Implement the /tor/keys/fp-sk/ URL format. That mostly finishes the server side of 157.

svn:r17611
This commit is contained in:
Nick Mathewson 2008-12-12 19:05:36 +00:00
parent 69ce955484
commit 5fb2ab1e65
6 changed files with 117 additions and 2 deletions

View File

@ -22,6 +22,8 @@ Changes in version 0.2.1.9-alpha - 200?-??-??
- Add cross-certification to newly generated certificates, so that
a signing key is enough information to use to look up a certificate.
Partial implementation of proposal 157.
- Start serving certificates by <identity digest, signing key digest>
pairs. Partial implementation of proposal 157.
o Minor features (controller):
- New CONSENSUS_ARRIVED event to note when a new consensus has

View File

@ -1556,6 +1556,15 @@ $Id$
available at:
http://<hostname>/tor/keys/sk/<F>.z
The key certificate whose identity key fingerprint is <F> and whose signing
key fingerprint is <S> should be available at:
http://<hostname>/tor/keys/fp-sk/<F>-<S>.z
(As usual, clients may request multiple certificates using:
http://<hostname>/tor/keys/fp-sk/<F1>-<S1>+<F2>-<S2>.z )
[The above fp-sk format was not supported before Tor 0.2.1.9-alpha.]
The most recent descriptor for a server whose identity key has a
fingerprint of <F> should be available at:
http://<hostname>/tor/server/fp/<F>.z

View File

@ -15,8 +15,9 @@ History:
Status:
Cross-certification is implemented for new certificates, but not yet
required.
As of 0.2.1.9-alpha:
Cross-certification is implemented for new certificates, but not yet
required. Directories support the tor/keys/fp-sk urls.
Overview:

View File

@ -2780,6 +2780,17 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers,
tor_free(d);
});
smartlist_free(fps);
} else if (!strcmpstart(url, "/tor/keys/fp-sk/")) {
smartlist_t *fp_sks = smartlist_create();
dir_split_resource_into_fingerprint_pairs(url+strlen("/tor/keys/fp-sk/"),
fp_sks);
SMARTLIST_FOREACH(fp_sks, fp_pair_t *, pair, {
authority_cert_t *c = authority_cert_get_by_digests(pair->first,
pair->second);
if (c) smartlist_add(certs, c);
tor_free(pair);
});
smartlist_free(fp_sks);
} else {
write_http_status_line(conn, 400, "Bad request");
goto keys_done;
@ -3383,6 +3394,63 @@ dir_routerdesc_download_failed(smartlist_t *failed, int status_code,
* every 10 or 60 seconds (FOO_DESCRIPTOR_RETRY_INTERVAL) in main.c. */
}
static int
_compare_pairs(const void **a, const void **b)
{
const fp_pair_t *fp1 = *a, *fp2 = *b;
int r;
if ((r = memcmp(fp1->first, fp2->first, DIGEST_LEN)))
return r;
else
return memcmp(fp1->second, fp2->second, DIGEST_LEN);
}
/** DOCDOC */
int
dir_split_resource_into_fingerprint_pairs(const char *res,
smartlist_t *pairs_out)
{
smartlist_t *pairs_tmp = smartlist_create();
smartlist_t *pairs_result = smartlist_create();
smartlist_split_string(pairs_tmp, res, "+", 0, 0);
if (smartlist_len(pairs_tmp)) {
char *last = smartlist_get(pairs_tmp,smartlist_len(pairs_tmp)-1);
size_t last_len = strlen(last);
if (last_len > 2 && !strcmp(last+last_len-2, ".z")) {
last[last_len-2] = '\0';
}
}
SMARTLIST_FOREACH_BEGIN(pairs_tmp, char *, cp) {
if (strlen(cp) != HEX_DIGEST_LEN*2+1) {
log_info(LD_DIR,
"Skipping digest pair %s with non-standard length.", escaped(cp));
} else if (cp[HEX_DIGEST_LEN] != '-') {
log_info(LD_DIR,
"Skipping digest pair %s with missing dash.", escaped(cp));
} else {
fp_pair_t pair;
if (base16_decode(pair.first, DIGEST_LEN, cp, HEX_DIGEST_LEN)<0 ||
base16_decode(pair.second,
DIGEST_LEN, cp+HEX_DIGEST_LEN+1, HEX_DIGEST_LEN)<0) {
log_info(LD_DIR, "Skipping non-decodable digest pair %s", escaped(cp));
} else {
smartlist_add(pairs_result, tor_memdup(&pair, sizeof(pair)));
}
}
tor_free(cp);
} SMARTLIST_FOREACH_END(cp);
smartlist_free(pairs_tmp);
/* Uniq-and-sort */
smartlist_sort(pairs_result, _compare_pairs);
smartlist_uniq(pairs_result, _compare_pairs, _tor_free);
smartlist_add_all(pairs_out, pairs_result);
smartlist_free(pairs_result);
return 0;
}
/** Given a directory <b>resource</b> request, containing zero
* or more strings separated by plus signs, followed optionally by ".z", store
* the strings, in order, into <b>fp_out</b>. If <b>compressed_out</b> is

View File

@ -3277,6 +3277,12 @@ void directory_initiate_command(const char *address, const tor_addr_t *addr,
int dir_split_resource_into_fingerprints(const char *resource,
smartlist_t *fp_out, int *compresseed_out,
int decode_hex, int sort_uniq);
typedef struct {
char first[DIGEST_LEN];
char second[DIGEST_LEN];
} fp_pair_t;
int dir_split_resource_into_fingerprint_pairs(const char *res,
smartlist_t *pairs_out);
char *directory_dump_request_log(void);
void note_request(const char *key, size_t bytes);
int router_supports_extrainfo(const char *identity_digest, int is_authority);

View File

@ -2985,6 +2985,34 @@ test_dir_format(void)
tor_free(dir2); /* And more !*/
}
static void
test_dirutil(void)
{
smartlist_t *sl = smartlist_create();
fp_pair_t *pair;
dir_split_resource_into_fingerprint_pairs(
/* Two pairs, out of order, with one duplicate. */
"73656372657420646174612E0000000000FFFFFF-"
"557365204145532d32353620696e73746561642e+"
"73656372657420646174612E0000000000FFFFFF-"
"557365204145532d32353620696e73746561642e+"
"48657861646563696d616c2069736e277420736f-"
"676f6f6420666f7220686964696e6720796f7572.z", sl);
test_eq(smartlist_len(sl), 2);
pair = smartlist_get(sl, 0);
test_memeq(pair->first, "Hexadecimal isn't so", DIGEST_LEN);
test_memeq(pair->second, "good for hiding your", DIGEST_LEN);
pair = smartlist_get(sl, 1);
test_memeq(pair->first, "secret data.\0\0\0\0\0\xff\xff\xff", DIGEST_LEN);
test_memeq(pair->second, "Use AES-256 instead.", DIGEST_LEN);
done:
SMARTLIST_FOREACH(sl, fp_pair_t *, pair, tor_free(pair));
smartlist_free(sl);
}
extern const char AUTHORITY_CERT_1[];
extern const char AUTHORITY_SIGNKEY_1[];
extern const char AUTHORITY_CERT_2[];
@ -4448,6 +4476,7 @@ static struct {
SUBENT(util, order_functions),
ENT(onion_handshake),
ENT(dir_format),
ENT(dirutil),
ENT(v3_networkstatus),
ENT(policies),
ENT(rend_fns),