commit f9b9ad7cf1dafeb59a54d7e4d3cf922586a3d05e Author: Matthew Finkel Matthew.Finkel@gmail.com Date: Sat Nov 9 17:12:45 2013 +0000

The identity is based on the public key of the router.

Specifically it is the SHA-1 hash of the DER encoding of an ASN.1 RSA public key.

(cherry picked from commit 6b57521a522abaa8f5fdd158708f382293a59e48) Signed-off-by: Isis Lovecruft isis@torproject.org

Conflicts: scripts/gen_bridge_descriptors

Matt and I both fixed the same bug, but it turns out we were both a tiny bit wrong, I believe, in different ways: I was improperly PEM-encoding the OR keys, and wasn't using ASN.1 format. Matt was using a dump of SIDPKey as the OR bridge's public identity key -- PyOpenSSL has this rather odd API where you have to dump the public key from the public cert to access it. Also, it's necessary to base64-encode the digest of the identity key, and strip the '=' character base64 padding.

We *might* still be doing it wrong and missing the DER-encoding step. --- scripts/gen_bridge_descriptors | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/scripts/gen_bridge_descriptors b/scripts/gen_bridge_descriptors index 4d7c930..019e1e3 100644 --- a/scripts/gen_bridge_descriptors +++ b/scripts/gen_bridge_descriptors @@ -98,6 +98,7 @@ OPENSSL_BEGIN_CERT = "-----BEGIN CERTIFICATE-----" OPENSSL_END_CERT = "-----END CERTIFICATE-----"

PEM = OpenSSL.crypto.FILETYPE_PEM +ASN1 = OpenSSL.crypto.FILETYPE_ASN1

class OpenSSLKeyGenError(Exception): @@ -573,15 +574,10 @@ def makeOnionKeys(bridge=True, digest='sha1'): onion = createKey() onionSKey, onionSCert, onionPKey, onionPCert = onion

- # This is the fingerprint of the server ID key, if we aren't a bridge. If - # we are a bridge, then this is the real fingerprint, which goes into our - # descriptor (but not the one that other ORs see when they connect to us) - fingerprint = CIDPCert.digest(digest) - onionKeyString = 'onion-key\n%s' % getPEMPublicKey(onionPCert) signingKeyString = 'signing-key\n%s' % getPEMPublicKey(signPCert)

- return SIDSKey, SIDPCert, (fingerprint, onionKeyString, signingKeyString) + return SIDSKey, SIDPCert, (onionKeyString, signingKeyString)

def generateExtraInfo(fingerprint, ts, ipv4, port): """Create an OR extra-info document. @@ -745,17 +741,20 @@ def generateDescriptors(): timestamp = makeTimeStamp(variation=True, period=36) protocols = makeProtocolsLine(vers)

- SIDSKey, SIDPCert, (fingerprint, onionkey, signingkey) = makeOnionKeys() + SIDSKey, SIDPCert, (onionkey, signingkey) = makeOnionKeys() idkey_private = getPEMPrivateKey(SIDSKey) idkey_digest = hashlib.sha1(idkey_private).digest()

fpr = convertToSpaceyFingerprint(fingerprint)

- idkey_public = OpenSSL.crypto.dump_privatekey(PEM, + idkey_public = OpenSSL.crypto.dump_privatekey(ASN1, SIDPCert.get_pubkey()) idkey_public = re.sub(OPENSSL_BEGIN_KEY, '', idkey_public) idkey_public = re.sub(OPENSSL_END_KEY, '', idkey_public) idkey_public = idkey_public.strip() + + ident_digest = hashlib.sha1(idkey_public).digest() + identity = binascii.b2a_base64( hashlib.sha1(idkey_public).digest()).strip().strip('=======')