Hi Beck, hi Karsten.
First I'd like to make sure that I'm clear on what we're trying to do. The javadocs for VerifyDescriptors [1] says that it...
Verify server descriptors using the contained signing key. Verify that
- a contained fingerprint is actually a hash of the signing key and
- a router signature was created using the signing key.
Verify consensuses using the separate certs. Verify that
- the fingerprint in a cert is actually a hash of the identity key,
- a cert was signed using the identity key,
- a consensus was signed using the signing key from the cert.
Honestly I'm not yet sure what most of this means. The first #2 is simply checking that the descriptor content can be verified using the router-signature and signing-key, right? If so then this sounds like a good place to start since it's entirely self-contained within the descriptor and just involves implementation and testing of...
https://gitweb.torproject.org/stem.git/blob/HEAD:/stem/descriptor/server_des...
However, I need some suggestions for the choice of Python cryptography API, since I haven't used any before.
Nor have I. At present stem does not have any dependencies outside of python's builtin functions. If we need PyCrypto and it's the best choice then so be it, but be sure to wrap the imports in a try/catch so we only raise an ImportError when executing the function that requires the PyCrypto library.
Cheers! -Damian
[1] https://gitweb.torproject.org/metrics-tasks.git/blob/HEAD:/task-2768/VerifyD...