[tor-commits] [torspec/master] Fix some descriptions in cert_key_type_fix.

dgoulet at torproject.org dgoulet at torproject.org
Tue Sep 22 17:43:00 UTC 2020 

commit acedbaca76354a071c8985ee976fed84789400da
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Sep 17 08:46:06 2020 -0400

    Fix some descriptions in cert_key_type_fix.
    
    There were extraneous entries in the lists of signed key types:
    these values describe the type of the key being signed (eg, ed25519
    or RSA), not the type of the certificate.
    
    Further, clarify Tor bug 40124, so that people know to expect
    incorrect cert key types on older signing->link certs.
---
 cert-spec.txt | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/cert-spec.txt b/cert-spec.txt
index 1d57645..08d754d 100644
--- a/cert-spec.txt
+++ b/cert-spec.txt
@@ -49,11 +49,11 @@
    The "VERSION" field holds the value [01].  The "CERT_TYPE" field
    holds a value depending on the type of certificate. (See appendix
    A.1.) The CERTIFIED_KEY field is an Ed25519 public key if
-   CERT_KEY_TYPE is [01], or a SHA256 hash of some other key type
-   depending on the value of CERT_KEY_TYPE. The EXPIRATION_DATE is a
-   date, given in HOURS since the epoch, after which this
-   certificate isn't valid. (A four-byte field here will work fine
-   until 10136 A.D.)
+   CERT_KEY_TYPE is [01], or a digest of some other key type
+   depending on the value of CERT_KEY_TYPE.  (See appendix A.4.)
+   The EXPIRATION_DATE is a date, given in HOURS since the epoch,
+   after which this certificate isn't valid. (A four-byte field here
+   will work fine until 10136 A.D.)
 
    The EXTENSIONS field contains zero or more extensions, each of
    the format:
@@ -116,7 +116,7 @@
    acts with the authority of the RSA key that signed this
    certificate."
 
-A.1. List of certificate types
+A.1. List of certificate types (CERT_TYPE field)
 
    The values marked with asterisks are not types corresponding to
    the certificate format of section 2.1.  Instead, they are
@@ -166,14 +166,14 @@ A.3. List of signature prefixes
 
    "Tor router descriptor signature v1" (see dir-spec.txt)
 
-A.4. List of certified key types
+A.4. List of certified key types (CERT_KEY_TYPE field)
 
    [01] ed25519 key
-   [02] SHA256 hash of an RSA key
-   [03] SHA256 hash of an X.509 certificate
-   [08] short-term HS descriptor signing key, signed with blinded public key (rend-spec-v3.txt)
-   [09] intro point authentication key, cross-certifying the HS descriptor
-        signing key  (rend-spec-v3.txt)
-   [0B] ed25519 key derived from the curve25519 intro point encryption key,
-        cross-certifying the HS descriptor signing key  (rend-spec-v3.txt)
-
+   [02] SHA256 hash of an RSA key. (Not currently used.)
+   [03] SHA256 hash of an X.509 certificate. (Used with certificate
+        type 5.)
+
+   (NOTE: Up till 0.4.5.1-alpha, all versions of Tor have incorrectly used
+   "01" for all types of certified key.  Implementations SHOULD
+   allow "01" in this position, and infer the actual key type from
+   the CERT_TYPE field.)

More information about the tor-commits mailing list