[tor-commits] [stem/master] Certificate signing_key() helper
Sun Oct 6 02:07:34 UTC 2019
commit 287a27dc99bb6f5caa91964d0e307c123d1662d5
Author: Damian Johnson <atagar at torproject.org>
Date: Wed Oct 2 15:03:14 2019 -0700
Certificate signing_key() helper
Ok, I've kept going back and forth on this, but it's definitely cleaner for callers.
---
stem/descriptor/certificate.py | 30 +++++++++++++++++++++---------
stem/descriptor/hidden_service.py | 10 ++--------
2 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/stem/descriptor/certificate.py b/stem/descriptor/certificate.py
index 01238182..4a78fa3f 100644
--- a/stem/descriptor/certificate.py
+++ b/stem/descriptor/certificate.py
@@ -247,6 +247,22 @@ class Ed25519CertificateV1(Ed25519Certificate):
return datetime.datetime.now() > self.expiration
+ def signing_key(self):
+ """
+ Provides this certificate's signing key.
+
+ .. versionadded:: 1.8.0
+
+ :returns: **bytes** with the first signing key on the certificate, None if
+ not present
+ """
+
+ for extension in self.extensions:
+ if extension.type == ExtensionType.HAS_SIGNING_KEY:
+ return extension.data
+
+ return None
+
def validate(self, descriptor):
"""
Validates our signing key and that the given descriptor content matches its
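Review bot: signing_key() hands back extension.data as-is, so whatever bytes the HAS_SIGNING_KEY extension carries reach the caller without any length check; unless the extension parser already enforces the 32-byte Ed25519 size (not visible in this hunk), the docstring should say so, e.g. `:returns: **bytes** with the raw data of the first HAS_SIGNING_KEY extension, None if not present`. With that wording callers know the value is only a public key once Ed25519PublicKey.from_public_bytes() accepts it, which is where validate() in the next hunk turns a bad length into an error. As a point of style the loop could be `next((e.data for e in self.extensions if e.type == ExtensionType.HAS_SIGNING_KEY), None)`, which also documents the "first match" contract in code.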
@@ -271,27 +287,23 @@ class Ed25519CertificateV1(Ed25519Certificate):
if not isinstance(descriptor, stem.descriptor.server_descriptor.RelayDescriptor):
raise ValueError('Certificate validation only supported for server descriptors, not %s' % type(descriptor).__name__)
- descriptor_content = descriptor.get_bytes()
- signing_key = None
-
if descriptor.ed25519_master_key:
- signing_key = Ed25519PublicKey.from_public_bytes(base64.b64decode(stem.util.str_tools._to_bytes(descriptor.ed25519_master_key) + b'='))
+ signing_key = base64.b64decode(stem.util.str_tools._to_bytes(descriptor.ed25519_master_key) + b'=')
else:
- for extension in self.extensions:
- if extension.type == ExtensionType.HAS_SIGNING_KEY:
- signing_key = Ed25519PublicKey.from_public_bytes(extension.data)
- break
+ signing_key = self.signing_key()
if not signing_key:
raise ValueError('Server descriptor missing an ed25519 signing key')
try:
- signing_key.verify(self.signature, base64.b64decode(stem.util.str_tools._to_bytes(self.encoded))[:-ED25519_SIGNATURE_LENGTH])
+ Ed25519PublicKey.from_public_bytes(signing_key).verify(self.signature, base64.b64decode(stem.util.str_tools._to_bytes(self.encoded))[:-ED25519_SIGNATURE_LENGTH])
except InvalidSignature:
raise ValueError('Ed25519KeyCertificate signing key is invalid (Signature was forged or corrupt)')
# ed25519 signature validates descriptor content up until the signature itself
+ descriptor_content = descriptor.get_bytes()
+
if b'router-sig-ed25519 ' not in descriptor_content:
raise ValueError("Descriptor doesn't have a router-sig-ed25519 entry.")
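Review bot: When both descriptor.ed25519_master_key and the certificate's HAS_SIGNING_KEY extension are present, the rewritten branch at `if descriptor.ed25519_master_key:` verifies against the descriptor's own claimed key and never consults the certificate's, so a mismatch between the two is not detected; as I recall dir-spec requires them to agree, and the new helper makes the cross-check cheap: `cert_key = self.signing_key()` / `if cert_key and cert_key != signing_key:` / `raise ValueError('Descriptor master key does not match the certificate signing key')`. Also, Ed25519PublicKey.from_public_bytes() now runs inside the try that only catches InvalidSignature, so a key of the wrong length is reported with cryptography's own exception text rather than the stem message on the following line — worth a comment if that is intended. validate() begins in the previous hunk and its body continues past the end of this one.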
diff --git a/stem/descriptor/hidden_service.py b/stem/descriptor/hidden_service.py
index dc282202..2ca9f4bf 100644
--- a/stem/descriptor/hidden_service.py
+++ b/stem/descriptor/hidden_service.py
@@ -54,8 +54,6 @@ from stem.descriptor import (
_random_crypto_blob,
)
-from stem.descriptor.certificate import ExtensionType
-
if stem.prereq._is_lru_cache_available():
from functools import lru_cache
else:
@@ -562,12 +560,8 @@ class HiddenServiceDescriptorV3(BaseHiddenServiceDescriptor):
elif not stem.prereq._is_sha3_available():
raise ImportError('Hidden service descriptor decryption requires python 3.6+ or the pysha3 module (https://pypi.org/project/pysha3/)')
- desc_signing_cert = stem.descriptor.certificate.Ed25519Certificate.parse(self.signing_cert)
-
- for extension in desc_signing_cert.extensions:
- if extension.type == ExtensionType.HAS_SIGNING_KEY:
- blinded_key = extension.data
- break
+ cert = stem.descriptor.certificate.Ed25519Certificate.parse(self.signing_cert)
+ blinded_key = cert.signing_key()
if not blinded_key:
raise ValueError('No signing key extension present')
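Review bot: `blinded_key = cert.signing_key()` assumes parse() returned an Ed25519CertificateV1, the only class the helper is added to in the first certificate.py hunk; if parse() can return another certificate class or version, this line raises AttributeError instead of the ValueError the next check is there to produce. If other return types are possible, either define signing_key() on the base certificate class or guard it here, e.g. `if not hasattr(cert, 'signing_key'): raise ValueError('Unsupported certificate version %s' % cert.version)` (attribute name to be confirmed). The enclosing method starts outside this hunk.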