January 2014 - tor-commits - lists.torproject.org

[bridgedb/master] Return the OR server ID public RSA key from makeOnionKeys().
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 2d407a35b314c3ebad52ead0b95630d15cccb106 Author: Isis Lovecruft <isis(a)torproject.org> Date: Thu Nov 7 15:04:10 2013 +0000 Return the OR server ID public RSA key from makeOnionKeys(). The public key should be used in identity key hash digest creation, so we need to return `SIDPCert` from the makeOnionKeys() function in gen_bridge_descriptors, so that we can use it in makeDescriptors(). --- scripts/gen_bridge_descriptors | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 8a51529..ae37a6a 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -592,8 +592,7 @@ def makeOnionKeys(bridge=True, digest='sha1'): onionKeyString = 'onion-key\n%s' % getPEMPublicKey(onionPCert) signingKeyString = 'signing-key\n%s' % getPEMPublicKey(signPCert) - # XXX we don't need anything else… right? - return SIDSKey, (fingerprint, onionKeyString, signingKeyString) + return SIDSKey, SIDPCert, (fingerprint, onionKeyString, signingKeyString) def generateExtraInfo(fingerprint, ts, ipv4, port): """Create an OR extra-info document. @@ -757,8 +756,8 @@ def generateDescriptors(): timestamp = makeTimeStamp(variation=True, period=36) protocols = makeProtocolsLine(vers) - idkey, (fingerprint, onionkey, signingkey) = makeOnionKeys() - idkey_private = getPEMPrivateKey(idkey) + SIDSKey, SIDPCert, (fingerprint, onionkey, signingkey) = makeOnionKeys() + idkey_private = getPEMPrivateKey(SIDSKey) idkey_digest = hashlib.sha1(idkey_private).digest() fpr = convertToSpaceyFingerprint(fingerprint)

1 0

[bridgedb/master] Fix bug in gen_bridge_descriptors which left spaces in an OR fingerprint.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 3a33c3ac35739cbc8a72e1038c7185406a3b672f Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Nov 5 08:49:51 2013 +0000 Fix bug in gen_bridge_descriptors which left spaces in an OR fingerprint. * FIX the first line of an OR extra-info document, the fingerprint was being written without the extra spaces removed. --- scripts/gen_bridge_descriptors | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 7050647..d9805d3 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -571,7 +571,7 @@ def generateExtraInfo(fingerprint, ts, ipv4, port): :returns: An extra-info document (unsigned). """ extra = [] - extra.append("extra-info Unnamed %s" % fingerprint) + extra.append("extra-info Unnamed %s" % fingerprint.replace(' ', '')) extra.append("published %s" % ts) extra.append("write-history %s (900 s)\n3188736,2226176,2866176" % ts) extra.append("read-history %s (900 s)\n3891200,2483200,2698240" % ts)

1 0

[bridgedb/master] Update makeOnionKeys() docstring to include encoding specifications.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 02ea78ae3e683a888b82f768a8923a624d2dc0a1 Author: Isis Lovecruft <isis(a)torproject.org> Date: Fri Nov 15 08:59:32 2013 +0000 Update makeOnionKeys() docstring to include encoding specifications. * ADD excerpts, from tor-spec.txt and dir-spec.txt, pertaining to encodings and formats for keys/certs and hash digests, to gen_bridge_descriptor.makeOnionKeys() function docstring, for clarity, since the encodings currently used in this function are all kinds of wrong. --- scripts/gen_bridge_descriptors | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 161e310..8a51529 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -520,6 +520,38 @@ def getPEMPrivateKey(key): def makeOnionKeys(bridge=True, digest='sha1'): """Make all the keys and certificates necessary to fake an OR. + The encodings for the various key and descriptor digests needed are + described in dir-spec.txt and tor-spec.txt, the latter mostly for the + padding and encoding used in the creation of an OR's keys. + + For the "router" line in a networkstatus document, the following encodings + are specified: + + From dir-spec.txt, commit 36761c7d5, L1504-1512: + | + | […] "Identity" is a hash of its + | identity key, encoded in base64, with trailing equals sign(s) + | removed. "Digest" is a hash of its most recent descriptor as + | signed (that is, not including the signature), encoded in base64. + | + + Before the hash digest of an OR's identity key is base64-encoded for + inclusion in a networkstatus document, the hash digest is created in the + following manner: + + From tor-spec.txt, commit 36761c7d5, L109-110: + | + | When we refer to "the hash of a public key", we mean the SHA-1 hash of the + | DER encoding of an ASN.1 RSA public key (as specified in PKCS.1). + | + + From tor-spec.txt, commit 36761c7d5, L785-787: + | + | The "legacy identity" and "identity fingerprint" fields are the SHA1 + | hash of the PKCS#1 ASN1 encoding of the next onion router's identity + | (signing) key. (See 0.3 above.) + | + :param boolean bridge: If False, generate a server OR ID key, a signing key, and a TLS certificate/key pair. If True, generate a client ID key as well.

1 0

[bridgedb/master] Fix OpenSSL cert timestamp bug in gen_bridge_descriptors.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit e34e392186f599edc2c97e3816ae0ee2cb1a8c83 Author: Isis Lovecruft <isis(a)torproject.org> Date: Fri Nov 15 08:19:36 2013 +0000 Fix OpenSSL cert timestamp bug in gen_bridge_descriptors. OpenSSL only strictly takes a non-standardized format for timestamps which set the "Not Valid Before" and "Not Valid After" fields on an x509 certificate. It *doesn't* take timestamps in Seconds Since Epoch (as I previously had believed), but only with the strftime format "%Y%m%d%H%M%SZ" (yes, with a random capital-Z at the end). OpenSSL *also* doesn't consider the timestamp `0` to be the current time, contrary to its documentation. * FIXES a bug in gen_bridge_descriptors where all x509 certificates, and the signatures which their corresponding OpenSSL.crypto.PKeys created, were invalid due to crazy timestamps. --- scripts/gen_bridge_descriptors | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 23e87bf..161e310 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -474,8 +474,14 @@ def createTLSCert(lifetime=None): lifetime -= 1 cert = OpenSSL.crypto.X509() - cert.gmtime_adj_notBefore(0) # Not valid before now - cert.gmtime_adj_notAfter(lifetime) + + timeFormat = lambda x: time.strftime("%Y%m%d%H%M%SZ", x) + now = time.time() + before = time.gmtime(now) + after = time.gmtime(now + lifetime) + cert.set_notBefore(timeFormat(before)) + cert.set_notAfter(timeFormat(after)) + return cert def createTLSLinkCert(lifetime=7200):

1 0

[bridgedb/master] Fix missing newline after 'router-signature' in gen_bridge_descriptors.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit ea5666919ddd20ca761cf3dc91a3e78a85abbeb5 Author: Isis Lovecruft <isis(a)torproject.org> Date: Tue Nov 5 08:51:21 2013 +0000 Fix missing newline after 'router-signature' in gen_bridge_descriptors. * FIX a bug where the newline after 'router-signature' in an OR extra-info descriptor was missing. --- scripts/gen_bridge_descriptors | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index d9805d3..23e87bf 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -589,7 +589,7 @@ def generateExtraInfo(fingerprint, ts, ipv4, port): extra.append("transport obfs2 %s:%d" % (ipv4, port + 2)) extra.append("bridge-stats-end %s (86400 s)\nbridge-ips ca=8" % ts) extra.append("bridge-ip-versions v4=8,v6=0\nbridge-ip-transports <OR>=8") - extra.append("router-signature") + extra.append("router-signature\n") return '\n'.join(extra)

1 0

[bridgedb/master] Create the OR public ID key hash digest in gen_bridge_descriptors.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 3cfddb08ee8ee334038d725fd26a8d5e24c55acc Author: Isis Lovecruft <isis(a)torproject.org> Date: Thu Nov 7 15:31:11 2013 +0000 Create the OR public ID key hash digest in gen_bridge_descriptors. --- scripts/gen_bridge_descriptors | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index ae37a6a..282e1bd 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -762,6 +762,14 @@ def generateDescriptors(): fpr = convertToSpaceyFingerprint(fingerprint) + idkey_public = OpenSSL.crypto.dump_privatekey(PEM, + SIDPCert.get_pubkey()) + idkey_public = re.sub(OPENSSL_BEGIN_KEY, '', idkey_public) + idkey_public = re.sub(OPENSSL_END_KEY, '', idkey_public) + idkey_public = idkey_public.strip() + identity = binascii.b2a_base64( + hashlib.sha1(idkey_public).digest()).strip().strip('=======') + extrainfo_document = generateExtraInfo(fpr, timestamp, ipv4, port) extrainfo_digest = hashlib.sha1(extrainfo_document).digest() extrainfo_hexdigest = hashlib.sha1(extrainfo_document).hexdigest().upper()

1 0

[bridgedb/master] Remove two EOL whitespace characters in gen_bridge_descriptors.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 2d655c66a1e735a2a16d84a1805d83706215fceb Author: Isis Lovecruft <isis(a)torproject.org> Date: Thu Nov 7 15:31:45 2013 +0000 Remove two EOL whitespace characters in gen_bridge_descriptors. --- scripts/gen_bridge_descriptors | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 282e1bd..68d58c1 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -640,9 +640,9 @@ def generateNetstatus(idkey_digest, server_desc_digest, timestamp, :param XXX idkey_digest: The SHA-1 digest of the router's public identity key. - :param XXX server_desc_digest: The SHA-1 digest of the router's + :param XXX server_desc_digest: The SHA-1 digest of the router's ``@type [bridge-]server-descriptor``, before the descriptor is signed. - :param XXX timestamp: + :param XXX timestamp: """ idkey_b64 = binascii.b2a_base64(idkey_digest)

1 0

[bridgedb/master] Fix old-style class bridgedb.Bridges.BridgeRingParameters.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 3721b39a5db4f9adc9bc5404ee4f86a68fa31403 Author: Isis Lovecruft <isis(a)torproject.org> Date: Fri Nov 15 13:19:38 2013 +0000 Fix old-style class bridgedb.Bridges.BridgeRingParameters. --- lib/bridgedb/Bridges.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bridgedb/Bridges.py b/lib/bridgedb/Bridges.py index 264ef99..3323989 100644 --- a/lib/bridgedb/Bridges.py +++ b/lib/bridgedb/Bridges.py @@ -645,7 +645,7 @@ class BridgeHolder(object): def dumpAssignments(self, f, description=""): pass -class BridgeRingParameters: +class BridgeRingParameters(object): """DOCDOC""" def __init__(self, needPorts=(), needFlags=()): """DOCDOC takes list of port, count"""

1 0

[bridgedb/master] Fix old-style class bridgedb.Bridges.BridgeHolder.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit 3d4966034eb3adb6ba4ea67d926f5a5a42a51095 Author: Isis Lovecruft <isis(a)torproject.org> Date: Fri Nov 15 13:17:22 2013 +0000 Fix old-style class bridgedb.Bridges.BridgeHolder. --- lib/bridgedb/Bridges.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/bridgedb/Bridges.py b/lib/bridgedb/Bridges.py index 9fc94e8..264ef99 100644 --- a/lib/bridgedb/Bridges.py +++ b/lib/bridgedb/Bridges.py @@ -631,7 +631,7 @@ def parseCountryBlockFile(f): if ID and address and portlist and countries: yield ID, address, portlist, countries -class BridgeHolder: +class BridgeHolder(object): """Abstract base class for all classes that hold bridges.""" def insert(self, bridge): raise NotImplementedError

1 0

[bridgedb/master] Add a docstring to bridgedb.Bridges.BridgeRingParameters.
by isis＠torproject.org 12 Jan '14

12 Jan '14

commit d106b9e15d74214b0fc55d6f2957985e139ca69f Author: Isis Lovecruft <isis(a)torproject.org> Date: Fri Nov 15 13:20:37 2013 +0000 Add a docstring to bridgedb.Bridges.BridgeRingParameters. --- lib/bridgedb/Bridges.py | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/lib/bridgedb/Bridges.py b/lib/bridgedb/Bridges.py index 3323989..4627a88 100644 --- a/lib/bridgedb/Bridges.py +++ b/lib/bridgedb/Bridges.py @@ -646,7 +646,18 @@ class BridgeHolder(object): pass class BridgeRingParameters(object): - """DOCDOC""" + """Store validated settings on minimum number of Bridges with certain + attributes which should be included in any generated subring of a + hashring. + + :ivar list needPorts: List of two-tuples of desired port numbers and their + respective minimums. + :ivar list needFlags: List of two-tuples of desired flags_ assigned to a + Bridge by the Bridge DirAuth. + + .. _flags: https://gitweb.torproject.org/torspec.git/blob/HEAD:/dir-spec.txt#l1696 + """ + def __init__(self, needPorts=(), needFlags=()): """DOCDOC takes list of port, count""" for port,count in needPorts:

1 0