tor_llcrypto/
pk.rs

1//! Public-key cryptography for Tor.
2//!
3//! In old places, Tor uses RSA; newer Tor public-key cryptography is
4//! based on curve25519 and ed25519.
5
6pub mod ed25519;
7pub mod keymanip;
8pub mod rsa;
9
10/// Re-exporting Curve25519 implementations.
11///
12/// *TODO*: Eventually we should probably recommend using this code via some
13/// key-agreement trait, but for now we are just re-using the APIs from
14/// [`x25519_dalek`].
15pub mod curve25519 {
16    use derive_deftly::Deftly;
17    use educe::Educe;
18    use subtle::ConstantTimeEq;
19
20    use crate::util::ct::derive_deftly_template_PartialEqFromCtEq;
21    use crate::util::rng::RngCompat;
22
23    /// A keypair containing a [`StaticSecret`] and its corresponding public key.
24    #[allow(clippy::exhaustive_structs)]
25    #[derive(Clone, Educe)]
26    #[educe(Debug)]
27    pub struct StaticKeypair {
28        /// The secret part of the key.
29        #[educe(Debug(ignore))]
30        pub secret: StaticSecret,
31        /// The public part of this key.
32        pub public: PublicKey,
33    }
34
35    /// A curve25519 secret key that can only be used once,
36    /// and that can never be inspected.
37    ///
38    /// See [`x25519_dalek::EphemeralSecret`] for more information.
39    pub struct EphemeralSecret(x25519_dalek::EphemeralSecret);
40
41    /// A curve25519 secret key that can be used more than once,
42    /// and whose value can be inspected.
43    ///
44    /// See [`x25519_dalek::StaticSecret`] for more information.
45    //
46    // TODO: We may want eventually want to expose ReusableSecret instead of
47    // StaticSecret, for use in places where we need to use a single secret
48    // twice in one handshake, but we do not need that secret to be persistent.
49    //
50    // The trouble here is that if we use ReusableSecret in these cases, we
51    // cannot easily construct it for testing purposes.  We could in theory
52    // kludge something together using a fake Rng, but that might be more
53    // trouble than we want to go looking for.
54    #[derive(Clone)]
55    pub struct StaticSecret(x25519_dalek::StaticSecret);
56
57    impl ConstantTimeEq for StaticSecret {
58        fn ct_eq(&self, other: &Self) -> subtle::Choice {
59            let Self { 0: self_secret } = self;
60            let Self { 0: other_secret } = other;
61
62            self_secret.as_bytes().ct_eq(other_secret.as_bytes())
63        }
64    }
65
66    /// A curve15519 public key.
67    ///
68    /// See [`x25519_dalek::PublicKey`] for more information.
69    #[derive(Clone, Copy, Debug, Eq, Deftly)]
70    #[derive_deftly(PartialEqFromCtEq)]
71    pub struct PublicKey(x25519_dalek::PublicKey);
72
73    impl ConstantTimeEq for PublicKey {
74        fn ct_eq(&self, other: &Self) -> subtle::Choice {
75            let Self { 0: self_secret } = self;
76            let Self { 0: other_secret } = other;
77
78            self_secret.as_bytes().ct_eq(other_secret.as_bytes())
79        }
80    }
81
82    /// A shared secret negotiated using curve25519.
83    ///
84    /// See [`x25519_dalek::SharedSecret`] for more information
85    pub struct SharedSecret(x25519_dalek::SharedSecret);
86
87    impl<'a> From<&'a EphemeralSecret> for PublicKey {
88        fn from(secret: &'a EphemeralSecret) -> Self {
89            Self((&secret.0).into())
90        }
91    }
92
93    impl<'a> From<&'a StaticSecret> for PublicKey {
94        fn from(secret: &'a StaticSecret) -> Self {
95            Self((&secret.0).into())
96        }
97    }
98
99    impl From<[u8; 32]> for StaticSecret {
100        fn from(value: [u8; 32]) -> Self {
101            Self(value.into())
102        }
103    }
104    impl From<[u8; 32]> for PublicKey {
105        fn from(value: [u8; 32]) -> Self {
106            Self(value.into())
107        }
108    }
109
110    impl EphemeralSecret {
111        /// Return a new random ephemeral secret key.
112        pub fn random_from_rng<R: rand_core::RngCore + rand_core::CryptoRng>(csprng: R) -> Self {
113            Self(x25519_dalek::EphemeralSecret::random_from_rng(
114                RngCompat::new(csprng),
115            ))
116        }
117        /// Negotiate a shared secret using this secret key and a public key.
118        pub fn diffie_hellman(self, their_public: &PublicKey) -> SharedSecret {
119            SharedSecret(self.0.diffie_hellman(&their_public.0))
120        }
121    }
122    impl StaticSecret {
123        /// Return a new random static secret key.
124        pub fn random_from_rng<R: rand_core::RngCore + rand_core::CryptoRng>(csprng: R) -> Self {
125            Self(x25519_dalek::StaticSecret::random_from_rng(RngCompat::new(
126                csprng,
127            )))
128        }
129        /// Negotiate a shared secret using this secret key and a public key.
130        pub fn diffie_hellman(&self, their_public: &PublicKey) -> SharedSecret {
131            SharedSecret(self.0.diffie_hellman(&their_public.0))
132        }
133        /// Return the bytes that represent this key.
134        pub fn to_bytes(&self) -> [u8; 32] {
135            self.0.to_bytes()
136        }
137        /// Return a reference to the bytes that represent this key.
138        pub fn as_bytes(&self) -> &[u8; 32] {
139            self.0.as_bytes()
140        }
141    }
142    impl SharedSecret {
143        /// Return the shared secret as an array of bytes.
144        pub fn as_bytes(&self) -> &[u8; 32] {
145            self.0.as_bytes()
146        }
147        /// Return true if both keys contributed to this shared secret.
148        ///
149        /// See [`x25519_dalek::SharedSecret::was_contributory`] for more information.
150        pub fn was_contributory(&self) -> bool {
151            self.0.was_contributory()
152        }
153    }
154    impl PublicKey {
155        /// Return this public key as a reference to an array of bytes.
156        pub fn as_bytes(&self) -> &[u8; 32] {
157            self.0.as_bytes()
158        }
159        /// Return this public key as an array of bytes.
160        pub fn to_bytes(&self) -> [u8; 32] {
161            self.0.to_bytes()
162        }
163    }
164}
165
166/// A type for a validatable signature.
167///
168/// It necessarily includes the signature, the public key, and (a hash
169/// of?) the document being checked.
170///
171/// Having this trait enables us to write code for checking a large number
172/// of validatable signatures in a way that permits batch signatures for
173/// Ed25519.
174///
175/// To be used with [`validate_all_sigs`].
176pub trait ValidatableSignature {
177    /// Check whether this signature is a correct signature for the document.
178    fn is_valid(&self) -> bool;
179
180    /// Return this value as a validatable Ed25519 signature, if it is one.
181    fn as_ed25519(&self) -> Option<&ed25519::ValidatableEd25519Signature> {
182        None
183    }
184}
185
186/// Check whether all of the signatures in this Vec are valid.
187///
188/// Return `true` if every signature is valid; return `false` if even
189/// one is invalid.
190///
191/// This function should typically give the same result as just
192/// calling `v.iter().all(ValidatableSignature::is_valid))`, while taking
193/// advantage of batch verification to whatever extent possible.
194///
195/// (See [`ed25519::validate_batch`] for caveats.)
196pub fn validate_all_sigs(v: &[Box<dyn ValidatableSignature>]) -> bool {
197    // First we break out the ed25519 signatures (if any) so we can do
198    // a batch-verification on them.
199    let mut ed_sigs = Vec::new();
200    let mut non_ed_sigs = Vec::new();
201    for sig in v.iter() {
202        match sig.as_ed25519() {
203            Some(ed_sig) => ed_sigs.push(ed_sig),
204            None => non_ed_sigs.push(sig),
205        }
206    }
207
208    // Find out if the ed25519 batch is valid.
209    let ed_batch_is_valid = crate::pk::ed25519::validate_batch(&ed_sigs[..]);
210
211    // if so, verify the rest.
212    ed_batch_is_valid && non_ed_sigs.iter().all(|b| b.is_valid())
213}
214
215#[cfg(test)]
216mod test {
217    // @@ begin test lint list maintained by maint/add_warning @@
218    #![allow(clippy::bool_assert_comparison)]
219    #![allow(clippy::clone_on_copy)]
220    #![allow(clippy::dbg_macro)]
221    #![allow(clippy::mixed_attributes_style)]
222    #![allow(clippy::print_stderr)]
223    #![allow(clippy::print_stdout)]
224    #![allow(clippy::single_char_pattern)]
225    #![allow(clippy::unwrap_used)]
226    #![allow(clippy::unchecked_duration_subtraction)]
227    #![allow(clippy::useless_vec)]
228    #![allow(clippy::needless_pass_by_value)]
229    //! <!-- @@ end test lint list maintained by maint/add_warning @@ -->
230    #[test]
231    fn validatable_ed_sig() {
232        use super::ValidatableSignature;
233        use super::ed25519::{PublicKey, Signature, ValidatableEd25519Signature};
234        use hex_literal::hex;
235        let pk = PublicKey::from_bytes(&hex!(
236            "fc51cd8e6218a1a38da47ed00230f058
237             0816ed13ba3303ac5deb911548908025"
238        ))
239        .unwrap();
240        let sig: Signature = hex!(
241            "6291d657deec24024827e69c3abe01a3
242             0ce548a284743a445e3680d7db5ac3ac
243             18ff9b538d16f290ae67f760984dc659
244             4a7c15e9716ed28dc027beceea1ec40a"
245        )
246        .into();
247
248        let valid = ValidatableEd25519Signature::new(pk, sig, &hex!("af82"));
249        let invalid = ValidatableEd25519Signature::new(pk, sig, &hex!("af83"));
250
251        assert!(valid.is_valid());
252        assert!(!invalid.is_valid());
253    }
254}
tor_llcrypto/pk.rs

tor_llcrypto/
pk.rs
