pub struct CertType(/* private fields */);
Recognized values for Tor’s certificate type field.
In the names used here, “X_V_Y” means “key X verifying key Y”, whereas “X_CC_Y” means “key X cross-certifying key Y”. In both cases, X is the key that is doing the signing, and Y is the key or object that is getting signed.
Not every one of these types is valid for an Ed25519 certificate. Some are for X.509 certs in a CERTS cell; some are for RSA->Ed crosscerts in a CERTS cell.
Implementations

impl CertType
pub const TLS_LINK_X509: CertType = _
TLS link key, signed with RSA identity. X.509 format. (Obsolete)
pub const RSA_ID_X509: CertType = _
Self-signed RSA identity certificate. X.509 format. (Legacy)
pub const LINK_AUTH_X509: CertType = _
RSA link authentication key signed with RSA identity key. X.509 format. (Obsolete)
pub const IDENTITY_V_SIGNING: CertType = _
Identity verifying a signing key, directly.
pub const SIGNING_V_TLS_CERT: CertType = _
Signing key verifying a TLS certificate by digest.
pub const SIGNING_V_LINK_AUTH: CertType = _
Signing key verifying a link authentication key.
pub const RSA_ID_V_IDENTITY: CertType = _
RSA identity key certifying an Ed25519 identity key. RSA crosscert format. (Legacy)
pub const HS_BLINDED_ID_V_SIGNING: CertType = _
For onion services: short-term descriptor signing key (KP_hs_desc_sign), signed with blinded onion service identity (KP_hs_blind_id).
pub const HS_IP_V_SIGNING: CertType = _
For onion services: Introduction point authentication key (KP_hs_ipt_sid), signed with short term descriptor signing key (KP_hs_desc_sign).
This one is, sadly, a bit complicated. In the original specification it was meant to be a cross-certificate, where the signature would be on the descriptor signing key, signed with the intro TID key. But we got it backwards in the C Tor implementation, and now, for compatibility, we are stuck doing it backwards in the future.
If we find in the future that it is actually important to cross-certify these keys (as originally intended), then we should add a new certificate type, and put the new certificate in the onion service descriptor.
pub const NTOR_CC_IDENTITY: CertType = _
An ntor key converted to an ed25519 key, cross-certifying an identity key.
pub const HS_IP_CC_SIGNING: CertType = _
For onion services: Ntor encryption key (KP_hss_ntor), converted to ed25519, signed with the descriptor signing key (KP_hs_desc_sign).
As with HS_IP_V_SIGNING, this certificate type is backwards. In the original specification it was meant to be a cross certificate, with the signing and signed keys reversed.
pub fn is_recognized(self) -> bool
Return true if this value is one that we recognize.
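The two points above that a verifier has to act on are that not every recognized type is valid inside an Ed25519 certificate (some are X.509 or RSA cross-cert types) and that the two onion-service intro-point types sign in the reverse direction from the original specification. The following stand-alone model, added here and not tor-cert's own code, shows those checks on the certificate-type byte; the numeric values follow Tor's cert-spec, while `Format`, `format_of`, `signature_reversed`, `CertTypeError` and `check_ed25519_cert_type` are names assumed for this illustration.

```rust
// Added example, not tor-cert's code: stand-alone model of the type-byte
// checks an Ed25519 cert parser makes. Values follow Tor's cert-spec; the
// Format/format_of/signature_reversed/check_* helpers are illustrative.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CertType(u8);

impl CertType {
    pub const TLS_LINK_X509: CertType = CertType(0x01);
    pub const RSA_ID_X509: CertType = CertType(0x02);
    pub const LINK_AUTH_X509: CertType = CertType(0x03);
    pub const IDENTITY_V_SIGNING: CertType = CertType(0x04);
    pub const SIGNING_V_TLS_CERT: CertType = CertType(0x05);
    pub const SIGNING_V_LINK_AUTH: CertType = CertType(0x06);
    pub const RSA_ID_V_IDENTITY: CertType = CertType(0x07);
    pub const HS_BLINDED_ID_V_SIGNING: CertType = CertType(0x08);
    pub const HS_IP_V_SIGNING: CertType = CertType(0x09);
    pub const NTOR_CC_IDENTITY: CertType = CertType(0x0A);
    pub const HS_IP_CC_SIGNING: CertType = CertType(0x0B);

    /// True if this is one of the named values above.
    pub fn is_recognized(self) -> bool { (0x01..=0x0B).contains(&self.0) }
}

/// Wire encoding each type is carried in; an Ed25519 cert parser must
/// refuse X.509 and RSA cross-cert types even though they are recognized.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Format { X509, RsaCrossCert, Ed25519 }

pub fn format_of(ct: CertType) -> Option<Format> {
    match ct.0 {
        0x01..=0x03 => Some(Format::X509),
        0x07 => Some(Format::RsaCrossCert),
        0x04..=0x06 | 0x08..=0x0B => Some(Format::Ed25519),
        _ => None,
    }
}

/// Onion-service types whose signing direction is the reverse of the
/// original spec's intent (kept that way for C Tor compatibility).
pub fn signature_reversed(ct: CertType) -> bool {
    matches!(ct, CertType::HS_IP_V_SIGNING | CertType::HS_IP_CC_SIGNING)
}

#[derive(Debug, PartialEq, Eq)]
pub enum CertTypeError { Unrecognized(u8), WrongFormat(u8, Format) }

/// Validate the type byte read from an Ed25519 certificate header.
pub fn check_ed25519_cert_type(byte: u8) -> Result<CertType, CertTypeError> {
    let ct = CertType(byte);
    match format_of(ct) {
        None => Err(CertTypeError::Unrecognized(byte)),
        Some(Format::Ed25519) => Ok(ct),
        Some(f) => Err(CertTypeError::WrongFormat(byte, f)),
    }
}
```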