check signatures on the fly. I should have some Java code around that checks descriptor signatures. Do you want to work on this? If so, I'll dig out the code.
Verifying extra-info descriptors requires having the server descriptors of the same month available. Fortunately, descriptors are sorted into month folders and tarballs by their publication time, so that all relevant server descriptors should be in a single tarball.
We don't collect any microdescriptors yet, and I don't know how to verify them. Perhaps by having the server descriptors, just like with extra-info descriptors? By the way, should we start collecting microdescriptors? If so, we should open a new ticket for that.
> Agreed, we should write code to check the descriptor signatures. I suggest writing the code in Java, because we can create a standalone tool from it (as part of metrics-utils) and add it to metrics-db to check signatures on the fly. I should have some Java code around that checks descriptor signatures. Do you want to work on this? If so, I'll dig out the code.

Yes, I want to work on these tools, but I currently do not have a Java runtime around.

> We don't collect any microdescriptors yet, and I don't know how to verify them. Perhaps by having the server descriptors, just like with extra-info descriptors?

Microdescriptors can be verified using the microdescriptor consensus.

> By the way, should we start collecting microdescriptors? If so, we should open a new ticket for that.

Probably (even though no clients use them yet). We should also investigate the lifetimes of microdescs.
Where are the directory authorities' consensus-signing keys archived?
The DAs' directory-signing certificates can be extracted from their vote documents, but we should extract them and publish them separately from the (huge) vote tarballs.
Moving this ticket to the new Metrics Utilities component. Once there's code, it would most likely live in the metrics-utils repository. ExoneraTor and VisiTor tickets would also go in the Metrics Utilities component.
Also reducing priority to normal.
Trac: Component: Metrics to Metrics Utilities Priority: major to normal
Robert, do you have a list of things that need to be checked in order to verify the various descriptors? Here's what I do for server descriptors, certs, and consensuses:
Verify server descriptors using the contained signing key. Verify that
- a contained fingerprint is actually a hash of the signing key and
- a router signature was created using the signing key.

Verify consensuses using the separate certs. Verify that
- the fingerprint in a cert is actually a hash of the identity key,
- a cert was signed using the identity key,
- a consensus was signed using the signing key from the cert.
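
The two server-descriptor checks listed above, as an added example in Python (not code from this ticket or from metrics-utils). It assumes the encodings in Tor's dir-spec: the fingerprint is the SHA-1 hash of the DER-encoded signing key, and the signature is RSA with PKCS#1 v1.5 padding over the bare SHA-1 digest of the text from `router ` through the `router-signature` line; the function names are made up for this example.

```python
import base64, hashlib, re

def der_integers(der):
    """Return the INTEGERs of one DER SEQUENCE (PKCS#1 RSAPublicKey: n, e)."""
    def tlv(buf, pos):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            count = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        return tag, buf[pos:pos + length], pos + length
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected a DER INTEGER")
        values.append(int.from_bytes(value, "big"))
    return values

def pem_object(desc, keyword, label):
    """Decode the base64 object that follows a keyword line."""
    pattern = rb"^%b\n-----BEGIN %b-----\n(.*?)\n-----END %b-----$" % (keyword, label, label)
    match = re.search(pattern, desc, re.M | re.S)
    if match is None:
        raise ValueError("missing object: " + keyword.decode())
    return base64.b64decode(match.group(1))

def verify_server_descriptor(desc):
    """Return (fingerprint_ok, signature_ok); fingerprint_ok is None if absent."""
    key_der = pem_object(desc, b"signing-key", b"RSA PUBLIC KEY")
    signature = pem_object(desc, b"router-signature", b"SIGNATURE")
    # Check 1: a contained fingerprint is the SHA-1 hash of the DER-encoded key.
    fp_line = re.search(rb"^(?:opt )?fingerprint (.+)$", desc, re.M)
    fp_ok = None
    if fp_line:
        claimed = fp_line.group(1).replace(b" ", b"").lower().decode()
        fp_ok = claimed == hashlib.sha1(key_der).hexdigest()
    # Check 2: the signature covers SHA-1 of "router " .. "router-signature\n".
    start = 0 if desc.startswith(b"router ") else desc.index(b"\nrouter ") + 1
    marker = b"\nrouter-signature\n"
    digest = hashlib.sha1(desc[start:desc.index(marker) + len(marker)]).digest()
    n, e = der_integers(key_der)
    k = (n.bit_length() + 7) // 8
    # PKCS#1 v1.5 type 1 padding around the bare digest (no DigestInfo).
    expected = b"\x00\x01" + b"\xff" * (k - 23) + b"\x00" + digest
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return fp_ok, recovered == expected
```

`verify_server_descriptor` takes the raw bytes of a single descriptor, so an archive file holding several descriptors has to be split at each `router ` line first.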