Struct TlsKeyAndCert 

#[non_exhaustive]
pub struct TlsKeyAndCert {
    pub(crate) certificates: Vec<Vec<u8>>,
    pub(crate) private_key: RsaPrivateKey,
    pub(crate) sha256_digest: [u8; 32],
    pub(crate) expiration: SystemTime,
}

A set of x.509 certificate information and keys for use with a TLS library.

Only relays need this: They should set these as the certificate(s) to be used for incoming TLS connections.

This is not necessarily the most convenient form to manipulate certificates in: rather, it is intended to provide the formats that TLS libraries generally expect to get.

Fields (Non-exhaustive)

Non-exhaustive structs could have additional fields added in future. Therefore, non-exhaustive structs cannot be constructed in external crates using the traditional Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.

certificates: Vec<Vec<u8>>

A list of certificates in DER form.

(This may contain more than one certificate, but for now only one certificate is used.)

private_key: RsaPrivateKey

A private key for use in the TLS handshake.

sha256_digest: [u8; 32]

A SHA256 digest of the link certificate (the one certifying the private key’s public component).

This digest is the one what will be certified by the relay’s SIGNING_V_TLS_CERT certificate.

expiration: SystemTime

A time after which this set of link information won’t be valid, and another should be generated.

Implementations

impl TlsKeyAndCert

pub fn certificates_der(&self) -> Vec<&[u8]>

Return the certificates as a list of DER-encoded values.

pub fn certificate_pem(&self) -> String

Return the certificates as a concatenated list in PEM (“BEGIN CERTIFICATE”) format.

pub fn private_key_pkcs8_der(&self) -> Result<Zeroizing<Vec<u8>>, X509CertError>

Return the private key in (unencrypted) PKCS8 DER format.

pub fn private_key_pkcs8_pem(&self) -> Result<Zeroizing<String>, X509CertError>

Return the private key in (unencrypted) PKCS8 PEM (“BEGIN PRIVATE KEY”) format.

pub fn expiration(&self) -> SystemTime

Return the earliest time at which any of these certificates will expire.

pub fn link_cert_sha256(&self) -> &[u8; 32]

Return the SHA256 digest of the link certificate

This digest is the one certified with the relay’s SIGNING_V_TLS_CERT certificate.

pub fn create<Rng: CryptoRng>( rng: &mut Rng, now: SystemTime, issuer_hostname: &str, subject_hostname: &str, ) -> Result<Self, X509CertError>

Create a new TLS link key and associated certificate(s).

The certificate will be valid at now, and for a while after.

The certificate parameters and keys are chosen for reasonable security, approximate conformance to RFC5280, and limited fingerprinting resistance.

Note: The fingerprinting resistance is quite limited. We will likely want to pursue these avenues for better fingerprinting resistance:

• Encourage more use of TLS 1.3, where server certificates are encrypted. (This prevents passive fingerprinting only.)
• Adjust this function to make certificates look even more normal
• Integrate with ACME-supporting certificate issuers (Letsencrypt, etc) to get real certificates for Tor relays.

Trait Implementations

impl Clone for TlsKeyAndCert

fn clone(&self) -> TlsKeyAndCert

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for TlsKeyAndCert

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.