tor-commits November 2019

tor-commits@lists.torproject.org

20 participants
2923 discussions

[stem/master] Generate defaults in introduction point creation
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 61f5a97ad2016b7f1f043a0e0c551fedcf1ad2e1 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Nov 6 16:24:37 2019 -0800 Generate defaults in introduction point creation Making all the arguments except address/port optional so callers can opt to skip them. --- stem/descriptor/certificate.py | 2 ++ stem/descriptor/hidden_service.py | 57 ++++++++++++++++++++++----------------- 2 files changed, 34 insertions(+), 25 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index 760287d8..f9ab8f80 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -100,6 +100,8 @@ ED25519_SIGNATURE_LENGTH = 64 SIG_PREFIX_SERVER_DESC = b'Tor router descriptor signature v1' SIG_PREFIX_HS_V3 = b'Tor onion service descriptor sig v3' +DEFAULT_EXPIRATION_HOURS = 54 # HSv3 certificate expiration of tor + CertType = stem.util.enum.UppercaseEnum( 'SIGNING', 'LINK_CERT', diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index ce8af246..a052d965 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -205,7 +205,7 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s return IntroductionPointV3(link_specifiers, onion_key, auth_key_cert, enc_key, enc_key_cert, legacy_key, legacy_key_cert) @staticmethod - def create(address, port, expiration, onion_key, enc_key, auth_key, signing_key): + def create(address, port, expiration = None, onion_key = None, enc_key = None, auth_key = None, signing_key = None): """ Simplified constructor. For more sophisticated use cases you can use this as a template for how introduction points are properly created. @@ -223,26 +223,8 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s :raises: **ValueError** if the address, port, or keys are malformed """ - def _key_bytes(key): - class_name = type(key).__name__ - - if isinstance(key, str): - return key - elif not class_name.endswith('PublicKey') and not class_name.endswith('PrivateKey'): - raise ValueError('Key must be a string or cryptographic public/private key (was %s)' % class_name) - elif not stem.prereq.is_crypto_available(): - raise ImportError('Serializing keys requires the cryptography module') - - from cryptography.hazmat.primitives import serialization - - if class_name.endswith('PrivateKey'): - key = key.public_key() - - return key.public_bytes( - encoding = serialization.Encoding.Raw, - format = serialization.PublicFormat.Raw, - ) - + if not stem.prereq.is_crypto_available(ed25519 = True): + raise ImportError('Introduction point creation requires the cryptography module ed25519 support') if not stem.util.connection.is_valid_port(port): raise ValueError("'%s' is an invalid port" % port) @@ -253,12 +235,37 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s else: raise ValueError("'%s' is not a valid IPv4 or IPv6 address" % address) - onion_key = base64.b64encode(_key_bytes(onion_key)) - enc_key = base64.b64encode(_key_bytes(enc_key)) + from cryptography.hazmat.primitives import serialization + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey + from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey + + def _key_bytes(key): + if isinstance(key, str): + return key + elif isinstance(key, (X25519PrivateKey, Ed25519PrivateKey)): + return key.public_key().public_bytes( + encoding = serialization.Encoding.Raw, + format = serialization.PublicFormat.Raw, + ) + elif isinstance(key, (X25519PublicKey, Ed25519PublicKey)): + return key.public_bytes( + encoding = serialization.Encoding.Raw, + format = serialization.PublicFormat.Raw, + ) + else: + raise ValueError('Key must be a string or cryptographic public/private key (was %s)' % type(key).__name__) + + if expiration is None: + expiration = datetime.datetime.utcnow() + datetime.timedelta(hours = stem.descriptor.certificate.DEFAULT_EXPIRATION_HOURS) + + onion_key = base64.b64encode(_key_bytes(onion_key if onion_key else X25519PrivateKey.generate())) + enc_key = base64.b64encode(_key_bytes(enc_key if enc_key else X25519PrivateKey.generate())) + auth_key = _key_bytes(auth_key if auth_key else Ed25519PrivateKey.generate()) + signing_key = signing_key if signing_key else Ed25519PrivateKey.generate() extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, _key_bytes(signing_key))] - auth_key_cert = Ed25519CertificateV1(CertType.HS_V3_INTRO_AUTH, expiration, 1, _key_bytes(auth_key), extensions, signing_key = signing_key) - enc_key_cert = Ed25519CertificateV1(CertType.HS_V3_NTOR_ENC, expiration, 1, _key_bytes(auth_key), extensions, signing_key = signing_key) + auth_key_cert = Ed25519CertificateV1(CertType.HS_V3_INTRO_AUTH, expiration, 1, auth_key, extensions, signing_key = signing_key) + enc_key_cert = Ed25519CertificateV1(CertType.HS_V3_NTOR_ENC, expiration, 1, auth_key, extensions, signing_key = signing_key) return IntroductionPointV3(link_specifiers, onion_key, auth_key_cert, enc_key, enc_key_cert, None, None)

1 0

[stem/master] Refactor and move layer encryption
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 33a96a6a754ca7e65f1d5741c6f813c447849ef8 Author: Damian Johnson <atagar(a)torproject.org> Date: Fri Nov 8 16:48:25 2019 -0800 Refactor and move layer encryption We already had a _decrypt_layer() helper from the last branch. While doing the same for encryption it became evedent that these helpers are mostly identical so refactoring the common crypto into a third function. Still not perfectly happy, but closer. :P --- stem/descriptor/hidden_service.py | 54 ++++++++++++++-------- stem/descriptor/hsv3_crypto.py | 95 --------------------------------------- 2 files changed, 36 insertions(+), 113 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 5fb7a189..f0baf678 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -445,12 +445,6 @@ def _parse_file(descriptor_file, desc_type = None, validate = False, **kwargs): def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, blinded_key): - from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes - from cryptography.hazmat.backends import default_backend - - def pack(val): - return struct.pack('>Q', val) - if encrypted_block.startswith('-----BEGIN MESSAGE-----\n') and encrypted_block.endswith('\n-----END MESSAGE-----'): encrypted_block = encrypted_block[24:-22] @@ -466,22 +460,42 @@ def _decrypt_layer(encrypted_block, constant, revision_counter, subcredential, b ciphertext = encrypted[SALT_LEN:-MAC_LEN] expected_mac = encrypted[-MAC_LEN:] - kdf = hashlib.shake_256(blinded_key + subcredential + pack(revision_counter) + salt + constant) + cipher, mac_for = _layer_cipher(constant, revision_counter, subcredential, blinded_key, salt) + + if expected_mac != mac_for(ciphertext): + raise ValueError('Malformed mac (expected %s, but was %s)' % (expected_mac, mac_for(ciphertext))) + + decryptor = cipher.decryptor() + plaintext = decryptor.update(ciphertext) + decryptor.finalize() + + return stem.util.str_tools._to_unicode(plaintext) + + +def _encrypt_layer(plaintext, constant, revision_counter, subcredential, blinded_key): + salt = os.urandom(16) + cipher, mac_for = _layer_cipher(constant, revision_counter, subcredential, blinded_key, salt) + + encryptor = cipher.encryptor() + ciphertext = encryptor.update(plaintext) + encryptor.finalize() + + return salt + ciphertext + mac_for(ciphertext) + + +def _layer_cipher(constant, revision_counter, subcredential, blinded_key, salt): + from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes + from cryptography.hazmat.backends import default_backend + + kdf = hashlib.shake_256(blinded_key + subcredential + struct.pack('>Q', revision_counter) + salt + constant) keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN) secret_key = keys[:S_KEY_LEN] secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN] mac_key = keys[S_KEY_LEN + S_IV_LEN:] - mac = hashlib.sha3_256(pack(len(mac_key)) + mac_key + pack(len(salt)) + salt + ciphertext).digest() - - if mac != expected_mac: - raise ValueError('Malformed mac (expected %s, but was %s)' % (expected_mac, mac)) - cipher = Cipher(algorithms.AES(secret_key), modes.CTR(secret_iv), default_backend()) - decryptor = cipher.decryptor() + mac_prefix = struct.pack('>Q', len(mac_key)) + mac_key + struct.pack('>Q', len(salt)) + salt - return stem.util.str_tools._to_unicode(decryptor.update(ciphertext) + decryptor.finalize()) + return cipher, lambda ciphertext: hashlib.sha3_256(mac_prefix + ciphertext).digest() def _parse_protocol_versions_line(descriptor, entries): @@ -917,18 +931,22 @@ def _get_middle_descriptor_layer_body(encrypted): b'%s' % (fake_pub_key_bytes_b64, fake_clients, encrypted) -def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_counter, blinded_key_bytes, subcredential): +def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_counter, blinded_key, subcredential): """ Get the superencrypted blob (which also includes the encrypted blob) that should be attached to the descriptor """ inner_descriptor_layer = stem.util.str_tools._to_bytes('create2-formats 2\n' + '\n'.join(map(IntroductionPointV3.encode, intro_points)) + '\n') - inner_ciphertext = stem.descriptor.hsv3_crypto.encrypt_inner_layer(inner_descriptor_layer, revision_counter, blinded_key_bytes, subcredential) + inner_ciphertext = _encrypt_layer(inner_descriptor_layer, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) inner_ciphertext_b64 = b64_and_wrap_desc_layer(inner_ciphertext, b'encrypted') middle_descriptor_layer = _get_middle_descriptor_layer_body(inner_ciphertext_b64) - outter_ciphertext = stem.descriptor.hsv3_crypto.encrypt_outter_layer(middle_descriptor_layer, revision_counter, blinded_key_bytes, subcredential) + + padding_bytes_needed = stem.descriptor.hsv3_crypto._get_padding_needed(len(middle_descriptor_layer)) + middle_descriptor_layer = middle_descriptor_layer + b'\x00' * padding_bytes_needed + + outter_ciphertext = _encrypt_layer(middle_descriptor_layer, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) return b64_and_wrap_desc_layer(outter_ciphertext) @@ -1279,7 +1297,7 @@ class InnerLayer(Descriptor): super(InnerLayer, self).__init__(content, lazy_load = not validate) self.outer = outer_layer - # inner layer begins with a few header fields, followed by multiple any + # inner layer begins with a few header fields, followed by any # number of introduction-points div = content.find('\nintroduction-point ') diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py index 80759aa2..b762c5ee 100644 --- a/stem/descriptor/hsv3_crypto.py +++ b/stem/descriptor/hsv3_crypto.py @@ -1,7 +1,3 @@ -import hashlib -import struct -import os - from stem.descriptor import slow_ed25519 @@ -109,82 +105,6 @@ Descriptor encryption """ -def pack(val): - return struct.pack('>Q', val) - - -def get_desc_keys(secret_data, string_constant, subcredential, revision_counter, salt): - """ - secret_input = SECRET_DATA | subcredential | INT_8(revision_counter) - - keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN) - - SECRET_KEY = first S_KEY_LEN bytes of keys - SECRET_IV = next S_IV_LEN bytes of keys - MAC_KEY = last MAC_KEY_LEN bytes of keys - - where - - 2.5.1.1. First layer encryption logic - SECRET_DATA = blinded-public-key - STRING_CONSTANT = "hsdir-superencrypted-data" - - 2.5.2.1. Second layer encryption keys - SECRET_DATA = blinded-public-key | descriptor_cookie - STRING_CONSTANT = "hsdir-encrypted-data" - """ - - secret_input = b'%s%s%s' % (secret_data, subcredential, pack(revision_counter)) - - kdf = hashlib.shake_256(secret_input + salt + string_constant) - - keys = kdf.digest(S_KEY_LEN + S_IV_LEN + MAC_LEN) - - secret_key = keys[:S_KEY_LEN] - secret_iv = keys[S_KEY_LEN:S_KEY_LEN + S_IV_LEN] - mac_key = keys[S_KEY_LEN + S_IV_LEN:] - - return secret_key, secret_iv, mac_key - - -def get_desc_encryption_mac(key, salt, ciphertext): - mac = hashlib.sha3_256(pack(len(key)) + key + pack(len(salt)) + salt + ciphertext).digest() - return mac - - -def _encrypt_descriptor_layer(plaintext, revision_counter, subcredential, secret_data, string_constant): - """ - Encrypt descriptor layer at 'plaintext' - """ - - from cryptography.hazmat.backends import default_backend - from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes - - salt = os.urandom(16) - - secret_key, secret_iv, mac_key = get_desc_keys(secret_data, string_constant, subcredential, revision_counter, salt) - - # Now time to encrypt descriptor - cipher = Cipher(algorithms.AES(secret_key), modes.CTR(secret_iv), default_backend()) - encryptor = cipher.encryptor() - ciphertext = encryptor.update(plaintext) + encryptor.finalize() - - mac = get_desc_encryption_mac(mac_key, salt, ciphertext) - - return salt + ciphertext + mac - - -def encrypt_inner_layer(plaintext, revision_counter, blinded_key_bytes, subcredential): - """ - Encrypt the inner layer of the descriptor - """ - - secret_data = blinded_key_bytes - string_constant = b'hsdir-encrypted-data' - - return _encrypt_descriptor_layer(plaintext, revision_counter, subcredential, secret_data, string_constant) - - def ceildiv(a, b): """ Like // division but return the ceiling instead of the floor @@ -205,18 +125,3 @@ def _get_padding_needed(plaintext_len): final_size = ceildiv(plaintext_len, PAD_MULTIPLE_BYTES) * PAD_MULTIPLE_BYTES return final_size - plaintext_len - - -def encrypt_outter_layer(plaintext, revision_counter, blinded_key_bytes, subcredential): - """ - Encrypt the outer layer of the descriptor - """ - - secret_data = blinded_key_bytes - string_constant = b'hsdir-superencrypted-data' - - # In the outter layer we first need to pad the plaintext - padding_bytes_needed = _get_padding_needed(len(plaintext)) - padded_plaintext = plaintext + b'\x00' * padding_bytes_needed - - return _encrypt_descriptor_layer(padded_plaintext, revision_counter, subcredential, secret_data, string_constant)

1 0

[stem/master] Drop _get_v3_desc_signature() helper
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 8f633ddbad656e0d25ac6c190e4a6b1d9c2f1f59 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Nov 6 13:15:22 2019 -0800 Drop _get_v3_desc_signature() helper --- stem/descriptor/certificate.py | 7 +++++-- stem/descriptor/hidden_service.py | 26 +++++++------------------- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index dca54aee..760287d8 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -97,6 +97,9 @@ ED25519_KEY_LENGTH = 32 ED25519_HEADER_LENGTH = 40 ED25519_SIGNATURE_LENGTH = 64 +SIG_PREFIX_SERVER_DESC = b'Tor router descriptor signature v1' +SIG_PREFIX_HS_V3 = b'Tor onion service descriptor sig v3' + CertType = stem.util.enum.UppercaseEnum( 'SIGNING', 'LINK_CERT', @@ -438,10 +441,10 @@ class Ed25519CertificateV1(Ed25519Certificate): """ if isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor): - prefix = b'Tor router descriptor signature v1' + prefix = SIG_PREFIX_SERVER_DESC regex = '(.+router-sig-ed25519 )' elif isinstance(descriptor, stem.descriptor.hidden_service.HiddenServiceDescriptorV3): - prefix = b'Tor onion service descriptor sig v3' + prefix = SIG_PREFIX_HS_V3 regex = '(.+)signature ' else: raise ValueError('BUG: %s type unexpected' % type(descriptor).__name__) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 70ca6d25..ce8af246 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -954,18 +954,6 @@ def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_ return b64_and_wrap_desc_layer(outter_ciphertext) -def _get_v3_desc_signature(desc_str, signing_key): - """ - Compute the descriptor signature and return it as bytes - """ - - desc_str = b'Tor onion service descriptor sig v3' + desc_str - - signature = base64.b64encode(signing_key.sign(desc_str)) - signature = signature.rstrip(b'=') - return b'signature %s' % (signature) - - class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): """ Version 3 hidden service descriptor. @@ -1061,8 +1049,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): blinded_pubkey_bytes = blinded_pubkey.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) # Generate descriptor signing key - descriptor_signing_private_key = Ed25519PrivateKey.generate() - descriptor_signing_public_key = descriptor_signing_private_key.public_key() + signing_key = Ed25519PrivateKey.generate() + descriptor_signing_public_key = signing_key.public_key() # Get the main encrypted descriptor body revision_counter_int = int(time.time()) @@ -1072,7 +1060,7 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): # this descriptor object so that we don't have to carry them around # functions and instead we could use e.g. self.descriptor_signing_public_key # But because this is a @classmethod this is not possible :/ - superencrypted_blob = _get_superencrypted_blob(intro_points, descriptor_signing_private_key, revision_counter_int, blinded_pubkey_bytes, subcredential) + superencrypted_blob = _get_superencrypted_blob(intro_points, signing_key, revision_counter_int, blinded_pubkey_bytes, subcredential) desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), @@ -1085,10 +1073,10 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): # Add a final newline before the signature block desc_content += b'\n' - # Compute the signature and append it to the descriptor - signature = _get_v3_desc_signature(desc_content, descriptor_signing_private_key) - final_desc = desc_content + signature - return final_desc + sig_content = stem.descriptor.certificate.SIG_PREFIX_HS_V3 + desc_content + signature = b'signature %s' % base64.b64encode(signing_key.sign(sig_content)).rstrip(b'=') + + return desc_content + signature @classmethod def create(cls, attr = None, exclude = (), validate = True, sign = False):

1 0

[stem/master] Helper for generating public bytes
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 1fbf2c0fc0bb2daa1dc354c75d183adfac71337b Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Nov 7 14:20:38 2019 -0800 Helper for generating public bytes We convert keys to bytes in enough places that this warrants a helper. Oddly the HSv3PublicBlindedKey class didn't actually implement its public_bytes() method so replacing its calls. --- stem/descriptor/hidden_service.py | 46 +++++++++---------------------- stem/descriptor/hsv3_crypto.py | 5 +--- stem/util/__init__.py | 30 ++++++++++++++++++++ test/unit/descriptor/hidden_service_v3.py | 18 ++++-------- 4 files changed, 50 insertions(+), 49 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index a052d965..7b6651b7 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -43,6 +43,7 @@ import stem.client.datatype import stem.descriptor.certificate import stem.descriptor.hsv3_crypto import stem.prereq +import stem.util import stem.util.connection import stem.util.str_tools import stem.util.tor_tools @@ -225,7 +226,7 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s if not stem.prereq.is_crypto_available(ed25519 = True): raise ImportError('Introduction point creation requires the cryptography module ed25519 support') - if not stem.util.connection.is_valid_port(port): + elif not stem.util.connection.is_valid_port(port): raise ValueError("'%s' is an invalid port" % port) if stem.util.connection.is_valid_ipv4_address(address): @@ -235,35 +236,18 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s else: raise ValueError("'%s' is not a valid IPv4 or IPv6 address" % address) - from cryptography.hazmat.primitives import serialization - from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey - from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey - - def _key_bytes(key): - if isinstance(key, str): - return key - elif isinstance(key, (X25519PrivateKey, Ed25519PrivateKey)): - return key.public_key().public_bytes( - encoding = serialization.Encoding.Raw, - format = serialization.PublicFormat.Raw, - ) - elif isinstance(key, (X25519PublicKey, Ed25519PublicKey)): - return key.public_bytes( - encoding = serialization.Encoding.Raw, - format = serialization.PublicFormat.Raw, - ) - else: - raise ValueError('Key must be a string or cryptographic public/private key (was %s)' % type(key).__name__) + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey + from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey if expiration is None: expiration = datetime.datetime.utcnow() + datetime.timedelta(hours = stem.descriptor.certificate.DEFAULT_EXPIRATION_HOURS) - onion_key = base64.b64encode(_key_bytes(onion_key if onion_key else X25519PrivateKey.generate())) - enc_key = base64.b64encode(_key_bytes(enc_key if enc_key else X25519PrivateKey.generate())) - auth_key = _key_bytes(auth_key if auth_key else Ed25519PrivateKey.generate()) + onion_key = base64.b64encode(stem.util._pubkey_bytes(onion_key if onion_key else X25519PrivateKey.generate())) + enc_key = base64.b64encode(stem.util._pubkey_bytes(enc_key if enc_key else X25519PrivateKey.generate())) + auth_key = stem.util._pubkey_bytes(auth_key if auth_key else Ed25519PrivateKey.generate()) signing_key = signing_key if signing_key else Ed25519PrivateKey.generate() - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, _key_bytes(signing_key))] + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, stem.util._pubkey_bytes(signing_key))] auth_key_cert = Ed25519CertificateV1(CertType.HS_V3_INTRO_AUTH, expiration, 1, auth_key, extensions, signing_key = signing_key) enc_key_cert = Ed25519CertificateV1(CertType.HS_V3_NTOR_ENC, expiration, 1, auth_key, extensions, signing_key = signing_key) @@ -861,13 +845,11 @@ def _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_priv_key 'blinded_priv_key' key that signs the certificate """ - from cryptography.hazmat.primitives import serialization - # 54 hours expiration date like tor does expiration_date = datetime.datetime.utcnow() + datetime.timedelta(hours=54) - signing_key = descriptor_signing_public_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_priv_key.public_key().public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw))] + signing_key = stem.util._pubkey_bytes(descriptor_signing_public_key) + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_priv_key.public_key().public_key)] desc_signing_cert = Ed25519CertificateV1(CertType.HS_V3_DESC_SIGNING, expiration_date, 1, signing_key, extensions, signing_key = blinded_priv_key) @@ -932,10 +914,9 @@ def _get_middle_descriptor_layer_body(encrypted): """ from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey - from cryptography.hazmat.primitives import serialization fake_pub_key = X25519PrivateKey.generate().public_key() - fake_pub_key_bytes = fake_pub_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) + fake_pub_key_bytes = stem.util._pubkey_bytes(fake_pub_key) fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes) fake_clients = _get_fake_clients_bytes() @@ -1012,7 +993,6 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): """ from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey - from cryptography.hazmat.primitives import serialization if sign: raise NotImplementedError('Signing of %s not implemented' % cls.__name__) @@ -1048,12 +1028,12 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): # Get the identity public key public_identity_key = ed25519_private_identity_key.public_key() - public_identity_key_bytes = public_identity_key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) + public_identity_key_bytes = stem.util._pubkey_bytes(public_identity_key) # Blind the identity key to get ephemeral blinded key blinded_privkey = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(ed25519_private_identity_key, blinding_param = blinding_param) blinded_pubkey = blinded_privkey.public_key() - blinded_pubkey_bytes = blinded_pubkey.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) + blinded_pubkey_bytes = blinded_pubkey.public_key # Generate descriptor signing key signing_key = Ed25519PrivateKey.generate() diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py index 69c8c185..73654866 100644 --- a/stem/descriptor/hsv3_crypto.py +++ b/stem/descriptor/hsv3_crypto.py @@ -42,16 +42,13 @@ class HSv3PrivateBlindedKey(object): return self.blinded_public_key def sign(self, msg): - return ed25519_exts_ref.signatureWithESK(msg, self.blinded_secret_key, self.blinded_public_key.public_bytes()) + return ed25519_exts_ref.signatureWithESK(msg, self.blinded_secret_key, self.blinded_public_key.public_key) class HSv3PublicBlindedKey(object): def __init__(self, public_key): self.public_key = public_key - def public_bytes(self, encoding=None, format=None): - return self.public_key - def verify(self, signature, message): """ raises exception if sig not valid diff --git a/stem/util/__init__.py b/stem/util/__init__.py index bff894dc..a8870499 100644 --- a/stem/util/__init__.py +++ b/stem/util/__init__.py @@ -127,6 +127,36 @@ def datetime_to_unix(timestamp): return (timestamp - datetime.datetime(1970, 1, 1)).total_seconds() +def _pubkey_bytes(key): + """ + Normalizes X25509 and ED25519 keys into their public key bytes. + """ + + if not stem.prereq.is_crypto_available(): + raise ImportError('Key normalization requires the cryptography module') + elif not stem.prereq.is_crypto_available(ed25519 = True): + raise ImportError('Key normalization requires the cryptography ed25519 support') + + from cryptography.hazmat.primitives import serialization + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey + from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey + + if isinstance(key, str): + return key + elif isinstance(key, (X25519PrivateKey, Ed25519PrivateKey)): + return key.public_key().public_bytes( + encoding = serialization.Encoding.Raw, + format = serialization.PublicFormat.Raw, + ) + elif isinstance(key, (X25519PublicKey, Ed25519PublicKey)): + return key.public_bytes( + encoding = serialization.Encoding.Raw, + format = serialization.PublicFormat.Raw, + ) + else: + raise ValueError('Key must be a string or cryptographic public/private key (was %s)' % type(key).__name__) + + def _hash_attr(obj, *attributes, **kwargs): """ Provide a hash value for the given set of attributes. diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index b0f1829a..d7b32485 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -63,11 +63,6 @@ with open(get_resource('hidden_service_v3_intro_point')) as intro_point_file: INTRO_POINT_STR = intro_point_file.read() -def key_bytes(key): - from cryptography.hazmat.primitives import serialization - return key.public_bytes(encoding = serialization.Encoding.Raw, format = serialization.PublicFormat.Raw) - - class TestHiddenServiceDescriptorV3(unittest.TestCase): def test_real_descriptor(self): """ @@ -258,8 +253,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertTrue(isinstance(intro_point.onion_key(), X25519PublicKey)) self.assertTrue(isinstance(intro_point.enc_key(), X25519PublicKey)) - self.assertEqual(intro_point.onion_key_raw, base64.b64encode(key_bytes(intro_point.onion_key()))) - self.assertEqual(intro_point.enc_key_raw, base64.b64encode(key_bytes(intro_point.enc_key()))) + self.assertEqual(intro_point.onion_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.onion_key()))) + self.assertEqual(intro_point.enc_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.enc_key()))) self.assertEqual(None, intro_point.legacy_key_raw) self.assertEqual(None, intro_point.legacy_key()) @@ -296,9 +291,8 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): # Build the service private_identity_key = Ed25519PrivateKey.from_private_bytes(b'a' * 32) public_identity_key = private_identity_key.public_key() - pubkey_bytes = key_bytes(public_identity_key) - onion_address = HiddenServiceDescriptorV3.address_from_public_key(pubkey_bytes) + onion_address = HiddenServiceDescriptorV3.address_from_public_key(stem.util._pubkey_bytes(public_identity_key)) intro_points = [ IntroductionPointV3.create('1.1.1.1', 9001, expiration, onion_key, enc_key, auth_key, signing_key), @@ -326,6 +320,6 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertEqual(original.onion_key_raw, intro_point.onion_key_raw) self.assertEqual(original.auth_key_cert.key, intro_point.auth_key_cert.key) - self.assertEqual(intro_point.enc_key_raw, base64.b64encode(key_bytes(intro_point.enc_key()))) - self.assertEqual(intro_point.onion_key_raw, base64.b64encode(key_bytes(intro_point.onion_key()))) - self.assertEqual(intro_point.auth_key_cert.key, key_bytes(intro_point.auth_key())) + self.assertEqual(intro_point.enc_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.enc_key()))) + self.assertEqual(intro_point.onion_key_raw, base64.b64encode(stem.util._pubkey_bytes(intro_point.onion_key()))) + self.assertEqual(intro_point.auth_key_cert.key, stem.util._pubkey_bytes(intro_point.auth_key()))

1 0

[stem/master] Drop b64_and_wrap_desc_layer()
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 293f90a1bbd3d49c64fbe1e8187a6f3b6cf419d4 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 10 17:10:54 2019 -0800 Drop b64_and_wrap_desc_layer() --- stem/descriptor/hidden_service.py | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index f0baf678..ab377728 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -477,8 +477,9 @@ def _encrypt_layer(plaintext, constant, revision_counter, subcredential, blinded encryptor = cipher.encryptor() ciphertext = encryptor.update(plaintext) + encryptor.finalize() + encoded = base64.b64encode(salt + ciphertext + mac_for(ciphertext)) - return salt + ciphertext + mac_for(ciphertext) + return b'-----BEGIN MESSAGE-----\n%s\n-----END MESSAGE-----' % b'\n'.join(stem.util.str_tools._split_by_length(encoded, 64)) def _layer_cipher(constant, revision_counter, subcredential, blinded_key, salt): @@ -882,18 +883,6 @@ def _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_priv_key return '\n' + desc_signing_cert.to_base64(pem = True) -def b64_and_wrap_desc_layer(layer_bytes, prefix_bytes=b''): - """ - Encode the descriptor layer in 'layer_bytes' to base64, and then wrap it up - so that it can be included in the descriptor. - """ - - layer_b64 = base64.b64encode(layer_bytes) - layer_blob = b'\n'.join(stem.util.str_tools._split_by_length(layer_b64, 64)) - - return b'%s\n-----BEGIN MESSAGE-----\n%s\n-----END MESSAGE-----' % (prefix_bytes, layer_blob) - - def _get_fake_clients_bytes(): """ Generate fake client authorization data for the middle layer @@ -938,17 +927,14 @@ def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_ """ inner_descriptor_layer = stem.util.str_tools._to_bytes('create2-formats 2\n' + '\n'.join(map(IntroductionPointV3.encode, intro_points)) + '\n') - inner_ciphertext = _encrypt_layer(inner_descriptor_layer, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) - inner_ciphertext_b64 = b64_and_wrap_desc_layer(inner_ciphertext, b'encrypted') + inner_ciphertext_b64 = b'encrypted\n' + _encrypt_layer(inner_descriptor_layer, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) middle_descriptor_layer = _get_middle_descriptor_layer_body(inner_ciphertext_b64) padding_bytes_needed = stem.descriptor.hsv3_crypto._get_padding_needed(len(middle_descriptor_layer)) middle_descriptor_layer = middle_descriptor_layer + b'\x00' * padding_bytes_needed - outter_ciphertext = _encrypt_layer(middle_descriptor_layer, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) - - return b64_and_wrap_desc_layer(outter_ciphertext) + return b'\n' + _encrypt_layer(middle_descriptor_layer, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):

1 0

[stem/master] Test introduction point creation
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 1c3f49c8cf18e2b76bb8768437b2e9c1cd79d1a3 Author: Damian Johnson <atagar(a)torproject.org> Date: Fri Nov 8 15:18:07 2019 -0800 Test introduction point creation I love that test_encode_decode_descriptor() exercises re-parsing a descriptor we create. Adding a more targeted test to do this only for introduction points. We can then add companion tests once the InnerLayer and OuterLayer classes have creation methods. --- stem/descriptor/hidden_service.py | 12 ++++++++++++ test/unit/descriptor/hidden_service_v3.py | 16 ++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 1c4f0bdf..5fb7a189 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -379,6 +379,18 @@ class IntroductionPointV3(collections.namedtuple('IntroductionPointV3', ['link_s return link_specifiers + def __hash__(self): + if not hasattr(self, '_hash'): + self._hash = hash(self.encode()) + + return self._hash + + def __eq__(self, other): + return hash(self) == hash(other) if isinstance(other, IntroductionPointV3) else False + + def __ne__(self, other): + return not self == other + class AuthorizedClient(collections.namedtuple('AuthorizedClient', ['id', 'iv', 'cookie'])): """ diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index d7b32485..163ea3db 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -269,6 +269,22 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): self.assertRaisesWith(ImportError, 'cryptography module unavailable', intro_point.onion_key) @test.require.ed25519_support + def test_intro_point_creation(self): + """ + Create an introduction point, encode it, then re-parse. + """ + + intro_point = IntroductionPointV3.create('1.1.1.1', 9001) + + self.assertEqual(1, len(intro_point.link_specifiers)) + self.assertEqual(stem.client.datatype.LinkByIPv4, type(intro_point.link_specifiers[0])) + self.assertEqual('1.1.1.1', intro_point.link_specifiers[0].address) + self.assertEqual(9001, intro_point.link_specifiers[0].port) + + reparsed = IntroductionPointV3.parse(intro_point.encode()) + self.assertEqual(intro_point, reparsed) + + @test.require.ed25519_support def test_encode_decode_descriptor(self): """ Encode an HSv3 descriptor and then decode it and make sure you get the intended results.

1 0

[stem/master] Drop _get_inner_descriptor_layer_body() helper
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 0892288744e9ca8869c29a71f5a2321aaa63449e Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Nov 7 15:05:10 2019 -0800 Drop _get_inner_descriptor_layer_body() helper Now that introduction points can encode themselves there's no value in this helper. --- stem/descriptor/hidden_service.py | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 54874f0d..1c4f0bdf 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -868,27 +868,6 @@ def b64_and_wrap_desc_layer(layer_bytes, prefix_bytes=b''): return b'%s\n-----BEGIN MESSAGE-----\n%s\n-----END MESSAGE-----' % (prefix_bytes, layer_blob) -def _get_inner_descriptor_layer_body(intro_points, descriptor_signing_privkey): - """ - Get the inner descriptor layer into bytes. - - 'intro_points' is the list of introduction points that should be embedded to - this layer, and we also need the descriptor signing key to encode the intro - points. - """ - - if (not intro_points or len(intro_points) == 0): - raise ValueError('Need a proper intro points set') - - final_body = b'create2-formats 2\n' - - # Now encode all the intro points - for intro_point in intro_points: - final_body += intro_point.encode() + b'\n' - - return final_body - - def _get_fake_clients_bytes(): """ Generate fake client authorization data for the middle layer @@ -932,7 +911,7 @@ def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_ should be attached to the descriptor """ - inner_descriptor_layer = stem.util.str_tools._to_bytes(_get_inner_descriptor_layer_body(intro_points, descriptor_signing_privkey)) + inner_descriptor_layer = stem.util.str_tools._to_bytes('create2-formats 2\n' + '\n'.join(map(IntroductionPointV3.encode, intro_points)) + '\n') inner_ciphertext = stem.descriptor.hsv3_crypto.encrypt_inner_layer(inner_descriptor_layer, revision_counter, blinded_key_bytes, subcredential) inner_ciphertext_b64 = b64_and_wrap_desc_layer(inner_ciphertext, b'encrypted')

1 0

[stem/master] Rewrite HSv3 descriptor construction
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit a8c2a431c1c2a6f38bbf1678c05aebf0a5e217d6 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Nov 13 17:06:12 2019 -0800 Rewrite HSv3 descriptor construction Now that we have all the building blocks in place we can tackle HSv3 descriptor creation itself. Two main changes are... 1. More flexibility. All parameters are now customizable. 2. Simpler. All parameters have defaults so simply calling HiddenServiceDescriptorV3.create() once again works. --- stem/descriptor/__init__.py | 2 + stem/descriptor/certificate.py | 14 ++- stem/descriptor/hidden_service.py | 151 +++++++++++++++--------------- test/unit/descriptor/hidden_service_v3.py | 2 +- 4 files changed, 85 insertions(+), 84 deletions(-) diff --git a/stem/descriptor/__init__.py b/stem/descriptor/__init__.py index 862d5aca..49a4d4b5 100644 --- a/stem/descriptor/__init__.py +++ b/stem/descriptor/__init__.py @@ -895,6 +895,8 @@ class Descriptor(object): * **NotImplementedError** if not implemented for this descriptor type """ + # TODO: drop the 'sign' argument in stem 2.x (only a few subclasses use this) + raise NotImplementedError("The create and content methods haven't been implemented for %s" % cls.__name__) @classmethod diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index f9ab8f80..10518364 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -294,17 +294,21 @@ class Ed25519CertificateV1(Ed25519Certificate): :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey: certificate signing key """ - def __init__(self, cert_type, expiration, key_type, key, extensions, signature = None, signing_key = None): + def __init__(self, cert_type = None, expiration = None, key_type = None, key = None, extensions = None, signature = None, signing_key = None): super(Ed25519CertificateV1, self).__init__(1) if not signature and not signing_key: raise ValueError('Certificate signature or signing key is required') + elif cert_type is None: + raise ValueError('Certificate type is required') + elif key is None: + raise ValueError('Certificate key is required') self.type, self.type_int = ClientCertType.get(cert_type) - self.expiration = expiration - self.key_type = key_type - self.key = key - self.extensions = extensions + self.expiration = expiration if expiration else datetime.datetime.utcnow() + datetime.timedelta(hours = DEFAULT_EXPIRATION_HOURS) + self.key_type = key_type if key_type else 1 + self.key = key if isinstance(key, str) else stem.util._pubkey_bytes(key) + self.extensions = extensions if extensions else [] self.signature = signature if signing_key: diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index 05c8267b..604c3849 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -903,95 +903,95 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): } @classmethod - def content(cls, attr = None, exclude = (), sign = False, ed25519_private_identity_key = None, intro_points = None, blinding_param = None): + def content(cls, attr = None, exclude = (), sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_param = None): """ - 'ed25519_private_identity_key' is the Ed25519PrivateKey of the onion service + Hidden service v3 descriptors consist of three parts: + + * InnerLayer, which most notably contain introduction points where the + service can be reached. + + * OuterLayer, which encrypts the InnerLayer among other paremters. + + * HiddenServiceDescriptorV3, which contains the OuterLayer and plaintext + parameters. + + Construction through this method can supply any or none of these, with + omitted parameters populated with randomized defaults. + + :param dict attr: keyword/value mappings to be included in plaintext descriptor + :param list exclude: mandatory keywords to exclude from the descriptor, this + results in an invalid descriptor + :param bool sign: includes cryptographic signatures and digests if True + :param stem.descriptor.hidden_service.InnerLayer inner_layer: inner + encrypted layer + :param stem.descriptor.hidden_service.OuterLayer outer_layer: outer + encrypted layer + :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey + identity_key: service identity key + :param cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PrivateKey + signing_key: service signing key + :param stem.descriptor.Ed25519CertificateV1 signing_cert: certificate + signing this descriptor + :param int revision_counter: descriptor revision number + :param bytes blinding_param: 32 byte blinding factor to derive the blinding key + + :returns: **str** with the content of a descriptor - 'intro_points' is a list of IntroductionPointV3 objects - - 'blinding_param' is a 32 byte blinding factor that should be used to derive - the blinded key from the identity key + :raises: + * **ValueError** if parameters are malformed + * **ImportError** if cryptography is unavailable """ - from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey + if not stem.prereq.is_crypto_available(ed25519 = True): + raise ImportError('Hidden service descriptor creation requires cryptography version 2.6') + elif not stem.prereq._is_sha3_available(): + raise ImportError('Hidden service descriptor creation requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)') - if sign: - raise NotImplementedError('Signing of %s not implemented' % cls.__name__) + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey - # TODO: When these additional arguments are not present simply constructing - # a descriptor that looks reasonable. This might not be the fallback we use - # later on. - - if not ed25519_private_identity_key or not intro_points or not blinding_param: - return _descriptor_content(attr, exclude, ( - ('hs-descriptor', '3'), - ('descriptor-lifetime', '180'), - ('descriptor-signing-key-cert', _random_crypto_blob('ED25519 CERT')), - ('revision-counter', '15'), - ('superencrypted', _random_crypto_blob('MESSAGE')), - ('signature', 'wdc7ffr+dPZJ/mIQ1l4WYqNABcmsm6SHW/NL3M3wG7bjjqOJWoPR5TimUXxH52n5Zk0Gc7hl/hz3YYmAx5MvAg'), - ), ()) - - # We need an private identity key for the onion service to create its - # descriptor. We could make a new one on the spot, but we also need to - # return it to the caller, otherwise the caller will have no way to decode - # the descriptor without knowing the private key or the onion address, so - # for now we consider it a mandatory argument. - - if not ed25519_private_identity_key: - raise ValueError('Need to provide a private ed25519 identity key to create a descriptor') - - if not intro_points: - raise ValueError('Need to provide the introduction points for this descriptor') - - if not blinding_param: - raise ValueError('Need to provide a blinding param for this descriptor') - - # Blind the identity key to get ephemeral blinded key - blinded_privkey = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(ed25519_private_identity_key, blinding_param = blinding_param) - blinded_key = blinded_privkey.blinded_pubkey - - # Generate descriptor signing key - signing_key = Ed25519PrivateKey.generate() - descriptor_signing_public_key = signing_key.public_key() - - # Get the main encrypted descriptor body - revision_counter = int(time.time()) - subcredential = HiddenServiceDescriptorV3._subcredential(ed25519_private_identity_key, blinded_key) - - outer_layer = OuterLayer.create( - inner_layer = InnerLayer.create( - introduction_points = intro_points, - ), - revision_counter = revision_counter, - subcredential = subcredential, - blinded_key = blinded_key, - ) - - expiration = datetime.datetime.utcnow() + datetime.timedelta(hours = stem.descriptor.certificate.DEFAULT_EXPIRATION_HOURS) - extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_privkey.blinded_pubkey)] - - signing_cert = Ed25519CertificateV1(CertType.HS_V3_DESC_SIGNING, expiration, 1, stem.util._pubkey_bytes(descriptor_signing_public_key), extensions, signing_key = blinded_privkey) + inner_layer = inner_layer if inner_layer else InnerLayer.create(exclude = exclude) + identity_key = identity_key if identity_key else Ed25519PrivateKey.generate() + signing_key = signing_key if signing_key else Ed25519PrivateKey.generate() + revision_counter = revision_counter if revision_counter else int(time.time()) + blinding_param = blinding_param if blinding_param else os.urandom(32) + + blinded_key = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(identity_key, blinding_param = blinding_param) + subcredential = HiddenServiceDescriptorV3._subcredential(identity_key, blinded_key.blinded_pubkey) + + if not outer_layer: + outer_layer = OuterLayer.create( + exclude = exclude, + inner_layer = inner_layer, + revision_counter = revision_counter, + subcredential = subcredential, + blinded_key = blinded_key.blinded_pubkey, + ) + + if not signing_cert: + signing_cert = Ed25519CertificateV1( + cert_type = CertType.HS_V3_DESC_SIGNING, + key = signing_key, + extensions = [Ed25519Extension(ExtensionType.HAS_SIGNING_KEY, None, blinded_key.blinded_pubkey)], + signing_key = blinded_key, + ) desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), ('descriptor-lifetime', '180'), ('descriptor-signing-key-cert', '\n' + signing_cert.to_base64(pem = True)), ('revision-counter', str(revision_counter)), - ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key)), - ), ()) - - # Add a final newline before the signature block - desc_content += b'\n' + ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key.blinded_pubkey)), + ), ()) + b'\n' - sig_content = stem.descriptor.certificate.SIG_PREFIX_HS_V3 + desc_content - signature = b'signature %s' % base64.b64encode(signing_key.sign(sig_content)).rstrip(b'=') + if 'signature' not in exclude: + sig_content = stem.descriptor.certificate.SIG_PREFIX_HS_V3 + desc_content + desc_content += b'signature %s' % base64.b64encode(signing_key.sign(sig_content)).rstrip(b'=') - return desc_content + signature + return desc_content @classmethod - def create(cls, attr = None, exclude = (), validate = True, sign = False): - return cls(cls.content(attr, exclude, sign), validate = validate, skip_crypto_validation = not sign) + def create(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, outer_layer = None, identity_key = None, signing_key = None, signing_cert = None, revision_counter = None, blinding_param = None): + return cls(cls.content(attr, exclude, sign, inner_layer, outer_layer, identity_key, signing_key, signing_cert, revision_counter, blinding_param), validate = validate, skip_crypto_validation = not sign) def __init__(self, raw_contents, validate = False): super(HiddenServiceDescriptorV3, self).__init__(raw_contents, lazy_load = not validate) @@ -1176,8 +1176,6 @@ class OuterLayer(Descriptor): def content(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, revision_counter = None, subcredential = None, blinded_key = None): if not stem.prereq.is_crypto_available(ed25519 = True): raise ImportError('Hidden service layer creation requires cryptography version 2.6') - elif sign: - raise NotImplementedError('Signing of %s not implemented' % cls.__name__) from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey @@ -1252,9 +1250,6 @@ class InnerLayer(Descriptor): @classmethod def content(cls, attr = None, exclude = (), sign = False, introduction_points = None): - if sign: - raise NotImplementedError('Signing of %s not implemented' % cls.__name__) - if introduction_points: suffix = '\n' + '\n'.join(map(IntroductionPointV3.encode, introduction_points)) else: diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index 73f3e2c3..81e04a0f 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -439,7 +439,7 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): blind_param = bytearray.fromhex('677776AE42464CAAB0DF0BF1E68A5FB651A390A6A8243CF4B60EE73A6AC2E4E3') # Build the descriptor - desc_string = HiddenServiceDescriptorV3.content(ed25519_private_identity_key = private_identity_key, intro_points = intro_points, blinding_param = blind_param) + desc_string = HiddenServiceDescriptorV3.content(identity_key = private_identity_key, inner_layer = InnerLayer.create(introduction_points = intro_points), blinding_param = blind_param) # Parse the descriptor desc = HiddenServiceDescriptorV3.from_str(desc_string)

1 0

[stem/master] Drop _get_padding_needed()
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit d313aca7ec142e7be1ba00517f4bd12b535cea5e Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Nov 10 17:22:02 2019 -0800 Drop _get_padding_needed() Maybe I'm missing something, but why not simply pad using the modulus? --- stem/descriptor/hidden_service.py | 6 ++-- stem/descriptor/hsv3_crypto.py | 61 --------------------------------------- 2 files changed, 4 insertions(+), 63 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index ab377728..141f54b0 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -931,8 +931,10 @@ def _get_superencrypted_blob(intro_points, descriptor_signing_privkey, revision_ middle_descriptor_layer = _get_middle_descriptor_layer_body(inner_ciphertext_b64) - padding_bytes_needed = stem.descriptor.hsv3_crypto._get_padding_needed(len(middle_descriptor_layer)) - middle_descriptor_layer = middle_descriptor_layer + b'\x00' * padding_bytes_needed + # Spec mandated padding: "Before encryption the plaintext is padded with NUL + # bytes to the nearest multiple of 10k bytes." + + middle_descriptor_layer = middle_descriptor_layer + b'\x00' * (len(middle_descriptor_layer) % 10000) return b'\n' + _encrypt_layer(middle_descriptor_layer, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) diff --git a/stem/descriptor/hsv3_crypto.py b/stem/descriptor/hsv3_crypto.py index b762c5ee..0186ba90 100644 --- a/stem/descriptor/hsv3_crypto.py +++ b/stem/descriptor/hsv3_crypto.py @@ -64,64 +64,3 @@ class HSv3PrivateBlindedKey(object): def sign(self, msg): return signatureWithESK(msg, self.blinded_secret_key, self.blinded_pubkey) - - -""" -Basic descriptor logic: - - SALT = 16 bytes from H(random), changes each time we rebuld the - descriptor even if the content of the descriptor hasn't changed. - (So that we don't leak whether the intro point list etc. changed) - - secret_input = SECRET_DATA | subcredential | INT_8(revision_counter) - - keys = KDF(secret_input | salt | STRING_CONSTANT, S_KEY_LEN + S_IV_LEN + MAC_KEY_LEN) - - SECRET_KEY = first S_KEY_LEN bytes of keys - SECRET_IV = next S_IV_LEN bytes of keys - MAC_KEY = last MAC_KEY_LEN bytes of keys - - -Layer data: - - 2.5.1.1. First layer encryption logic - SECRET_DATA = blinded-public-key - STRING_CONSTANT = "hsdir-superencrypted-data" - - 2.5.2.1. Second layer encryption keys - SECRET_DATA = blinded-public-key | descriptor_cookie - STRING_CONSTANT = "hsdir-encrypted-data" -""" - -SALT_LEN = 16 -MAC_LEN = 32 - -S_KEY_LEN = 32 -S_IV_LEN = 16 -MAC_KEY_LEN = 32 - -""" -Descriptor encryption -""" - - -def ceildiv(a, b): - """ - Like // division but return the ceiling instead of the floor - """ - - return -(-a // b) - - -def _get_padding_needed(plaintext_len): - """ - Get descriptor padding needed for this descriptor layer. - From the spec: - Before encryption the plaintext is padded with NUL bytes to the nearest - multiple of 10k bytes. - """ - - PAD_MULTIPLE_BYTES = 10000 - - final_size = ceildiv(plaintext_len, PAD_MULTIPLE_BYTES) * PAD_MULTIPLE_BYTES - return final_size - plaintext_len

1 0

[stem/master] Outer layer creation and encryption
by atagar＠torproject.org 17 Nov '19

17 Nov '19

commit 04747884a33c5a0874a0143376010a4793245ec8 Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Nov 12 16:50:30 2019 -0800 Outer layer creation and encryption Similar approach as the inner layer. This will provide more flexibility once we propagate the attribute up HiddenServiceDescriptorV3.content(). --- stem/descriptor/hidden_service.py | 143 ++++++++++++------------------ test/unit/descriptor/hidden_service_v3.py | 70 +++++++++++++++ 2 files changed, 126 insertions(+), 87 deletions(-) diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py index fcd29032..56ba4d22 100644 --- a/stem/descriptor/hidden_service.py +++ b/stem/descriptor/hidden_service.py @@ -883,62 +883,6 @@ def _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_priv_key return '\n' + desc_signing_cert.to_base64(pem = True) -def _get_fake_clients_bytes(): - """ - Generate fake client authorization data for the middle layer - """ - - final_bytes = b'' - num_fake_clients = 16 # default for when client auth is disabled - - for _ in range(num_fake_clients): - client_id = base64.b64encode(os.urandom(8)).rstrip(b'=') - client_iv = base64.b64encode(os.urandom(16)).rstrip(b'=') - descriptor_cookie = base64.b64encode(os.urandom(16)).rstrip(b'=') - - final_bytes += b'%s %s %s %s\n' % (b'auth-client', client_id, client_iv, descriptor_cookie) - - return final_bytes - - -def _get_middle_descriptor_layer_body(encrypted): - """ - Get the middle descriptor layer as bytes - (It's just fake client auth data since client auth is disabled) - """ - - from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey - - fake_pub_key = X25519PrivateKey.generate().public_key() - fake_pub_key_bytes = stem.util._pubkey_bytes(fake_pub_key) - fake_pub_key_bytes_b64 = base64.b64encode(fake_pub_key_bytes) - fake_clients = _get_fake_clients_bytes() - - return b'desc-auth-type x25519\n' \ - b'desc-auth-ephemeral-key %s\n' \ - b'%s' \ - b'%s' % (fake_pub_key_bytes_b64, fake_clients, encrypted) - - -def _get_superencrypted_blob(intro_points, revision_counter, blinded_key, subcredential): - """ - Get the superencrypted blob (which also includes the encrypted blob) that - should be attached to the descriptor - """ - - inner_layer = InnerLayer.create(introduction_points = intro_points) - inner_ciphertext_b64 = b'encrypted\n' + inner_layer.encrypt(revision_counter, blinded_key, subcredential) - - middle_descriptor_layer = _get_middle_descriptor_layer_body(inner_ciphertext_b64) - - # Spec mandated padding: "Before encryption the plaintext is padded with NUL - # bytes to the nearest multiple of 10k bytes." - - middle_descriptor_layer = middle_descriptor_layer + b'\x00' * (len(middle_descriptor_layer) % 10000) - - return b'\n' + _encrypt_layer(middle_descriptor_layer, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) - - class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): """ Version 3 hidden service descriptor. @@ -1023,33 +967,33 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): if not blinding_param: raise ValueError('Need to provide a blinding param for this descriptor') - # Get the identity public key - public_identity_key_bytes = stem.util._pubkey_bytes(ed25519_private_identity_key) - # Blind the identity key to get ephemeral blinded key blinded_privkey = stem.descriptor.hsv3_crypto.HSv3PrivateBlindedKey(ed25519_private_identity_key, blinding_param = blinding_param) - blinded_pubkey_bytes = blinded_privkey.blinded_pubkey + blinded_key = blinded_privkey.blinded_pubkey # Generate descriptor signing key signing_key = Ed25519PrivateKey.generate() descriptor_signing_public_key = signing_key.public_key() # Get the main encrypted descriptor body - revision_counter_int = int(time.time()) - subcredential = HiddenServiceDescriptorV3._subcredential(public_identity_key_bytes, blinded_pubkey_bytes) - - # XXX It would be more elegant to have all the above variables attached to - # this descriptor object so that we don't have to carry them around - # functions and instead we could use e.g. self.descriptor_signing_public_key - # But because this is a @classmethod this is not possible :/ - superencrypted_blob = _get_superencrypted_blob(intro_points, revision_counter_int, blinded_pubkey_bytes, subcredential) + revision_counter = int(time.time()) + subcredential = HiddenServiceDescriptorV3._subcredential(ed25519_private_identity_key, blinded_key) + + outer_layer = OuterLayer.create( + inner_layer = InnerLayer.create( + introduction_points = intro_points, + ), + revision_counter = revision_counter, + subcredential = subcredential, + blinded_key = blinded_key, + ) desc_content = _descriptor_content(attr, exclude, ( ('hs-descriptor', '3'), ('descriptor-lifetime', '180'), ('descriptor-signing-key-cert', _get_descriptor_signing_cert(descriptor_signing_public_key, blinded_privkey)), - ('revision-counter', str(revision_counter_int)), - ('superencrypted', superencrypted_blob), + ('revision-counter', str(revision_counter)), + ('superencrypted', b'\n' + outer_layer._encrypt(revision_counter, subcredential, blinded_key)), ), ()) # Add a final newline before the signature block @@ -1189,11 +1133,11 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor): return pubkey @staticmethod - def _subcredential(public_key, blinded_key): + def _subcredential(identity_key, blinded_key): # credential = H('credential' | public-identity-key) # subcredential = H('subcredential' | credential | blinded-public-key) - credential = hashlib.sha3_256(b'credential%s' % public_key).digest() + credential = hashlib.sha3_256(b'credential%s' % stem.util._pubkey_bytes(identity_key)).digest() return hashlib.sha3_256(b'subcredential%s%s' % (credential, blinded_key)).digest() @@ -1233,6 +1177,41 @@ class OuterLayer(Descriptor): plaintext = _decrypt_layer(encrypted, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) return OuterLayer(plaintext) + def _encrypt(self, revision_counter, subcredential, blinded_key): + # Spec mandated padding: "Before encryption the plaintext is padded with + # NUL bytes to the nearest multiple of 10k bytes." + + content = self.get_bytes() + b'\x00' * (len(self.get_bytes()) % 10000) + + # encrypt back into a hidden service descriptor's 'superencrypted' field + + return _encrypt_layer(content, b'hsdir-superencrypted-data', revision_counter, subcredential, blinded_key) + + @classmethod + def content(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, revision_counter = None, subcredential = None, blinded_key = None): + if not stem.prereq.is_crypto_available(ed25519 = True): + raise ImportError('Hidden service layer creation requires cryptography version 2.6') + elif sign: + raise NotImplementedError('Signing of %s not implemented' % cls.__name__) + + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey + + inner_layer = inner_layer if inner_layer else InnerLayer.create() + revision_counter = revision_counter if revision_counter else 1 + blinded_key = blinded_key if blinded_key else stem.util._pubkey_bytes(Ed25519PrivateKey.generate()) + subcredential = subcredential if subcredential else HiddenServiceDescriptorV3._subcredential(Ed25519PrivateKey.generate(), blinded_key) + + return _descriptor_content(attr, exclude, ( + ('desc-auth-type', 'x25519'), + ('desc-auth-ephemeral-key', base64.b64encode(os.urandom(32))), + ), ( + ('encrypted', b'\n' + inner_layer._encrypt(revision_counter, subcredential, blinded_key)), + )) + + @classmethod + def create(cls, attr = None, exclude = (), validate = True, sign = False, inner_layer = None, revision_counter = None, subcredential = None, blinded_key = None): + return cls(cls.content(attr, exclude, validate, sign, inner_layer, revision_counter, subcredential, blinded_key), validate = validate) + def __init__(self, content, validate = False): content = content.rstrip('\x00') # strip null byte padding @@ -1281,6 +1260,11 @@ class InnerLayer(Descriptor): plaintext = _decrypt_layer(outer_layer.encrypted, b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) return InnerLayer(plaintext, validate = True, outer_layer = outer_layer) + def _encrypt(self, revision_counter, subcredential, blinded_key): + # encrypt back into an outer layer's 'encrypted' field + + return _encrypt_layer(self.get_bytes(), b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) + @classmethod def content(cls, attr = None, exclude = (), sign = False, introduction_points = None): if sign: @@ -1322,21 +1306,6 @@ class InnerLayer(Descriptor): else: self._entries = entries - def encrypt(self, revision_counter, blinded_key, subcredential): - """ - Encrypts into the content contained within the OuterLayer. - - :param int revision_counter: descriptor revision number - :param bytes blinded_key: descriptor signing key - :param bytes subcredential: public key hash - - :returns: base64 encoded content of the outer layer's 'encrypted' field - """ - - if not stem.prereq.is_crypto_available(ed25519 = True): - raise ImportError('Hidden service descriptor encryption requires cryptography version 2.6') - - return _encrypt_layer(self.get_bytes(), b'hsdir-encrypted-data', revision_counter, subcredential, blinded_key) # TODO: drop this alias in stem 2.x diff --git a/test/unit/descriptor/hidden_service_v3.py b/test/unit/descriptor/hidden_service_v3.py index f6173768..73f3e2c3 100644 --- a/test/unit/descriptor/hidden_service_v3.py +++ b/test/unit/descriptor/hidden_service_v3.py @@ -17,6 +17,7 @@ import test.require from stem.descriptor.hidden_service import ( IntroductionPointV3, HiddenServiceDescriptorV3, + AuthorizedClient, OuterLayer, InnerLayer, ) @@ -56,6 +57,17 @@ BDwQZ8rhp05oCqhhY3oFHqG9KS7HGzv9g2v1/PrVJMbkfpwu1YK4b3zIZAk= -----END ED25519 CERT-----\ """ +EXPECTED_OUTER_LAYER = """\ +desc-auth-type foo +desc-auth-ephemeral-key bar +auth-client JNil86N07AA epkaL79NtajmgME/egi8oA qosYH4rXisxda3X7p9b6fw +auth-client 1D8VBAh9hdM 6K/uO3sRqBp6URrKC7GB6Q ElwRj5+6SN9kb8bRhiiQvA +encrypted +-----BEGIN MESSAGE----- +malformed block +-----END MESSAGE-----\ +""" + with open(get_resource('hidden_service_v3')) as descriptor_file: HS_DESC_STR = descriptor_file.read() @@ -333,6 +345,64 @@ class TestHiddenServiceDescriptorV3(unittest.TestCase): ]).startswith('create2-formats 2\nintroduction-point AQAGAQEBASMp')) @test.require.ed25519_support + def test_outer_layer_creation(self): + """ + Outer layer creation. + """ + + from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey + + # minimal layer + + self.assertTrue(OuterLayer.content().startswith('desc-auth-type x25519\ndesc-auth-ephemeral-key ')) + self.assertEqual('x25519', OuterLayer.create().auth_type) + + # specify the parameters + + desc = OuterLayer.create({ + 'desc-auth-type': 'foo', + 'desc-auth-ephemeral-key': 'bar', + 'auth-client': [ + 'JNil86N07AA epkaL79NtajmgME/egi8oA qosYH4rXisxda3X7p9b6fw', + '1D8VBAh9hdM 6K/uO3sRqBp6URrKC7GB6Q ElwRj5+6SN9kb8bRhiiQvA', + ], + 'encrypted': '\n-----BEGIN MESSAGE-----\nmalformed block\n-----END MESSAGE-----', + }) + + self.assertEqual('foo', desc.auth_type) + self.assertEqual('bar', desc.ephemeral_key) + self.assertEqual('-----BEGIN MESSAGE-----\nmalformed block\n-----END MESSAGE-----', desc.encrypted) + + self.assertEqual({ + '1D8VBAh9hdM': AuthorizedClient(id = '1D8VBAh9hdM', iv = '6K/uO3sRqBp6URrKC7GB6Q', cookie = 'ElwRj5+6SN9kb8bRhiiQvA'), + 'JNil86N07AA': AuthorizedClient(id = 'JNil86N07AA', iv = 'epkaL79NtajmgME/egi8oA', cookie = 'qosYH4rXisxda3X7p9b6fw'), + }, desc.clients) + + self.assertEqual(EXPECTED_OUTER_LAYER, str(desc)) + + # create an inner layer then decrypt it + + revision_counter = 5 + blinded_key = stem.util._pubkey_bytes(Ed25519PrivateKey.generate()) + subcredential = HiddenServiceDescriptorV3._subcredential(Ed25519PrivateKey.generate(), blinded_key) + + outer_layer = OuterLayer.create( + inner_layer = InnerLayer.create( + introduction_points = [ + IntroductionPointV3.create('1.1.1.1', 9001), + ] + ), + revision_counter = revision_counter, + subcredential = subcredential, + blinded_key = blinded_key, + ) + + inner_layer = InnerLayer._decrypt(outer_layer, revision_counter, subcredential, blinded_key) + + self.assertEqual(1, len(inner_layer.introduction_points)) + self.assertEqual('1.1.1.1', inner_layer.introduction_points[0].link_specifiers[0].address) + + @test.require.ed25519_support def test_encode_decode_descriptor(self): """ Encode an HSv3 descriptor and then decode it and make sure you get the intended results.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits November 2019