nyxnor / tor-ctrl

Raw use of tor's controller

tor-ctrl-onion-client: explore `ONION_CLIENT_AUTH_{ADD,REMOVE,VIEW}` #24

Closed nyxnor closed 2 years ago

nyxnor commented 2 years ago

It is not the same key format used inside ClientOnionAuthDir/file.auth_private, as it is in base32 and the controller requires it to be in base64.

Read TPO Client-Auth

To generate a key, you need openssl (not libressl, as it does not contain alg x25519) and basez, as it contains base32 and base64 scripts to encode and decode.

Create certificate:

openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem

Generate base32 keys:

private key:

grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail -c 32 | base32 | tr -d "=" > /tmp/k1.prv.key.base32

public key:

openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail -c 32 | base32 | tr -d "=" > /tmp/k1.pub.key.base32

Keys

Generate base64 keys:

private key:

grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail -c 32 | base64 | tr -d "=" > /tmp/k1.prv.key.base64

public key:

openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail -c 32 | base64 | tr -d "=" > /tmp/k1.pub.key.base64

Convert key from base64 to base32:

private key:

base64 -d /tmp/k1.prv.key.base64 2>/dev/null | base32 | tr -d "=" > /tmp/k1.prv.key.base32

public key:

base64 -d /tmp/k1.pub.key.base64 2>/dev/null | base32 | tr -d "=" > /tmp/k1.pub.key.base32

Convert key from base32 to base64:

private key:

printf '%s====\n' "$(cat /tmp/k1.prv.key.base32)" | base32 -d | base64 | tr -d "=" > /tmp/k1.prv.key.base64

public key:

printf '%s====\n' "$(cat /tmp/k1.pub.key.base32)" | base32 -d | base64 | tr -d "=" > /tmp/k1.pub.key.base64

Syntax

serviceId is the hostname without .onion. serviceId=HSAddress

ONION_CLIENT_AUTH_ADD

serviceId x25519:privateKeyInBase64

Flags=Permanent - This client's credentials should be stored in the filesystem. If this is not set, the client's credentials are ephemeral and stored in memory.

ONION_CLIENT_AUTH_REMOVE

serviceId

ONION_CLIENT_AUTH_VIEW

[serviceId]

Tells the connected Tor to list all the stored client-side v3 client auth credentials for "HSAddress". If no "HSAddress" is provided, list all the stored client-side v3 client auth credentials.
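The two halves of the comment above, the key-format conversions and the `ONION_CLIENT_AUTH_*` syntax, as one added example in Python (this is not tor-ctrl's code and not from the issue author). It assumes the PEM input comes from `openssl genpkey -algorithm x25519` / `openssl pkey -pubout` as shown above, so the raw key is the last 32 bytes of the DER body (what `tail -c 32` relies on), and that the `ONION_CLIENT_AUTH_VIEW` reply follows tor's control-spec layout (`250-CLIENT ...` lines ending in `250 OK`). The key bytes, onion address and reply are constructed for the demo; the public-key side still needs openssl as above.

```python
"""Tor v3 client-auth helpers: key format conversion plus ONION_CLIENT_AUTH_*
command construction and VIEW reply parsing (added example, not tor-ctrl code).

Assumes openssl-produced PEMs (raw key = last 32 bytes of the DER body) and
the control-spec reply layout. All sample data below is constructed.
"""
import base64
import re

# DER prefixes openssl writes for x25519 keys (RFC 8410); 32 key bytes follow.
PKCS8_PREFIX = bytes.fromhex("302e020100300506032b656e04220420")  # private key
SPKI_PREFIX = bytes.fromhex("302a300506032b656e032100")            # public key
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}$")  # charset/length only, no checksum


def raw_key_from_pem(pem: str) -> bytes:
    """`grep -v KEY | base64pem -d | tail -c 32`, plus a DER prefix check so a
    non-x25519 PEM is rejected instead of silently truncated."""
    body = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    der = base64.b64decode(body)
    for prefix in (PKCS8_PREFIX, SPKI_PREFIX):
        if der.startswith(prefix) and len(der) == len(prefix) + 32:
            return der[-32:]
    raise ValueError("not an x25519 PKCS#8 private or SPKI public key")


def _check32(raw: bytes) -> bytes:
    if len(raw) != 32:
        raise ValueError(f"x25519 key must be 32 bytes, got {len(raw)}")
    return raw


def to_base32(raw: bytes) -> str:
    """Unpadded base32, the ClientOnionAuthDir/*.auth_private encoding."""
    return base64.b32encode(raw).decode().rstrip("=")


def to_base64(raw: bytes) -> str:
    """Unpadded base64, the encoding ONION_CLIENT_AUTH_ADD wants."""
    return base64.b64encode(raw).decode().rstrip("=")


def from_base32(s: str) -> bytes:
    """Inverse of to_base32; re-adds the '====' the printf above supplies."""
    return _check32(base64.b32decode(s.upper() + "=" * (-len(s) % 8)))


def from_base64(s: str) -> bytes:
    """Inverse of to_base64; tolerates both padded and unpadded input."""
    return _check32(base64.b64decode(s + "=" * (-len(s) % 4)))


def service_id(addr: str) -> str:
    """HSAddress as the controller wants it: lower-case, no '.onion' suffix."""
    sid = addr.strip().lower()
    if sid.endswith(".onion"):
        sid = sid[:-len(".onion")]
    if not ONION_V3_RE.match(sid):
        raise ValueError(f"not a v3 onion address: {addr!r}")
    return sid


def build_add(addr: str, priv_b64: str, permanent: bool = False) -> str:
    key = to_base64(from_base64(priv_b64))  # validates length, strips padding
    cmd = f"ONION_CLIENT_AUTH_ADD {service_id(addr)} x25519:{key}"
    return cmd + (" Flags=Permanent" if permanent else "") + "\r\n"


def build_remove(addr: str) -> str:
    return f"ONION_CLIENT_AUTH_REMOVE {service_id(addr)}\r\n"


def build_view(addr: str = "") -> str:
    return "ONION_CLIENT_AUTH_VIEW" + (f" {service_id(addr)}" if addr else "") + "\r\n"


def parse_view_reply(reply: str) -> list:
    """One dict per stored credential; any non-250 line raises, so an error
    reply is never mistaken for 'no credentials stored'."""
    creds = []
    for line in reply.splitlines():
        if not line:
            continue
        code, rest = line[:3], line[4:]
        if code != "250":
            raise RuntimeError(f"controller error: {line}")
        if rest.startswith("CLIENT "):
            fields = rest.split()  # CLIENT <HSAddress> x25519:<key> [Flags=..]
            ktype, _, blob = fields[2].partition(":")
            entry = {"service_id": fields[1], "key_type": ktype, "key": blob, "flags": []}
            for extra in fields[3:]:
                k, _, v = extra.partition("=")
                if k == "Flags":
                    entry["flags"] = v.split(",")
            creds.append(entry)
    return creds


# Constructed demo data: not a real key, service or tor reply.
SAMPLE_RAW = bytes(range(32))
SAMPLE_PEM = ("-----BEGIN PRIVATE KEY-----\n"
              + base64.b64encode(PKCS8_PREFIX + SAMPLE_RAW).decode()
              + "\n-----END PRIVATE KEY-----\n")
SAMPLE_SERVICE = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx"
SAMPLE_REPLY = (f"250-ONION_CLIENT_AUTH_VIEW {SAMPLE_SERVICE}\r\n"
                f"250-CLIENT {SAMPLE_SERVICE} x25519:{to_base64(SAMPLE_RAW)} Flags=Permanent\r\n"
                "250 OK\r\n")

if __name__ == "__main__":
    raw = raw_key_from_pem(SAMPLE_PEM)
    # tor's .auth_private line format (base32), versus the controller's base64
    print(f"{SAMPLE_SERVICE}:descriptor:x25519:{to_base32(raw)}")
    print(build_add(SAMPLE_SERVICE + ".onion", to_base64(raw), permanent=True), end="")
    print(parse_view_reply(SAMPLE_REPLY))
```

The prefix check in `raw_key_from_pem` is the one thing the shell pipeline does not do: `tail -c 32` happily returns the last 32 bytes of any PEM, so an RSA or ed25519 key fed in by mistake becomes a syntactically valid but useless `x25519:` blob. Likewise, `from_base32`/`from_base64` insist on exactly 32 bytes before a value is put into a command.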

nyxnor commented 2 years ago

the reason why it is planned to be a separate script from tor-ctrl-onion is that that script is for server administrators, while tor-ctrl-onion-client is for clients.

Summed up to people not understanding the options, which is very hard to summarize on a help message and maybe a manual will be needed for each script.

This separation is not a definitive one, it just seems right at the moment, but can be amended to tor-ctrl-onion if useful points are made.

nyxnor commented 2 years ago

ended up on the same script because the help message is better now, more organized and I hope it is understandable.

nyxnor commented 2 years ago

everything was accomplished.