Crate tor_cert

source · []
Expand description

Implementation for Tor certificates

Overview

The tor-cert crate implements the binary certificate types documented in Tor’s cert-spec.txt, which are used when authenticating Tor channels. (Eventually, support for onion service certificate support will get added too.)

This crate is part of Arti, a project to implement Tor in Rust.

There are other types of certificate used by Tor as well, and they are implemented in other places. In particular, see [tor-netdoc::doc::authcert] for the certificate types used by authorities in the directory protocol.

Design notes

The tor-cert code is in its own separate crate because it is required by several other higher-level crates that do not depend upon each other. For example, [tor-netdoc] parses encoded certificates from router descriptors, while [tor-proto] uses certificates when authenticating relays.

Examples

Parsing, validating, and inspecting a certificate:

use base64::decode;
use tor_cert::*;
use tor_checkable::*;
// Taken from a random relay on the Tor network.
let cert_base64 =
 "AQQABrntAThPWJ4nFH1L77Ar+emd4GPXZTPUYzIwmR2H6Zod5TvXAQAgBAC+vzqh
  VFO1SGATubxcrZzrsNr+8hrsdZtyGg/Dde/TqaY1FNbeMqtAPMziWOd6txzShER4
  qc/haDk5V45Qfk6kjcKw+k7cPwyJeu+UF/azdoqcszHRnUHRXpiPzudPoA4=";
// Remove the whitespace, so base64 doesn't choke on it.
let cert_base64: String = cert_base64.split_whitespace().collect();
// Decode the base64.
let cert_bin = base64::decode(cert_base64).unwrap();

// Decode the cert and check its signature.
let cert = Ed25519Cert::decode(&cert_bin).unwrap()
    .check_key(&None).unwrap()
    .check_signature().unwrap()
    .dangerously_assume_timely();
let signed_key = cert.subject_key();

Modules

rsa

RSA->Ed25519 cross-certificates

Structs

CertType

Recognized values for Tor’s certificate type field.

Ed25519Cert

Structure for an Ed25519-signed certificate as described in Tor’s cert-spec.txt.

ExtType

Extension identifiers for extensions in certificates.

KeyType

Identifiers for the type of key or object getting signed.

KeyUnknownCert

A parsed Ed25519 certificate. Maybe it includes its signing key; maybe it doesn’t.

SigCheckedCert

A certificate that has been parsed and signature-checked, but whose timeliness has not been checked.

UncheckedCert

A certificate that has been parsed, but whose signature and timeliness have not been checked.

UnrecognizedKey

A key whose type we didn’t recognize.

Enums

CertifiedKey

One of the data types that can be certified by an Ed25519Cert.