[tor-bugs] #13042 [Tor]: torspec isn't very clear about the encodings used for `onion-key` and `signing-key`
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 2 23:17:58 UTC 2014
#13042: torspec isn't very clear about the encodings used for `onion-key` and
`signing-key`
-------------------------------------------------+-------------------------
Reporter: isis | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Keywords: torspec, leekspin, stem, bridgedb, | Actual Points:
tor-descriptors | Points:
Parent ID: |
-------------------------------------------------+-------------------------
Currently, in `dir-spec.txt`, it is specified that:
{{{
"signing-key" NL a public key in PEM format
[Exactly once]
The OR's long-term identity key. It MUST be 1024 bits.
}}}
and
{{{
"onion-key" NL a public key in PEM format
[Exactly once]
This key is used to encrypt CREATE cells for this OR. The key MUST
be
accepted for at least 1 week after any new key is published in a
subsequent descriptor. It MUST be 1024 bits.
}}}
However, according to
[https://gitweb.torproject.org/stem.git/commitdiff/e0095fbe54759c45cbf6d1b120d2b17b47a0ec21
this commit] added to Stem in #5810, verifying signatures created with the
`signing-key` isn't so easy. With that code, Stem is able to verify
descriptor signatures created by Tor, yet not
[https://gitweb.torproject.org/user/isis/leekspin.git/blob/HEAD:/leekspin/generator.py#l89
those created by Leekspin], which clearly means the spec is unclear on
this matter (and Leekspin is Doing It Wrong).
My current understanding after looking at `crypto_pk_public_checksig()` in
Tor, the OpenSSL source, and Stem's signature verification code above is
that the `signing-key` and `onion-key` are formatted as follows:
1. OpenSSL PEM-encoded export of public halves of keys.
2. The PEM-encoded keys are stripped of their `----BEGIN...` and
`-----END...` headers.
3. The keys are then PKCS!#1 padded.
4. Next, the PKCS!#1-padded, PEM-encoded raw keys are encoded as an
ASN.1 DER sequence.
5. That ASN.1 DER sequence is then base64 encoded.
6. Finally, the `-----BEGIN...` and `-----END...` headers are stuck back
on the keys, and they are shoved into the descriptor.
Questions:
* Is the above understanding of the order of encodings correct?
* Which version of PCKS!#1? Any version? Anything newer than v1.5? Only
v2.0?
* I understand the use of PKCS!#1 to protect against padding attacks,
but doesn't [https://en.wikipedia.org/wiki/Adaptive_chosen-
ciphertext_attack#Practical_attacks Bleichenbacher's attack] still work
against PKCS!#1 v1.0?
* Why aren't we using the PKCS!#1 probabilistic signature schemes
(RSASSA-PSS/EMSA-PSS) used in PKCS!#1 v2.0?
* For the signatures, the descriptor document "through the newline on
the `router-signature` line" is PKCS!#1-padded, then digested. Does this
include the newline character?
* Also, the spec is unclear as to whether
1. the ''descriptor document'' is PKCS!#1-padded, then digested,
then signed,
or
2. the descriptor document is digested, then signed, and the
''signature'' is PKCS!#1-padded.
{{{
"router-signature" NL Signature NL
[At end, exactly once]
The "SIGNATURE" object contains a signature of the PKCS1-padded
hash of the entire router descriptor, taken from the beginning of
the
"router" line, through the newline after the "router-signature"
line.
The router descriptor is invalid unless the signature is performed
with the router's identity key.
}}}
* Is it any specific type of ASN.1 DER sequence?
* Why are we using ASN.1? Does it protect against something? It just
seems to send parsers to early graves. Why can't we just do the base64
encoding after PKCS!#1?
* ''Why? Oh why? Cthulhu fhtagn... Why? The insanity...''
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13042>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list