tor_netdoc/parse2/poc/
authcert.rs

1//! Directory Authority Key Certificates
2
3use super::*;
4
5/// SHA1 hash as used in directory authority certificates
6//
7// We don't have a better name for this!
8type DirKeyCertificateHash = [u8; 20];
9
10pub use crate::doc::authcert::AuthCert as DirAuthKeyCert;
11pub use crate::doc::authcert::AuthCertSigned as DirAuthKeyCertSigned;
12
13impl DirAuthKeyCertSigned {
14    /// Verify the signatures (and check validity times)
15    ///
16    /// # Security considerations
17    ///
18    /// The caller must check that the KP_auth_id is correct/relevant.
19    pub fn verify_selfcert(self, now: SystemTime) -> Result<DirAuthKeyCert, VF> {
20        // verify main document signature (and timestamp)
21        let hash = self.signatures.dir_key_certification.hash;
22        let body = &self.inspect_unverified().0;
23
24        let validity = body.dir_key_published.0..=body.dir_key_expires.0;
25        check_validity_time(now, validity)?;
26        body.dir_identity_key
27            .verify(&hash, &self.signatures.dir_key_certification.signature)?;
28
29        // double-check the id hash
30        if *body.fingerprint != body.dir_identity_key.to_rsa_identity() {
31            return Err(VF::Inconsistent);
32        }
33
34        // verify cross-cert
35        let h_kp_auth_id_rsa: DirKeyCertificateHash =
36            tor_llcrypto::d::Sha1::digest(body.dir_identity_key.to_der()).into();
37        // Cross-cert has no timestamp.  Whatever.
38        body.dir_signing_key
39            .verify(&h_kp_auth_id_rsa, &body.dir_key_crosscert.signature)?;
40
41        Ok(self.unwrap_unverified().0)
42    }
43}
tor_netdoc/parse2/poc/authcert.rs

tor_netdoc/parse2/poc/
authcert.rs
