Ed25519 certificate parsing for Tor descriptors.
This module provides parsing for Ed25519 certificates used throughout the Tor network for cryptographic identity and signing key validation. These certificates are a fundamental building block of Tor’s identity system, enabling:
- Validating signing keys of server descriptors
- Validating signing keys of hidden service v3 descriptors
- Signing and encrypting hidden service v3 introduction points
- Cross-certifying relay identity keys
§Certificate Structure
Ed25519 certificates follow the format specified in cert-spec.txt. Each certificate contains, in order:
- A version number (1 byte; currently only version 1 is supported)
- A certificate type (1 byte) indicating its purpose
- An expiration time (4 bytes, big-endian, in hours since the Unix epoch)
- A certified-key type (1 byte) followed by the certified key (32 bytes)
- Optional extensions, each carrying its own length, type and flags (e.g., type 4 carries the signing key)
- A signature (64 bytes) over everything that precedes it
§Security Considerations
- Always check `Ed25519Certificate::is_expired` before trusting a certificate; the expiration field is stored in whole hours since the Unix epoch, so it has one-hour granularity.
- Certificate validation requires the `cryptography` feature for signature verification. Without it a certificate can still be parsed, but its signature is never checked, so a successful parse says nothing about who issued it.
- The signing key may be embedded in an extension or provided externally; whichever source is used, make sure it is the key you expect to have signed this certificate type.
- Certificates with unknown types are rejected to prevent security issues.
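To make the layout and the checks above concrete, here is an added example (written for this page, not code from `stem_rs`) that parses the cert-spec.txt byte layout with the standard library only and runs it on the sample certificate shown in this module's documentation. It decodes the armor itself, walks the extension list, refuses unrecognized extensions that set the AFFECTS_VALIDATION flag, and exposes an expiry check against a caller-supplied clock. It deliberately does not verify the Ed25519 signature: the signed body and the signature are returned so a real Ed25519 implementation can check them against the signing key. The constant names, the `CertError` variants and the `is_expired_at` helper are this example's own, not the crate's API.

```rust
// Added example, not stem_rs code: std-only parser for the cert-spec.txt
// Ed25519 certificate layout, run on the sample certificate from the docs.
// Parses and sanity-checks only; the signature is NOT verified here.
const HEADER_LEN: usize = 40; // version(1) type(1) expiration(4) key_type(1) key(32) n_ext(1)
const KEY_LEN: usize = 32;
const SIG_LEN: usize = 64;
const EXT_TYPE_SIGNING_KEY: u8 = 4; // "signed-with-ed25519-key" extension
const EXT_FLAG_AFFECTS_VALIDATION: u8 = 1;

/// The certificate from the module docs (an identity-ed25519 cert from a relay descriptor).
pub const SAMPLE_CERT: &str = "-----BEGIN ED25519 CERT-----
AQQABhtZAaW2GoBED1IjY3A6f6GNqBEl5A83fD2Za9upGke51JGqAQAgBABnprVR
ptIr43bWPo2fIzo3uOywfoMrryprpbm4HhCkZMaO064LP+1KNuLvlc8sGG8lTjx1
g4k3ELuWYgHYWU5rAia7nl4gUfBZOEfHAfKES7l3d63dBEjEX98Ljhdp2w4=
-----END ED25519 CERT-----";

#[derive(Debug, PartialEq)]
pub enum CertError { Base64, BadLength, BadVersion(u8), UnknownCriticalExtension(u8) }

#[derive(Debug)]
pub struct Extension { pub ext_type: u8, pub flags: u8, pub data: Vec<u8> }

#[derive(Debug)]
pub struct Cert {
    pub version: u8, pub cert_type: u8,
    pub expiration_hours: u32, // hours since the Unix epoch
    pub key_type: u8,          // 1 = Ed25519
    pub certified_key: [u8; KEY_LEN], pub extensions: Vec<Extension>,
    pub body: Vec<u8>,         // every byte the signature covers
    pub signature: [u8; SIG_LEN],
}

impl Cert {
    /// Signing key carried by the type-4 extension, if one is present.
    pub fn signing_key(&self) -> Option<&[u8]> {
        self.extensions.iter().find(|e| e.ext_type == EXT_TYPE_SIGNING_KEY).map(|e| e.data.as_slice())
    }
    /// Expiry check against a caller-supplied clock (Unix seconds), so it is testable.
    pub fn is_expired_at(&self, now_unix_secs: u64) -> bool {
        u64::from(self.expiration_hours) * 3600 <= now_unix_secs
    }
}

/// Minimal standard-alphabet base64 decoder; whitespace and '=' padding are skipped.
pub fn base64_decode(s: &str) -> Result<Vec<u8>, CertError> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62, b'/' => 63,
            b'=' | b'\n' | b'\r' | b' ' => continue,
            _ => return Err(CertError::Base64),
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Strip the PEM-style armor lines, then parse the decoded body.
pub fn parse_pem(pem: &str) -> Result<Cert, CertError> {
    let b64: String = pem.lines().filter(|l| !l.starts_with("-----")).collect();
    parse(&base64_decode(&b64)?)
}

pub fn parse(raw: &[u8]) -> Result<Cert, CertError> {
    if raw.len() < HEADER_LEN + SIG_LEN { return Err(CertError::BadLength); }
    if raw[0] != 1 { return Err(CertError::BadVersion(raw[0])); }
    let sig_start = raw.len() - SIG_LEN;
    let (mut pos, mut extensions) = (HEADER_LEN, Vec::new());
    for _ in 0..raw[39] {
        if pos + 4 > sig_start { return Err(CertError::BadLength); }
        let len = usize::from(u16::from_be_bytes([raw[pos], raw[pos + 1]]));
        let (ext_type, flags) = (raw[pos + 2], raw[pos + 3]);
        pos += 4;
        if pos + len > sig_start { return Err(CertError::BadLength); }
        if ext_type == EXT_TYPE_SIGNING_KEY && len != KEY_LEN { return Err(CertError::BadLength); }
        // cert-spec: an unrecognised extension with AFFECTS_VALIDATION set means the
        // whole certificate must be rejected, not silently skipped.
        if ext_type != EXT_TYPE_SIGNING_KEY && (flags & EXT_FLAG_AFFECTS_VALIDATION) != 0 {
            return Err(CertError::UnknownCriticalExtension(ext_type));
        }
        extensions.push(Extension { ext_type, flags, data: raw[pos..pos + len].to_vec() });
        pos += len;
    }
    if pos != sig_start { return Err(CertError::BadLength); } // stray bytes before the signature
    Ok(Cert {
        version: raw[0], cert_type: raw[1],
        expiration_hours: u32::from_be_bytes([raw[2], raw[3], raw[4], raw[5]]),
        key_type: raw[6], certified_key: raw[7..7 + KEY_LEN].try_into().unwrap(),
        extensions, body: raw[..sig_start].to_vec(), signature: raw[sig_start..].try_into().unwrap(),
    })
}

fn main() {
    let c = parse_pem(SAMPLE_CERT).expect("sample certificate parses");
    println!("type {} expires at hour {} signing key: {}", c.cert_type, c.expiration_hours, c.signing_key().is_some());
}
```

On the sample certificate this yields version 1, type 4, key type 1, an expiration of hour 400217 (late August 2015, so long expired), and a single type-4 extension holding the 32-byte signing key. The length checks matter as much as the type check: an extension whose declared length runs into the signature, or leftover bytes between the last extension and the signature, would otherwise let an attacker shift which bytes end up being signed.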
§Example
```rust
use stem_rs::descriptor::certificate::Ed25519Certificate;

let cert_pem = r#"-----BEGIN ED25519 CERT-----
AQQABhtZAaW2GoBED1IjY3A6f6GNqBEl5A83fD2Za9upGke51JGqAQAgBABnprVR
ptIr43bWPo2fIzo3uOywfoMrryprpbm4HhCkZMaO064LP+1KNuLvlc8sGG8lTjx1
g4k3ELuWYgHYWU5rAia7nl4gUfBZOEfHAfKES7l3d63dBEjEX98Ljhdp2w4=
-----END ED25519 CERT-----"#;

let cert = Ed25519Certificate::from_base64(cert_pem).unwrap();
println!("Certificate type: {:?}", cert.cert_type);
println!("Expires: {}", cert.expiration);
println!("Is expired: {}", cert.is_expired());

// Extract signing key if present
if let Some(signing_key) = cert.signing_key() {
    println!("Signing key: {} bytes", signing_key.len());
}
```
§See Also
- `crate::descriptor::server` - Server descriptors that contain Ed25519 certificates
- `crate::descriptor::hidden` - Hidden service descriptors using Ed25519 certificates
- `crate::client::datatype` - Low-level certificate types for ORPort communication
Structs§
- Ed25519Certificate - A version 1 Ed25519 certificate used in Tor descriptors.
- Ed25519Extension - An extension within an Ed25519 certificate.
Enums§
- ExtensionFlag - Flags that can be assigned to Ed25519 certificate extensions.
- ExtensionType - Types of extensions that can appear in an Ed25519 certificate.
Constants§
- ED25519_HEADER_LENGTH - Length of the Ed25519 certificate header in bytes.
- ED25519_KEY_LENGTH - Length of an Ed25519 public key in bytes.
- ED25519_SIGNATURE_LENGTH - Length of an Ed25519 signature in bytes.