experiments with using v3 onions with client auth (as of tor 0.3.5.X)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# needs openssl 1.1+ | |
# needs `basez` https://manpages.debian.org/testing/basez/base32hex.1.en.html | |
# (but something else that decodes the base64 and re-encodes the raw key bytes | |
# to base32 is probably fine too) | |
##### generate a key | |
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem | |
##### re-formatting the keys into base32 in a way that tor likes: | |
# basically take the base64pem from the above key file, decode it to raw binary data, | |
# strip the PKCS header (key is final 32bytes of the raw data), re-encode it into base32, | |
# strip the "=" padding | |
cat /tmp/k1.prv.pem |\ | |
grep -v " PRIVATE KEY" |\ | |
base64pem -d |\ | |
tail --bytes=32 |\ | |
base32 |\ | |
sed 's/=//g' > /tmp/k1.prv.key | |
openssl pkey -in /tmp/k1.prv.pem -pubout |\ | |
grep -v " PUBLIC KEY" |\ | |
base64pem -d |\ | |
tail --bytes=32 |\ | |
base32 |\ | |
sed 's/=//g' > /tmp/k1.pub.key | |
##### do the outputs | |
echo "X25519 Private Key:" | |
cat /tmp/k1.prv.key | |
echo | |
echo "X25519 Public Key: (give this to the onion service)" | |
cat /tmp/k1.pub.key | |
echo | |
echo "=====" | |
echo "Tor client configuration" | |
echo "=====" | |
echo "Make sure you have ClientOnionAuthDir set in your torrc. In the" | |
echo "<ClientOnionAuthDir> directory, create an '.auth_private' file for the" | |
echo "onion service corresponding to this key (i.e. 'bob_onion.auth_private')." | |
echo "The contents of the <ClientOnionAuthDir>/<user>.auth_private file should" | |
echo "look like:" | |
echo | |
echo " <56-char-onion-addr-without-.onion-part>:descriptor:x25519:`cat /tmp/k1.prv.key`" | |
echo | |
echo "i.e.:" | |
echo " p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd:descriptor:x25519:`cat /tmp/k1.prv.key`" | |
echo | |
echo "=====" | |
echo "Onion service configuration" | |
echo "=====" | |
echo "Inside the HiddenServiceDir for this onion service, create an" | |
echo "/authorized_clients/ subdirectory and a '.auth' file for the user (i.e." | |
echo "'alice.auth'). The contents of the <HiddenServiceDir>/authorized_clients/<username>.auth" | |
echo "file should look like:" | |
echo | |
echo " descriptor:x25519:`cat /tmp/k1.pub.key`" | |
rm -f /tmp/k1.pub.key /tmp/k1.prv.key /tmp/k1.prv.pem |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
X25519 Private Key: | |
BBBEAUAO3PIFAH7SBGBI6A2QFAZBXG2NVN7HMBXFCZENJVF6C5AQ | |
X25519 Public Key: (give this to the onion service) | |
SUCXD2A4YRK4JQ37QCIAQXGASQWVLFH45XENCC5YDZFR6RIT6ETA | |
===== | |
Tor client configuration | |
===== | |
Make sure you have ClientOnionAuthDir set in your torrc. In the | |
<ClientOnionAuthDir> directory, create an '.auth_private' file for the | |
onion service corresponding to this key (i.e. 'bob_onion.auth_private'). | |
The contents of the <ClientOnionAuthDir>/<user>.auth_private file should | |
look like: | |
<56-char-onion-addr-without-.onion-part>:descriptor:x25519:BBBEAUAO3PIFAH7SBGBI6A2QFAZBXG2NVN7HMBXFCZENJVF6C5AQ | |
i.e.: | |
p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd:descriptor:x25519:BBBEAUAO3PIFAH7SBGBI6A2QFAZBXG2NVN7HMBXFCZENJVF6C5AQ | |
===== | |
Onion service configuration | |
===== | |
Inside the HiddenServiceDir for this onion service, create an | |
/authorized_clients/ subdirectory and a '.auth' file for the user (i.e. | |
'alice.auth'). The contents of the <HiddenServiceDir>/authorized_clients/<username>.auth | |
file should look like: | |
descriptor:x25519:SUCXD2A4YRK4JQ37QCIAQXGASQWVLFH45XENCC5YDZFR6RIT6ETA |
Use tail -c 32
for posix.
Also, on openbsd, the openssl command is called eopenssl11
or eopenssl30
depending on the version installed via pkg_add.
There is no basez port on opensbd but it is coming soon.
#!/usr/bin/env sh
openssl_command="eopenssl30" ## [openssl|eopenssl11|eopenssl30]
"${openssl_command}" genpkey -algorithm x25519 -out /tmp/k1.prv.pem
grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail -c 32 | base32 | sed "s/=//g" > /tmp/k1.prv.key
"${openssl_command}" pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail -c 32 | base32 | sed "s/=//g" > /tmp/k1.pub.key
Hi, please pull my version https://gist.github.com/stokito/8d1fb41a3834deaf27f5619dc2bbb061
I adopted the script for OpenWrt.
Changes:
- Use /bin/sh shebang. No need to use bash here
- The base64pem replaced with plain base64. The string is anyway smaller than 76. The base64pem is not available on OpenWrt.
- Use tail -c 32 for posix as @nyxnor mentioned. The BusyBox's tail doesn't have --bytes
Thank you.
Turned out that for OpenWrt there is package tor-gencert for "Generate certs and keys for Tor directory authorities".
Also see https://openwrt.org/docs/guide-user/services/tor/hs#client_authorization_old
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks for this @mtigas! I've also found this script useful.