commit b71058113a1c07a985c574200602b43829d1236d Author: Damian Johnson atagar@torproject.org Date: Sat Sep 28 12:40:17 2019 -0700

Generalize Certificat validate method

We'll be using certificates to validate both server and hidden service descriptors, so adjusting the method to take a base Descriptor object rather than server descriptors specifically. --- stem/descriptor/certificate.py | 27 ++++++++++++++------------- test/settings.cfg | 1 + 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py index e9196319..e3e41ca4 100644 --- a/stem/descriptor/certificate.py +++ b/stem/descriptor/certificate.py @@ -75,6 +75,7 @@ import datetime import hashlib

import stem.prereq +import stem.descriptor.server_descriptor import stem.util.enum import stem.util.str_tools

@@ -241,17 +242,14 @@ class Ed25519CertificateV1(Ed25519Certificate):

return datetime.datetime.now() > self.expiration

- # TODO: This method is too specific to server descriptors. We should - # deprecate this if possible in favor of a more generic method that covers - # hidden service v3 descriptors as well. - - def validate(self, server_descriptor): + def validate(self, descriptor): """ Validates our signing key and that the given descriptor content matches its - Ed25519 signature. + Ed25519 signature. Supported descriptor types include... + + * server descriptors

- :param stem.descriptor.server_descriptor.RelayDescriptor server_descriptor: relay - server descriptor to validate + :param stem.descriptor.__init__.Descriptor descriptor: descriptor to validate

:raises: * **ValueError** if signing key or descriptor are invalid @@ -265,11 +263,14 @@ class Ed25519CertificateV1(Ed25519Certificate): from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey from cryptography.exceptions import InvalidSignature

- descriptor_content = server_descriptor.get_bytes() + if not isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor): + raise ValueError('Certificate validation only supported for server descriptors, not %s' % type(descriptor).__name__) + + descriptor_content = descriptor.get_bytes() signing_key = None

- if server_descriptor.ed25519_master_key: - signing_key = Ed25519PublicKey.from_public_bytes(base64.b64decode(stem.util.str_tools._to_bytes(server_descriptor.ed25519_master_key) + b'=')) + if descriptor.ed25519_master_key: + signing_key = Ed25519PublicKey.from_public_bytes(base64.b64decode(stem.util.str_tools._to_bytes(descriptor.ed25519_master_key) + b'=')) else: for extension in self.extensions: if extension.type == ExtensionType.HAS_SIGNING_KEY: @@ -292,8 +293,8 @@ class Ed25519CertificateV1(Ed25519Certificate): signed_content = descriptor_content[:descriptor_content.index(b'router-sig-ed25519 ') + 19] descriptor_sha256_digest = hashlib.sha256(ED25519_ROUTER_SIGNATURE_PREFIX + signed_content).digest()

- missing_padding = len(server_descriptor.ed25519_signature) % 4 - signature_bytes = base64.b64decode(stem.util.str_tools._to_bytes(server_descriptor.ed25519_signature) + b'=' * missing_padding) + missing_padding = len(descriptor.ed25519_signature) % 4 + signature_bytes = base64.b64decode(stem.util.str_tools._to_bytes(descriptor.ed25519_signature) + b'=' * missing_padding)

try: verify_key = Ed25519PublicKey.from_public_bytes(self.key) diff --git a/test/settings.cfg b/test/settings.cfg index 7e42b3af..5d755bad 100644 --- a/test/settings.cfg +++ b/test/settings.cfg @@ -212,6 +212,7 @@ pyflakes.ignore stem/prereq.py => 'lzma' imported but unused pyflakes.ignore stem/client/datatype.py => redefinition of unused 'pop' from * pyflakes.ignore stem/descriptor/hidden_service_descriptor.py => 'stem.descriptor.hidden_service.*' imported but unused pyflakes.ignore stem/descriptor/hidden_service_descriptor.py => 'from stem.descriptor.hidden_service import *' used; unable to detect undefined names +pyflakes.ignore stem/descriptor/hsv3_crypto.py => 'sha3' imported but unused pyflakes.ignore stem/interpreter/__init__.py => undefined name 'raw_input' pyflakes.ignore stem/response/events.py => undefined name 'long' pyflakes.ignore stem/util/__init__.py => undefined name 'long'